The adapter implements Pluggable Scanners API v1.1
and ships with Trivy v0.14.0.
There's also a tiny change in the way Trivy settings
are displayed in the scanner metadata response, i.e.
instead of com.github.aquasecurity.trivy.debugMode
it prints env.SCANNER_TRIVY_DEBUG_MODE. It makes it
explicit which env is use to set this parameter.
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
Add cleanbaseimage target in Makefile, and append it to the dependencies
of the cleanall target.
Closes#13602
Signed-off-by: He Weiwei <hweiwei@vmware.com>
This is the maintenance release to recompile the trivy
adapter service with Go 1.14.7 and pull Trivy v0.9.2.
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
We should use a golang that isn't having security issues.
This includes:
* go1.14.6 (released 2020/07/16) includes fixes to the go command, the
compiler, the linker, vet, and the database/sql, encoding/json,
net/http, reflect, and testing packages. See the Go 1.14.6 milestone on
our issue tracker for details.
* go1.14.7 (released 2020/08/06) includes security fixes to the
encoding/binary package. See the Go 1.14.7 milestone on our issue
tracker for details (CVE-2020-16845)
Signed-off-by: Dirk Mueller <dirk@dmllr.de>
Signed-off-by: Dirk Mueller <dmueller@suse.com>
Fixes#11885
This part will not by default be packaged into release.
A README.md will be added in another commit.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
The new version of the adapter service improves the Redis connection pool
management. In the previous versions a new connection pool was created for
each scan job, which might negatively impact the performance and resources
utilisation.
There is also a bug fix in Trivy v0.9.1 to properly handle the debug mode.
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
This commit bumps up Trivy to resolve the following issues reported
in the aquasecurity/harbor-scanner-trivy repository:
- https://github.com/aquasecurity/harbor-scanner-trivy/issues/114
- https://github.com/aquasecurity/harbor-scanner-trivy/issues/108
Note that this adapter vendors in Trivy v0.9.0 which has changed
the algorithm for qualifying severities. Previous versions of Trivy
preferred NVD scores, whereas this version will use vendor score
whenever it's possible.
We believe it's more suitable approach for qualifying severities.
Even though this change might impact vulnerability summaries in
some cases, the total number of vulnerabilities should stay the
same.
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
This commit bumps up Trivy to 0.7.0 and Trivy adapter service to 0.10.0
in order to handle scratch and slim images, for which we cannot detect
the underlying operating system.
Resolves: #11964
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
This release adds ubuntu support for newer releases and fixes an issue where RHEL updaters bailed to quickly.
https://github.com/quay/clair/releases/tag/v2.1.3
Signed-off-by: Leo Le Bouter <leo.lebouter-ext@aphp.fr>
1. Enable `security` in the swagger.yaml.
2. Include `basic` auth in `security` to make the generated python
client by `swagger-codegen-cli` work with basic authorization.
3. Include `anonymous` auth in `security` to make APIs of v2.0 generated
by `goswagger` work with `security` middleware.
Closes#11771
Signed-off-by: He Weiwei <hweiwei@vmware.com>
- Vendor the latest Trivy release 0.6.0
- Configure TLS 1.2 as min version when TLS is enabled
- Add more tracing to adapter config to facilitate troubleshooting
Resolves: #11544
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
In this version of Trivy we improved error handling
when Trivy cannot open the Trivy DB file. If it fails,
the error is catched to retry the DB file download.
Resolves: #11373
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
Allows configuring SCANNER_TRIVY_GITHUB_TOKEN environment variable,
which is passed to trivy executable binary when it starts scanning
a given artifact.
This is to increase GitHub requests rate limit from 60 per hours
(for anonymous requests) to 5000 when Trivy download its
vulnerabilities database.
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>