chore: bump up trivy to v0.57.1 #2301
Conversation
afdesk
changed the title
afdesk
force-pushed
the
chore/bump-trivy-0.56.2
branch
from
d7b3e21 to
709ae3c
Compare
afdesk
force-pushed
the
chore/bump-trivy-0.56.2
branch
from
033fb43 to
5fa71c0
Compare
|
@simar7 @nikpivkin there were some changes (renaming) in |
|
PR mentions an upgrade to v0.57.0, but v0.57.1 is already available |
There was a problem hiding this comment.
I reviewed the pkg/ changes and they lgtm. @nikpivkin could you also take another look?
afdesk
changed the title
fixed |
| @@ -690,7 +690,7 @@ policiesBundle: | |||
| # -- repository of the policies bundle | |||
| repository: aquasecurity/trivy-checks | |||
There was a problem hiding this comment.
I think it's worth changing the default value in the future after the release of trivy-checks in DockerHub in case the use of embedded checks is disabled.
|
Did you miss to bump the version of the chart or is there any reason? https://github.com/aquasecurity/trivy-operator/blob/main/deploy/helm/Chart.yaml#L9 I'm happy to provide a PR for the change. |
|
I've just seen that other changes have also been merged recently, and I assume it's not being updated because of the upcoming release? I apologize for my impatience and the inconvenience. |
It's OK |
* chore: bump up trivy to v0.56.2 * bump up trivy-check * fix dep conflicts * refactor: rebase go.mod * chore: update static yaml files * chore: rerun tests * fix: incorrect check for duplicate controller names * ci: bump timeouts up 10 minutes * chore: bump Trivy up 0.57.0 * chore: install yamllint * chore: set up a specific ubuntu version for GH runners * ci: bump up helm chart testing * ci: set up a specific version for helm chart testing * chore: increase a timeout for helm test * ci: bump up timeouts * chore: bump Trivy up in helm chart * docs: bump up Trivy version * chore: update static yaml * chore: using docker.io as a registry * chore: update docs and static yaml * chore: skip validation of controller name * chore: revert registry from docker to ghcr * chore: remove timeouts for tests * chore: bump up trivy-check tag * chore: using embedded rego policies * chore: show logs for failures * chore: using mirror.gcr.io instead of ghcr.io * update to trivy v0.57.1 --------- Co-authored-by: Simar <[email protected]>
Description
This PR updates dependencies related on Trivy 0.57.0 and fixes some vulnerabilities inside these ones.
Notes:
Support NVD CVSS V4.0 Schema was added in Trivy DB: feat(vulnsrc/nvd): add CVSS v4.0 trivy-db#414.
controller-runtime v0.19.0contains a breaking change - a check for duplicate controller names (⚠️ Validate controller names are unique kubernetes-sigs/controller-runtime#2902). It's disabled for this PR and should be disabled for tests.More details: incorrect check for duplicate controller names kubernetes-sigs/controller-runtime#2937
Now using build-in Rego policies is disabled by default,
useEmbeddedRegoPoliciesis enabled. It allows to decrease downloads fromghcr.io(the single source for trivy-checks)Trivy-operator uses
mirror.gcr.ioregistry instead ofghcr.ioby default for some available OCI artifacts (trivy-db,trivy-java-db).Before:
After
Checklist