From 0af2129dd95dad407053763863c446cc8f04ab92 Mon Sep 17 00:00:00 2001
From: Quentin Bouteiller
Date: Fri, 15 Nov 2024 14:53:21 +0100
Subject: [PATCH] Add support for trivy db_repository and java_db_repository

Signed-off-by: Quentin Bouteiller
---
 make/harbor.yml.tmpl | 5 +++++
 make/photon/prepare/templates/trivy-adapter/env.jinja | 2 ++
 make/photon/prepare/utils/configs.py | 2 ++
 3 files changed, 9 insertions(+)

diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
index 212544159..531dcc95b 100644
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@@ -102,6 +102,11 @@ trivy:
 # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
 skip_java_db_update: false
 #
+ # OCI repository to retrieve the trivy vulnerability database from.
+ db_repository: ghcr.io/aquasecurity/trivy-db
+ # OCI repository to retrieve the Java trivy vulnerability database from.
+ java_db_repository: ghcr.io/aquasecurity/trivy-java-db
+ #
+ # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
 # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
 # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
diff --git a/make/photon/prepare/templates/trivy-adapter/env.jinja b/make/photon/prepare/templates/trivy-adapter/env.jinja
index 406e6a91a..871abb430 100644
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
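Review bot: The new comments above `db_repository` and `java_db_repository` leave out the trust decision these keys make: Trivy will pull and use vulnerability data from whatever repository is named here, so a private mirror becomes part of the trust boundary for every scan result Harbor reports, and a stale or tampered mirror silently changes which CVEs are found. I would extend the first comment with `# Only point this at a registry you trust and keep in sync: a stale or tampered database silently changes scan results.` and add the same caveat above `java_db_repository`. The template also does not say how these keys relate to `skip_update` / `skip_java_db_update` directly above them — presumably the repository is irrelevant once updates are skipped, but that should be confirmed against trivy-adapter and stated in the comment, since an operator mirroring for an air-gapped deployment needs to know which of the two mechanisms to use.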
@@ -11,6 +11,8 @@ SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
 SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
 SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE={{trivy_skip_java_db_update}}
+SCANNER_TRIVY_DB_REPOSITORY={{trivy_db_repository}}
+SCANNER_TRIVY_JAVA_DB_REPOSITORY={{trivy_java_db_repository}}
 SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
 SCANNER_TRIVY_SECURITY_CHECKS={{trivy_security_check}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index aff786729..4ac7f60d2 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -213,6 +213,8 @@ def parse_yaml_config(config_file_path, with_trivy):
 config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
 config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
 config_dict['trivy_skip_java_db_update'] = trivy_configs.get("skip_java_db_update") or False
+ config_dict['trivy_db_repository'] = trivy_configs.get("db_repository") or 'ghcr.io/aquasecurity/trivy-db'
+ config_dict['trivy_java_db_repository'] = trivy_configs.get("java_db_repository") or 'ghcr.io/aquasecurity/trivy-java-db'
 config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
 config_dict['trivy_security_check'] = trivy_configs.get("security_check") or 'vuln'
 config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
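Review bot: Nothing validates the operator-supplied `db_repository` / `java_db_repository` values before the two added lines store them, and the env.jinja hunk in this same patch then writes each one verbatim onto a `KEY=value` line of the trivy-adapter env file, so a value carrying leading/trailing whitespace or an embedded newline would either break that file or inject an additional variable into the scanner's environment. The fallback literals `'ghcr.io/aquasecurity/trivy-db'` and `'ghcr.io/aquasecurity/trivy-java-db'` are also duplicated from harbor.yml.tmpl, so the two defaults can drift independently. I would resolve both keys through a small helper that strips the value and rejects anything containing whitespace, with the defaults hoisted to module-level constants, as below; `parse_yaml_config` begins and ends outside this hunk, and the exact indentation of its body is not recoverable from the collapsed hunk. Checking the reference syntax itself (registry, path, optional tag or digest) would need to know how trivy-adapter consumes the value, which this patch does not show, so the check is kept to what the env-file format requires.
```python
# module level, alongside the other prepare-time defaults
DEFAULT_TRIVY_DB_REPOSITORY = 'ghcr.io/aquasecurity/trivy-db'
DEFAULT_TRIVY_JAVA_DB_REPOSITORY = 'ghcr.io/aquasecurity/trivy-java-db'


def _trivy_repository(trivy_configs, key, default):
    """Return trivy.<key> or *default*, refusing values that cannot sit on a single env-file line."""
    value = str(trivy_configs.get(key) or default).strip()
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"trivy.{key} must be a single OCI repository reference, got {value!r}")
    return value

        # … unchanged: trivy_github_token / trivy_skip_update / trivy_skip_java_db_update …
        config_dict['trivy_db_repository'] = _trivy_repository(trivy_configs, 'db_repository', DEFAULT_TRIVY_DB_REPOSITORY)
        config_dict['trivy_java_db_repository'] = _trivy_repository(trivy_configs, 'java_db_repository', DEFAULT_TRIVY_JAVA_DB_REPOSITORY)
        # … unchanged: trivy_offline_scan / trivy_security_check / trivy_ignore_unfixed …
```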