10 changes: 9 additions & 1 deletion scripts/trivy_vulnerabilities_data.sh
Expand Up @@ -71,14 +71,22 @@ case "$IMAGE" in
*) product_name="UNKNOWN" ;;
esac

# Download Trivy DB if necessary
if [ ! -d "$HOME/.cache/trivy/db" ]; then
echo "Trivy DB not found. Downloading..."
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
fi

Comment on lines +74 to +82
🛠️ Refactor suggestion

Add error handling and space verification for database download.

The database download logic looks good, but could benefit from additional safeguards.

Apply this diff to add error handling and space checks:

 # Download Trivy DB if necessary
 if [ ! -d "$HOME/.cache/trivy/db" ]; then
   echo "Trivy DB not found. Downloading..."
+  # Check for sufficient disk space (at least 500MB free)
+  free_space=$(df -m . | awk 'NR==2 {print $4}')
+  if [ "$free_space" -lt 500 ]; then
+    echo "Error: Insufficient disk space. Need at least 500MB free."
+    exit 1
+  fi
   TRIVY_TEMP_DIR=$(mktemp -d)
-  trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+  if ! trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only; then
+    echo "Error: Failed to download Trivy database"
+    rm -rf "$TRIVY_TEMP_DIR"
+    exit 1
+  fi
-  tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+  if ! tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db; then
+    echo "Error: Failed to create database archive"
+    rm -rf "$TRIVY_TEMP_DIR"
+    exit 1
+  fi
   rm -rf $TRIVY_TEMP_DIR
 fi

💡 Codebase verification

Database download logic needs error handling

The script has two issues that need attention:

  • The database download command lacks error handling, which could lead to silent failures
  • The downloaded database isn't used as the scan explicitly uses ECR repositories

Suggested fixes:

  • Add error handling to the download: trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only || { echo "Error: DB download failed"; exit 1; }
  • Remove the DB download block since the scan uses remote repositories anyway
🔗 Analysis chain

Verify database usage in vulnerability scanning.

The downloaded database should be properly utilized by the subsequent Trivy scan command.

Run this script to verify database usage:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the Trivy scan command uses the downloaded database.

# Check if the scan command references any custom database paths
rg --type sh 'trivy\s+.*(?:--cache-dir|--db-repository)' .

# Check for any Trivy configuration files that might override database settings
fd -t f -e yaml -e yml trivy

Length of output: 430


Script:

#!/bin/bash
# Let's verify the complete database handling logic in the script

# Check the full context of database usage
rg -A 10 -B 5 'trivy.*--cache-dir' scripts/trivy_vulnerabilities_data.sh

# Check if there's any error handling for the database download
rg 'trivy.*download-db-only.*(\|\||&&|;)' scripts/trivy_vulnerabilities_data.sh

# Check if the downloaded database is actually used in the scan
rg -A 5 'trivy image.*--db-repository' scripts/trivy_vulnerabilities_data.sh

Length of output: 1180
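The review comment above asks for error handling and a free-space check around the DB download. What follows is an added example of how a maintainer could write that step as a function; it is not the project's script and not the reviewer's suggested diff. The names `TRIVY_BIN`, `MIN_FREE_MB`, `free_mb`, `require_free_mb`, `download_trivy_db` and `archive_has_db` are assumptions introduced here. Two things differ from the suggested diff: the space check is made on the filesystem that holds the `mktemp -d` directory rather than on `.`, and cleanup happens on one path instead of being repeated before every `exit 1`.

```shell
#!/bin/sh
# Added example (not the project's script, not the review's suggested diff):
# a hardened "download Trivy DB" step. TRIVY_BIN, MIN_FREE_MB and the
# function names below are assumptions made for this example.

# Overridable so the step can be exercised without network access or a real trivy.
TRIVY_BIN="${TRIVY_BIN:-trivy}"
MIN_FREE_MB="${MIN_FREE_MB:-500}"

# MiB free on the filesystem that actually holds "$1". Measuring "." is not
# enough: mktemp -d lands under ${TMPDIR:-/tmp}, which is often a separate
# and much smaller filesystem than the working directory.
free_mb() {
  df -Pk "$1" | awk 'NR==2 {print int($4/1024)}'
}

# Fail unless the filesystem behind $1 has at least $2 MiB free.
require_free_mb() {
  have=$(free_mb "$1")
  if [ "${have:-0}" -lt "$2" ]; then
    echo "Error: need at least $2 MB free under $1, have ${have:-0} MB" >&2
    return 1
  fi
}

# Download the DB into a private temp dir, refuse to package a partial
# download, and remove the temp dir on every exit path, not only the happy one.
# $1 = archive to write (gzip-compressed, so the .gz name is honest).
download_trivy_db() {
  out="$1"
  tmp=$(mktemp -d) || return 1
  status=0
  # One &&-chain: the first failing step short-circuits to the cleanup below.
  require_free_mb "$tmp" "$MIN_FREE_MB" &&
    "$TRIVY_BIN" --cache-dir "$tmp" image --download-db-only &&
    [ -s "$tmp/db/metadata.json" ] && [ -s "$tmp/db/trivy.db" ] &&
    tar -czf "$out" -C "$tmp/db" metadata.json trivy.db ||
    status=$?
  rm -rf "$tmp"
  if [ "$status" -ne 0 ]; then
    echo "Error: Trivy DB download/packaging failed (exit $status)" >&2
    # Never leave a half-written archive for a later step to trust.
    rm -f "$out"
  fi
  return "$status"
}

# True when the archive contains both files the scanner expects.
archive_has_db() {
  tar -tzf "$1" | grep -qx 'metadata.json' && tar -tzf "$1" | grep -qx 'trivy.db'
}
```

In the script this would replace the eight-line block with `download_trivy_db ./db.tar.gz || exit 1`. Note that packaging the DB only helps if the later `trivy image` call is pointed at the same cache (for example via `--cache-dir`); otherwise the scan fetches its own copy regardless of what this step produced.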

# Run Trivy scan
echo "Running Trivy scan for image: $IMAGE..."
trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --insecure --format json "$IMAGE" > "trivy_vulnerabilities.json" || {
echo "Error: Trivy scan failed for image: $IMAGE"
exit 1
}


# Process vulnerabilities and generate CSV
if jq -e '.Results | length > 0' "trivy_vulnerabilities.json" > /dev/null; then
jq -r --arg product "$product_name" '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID),\($product),TRIVY,\(.Severity)"' "trivy_vulnerabilities.json" | sort -u > "$NEW_VULN_FILE"
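Review bot: the guard and the download in the new block never meet: `if [ ! -d "$HOME/.cache/trivy/db" ]` tests the default cache, but the DB is fetched into `$(mktemp -d)` and that directory is removed on the block's last line, so `$HOME/.cache/trivy/db` is never created, the "Trivy DB not found" branch runs on every invocation, and the `trivy image ... --db-repository public.ecr.aws/aquasecurity/trivy-db` scan below (which passes no `--cache-dir`) fetches the DB again into the default cache. `./db.tar.gz` is not consumed by any visible line, so either drop the block or point both the download and the scan at one `--cache-dir`. Separately, the scan passes `--insecure`, which turns off TLS certificate verification for the registry and DB connections, so the vulnerability database the whole report depends on is fetched over an unauthenticated channel; remove it, or document the specific CA problem it works around. Minor: nothing checks the exit status of `trivy ... --download-db-only` before `tar` runs, `tar -cf ./db.tar.gz` writes an uncompressed archive under a `.gz` name (no `-z`), and `$TRIVY_TEMP_DIR` is unquoted in all three places it is used.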