
Commit 7af8c0a

Merge pull request #34 from hteichmann-strato/feat/add-vex-support
feat: Add config option to enable vex-support for trivy
2 parents 253ac11 + 271f1da commit 7af8c0a


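--- a/README.md
+++ b/README.md
@@ -95,6 +95,8 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) |
 | `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate |
 | `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion |
+| `SCANNER_TRIVY_VEX_SOURCE` | N/A | Enable VEX, possible values are `oci` and `repo` [EXPERIMENTAL] |
+| `SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE` | `false` | Skip updating the VEX repository [EXPERIMENTAL] |
 | `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store |
 | `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports |
 | `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis |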

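--- a/helm/harbor-scanner-trivy/templates/statefulset.yaml
+++ b/helm/harbor-scanner-trivy/templates/statefulset.yaml
@@ -121,6 +121,10 @@ spec:
 value: "/certs/tls.crt"
 - name: "SCANNER_API_SERVER_TLS_KEY"
 value: "/certs/tls.key"
+- name: "SCANNER_TRIVY_VEX_SOURCE"
+value: {{ .Values.scanner.trivy.VEXSource | default "" | quote }}
+- name: "SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE"
+value: {{ .Values.scanner.trivy.skipVEXRepoUpdate | default false | quote }}
 {{- end }}
 ports:
 - name: api-server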
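Review bot: The new `SCANNER_TRIVY_VEX_SOURCE` and `SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE` entries are inserted directly after the TLS cert/key entries and before a `{{- end }}`, which suggests they sit inside whatever conditional gates those TLS env vars; if that conditional is a TLS toggle, the VEX settings are silently dropped whenever it is off and the chart values have no effect. The opening `{{- if … }}` is outside this hunk, so this is an inference to confirm; if it is a TLS guard, move the two entries below `{{- end }}` next to the unconditional env vars. Quoting the bool via `| default false | quote` is right because the adapter parses the string `"false"`, but `| default ""` on `VEXSource` is a no-op and could be dropped for readability.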

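--- a/helm/harbor-scanner-trivy/values.yaml
+++ b/helm/harbor-scanner-trivy/values.yaml
@@ -150,6 +150,10 @@ scanner:
 # # https://cwe.mitre.org/data/definitions/352.html
 # input.CweIDs[_] == "CWE-352"
 # }
+## VEXSource the VEX source for vulnerability filtering. Possible values are `oci` and `repo`.
+VEXSource: ""
+## skipVEXRepoUpdate the flag to skip updating the VEX repository
+skipVEXRepoUpdate: false
 store:
 ## redisNamespace the namespace for keys in the Redis store
 redisNamespace: "harbor.scanner.trivy:store"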
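Review bot: The new values key `VEXSource` departs from the camelCase convention every neighbouring key follows (`skipVEXRepoUpdate` two lines below, `redisNamespace`), and the leading capital is an easy thing for chart users to get wrong with no error to tell them; `vexSource: ""` with the template reading `.Values.scanner.trivy.vexSource` would be consistent, changed in step with the statefulset template. The README marks both options `[EXPERIMENTAL]` but the values comments do not, and a user editing values.yaml rarely has the README open; suggest `## vexSource the VEX source for vulnerability filtering (EXPERIMENTAL). Possible values are "oci" and "repo"; empty disables VEX.` so the off state is documented where the default lives.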

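--- a/pkg/etc/config.go
+++ b/pkg/etc/config.go
@@ -38,8 +38,10 @@ type Trivy struct {
 JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY"`
 OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
-Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
-Timeout time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
+Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
+VEXSource string `env:"SCANNER_TRIVY_VEX_SOURCE"`
+SkipVEXRepoUpdate bool `env:"SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE" envDefault:"false"`
+Timeout time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
 }
 
 type API struct {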
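Review bot: The two new `Trivy` fields carry no doc comment, and nothing in the struct says that an empty `VEXSource` leaves VEX off — that contract is only discoverable from the `!= ""` check in the wrapper, and the README's `N/A` default does not spell it out either. Suggest `// VEXSource selects where Trivy loads VEX statements from ("oci" or "repo"); empty leaves VEX disabled.` and `// SkipVEXRepoUpdate passes --skip-vex-repo-update so a scan never refreshes the VEX repository; presumably only meaningful with VEXSource "repo".` Note also that nothing validates the value against the documented `oci`/`repo` set at load time, so a typo surfaces only as a per-scan Trivy failure rather than at startup. The `Trivy` struct's header is outside this hunk.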

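--- a/pkg/etc/config_test.go
+++ b/pkg/etc/config_test.go
@@ -159,7 +159,9 @@ func TestGetConfig(t *testing.T) {
 "SCANNER_TRIVY_SKIP_UPDATE": "true",
 "SCANNER_TRIVY_OFFLINE_SCAN": "true",
 "SCANNER_TRIVY_GITHUB_TOKEN": "<GITHUB_TOKEN>",
-"SCANNER_TRIVY_TIMEOUT": "15m30s",
+"SCANNER_TRIVY_TIMEOUT": "15m30s",
+"SCANNER_TRIVY_VEX_SOURCE": "oci",
+"SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "true",
 
 "SCANNER_STORE_REDIS_NAMESPACE": "store.ns",
 "SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s",
@@ -199,8 +201,10 @@ func TestGetConfig(t *testing.T) {
 SkipJavaDBUpdate: false,
 OfflineScan: true,
 Insecure: true,
-GitHubToken: "<GITHUB_TOKEN>",
-Timeout: parseDuration(t, "15m30s"),
+GitHubToken: "<GITHUB_TOKEN>",
+Timeout: parseDuration(t, "15m30s"),
+VEXSource: "oci",
+SkipVEXRepoUpdate: true,
 },
 RedisPool: RedisPool{
 URL: "redis://harbor-harbor-redis:6379",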

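--- a/pkg/http/api/v1/handler.go
+++ b/pkg/http/api/v1/handler.go
@@ -315,7 +315,9 @@ func (h *requestHandler) GetMetadata(res http.ResponseWriter, _ *http.Request) {
 "env.SCANNER_TRIVY_VULN_TYPE": h.config.Trivy.VulnType,
 "env.SCANNER_TRIVY_SECURITY_CHECKS": h.config.Trivy.Scanners,
 "env.SCANNER_TRIVY_SEVERITY": h.config.Trivy.Severity,
-"env.SCANNER_TRIVY_TIMEOUT": h.config.Trivy.Timeout.String(),
+"env.SCANNER_TRIVY_TIMEOUT": h.config.Trivy.Timeout.String(),
+"env.SCANNER_TRIVY_VEX_SOURCE": h.config.Trivy.VEXSource,
+"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": strconv.FormatBool(h.config.Trivy.SkipVEXRepoUpdate),
 }
 
 vi, err := h.wrapper.GetVersion()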

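--- a/pkg/http/api/v1/handler_test.go
+++ b/pkg/http/api/v1/handler_test.go
@@ -710,15 +710,17 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 },
 config: etc.Config{
 Trivy: etc.Trivy{
-SkipDBUpdate: false,
-SkipJavaDBUpdate: false,
-IgnoreUnfixed: true,
-DebugMode: true,
-Insecure: true,
-VulnType: "os,library",
-Scanners: "vuln",
-Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-Timeout: 5 * time.Minute,
+SkipDBUpdate: false,
+SkipJavaDBUpdate: false,
+IgnoreUnfixed: true,
+DebugMode: true,
+Insecure: true,
+VulnType: "os,library",
+Scanners: "vuln",
+Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+Timeout: 5 * time.Minute,
+VEXSource: "oci",
+SkipVEXRepoUpdate: true,
 },
 },
 expectedHTTPCode: http.StatusOK,
@@ -773,7 +775,9 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+"env.SCANNER_TRIVY_VEX_SOURCE": "oci",
+"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "true"
 }
 }`,
 },
@@ -798,6 +802,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 Scanners: "vuln",
 Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 Timeout: 5 * time.Minute,
+VEXSource: "repo",
 },
 },
 expectedHTTPCode: http.StatusOK,
@@ -850,7 +855,9 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+"env.SCANNER_TRIVY_VEX_SOURCE": "repo",
+"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "false"
 }
 }`,
 },
@@ -921,7 +928,9 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+"env.SCANNER_TRIVY_VEX_SOURCE": "",
+"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "false"
 }
 }`,
 },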

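--- a/pkg/trivy/wrapper.go
+++ b/pkg/trivy/wrapper.go
@@ -219,6 +219,14 @@ func (w *wrapper) prepareScanCmd(target ScanTarget, outputFile string, opt ScanO
 args = append(args, "--insecure")
 }
 
+if w.config.VEXSource != "" {
+args = append(args, "--vex", w.config.VEXSource)
+}
+
+if w.config.SkipVEXRepoUpdate {
+args = append(args, "--skip-vex-repo-update")
+}
+
 targetName, err := target.Name()
 if err != nil {
 return nil, xerrors.Errorf("get target name: %w", err)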
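Review bot: `w.config.VEXSource` reaches `--vex` without being checked against the two values the README documents (`oci`, `repo`), so a typo such as `repos` is only discovered when every scan fails rather than once at startup; because the value is appended as its own argv element there is no shell-injection concern here, only a late and repeated failure. A guard before the append — `if src := w.config.VEXSource; src != "" && src != "oci" && src != "repo" { return nil, xerrors.Errorf("unsupported VEX source %q", src) }` — or the equivalent check at config load would keep the documented contract honest, unless passing file paths to `--vex` is intended, in which case the README should say so. A short comment is also worth adding for the next reader, since VEX is a filter that removes findings from the report and with `repo` the statements appear to be fetched from a remote VEX repository at scan time (that is what `--skip-vex-repo-update` exists to suppress), which interacts with `OfflineScan`/air-gapped deployments and with whichever repositories Trivy itself is configured to trust — neither of which this adapter controls; something like `// VEX statements suppress findings; with "repo" they are fetched at scan time unless SkipVEXRepoUpdate is set.` `prepareScanCmd` begins and ends outside this hunk.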

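--- a/test/integration/api/rest_api_test.go
+++ b/test/integration/api/rest_api_test.go
@@ -417,7 +417,9 @@ func TestRestAPI(t *testing.T) {
 "env.SCANNER_TRIVY_VULN_TYPE": "os",
 "env.SCANNER_TRIVY_SEVERITY": "LOW,MEDIUM,HIGH,CRITICAL",
 "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
-"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+"env.SCANNER_TRIVY_VEX_SOURCE": "",
+"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "false"
 }
 }`,
 now.UTC().Format(time.RFC3339)),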
