diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index aeaef5d8b..4be8bc521 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -196,7 +196,7 @@ trivy:
 # repository of the Trivy image
 repository: ghcr.io/aquasecurity/trivy
 # tag version of the Trivy image
- tag: 0.36.0
+ tag: 0.37.2
 # imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
 # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
 # imagePullSecret:
diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
index 2a03e8632..ff18ab64a 100644
--- a/deploy/static/trivy-operator.yaml
+++ b/deploy/static/trivy-operator.yaml
@@ -1824,7 +1824,7 @@ metadata:
 app.kubernetes.io/managed-by: kubectl
 data:
 trivy.repository: "ghcr.io/aquasecurity/trivy"
- trivy.tag: "0.36.0"
+ trivy.tag: "0.37.2"
 trivy.additionalVulnerabilityReportFields: ""
 trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 trivy.slow: "true"
diff --git a/pkg/plugins/trivy/flags.go b/pkg/plugins/trivy/flags.go
new file mode 100644
index 000000000..7ab0176d9
--- /dev/null
+++ b/pkg/plugins/trivy/flags.go
@@ -0,0 +1,61 @@
+package trivy
+
+import (
+ "github.com/Masterminds/semver"
+)
+
+func compareTagVersion(currentTag string, contraint string) bool {
+ c, err := semver.NewConstraint(contraint)
+ if err != nil {
+ return false
+ }
+
+ v, err := semver.NewVersion(currentTag)
+ if err != nil {
+ return false
+ }
+ // Check if the version meets the constraints. The a variable will be true.
+ return c.Check(v)
+}
+
+// Slow determine if to use the slow flag (improve memory footprint)
+func Slow(c Config) string {
+ tag, err := c.GetImageTag()
+ if err != nil {
+ return ""
+ }
+ // support backward competability with older tags
+ if compareTagVersion(tag, "< 0.35.0") {
+ return ""
+ }
+ if c.GetSlow() {
+ return "--slow"
+ }
+ return ""
+}
+
+// Scanners use scanners flag
+func Scanners(c Config) string {
+ tag, err := c.GetImageTag()
+ if err != nil {
+ return "--scanners"
+ }
+ // support backward competability with older tags
+ if compareTagVersion(tag, "< 0.37.0") {
+ return "--security-checks"
+ }
+ return "--scanners"
+}
+
+// SkipDBUpdate skip update flag
+func SkipDBUpdate(c Config) string {
+ tag, err := c.GetImageTag()
+ if err != nil {
+ return "--skip-db-update"
+ }
+ // support backward competability with older tags
+ if compareTagVersion(tag, "< 0.37.0") {
+ return "--skip-update"
+ }
+ return "--skip-db-update"
+}
diff --git a/pkg/plugins/trivy/flags_test.go b/pkg/plugins/trivy/flags_test.go
new file mode 100644
index 000000000..266c4c2c4
--- /dev/null
+++ b/pkg/plugins/trivy/flags_test.go
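Review bot: compareTagVersion returns false both when the tag does not satisfy the constraint and when the tag cannot be parsed at all, so a non-semver tag such as `latest` or a digest-style tag silently takes the newest-flag path in Slow, Scanners and SkipDBUpdate; that may well be the intended fallback, but nothing says so, and the comment copied from the old validVersion (`// Check if the version meets the constraints. The a variable will be true.`) refers to a variable that no longer exists. I would document the contract as `// compareTagVersion reports whether currentTag satisfies contraint; an unparseable tag (e.g. "latest") or constraint yields false, so callers fall through to the current flag names.` and fix the `contraint`/`competability` spellings while touching those lines. Scanners and SkipDBUpdate return the new flag when GetImageTag fails while Slow returns nothing, which is defensible for a required key but worth one clause in each doc comment so the asymmetry reads as deliberate. The `"< 0.37.0"` constraint is repeated in two functions; a package-level named constraint would keep the two flags from diverging when the threshold next moves.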
@@ -0,0 +1,147 @@
+package trivy_test
+
+import (
+ "testing"
+
+ "github.com/aquasecurity/trivy-operator/pkg/plugins/trivy"
+ "github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSlow(t *testing.T) {
+ testCases := []struct {
+ name string
+ configData trivyoperator.ConfigData
+ want string
+ }{{
+
+ name: "slow param set to true",
+ configData: map[string]string{
+ "trivy.tag": "0.35.0",
+ "trivy.slow": "true",
+ },
+ want: "--slow",
+ },
+ {
+ name: "slow param set to false",
+ configData: map[string]string{
+ "trivy.tag": "0.35.0",
+ "trivy.slow": "false",
+ },
+ want: "",
+ },
+ {
+ name: "slow param set to no valid value",
+ configData: map[string]string{
+ "trivy.tag": "0.35.0",
+ "trivy.slow": "false2",
+ },
+ want: "--slow",
+ },
+ {
+ name: "slow param set to true and trivy tag is less then 0.35.0",
+ configData: map[string]string{
+ "trivy.slow": "true",
+ "trivy.tag": "0.33.0",
+ },
+ want: "",
+ },
+
+ {
+ name: "slow param set to true and trivy tag is bigger then 0.35.0",
+ configData: map[string]string{
+ "trivy.slow": "true",
+ "trivy.tag": "0.36.0",
+ },
+ want: "--slow",
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ got := trivy.Slow(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+ assert.Equal(t, got, tc.want)
+ })
+ }
+}
+
+func TestScanner(t *testing.T) {
+ testCases := []struct {
+ name string
+ configData trivyoperator.ConfigData
+ want string
+ }{{
+
+ name: "scanner with trivy tag lower then v0.37.0",
+ configData: map[string]string{
+ "trivy.tag": "0.36.0",
+ },
+ want: "--security-checks",
+ },
+ {
+ name: "scanner with trivy tag equal then v0.37.0",
+ configData: map[string]string{
+ "trivy.tag": "0.37.0",
+ },
+ want: "--scanners",
+ },
+ {
+ name: "scanner with trivy tag higher then v0.38.0",
+ configData: map[string]string{
+ "trivy.tag": "0.38.0",
+ },
+ want: "--scanners",
+ },
+ {
+ name: "scanner with no trivy tag 
lower",
+ configData: map[string]string{},
+ want: "--scanners",
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ got := trivy.Scanners(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+ assert.Equal(t, got, tc.want)
+ })
+ }
+}
+
+func TestSkipDBUpdate(t *testing.T) {
+ testCases := []struct {
+ name string
+ configData trivyoperator.ConfigData
+ want string
+ }{{
+
+ name: "skip update DB with trivy tag lower then v0.37.0",
+ configData: map[string]string{
+ "trivy.tag": "0.36.0",
+ },
+ want: "--skip-update",
+ },
+ {
+ name: "skip update DB with trivy tag equal then v0.37.0",
+ configData: map[string]string{
+ "trivy.tag": "0.37.0",
+ },
+ want: "--skip-db-update",
+ },
+ {
+ name: "skip update DB with trivy tag higher then v0.38.0",
+ configData: map[string]string{
+ "trivy.tag": "0.38.0",
+ },
+ want: "--skip-db-update",
+ },
+ {
+ name: "skip update DB with no trivy tag lower",
+ configData: map[string]string{},
+ want: "--skip-db-update",
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ got := trivy.SkipDBUpdate(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+ assert.Equal(t, got, tc.want)
+ })
+ }
+}
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
index 79768c8f4..93a3f0910 100644
--- a/pkg/plugins/trivy/plugin.go
+++ b/pkg/plugins/trivy/plugin.go
@@ -11,7 +11,6 @@ import ( "strconv" "strings" - "github.com/Masterminds/semver" "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-operator/pkg/utils"
@@ -152,7 +151,7 @@ func (c Config) GetImageRef() (string, error) {
 if err != nil {
 return "", err
 }
- tag, err := c.GetRequiredData(keyTrivyImageTag)
+ tag, err := c.GetImageTag()
 if err != nil {
 return "", err
 }
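Review bot: assert.Equal takes the expected value first, and all three table loops call `assert.Equal(t, got, tc.want)`, so a failing case reports expected and actual swapped; change each to `assert.Equal(t, tc.want, got)`. The tables also never exercise a tag that is not a semver string (for example `latest`), which is exactly the path where compareTagVersion's error handling, rather than the constraint, decides which flag is emitted — one such case per table would pin that behaviour before anyone relies on it. The `0.37.0` rows do cover the inclusive edge of `< 0.37.0`, which is the other place a regression would hide.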
@@ -160,6 +159,15 @@ func (c Config) GetImageRef() (string, error) { return fmt.Sprintf("%s:%s", repository, tag), nil } +// GetImageTag returns upstream Trivy container image tag. +func (c Config) GetImageTag() (string, error) { + tag, err := c.GetRequiredData(keyTrivyImageTag) + if err != nil { + return "", err + } + return tag, nil +} + func (c Config) GetImagePullSecret() []corev1.LocalObjectReference { ips, ok := c.Data[keyTrivyImagePullSecret] if !ok { @@ -235,19 +243,10 @@ func (c Config) GetUseBuiltinRegoPolicies() bool { } func (c Config) GetSlow() bool { - tag, err := c.GetRequiredData(keyTrivyImageTag) - if err != nil { - return false - } - // support backward competability with older tags - if !validVersion(tag, ">= 0.35.0") { - return false - } val, ok := c.Data[keyTrivySlow] if !ok { return true } - boolVal, err := strconv.ParseBool(val) if err != nil { return true @@ -255,20 +254,6 @@ func (c Config) GetSlow() bool { return boolVal } -func validVersion(currentTag string, contraint string) bool { - c, err := semver.NewConstraint(contraint) - if err != nil { - return false - } - - v, err := semver.NewVersion(currentTag) - if err != nil { - return false - } - // Check if the version meets the constraints. The a variable will be true. - return c.Check(v) -} - func (c Config) GetSupportedConfigAuditKinds() []string { val, ok := c.Data[keyTrivySupportedConfigAuditKinds] if !ok { @@ -1260,13 +1245,18 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i "trivy", } compressLogs := ctx.GetTrivyOperatorConfig().CompressLogs() - slow := p.trivySlow(ctx) + c, err := p.getConfig(ctx) + if err != nil { + return []string{}, []string{} + } + slow := Slow(c) + scanners := Scanners(c) if mode == ClientServer { if !compressLogs { args := []string{ "--quiet", "image", - "--security-checks", + scanners, getSecurityChecks(ctx), "--format", "json", 
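Review bot: GetImageTag re-implements the `(string, error)` pass-through by hand — `tag, err := c.GetRequiredData(keyTrivyImageTag)`, an error check, then `return tag, nil` — where `return c.GetRequiredData(keyTrivyImageTag)` is equivalent and shorter. Since Slow, Scanners and SkipDBUpdate in flags.go now branch on this error, the doc comment should say what can fail; if GetRequiredData only errors when the `trivy.tag` key is absent, state that, e.g. `// GetImageTag returns the raw trivy.tag value; it fails only when the key is missing.` (hedged, as GetRequiredData is outside this diff).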
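Review bot: In getCommandAndArgs a failure from p.getConfig now yields `return []string{}, []string{}`, so the scan job is created with an empty command and nothing in the operator log explains why, whereas the removed trivySlow path only dropped one flag on the same error; at minimum log the error there, or extend the signature to return it (the function starts outside this hunk). getFSScanningArgs at -1727 has the same silent `return []string{}` and should be handled the same way. p.getConfig is not defined in this diff, so I assume it exists alongside the newConfigFrom the removed helper used. With the tag gate moved out of GetSlow into Slow, a one-line doc comment on GetSlow saying it reflects only the `trivy.slow` setting would make the split of responsibilities explicit.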
@@ -1279,18 +1269,18 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i } return command, args } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' --security-checks %s --quiet --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, getSecurityChecks(ctx), trivyServerURL, resultFileName, resultFileName)} + return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s --quiet --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), trivyServerURL, resultFileName, resultFileName)} } - + skipUpdate := SkipDBUpdate(c) if !compressLogs { args := []string{ "--cache-dir", "/tmp/trivy/.cache", "--quiet", "image", - "--security-checks", + scanners, getSecurityChecks(ctx), - "--skip-update", + skipUpdate, "--format", "json", imageRef, @@ -1300,18 +1290,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i } return command, args } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' --security-checks %s --cache-dir /tmp/trivy/.cache --quiet --skip-update --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, getSecurityChecks(ctx), resultFileName, resultFileName)} -} - -func (p *plugin) trivySlow(ctx trivyoperator.PluginContext) string { - config, err := p.newConfigFrom(ctx) - if err != nil { - return "" - } - if config.GetSlow() { - return "--slow" - } - return "" + return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), skipUpdate, resultFileName, resultFileName)} } func getAutomountServiceAccountToken(ctx trivyoperator.PluginContext) bool { 
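Review bot: Both new `return []string{"/bin/sh"}` lines interpolate the getSecurityChecks(ctx) value bare into the `sh -c` string while imageRef and the server URL are single-quoted; if that value comes from the operator ConfigMap like the other trivy.* keys, it should get the same `'%s'` treatment so the shell never tokenises it, i.e. `%s '%s' %s '%s' --quiet` in the client-server form and likewise in the standalone one. Single quotes are not a complete escape either, so validating the value where it is read is the stronger fix. The flag list is now maintained twice per mode — as a slice in the plain branch and inside the format string here — and the old side shows how that drifts (`--skip-update` was hard-coded in only one of them), so keeping the two in step deserves a comment at least. getCommandAndArgs begins outside this hunk.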
@@ -1727,14 +1706,20 @@ func (p *plugin) getPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext } func (p *plugin) getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mode, trivyServerURL string) []string { + c, err := p.getConfig(ctx) + if err != nil { + return []string{} + } + scanners := Scanners(c) + skipUpdate := SkipDBUpdate(c) args := []string{ "--cache-dir", "/var/trivyoperator/trivy-db", "--quiet", string(command), - "--security-checks", + scanners, getSecurityChecks(ctx), - "--skip-update", + skipUpdate, "--format", "json", "/", @@ -1742,7 +1727,7 @@ func (p *plugin) getFSScanningArgs(ctx trivyoperator.PluginContext, command Comm if mode == ClientServer { args = append(args, "--server", trivyServerURL) } - slow := p.trivySlow(ctx) + slow := Slow(c) if len(slow) > 0 { args = append(args, slow) } diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go index c11d60573..fd1d0882c 100644 --- a/pkg/plugins/trivy/plugin_test.go +++ b/pkg/plugins/trivy/plugin_test.go @@ -205,7 +205,6 @@ func TestGetSlow(t *testing.T) { name: "slow param set to true", configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{ Data: map[string]string{ - "trivy.tag": "0.35.0", "trivy.slow": "true", }, }}, @@ -215,7 +214,6 @@ func TestGetSlow(t *testing.T) { name: "slow param set to false", configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{ Data: map[string]string{ - "trivy.tag": "0.35.0", "trivy.slow": "false", }, }}, 
@@ -225,29 +223,15 @@ func TestGetSlow(t *testing.T) { name: "slow param set to no valid value", configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{ Data: map[string]string{ - "trivy.tag": "0.35.0", "trivy.slow": "false2", }, }}, want: true, }, { - name: "slow param set to true and trivy tag is less then 0.35.0", + name: "slow param set to no value", configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{ - Data: map[string]string{ - "trivy.slow": "true", - "trivy.tag": "0.33.0", - }, - }}, - want: false, - }, - { - name: "slow param set to true and trivy tag is bigger then 0.35.0", - configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{ - Data: map[string]string{ - "trivy.slow": "true", - "trivy.tag": "0.36.0", - }, + Data: map[string]string{}, }}, want: true, }, diff --git a/tests/e2e/client-server/workload/00-assert.yaml b/tests/e2e/client-server/workload/00-assert.yaml index 1a1bfeb74..ee9927eb6 100644 --- a/tests/e2e/client-server/workload/00-assert.yaml +++ b/tests/e2e/client-server/workload/00-assert.yaml @@ -14,4 +14,3 @@ report: scanner: name: Trivy vendor: Aqua Security - version: 0.36.0 diff --git a/tests/e2e/fs-mode/workload/00-assert.yaml b/tests/e2e/fs-mode/workload/00-assert.yaml index 1a1bfeb74..ee9927eb6 100644 --- a/tests/e2e/fs-mode/workload/00-assert.yaml +++ b/tests/e2e/fs-mode/workload/00-assert.yaml @@ -14,4 +14,3 @@ report: scanner: name: Trivy vendor: Aqua Security - version: 0.36.0 diff --git a/tests/e2e/image-mode/workload/00-assert.yaml b/tests/e2e/image-mode/workload/00-assert.yaml index 1a1bfeb74..ee9927eb6 100644 --- a/tests/e2e/image-mode/workload/00-assert.yaml +++ b/tests/e2e/image-mode/workload/00-assert.yaml @@ -14,4 +14,3 @@ report: scanner: name: Trivy vendor: Aqua Security - version: 0.36.0