bump needed for trivy to v0.57.1 in harbor-scanner-trivy

[stgdns]

Hello everyone,

I'm proposing that trivy is updated to v0.57.1 in harbor-scanner-trivy.

Reason: trivy scanner is not usable since quite a while because the vuln-db download constantly fails, because of github rate-limiting at the organization level ("aquasecurity"), see:
aquasecurity/trivy#7938

fixed in version: trivy to v0.57.1

If this is not possible, then maybe the PR goharbor/harbor-scanner-trivy#7 could be merged and the helm chart at https://helm.goharbor.io updated, to allow setting the vuln-db URLs manually.

PS: since recently the new home of harbor-scanner-trivy is:
https://github.com/goharbor/harbor-scanner-trivy

[benji78]

Technically harbor v2.11.2 now contains harbor-scanner-trivy v0.32.0 (= trivy v0.56.1)
So you can already set SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY environment variables to manually change the vulnerability database repositories (multiple db repositories should work).
This is not yet the case of harbor v2.12.0 (which only contains harbor-scanner-trivy v0.31.4 (= trivy v0.54.1))

If you use the helm chart, version 1.16.0 (harbor v2.12.0) has been updated with trivy-adapter-photon v2.12.0 (= harbor-scanner-trivy v0.32.0 = trivy v0.56.1) so you can set the environment variables directly in the chart's values:

    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

For previous versions, you can change the image version in the chart values (untested):

    trivy:
      image:
        tag: v2.12.0

For the new trivy defaults, an upgrade to trivy v0.57.1 is indeed necessary unless I hard code them in harbor-scanner-trivy#7 and it is merged.

[m8-t]

Just for clearance @benji78 - I recently updated Harbor to 2.12.0 because of the first trivy fix a few weeks ago.
Trivy adapter reports 0.56.1 as trivy version, so I would assume that this solution also works for 2.12?

scanner [ / ]$ trivy -v
Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-21 18:16:43.863577371 +0000 UTC
  NextUpdate: 2024-11-22 18:16:43.86357697 +0000 UTC
  DownloadedAt: 2024-11-21 21:46:14.990881268 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-22 02:45:24.819418998 +0000 UTC
  NextUpdate: 2024-11-25 02:45:24.819418878 +0000 UTC
  DownloadedAt: 2024-11-22 09:01:38.827602395 +0000 UTC

goharbor/trivy-adapter-photon:v2.12.0 is what I use (docker-compose setup)

[reasonerjt]

@dan-m8t I think the answer is yes.

[reasonerjt]

We'll resolve this one after trivy adapter's GAed, reopening...

[reasonerjt]

Closing the issue as v2.12.1 has pinned to trivy adapter v0.32.1 and trivy v0.57.1 via #21308