🐞 Bug report
In addition to scanning docker images, trivy can also can software repos, filesystems, etc. However, this does not work with the SCB integration due to the way that SCB handles parameters.
Describe the bug
SecureCodeBox parameterizes the docker container of trivy as follows:
|
command: |
|
- "trivy" |
|
# Suppress progress bar, as it pollutes non interactive terminal logs |
|
- "--no-progress" |
|
- "--format" |
|
- "json" |
|
- "--output" |
|
- "/home/securecodebox/trivy-results.json" |
When replicated locally, this results in:
trivy --no-progress --format json --output /home/securecodebox/trivy-results.json $PARAMS
(where $PARAMS is any additional parameters as specified in the Scan definition).
This works fine for scanning a docker image from the repositories (the default behavior). However, when trying to scan a VCS repo, you need to use trivy repo $PARAMS..., when scanning a file system trivy fs $PARAMS. Any parameters given before the repo, fs etc. are silently ignored by trivy. Thus, any ScanSpec that utilizes these modes will effectively strip the --no-progress --format json --output /home/securecodebox/trivy-results.json from the command, leading to the parser failing to run properly.
Example Scan to reproduce:
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "trivy-breakage"
spec:
scanType: "trivy"
parameters:
- "repo"
- "https://github.com/secureCodeBox/secureCodeBox"This will result in the parser failing to find a result, and the pod logs showing the ASCII output of trivy.
Workaround
You can work around this issue by specifying the missing parameters again in the Scan definition, after the fs/ repo but before the target (specifying them after the target will also break the trivy parameter parser, it seems).
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "trivy-breakage"
spec:
scanType: "trivy"
parameters:
- "repo"
- "--no-progress"
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
- "https://github.com/secureCodeBox/secureCodeBox"I am not sure if there is anything we can do about this aside from putting a warning into the docs, so I have labelled this as both a bug and a documentation issue. If anyone has an idea, let me know, otherwise I'll update the docs as part of the change introduced in #777.
🐞 Bug report
In addition to scanning docker images, trivy can also can software repos, filesystems, etc. However, this does not work with the SCB integration due to the way that SCB handles parameters.
Describe the bug
SecureCodeBox parameterizes the docker container of trivy as follows:
secureCodeBox/scanners/trivy/templates/trivy-scan-type.yaml
Lines 29 to 36 in cdc9732
When replicated locally, this results in:
trivy --no-progress --format json --output /home/securecodebox/trivy-results.json $PARAMS(where
$PARAMSis any additional parameters as specified in the Scan definition).This works fine for scanning a docker image from the repositories (the default behavior). However, when trying to scan a VCS repo, you need to use
trivy repo $PARAMS..., when scanning a file systemtrivy fs $PARAMS. Any parameters given before therepo,fsetc. are silently ignored by trivy. Thus, any ScanSpec that utilizes these modes will effectively strip the--no-progress --format json --output /home/securecodebox/trivy-results.jsonfrom the command, leading to the parser failing to run properly.Example Scan to reproduce:
This will result in the parser failing to find a result, and the pod logs showing the ASCII output of trivy.
Workaround
You can work around this issue by specifying the missing parameters again in the Scan definition, after the
fs/repobut before the target (specifying them after the target will also break the trivy parameter parser, it seems).I am not sure if there is anything we can do about this aside from putting a warning into the docs, so I have labelled this as both a bug and a documentation issue. If anyone has an idea, let me know, otherwise I'll update the docs as part of the change introduced in #777.