Merged
123 changes: 123 additions & 0 deletions scanners/trivy/.helm-docs.gotmpl
Expand Up @@ -41,6 +41,129 @@ The following security scan configuration example are based on the [Trivy Docume
- Filter the vulnerabilities by type (`os` or `library`) `trivy image --vuln-type os ruby:2.4.0`
- Skip update of vulnerability DB: `trivy image --skip-update python:3.4-alpine3.9`
- Ignore unfixed vulnerabilities:`trivy image --ignore-unfixed ruby:2.4.0` By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them, use the `--ignore-unfixed` option.

::: caution
Due to [limitations in the trivy argument parser](https://github.com/secureCodeBox/secureCodeBox/issues/796), scanning anything other than docker images (e.g., Git repositories) requires some extra parameters.
Please append the following extra arguments **after** specifying the mode (e.g., `repo`) but **before** specifying the target for the scan:
```yaml
- "--no-progress"
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
```

A complete scan definition for the secureCodeBox repository may look something like this:
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "trivy-scb"
spec:
scanType: "trivy"
parameters:
- "repo"
- "--no-progress"
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
- "https://github.com/secureCodeBox/secureCodeBox"
```
:::

### Scanning Many Targets
By default, the docker container of trivy will download new rulesets when starting the process.
As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/v0.20.2/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
If this fits your use case, you can deploy a rule service with the following template:
```yaml
# First declare a service that will serve requests to the rule pod
kind: Service
apiVersion: v1
metadata:
name: trivy-rules
# Update the namespace here if you are using a different one
namespace: default
labels:
app: trivy-rules
spec:
selector:
app: trivy-rules
ports:
- port: 8080
protocol: TCP
targetPort: 8080
type: ClusterIP
---
# Now declare the actual deployment of the rule server
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-rules
# Again, update the namespace here
namespace: default
labels:
app: trivy-rules
spec:
replicas: 1
selector:
matchLabels:
app: trivy-rules
template:
metadata:
labels:
app: trivy-rules
spec:
containers:
- name: trivy-rules
# Don't forget to set this to a version matching that used in secureCodeBox
image: aquasec/trivy:0.20.2
imagePullPolicy: Always
args:
- "server"
- "--listen"
- "0.0.0.0:8080"
ports:
- containerPort: 8080
protocol: TCP
```

You can then start scans of images using the client mode. For example:

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "test-trivy"
# Don't forget to update the namespace if necessary
namespace: default
spec:
scanType: "trivy"
parameters:
- "client"
# Again, add the extra parameters here (required to make the parser work)
# But don't add the --no-progress switch.
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
# Specify the rule service internal DNS name here.
# (Substitute a different namespace if you changed it)
- "--remote"
- "http://trivy-rules.default.svc:8080"
# Finally, specify the image you want to scan
- "securecodebox/operator:3.0.0"
```

If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/v0.20.2/advanced/air-gap/).
In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://docs.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
Consult the [trivy documentation](https://aquasecurity.github.io/trivy/v0.20.2/advanced/air-gap/) for additional details on the required steps.


{{- end }}

{{- define "extra.chartConfigurationSection" -}}
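Review bot: the client-mode Scan example tells the reader not to add `--no-progress` but gives no reason, and the rule server it talks to is reachable by any pod in the cluster without authentication; both need a sentence in this section. On the first point, say why the switch must be omitted in client mode, since the caution block immediately above tells the reader to add it for `repo` scans and the contradiction will confuse. On the second, the `trivy-rules` Service is a plain `ClusterIP` on port 8080 and the Deployment runs only `server --listen 0.0.0.0:8080` with no access control configured, so consider recommending a NetworkPolicy that limits ingress to the secureCodeBox scanner pods, and note that the `--remote` URL is unencrypted `http://` inside the cluster. Finally, `image: aquasec/trivy:0.20.2` hard-codes a version that this same PR also bumps in Chart.yaml; templating it from the chart's appVersion would stop the two from drifting.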
5 changes: 1 addition & 4 deletions scanners/trivy/Chart.yaml
Expand Up @@ -5,15 +5,12 @@
apiVersion: v2
name: trivy
description: A Helm chart for the trivy security scanner that integrates with the secureCodeBox.

type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
appVersion: "0.19.2"
appVersion: "0.20.2"
kubeVersion: ">=v1.11.0-0"

versionApi: https://api.github.com/repos/aquasecurity/trivy/releases/latest

keywords:
- security
- trivy
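Review bot: the `appVersion` bump to `0.20.2` also needs the hard-coded `aquasec/trivy:0.20.2` image tag and the `v0.20.2` documentation links in `.helm-docs.gotmpl` kept in step; the chart already carries `versionApi` pointing at the latest GitHub release, so a single source for the version would avoid editing three places on every bump. The whitespace-only deletions in this hunk are harmless but unrelated to the version change and could be left out to keep the diff focused.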
123 changes: 122 additions & 1 deletion scanners/trivy/README.md
Expand Up @@ -3,7 +3,7 @@ title: "Trivy"
category: "scanner"
type: "Container"
state: "released"
appVersion: "0.19.2"
appVersion: "0.20.2"
usecase: "Container Vulnerability Scanner"
---

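Review bot: README.md appears to be the helm-docs output of `.helm-docs.gotmpl` (the `appVersion` front matter and the body below mirror the template line for line), so this change should come from regenerating the README in the same commit as the template rather than from a hand edit; a CI check that the generated README is up to date would catch drift between the two files.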
@@ -59,6 +59,127 @@ The following security scan configuration example are based on the [Trivy Docume
- Skip update of vulnerability DB: `trivy image --skip-update python:3.4-alpine3.9`
- Ignore unfixed vulnerabilities:`trivy image --ignore-unfixed ruby:2.4.0` By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them, use the `--ignore-unfixed` option.

::: caution
Due to [limitations in the trivy argument parser](https://github.com/secureCodeBox/secureCodeBox/issues/796), scanning anything other than docker images (e.g., Git repositories) requires some extra parameters.
Please append the following extra arguments **after** specifying the mode (e.g., `repo`) but **before** specifying the target for the scan:
```yaml
- "--no-progress"
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
```

A complete scan definition for the secureCodeBox repository may look something like this:
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "trivy-scb"
spec:
scanType: "trivy"
parameters:
- "repo"
- "--no-progress"
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
- "https://github.com/secureCodeBox/secureCodeBox"
```
:::

### Scanning Many Targets
By default, the docker container of trivy will download new rulesets when starting the process.
As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/v0.20.2/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
If this fits your use case, you can deploy a rule service with the following template:
```yaml
# First declare a service that will serve requests to the rule pod
kind: Service
apiVersion: v1
metadata:
name: trivy-rules
# Update the namespace here if you are using a different one
namespace: default
labels:
app: trivy-rules
spec:
selector:
app: trivy-rules
ports:
- port: 8080
protocol: TCP
targetPort: 8080
type: ClusterIP
---
# Now declare the actual deployment of the rule server
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-rules
# Again, update the namespace here
namespace: default
labels:
app: trivy-rules
spec:
replicas: 1
selector:
matchLabels:
app: trivy-rules
template:
metadata:
labels:
app: trivy-rules
spec:
containers:
- name: trivy-rules
# Don't forget to set this to a version matching that used in secureCodeBox
image: aquasec/trivy:0.20.2
imagePullPolicy: Always
args:
- "server"
- "--listen"
- "0.0.0.0:8080"
ports:
- containerPort: 8080
protocol: TCP
```

You can then start scans of images using the client mode. For example:

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "test-trivy"
# Don't forget to update the namespace if necessary
namespace: default
spec:
scanType: "trivy"
parameters:
- "client"
# Again, add the extra parameters here (required to make the parser work)
# But don't add the --no-progress switch.
- "--format"
- "json"
- "--output"
- "/home/securecodebox/trivy-results.json"
# Specify the rule service internal DNS name here.
# (Substitute a different namespace if you changed it)
- "--remote"
- "http://trivy-rules.default.svc:8080"
# Finally, specify the image you want to scan
- "securecodebox/operator:3.0.0"
```

If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/v0.20.2/advanced/air-gap/).
In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://docs.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
Consult the [trivy documentation](https://aquasecurity.github.io/trivy/v0.20.2/advanced/air-gap/) for additional details on the required steps.

## Requirements

Kubernetes: `>=v1.11.0-0`
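Review bot: the context line `The following security scan configuration example are based on` in this hunk's header is ungrammatical (`examples are based`), and since this hunk reproduces `.helm-docs.gotmpl` verbatim, the fix belongs in the template followed by a regeneration. The same review points as for the template apply here: the 'Scanning Many Targets' section should state why `--no-progress` must be dropped in client mode, and should mention that the `trivy-rules` server (`ClusterIP`, `--listen 0.0.0.0:8080`, no access control in the manifest) is exposed to every pod in the cluster over plain HTTP.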