From 0e0e7afce0e493eea3990e92cfffa468ffdfac90 Mon Sep 17 00:00:00 2001
From: DQ
Date: Tue, 8 Sep 2020 14:26:01 +0800
Subject: [PATCH] Fix trivy setting in upgrading script

Signed-off-by: DQ
---
 .../version_1_10_0/harbor.yml.jinja | 2 +
 .../migrations/version_1_9_0/harbor.yml.jinja | 2 +
 .../migrations/version_2_0_0/harbor.yml.jinja | 27 ++++++--
 .../migrations/version_2_1_0/harbor.yml.jinja | 69 +++++++++++++++++--
 4 files changed, 86 insertions(+), 14 deletions(-)
diff --git a/make/photon/prepare/migrations/version_1_10_0/harbor.yml.jinja b/make/photon/prepare/migrations/version_1_10_0/harbor.yml.jinja
index b09389807..b79fee3ee 100644
--- a/make/photon/prepare/migrations/version_1_10_0/harbor.yml.jinja
+++ b/make/photon/prepare/migrations/version_1_10_0/harbor.yml.jinja
@@ -254,6 +254,8 @@ external_database:
 # username: harbor_db_username
 # password: harbor_db_password
 # ssl_mode: disable
+# max_idle_conns: 2
+# max_open_conns: 0
 # clair:
 # host: clair_db_host
 # port: clair_db_port
diff --git a/make/photon/prepare/migrations/version_1_9_0/harbor.yml.jinja b/make/photon/prepare/migrations/version_1_9_0/harbor.yml.jinja
index 6d6b9750b..45c39bff4 100644
--- a/make/photon/prepare/migrations/version_1_9_0/harbor.yml.jinja
+++ b/make/photon/prepare/migrations/version_1_9_0/harbor.yml.jinja
@@ -193,6 +193,8 @@ external_database:
 # username: harbor_db_username
 # password: harbor_db_password
 # ssl_mode: disable
+# max_idle_conns: 2
+# max_open_conns: 0
 # clair:
 # host: clair_db_host
 # port: clair_db_port
diff --git a/make/photon/prepare/migrations/version_2_0_0/harbor.yml.jinja b/make/photon/prepare/migrations/version_2_0_0/harbor.yml.jinja
index 19ba39a66..ea9be0d81 100644
--- a/make/photon/prepare/migrations/version_2_0_0/harbor.yml.jinja
+++ b/make/photon/prepare/migrations/version_2_0_0/harbor.yml.jinja
@@ -134,21 +134,32 @@ clair:
 {% endif %}
 
 # Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
 trivy:
- # github_token The GitHub access token to download Trivy DB
+ # ignoreUnfixed The flag to display only fixed vulnerabilities
+ ignore_unfixed: false
+ # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
 #
- # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
- # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
- # in the local file system (/home/scanner/.cache/trivy/db/trivy.db). In addition, the database contains the update
- # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
- # Currently, the database is updated every 12 hours and published as a new release to GitHub.
+ # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+ # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+ # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+ skip_update: false
+ #
+ # insecure The flag to skip verifying registry certificate
+ insecure: false
+ # github_token The GitHub access token to download Trivy DB
 #
 # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
 # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
 # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
 # https://developer.github.com/v3/#rate-limiting
 #
- # You can create a GitHub token by following the instuctions in
+ # You can create a GitHub token by following the instructions in
 # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
 #
 # github_token: xxx
@@ -281,6 +292,8 @@ external_database:
 # username: harbor_db_username
 # password: harbor_db_password
 # ssl_mode: disable
+# max_idle_conns: 2
+# max_open_conns: 0
 # clair:
 # host: clair_db_host
 # port: clair_db_port
diff --git a/make/photon/prepare/migrations/version_2_1_0/harbor.yml.jinja b/make/photon/prepare/migrations/version_2_1_0/harbor.yml.jinja
index f40bf47de..c096583a5 100644
--- a/make/photon/prepare/migrations/version_2_1_0/harbor.yml.jinja
+++ b/make/photon/prepare/migrations/version_2_1_0/harbor.yml.jinja
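Review bot: The comment labels `ignoreUnfixed` and `skipUpdate` above `ignore_unfixed:` and `skip_update:` do not match the key names they document, so an operator grepping the rendered harbor.yml for the name given in the comment finds no key; the version_2_1_0 hunk repeats the same mismatch in both of its branches. Using the key's own spelling, `# ignore_unfixed  The flag to display only fixed vulnerabilities` and `# skip_update  The flag to enable or disable Trivy DB downloads from GitHub`, keeps comment and key aligned. The `insecure` line would also benefit from naming the consequence rather than only what is skipped, e.g. `# insecure  Skip TLS certificate verification of the registry Trivy connects to; leave false unless the registry cannot present a trusted certificate`.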
@@ -134,24 +134,77 @@ clair:
 {% endif %}
 
 # Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
+{% if trivy is defined %}
 trivy:
- # github_token The GitHub access token to download Trivy DB
+ # ignoreUnfixed The flag to display only fixed vulnerabilities
+ {% if trivy.ignore_unfixed is defined %}
+ ignore_unfixed: {{ trivy.ignore_unfixed }}
+ {% else %}
+ ignore_unfixed: false
+ {% endif %}
+ # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
 #
- # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
- # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
- # in the local file system (/home/scanner/.cache/trivy/db/trivy.db). In addition, the database contains the update
- # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
- # Currently, the database is updated every 12 hours and published as a new release to GitHub.
+ # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+ # If the flag is enabled you have to manually download the `trivy.db` file and mount it in the
+ # /home/scanner/.cache/trivy/db/trivy.db path.
+ {% if trivy.skip_update is defined %}
+ skip_update: {{ trivy.skip_update }}
+ {% else %}
+ skip_update: false
+ {% endif %}
+ #
+ # insecure The flag to skip verifying registry certificate
+ {% if trivy.insecure is defined %}
+ insecure: {{ trivy.insecure }}
+ {% else %}
+ insecure: false
+ {% endif %}
+ # github_token The GitHub access token to download Trivy DB
 #
 # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
 # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
 # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
 # https://developer.github.com/v3/#rate-limiting
 #
- # You can create a GitHub token by following the instuctions in
+ # You can create a GitHub token by following the instructions in
 # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
 #
+ {% if trivy.github_token is defined %}
+ github_token: {{ trivy.github_token }}
+ {% else %}
 # github_token: xxx
+ {% endif %}
+{% else %}
+# trivy:
+# # ignoreUnfixed The flag to display only fixed vulnerabilities
+# ignore_unfixed: false
+# # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+# #
+# # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+# # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+# # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+# skip_update: false
+# #
+# # insecure The flag to skip verifying registry certificate
+# insecure: false
+# # github_token The GitHub access token to download Trivy DB
+# #
+# # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+# # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+# # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+# # https://developer.github.com/v3/#rate-limiting
+# #
+# # You can create a GitHub token by following the instructions in
+# # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+# #
+# # github_token: xxx
+{% endif %}
 
 jobservice:
 # Maximum number of job workers in job service
@@ -281,6 +334,8 @@ external_database:
 # username: harbor_db_username
 # password: harbor_db_password
 # ssl_mode: disable
+# max_idle_conns: 2
+# max_open_conns: 0
 # clair:
 # host: clair_db_host
 # port: clair_db_port
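Review bot: The `skip_update` help text differs between the two branches of this hunk: under `{% if trivy is defined %}` it tells the operator to mount a single `trivy.db` at `/home/scanner/.cache/trivy/db/trivy.db`, while the `{% else %}` branch (and the version_2_0_0 template) describe downloading `trivy-offline.tar.gz`, extracting `trivy.db` and `metadata.json` and mounting them in `/home/scanner/.cache/trivy/db`. Whichever procedure is current, the defined branch should carry the same three comment lines as the else branch so an upgraded and a freshly generated harbor.yml do not give contradictory instructions for the same flag. Separately, `github_token: {{ trivy.github_token }}` emits the carried-over secret as a plain scalar; a value beginning with a YAML indicator or containing ` #` would be re-parsed differently on the next load, so `github_token: "{{ trivy.github_token }}"` is the safer rendering. The three boolean flags are rendered the same way and presumably come out as `True`/`False` when the loaded value is a Python bool — accepted by a YAML 1.1 loader, but worth confirming against the loader that reads the migrated file.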