feat: bump TRIVYVERSION to v0.22.0 and bump TRIVYADAPTERVERSION to v0.25.0

Signed-off-by: Shengwen Yu <yshengwen@vmware.com>
2024-11-22 10:15:35 +01:00 · 2022-01-19 17:42:12 +08:00 · 2022-01-19 17:42:12 +08:00 · 46f97ecf6c
commit 46f97ecf6c
parent 9afe596403
4 changed files with 12 additions and 2 deletions
--- a/4
+++ b/4
@ -111,8 +111,8 @@ PREPARE_VERSION_NAME=versions
 REGISTRYVERSION=v2.7.1-patch-2819-2553-redis
 NOTARYVERSION=v0.6.1
 NOTARYMIGRATEVERSION=v4.11.0
-TRIVYVERSION=v0.20.1
-TRIVYADAPTERVERSION=v0.24.0
+TRIVYVERSION=v0.22.0
+TRIVYADAPTERVERSION=v0.25.0

 # version of chartmuseum for pulling the source code
 CHARTMUSEUM_SRC_TAG=v0.13.1
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@ -78,6 +78,14 @@ trivy:
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
+  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
+  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
+  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
+  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
+  # It would work if all the dependencies are in local.
+  # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
+  offline_scan: false
+  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@ -10,6 +10,7 @@ SCANNER_TRIVY_VULN_TYPE=os,library
 SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
 SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
+SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 SCANNER_TRIVY_INSECURE={{trivy_insecure}}
 SCANNER_TRIVY_TIMEOUT={{trivy_timeout}}
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@ -222,6 +222,7 @@ def parse_yaml_config(config_file_path, with_notary, with_trivy, with_chartmuseu
    trivy_configs = configs.get("trivy") or {}
    config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
    config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
+    config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
    config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
    config_dict['trivy_insecure'] = trivy_configs.get("insecure") or False
    config_dict['trivy_timeout'] = trivy_configs.get("timeout") or '5m0s'