fix: trivy-v0.37.x deprecate flags support (#949)

* fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> * fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> * fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> * fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> * fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> * fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> * fix: trivy-v0.37.x deprecate flag support Signed-off-by: chenk <[email protected]> --------- Signed-off-by: chenk <[email protected]>
aquasecurity · Feb 12, 2023 · 9c8fe92 · 9c8fe92
1 parent e8e1b9a
commit 9c8fe92
Show file tree

Hide file tree

Showing 9 changed files with 243 additions and 69 deletions.
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -196,7 +196,7 @@ trivy:
   # repository of the Trivy image
   repository: ghcr.io/aquasecurity/trivy
   # tag version of the Trivy image
-  tag: 0.36.0
+  tag: 0.37.2
   # imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
   # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
   # imagePullSecret:

diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -1824,7 +1824,7 @@ metadata:
     app.kubernetes.io/managed-by: kubectl
 data:
   trivy.repository: "ghcr.io/aquasecurity/trivy"
-  trivy.tag: "0.36.0"
+  trivy.tag: "0.37.2"
   trivy.additionalVulnerabilityReportFields: ""
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   trivy.slow: "true"

diff --git a/pkg/plugins/trivy/flags.go b/pkg/plugins/trivy/flags.go
@@ -0,0 +1,61 @@
+package trivy
+
+import (
+	"github.com/Masterminds/semver"
+)
+
+func compareTagVersion(currentTag string, contraint string) bool {
+	c, err := semver.NewConstraint(contraint)
+	if err != nil {
+		return false
+	}
+
+	v, err := semver.NewVersion(currentTag)
+	if err != nil {
+		return false
+	}
+	// Check if the version meets the constraints. The a variable will be true.
+	return c.Check(v)
+}
+
+// Slow determine if to use the slow flag (improve memory footprint)
+func Slow(c Config) string {
+	tag, err := c.GetImageTag()
+	if err != nil {
+		return ""
+	}
+	// support backward competability with older tags
+	if compareTagVersion(tag, "< 0.35.0") {
+		return ""
+	}
+	if c.GetSlow() {
+		return "--slow"
+	}
+	return ""
+}
+
+// Scanners use scanners flag
+func Scanners(c Config) string {
+	tag, err := c.GetImageTag()
+	if err != nil {
+		return "--scanners"
+	}
+	// support backward competability with older tags
+	if compareTagVersion(tag, "< 0.37.0") {
+		return "--security-checks"
+	}
+	return "--scanners"
+}
+
+// SkipDBUpdate skip update flag
+func SkipDBUpdate(c Config) string {
+	tag, err := c.GetImageTag()
+	if err != nil {
+		return "--skip-db-update"
+	}
+	// support backward competability with older tags
+	if compareTagVersion(tag, "< 0.37.0") {
+		return "--skip-update"
+	}
+	return "--skip-db-update"
+}
diff --git a/pkg/plugins/trivy/flags_test.go b/pkg/plugins/trivy/flags_test.go
@@ -0,0 +1,147 @@
+package trivy_test
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/trivy-operator/pkg/plugins/trivy"
+	"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSlow(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configData trivyoperator.ConfigData
+		want       string
+	}{{
+
+		name: "slow param set to true",
+		configData: map[string]string{
+			"trivy.tag":  "0.35.0",
+			"trivy.slow": "true",
+		},
+		want: "--slow",
+	},
+		{
+			name: "slow param set to false",
+			configData: map[string]string{
+				"trivy.tag":  "0.35.0",
+				"trivy.slow": "false",
+			},
+			want: "",
+		},
+		{
+			name: "slow param set to no valid value",
+			configData: map[string]string{
+				"trivy.tag":  "0.35.0",
+				"trivy.slow": "false2",
+			},
+			want: "--slow",
+		},
+		{
+			name: "slow param set to true and trivy tag is less then 0.35.0",
+			configData: map[string]string{
+				"trivy.slow": "true",
+				"trivy.tag":  "0.33.0",
+			},
+			want: "",
+		},
+
+		{
+			name: "slow param set to true and trivy tag is bigger then 0.35.0",
+			configData: map[string]string{
+				"trivy.slow": "true",
+				"trivy.tag":  "0.36.0",
+			},
+			want: "--slow",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := trivy.Slow(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+			assert.Equal(t, got, tc.want)
+		})
+	}
+}
+
+func TestScanner(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configData trivyoperator.ConfigData
+		want       string
+	}{{
+
+		name: "scanner with trivy tag lower then v0.37.0",
+		configData: map[string]string{
+			"trivy.tag": "0.36.0",
+		},
+		want: "--security-checks",
+	},
+		{
+			name: "scanner with trivy tag equal then v0.37.0",
+			configData: map[string]string{
+				"trivy.tag": "0.37.0",
+			},
+			want: "--scanners",
+		},
+		{
+			name: "scanner with trivy tag higher then v0.38.0",
+			configData: map[string]string{
+				"trivy.tag": "0.38.0",
+			},
+			want: "--scanners",
+		},
+		{
+			name:       "scanner with no trivy tag lower",
+			configData: map[string]string{},
+			want:       "--scanners",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := trivy.Scanners(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+			assert.Equal(t, got, tc.want)
+		})
+	}
+}
+
+func TestSkipDBUpdate(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configData trivyoperator.ConfigData
+		want       string
+	}{{
+
+		name: "skip update DB with trivy tag lower then v0.37.0",
+		configData: map[string]string{
+			"trivy.tag": "0.36.0",
+		},
+		want: "--skip-update",
+	},
+		{
+			name: "skip update DB with trivy tag equal then v0.37.0",
+			configData: map[string]string{
+				"trivy.tag": "0.37.0",
+			},
+			want: "--skip-db-update",
+		},
+		{
+			name: "skip update DB with trivy tag higher then v0.38.0",
+			configData: map[string]string{
+				"trivy.tag": "0.38.0",
+			},
+			want: "--skip-db-update",
+		},
+		{
+			name:       "skip update DB with no trivy tag lower",
+			configData: map[string]string{},
+			want:       "--skip-db-update",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := trivy.SkipDBUpdate(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+			assert.Equal(t, got, tc.want)
+		})
+	}
+}
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
@@ -11,7 +11,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/Masterminds/semver"
 	"github.com/aquasecurity/trivy-db/pkg/types"
 
 	"github.com/aquasecurity/trivy-operator/pkg/utils"
@@ -152,14 +151,23 @@ func (c Config) GetImageRef() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	tag, err := c.GetRequiredData(keyTrivyImageTag)
+	tag, err := c.GetImageTag()
 	if err != nil {
 		return "", err
 	}
 
 	return fmt.Sprintf("%s:%s", repository, tag), nil
 }
 
+// GetImageTag returns upstream Trivy container image tag.
+func (c Config) GetImageTag() (string, error) {
+	tag, err := c.GetRequiredData(keyTrivyImageTag)
+	if err != nil {
+		return "", err
+	}
+	return tag, nil
+}
+
 func (c Config) GetImagePullSecret() []corev1.LocalObjectReference {
 	ips, ok := c.Data[keyTrivyImagePullSecret]
 	if !ok {
@@ -235,40 +243,17 @@ func (c Config) GetUseBuiltinRegoPolicies() bool {
 }
 
 func (c Config) GetSlow() bool {
-	tag, err := c.GetRequiredData(keyTrivyImageTag)
-	if err != nil {
-		return false
-	}
-	// support backward competability with older tags
-	if !validVersion(tag, ">= 0.35.0") {
-		return false
-	}
 	val, ok := c.Data[keyTrivySlow]
 	if !ok {
 		return true
 	}
-
 	boolVal, err := strconv.ParseBool(val)
 	if err != nil {
 		return true
 	}
 	return boolVal
 }
 
-func validVersion(currentTag string, contraint string) bool {
-	c, err := semver.NewConstraint(contraint)
-	if err != nil {
-		return false
-	}
-
-	v, err := semver.NewVersion(currentTag)
-	if err != nil {
-		return false
-	}
-	// Check if the version meets the constraints. The a variable will be true.
-	return c.Check(v)
-}
-
 func (c Config) GetSupportedConfigAuditKinds() []string {
 	val, ok := c.Data[keyTrivySupportedConfigAuditKinds]
 	if !ok {
@@ -1260,13 +1245,18 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 		"trivy",
 	}
 	compressLogs := ctx.GetTrivyOperatorConfig().CompressLogs()
-	slow := p.trivySlow(ctx)
+	c, err := p.getConfig(ctx)
+	if err != nil {
+		return []string{}, []string{}
+	}
+	slow := Slow(c)
+	scanners := Scanners(c)
 	if mode == ClientServer {
 		if !compressLogs {
 			args := []string{
 				"--quiet",
 				"image",
-				"--security-checks",
+				scanners,
 				getSecurityChecks(ctx),
 				"--format",
 				"json",
@@ -1279,18 +1269,18 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 			}
 			return command, args
 		}
-		return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' --security-checks %s --quiet --format json --server '%s' > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, getSecurityChecks(ctx), trivyServerURL, resultFileName, resultFileName)}
+		return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s --quiet --format json --server '%s' > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), trivyServerURL, resultFileName, resultFileName)}
 	}
-
+	skipUpdate := SkipDBUpdate(c)
 	if !compressLogs {
 		args := []string{
 			"--cache-dir",
 			"/tmp/trivy/.cache",
 			"--quiet",
 			"image",
-			"--security-checks",
+			scanners,
 			getSecurityChecks(ctx),
-			"--skip-update",
+			skipUpdate,
 			"--format",
 			"json",
 			imageRef,
@@ -1300,18 +1290,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 		}
 		return command, args
 	}
-	return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' --security-checks %s --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, getSecurityChecks(ctx), resultFileName, resultFileName)}
-}
-
-func (p *plugin) trivySlow(ctx trivyoperator.PluginContext) string {
-	config, err := p.newConfigFrom(ctx)
-	if err != nil {
-		return ""
-	}
-	if config.GetSlow() {
-		return "--slow"
-	}
-	return ""
+	return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), skipUpdate, resultFileName, resultFileName)}
 }
 
 func getAutomountServiceAccountToken(ctx trivyoperator.PluginContext) bool {
@@ -1727,22 +1706,28 @@ func (p *plugin) getPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext
 }
 
 func (p *plugin) getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string {
+	c, err := p.getConfig(ctx)
+	if err != nil {
+		return []string{}
+	}
+	scanners := Scanners(c)
+	skipUpdate := SkipDBUpdate(c)
 	args := []string{
 		"--cache-dir",
 		"/var/trivyoperator/trivy-db",
 		"--quiet",
 		string(command),
-		"--security-checks",
+		scanners,
 		getSecurityChecks(ctx),
-		"--skip-update",
+		skipUpdate,
 		"--format",
 		"json",
 		"/",
 	}
 	if mode == ClientServer {
 		args = append(args, "--server", trivyServerURL)
 	}
-	slow := p.trivySlow(ctx)
+	slow := Slow(c)
 	if len(slow) > 0 {
 		args = append(args, slow)
 	}