chore: fix dependabot alerts (#2431)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
@@ -12,10 +12,12 @@ import (
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy/pkg/commands/artifact"
|
||||
"github.com/aquasecurity/trivy/pkg/commands/operation"
|
||||
"github.com/aquasecurity/trivy/pkg/db"
|
||||
fanalTypes "github.com/aquasecurity/trivy/pkg/fanal/types"
|
||||
"github.com/aquasecurity/trivy/pkg/flag"
|
||||
"github.com/aquasecurity/trivy/pkg/javadb"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
regTypes "github.com/google/go-containerregistry/pkg/v1/types"
|
||||
godigest "github.com/opencontainers/go-digest"
|
||||
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
@@ -34,7 +36,7 @@ const cacheSize = 1000000
|
||||
|
||||
// getNewScanOptions sets trivy configuration values for our scans and returns them as
|
||||
// a trivy Options structure.
|
||||
func getNewScanOptions(dir, dbRepository, javaDBRepository string) *flag.Options {
|
||||
func getNewScanOptions(dir string, dbRepositoryRef, javaDBRepositoryRef name.Reference) *flag.Options {
|
||||
scanOptions := flag.Options{
|
||||
GlobalOptions: flag.GlobalOptions{
|
||||
CacheDir: dir,
|
||||
@@ -47,8 +49,8 @@ func getNewScanOptions(dir, dbRepository, javaDBRepository string) *flag.Options
|
||||
VulnType: []string{types.VulnTypeOS, types.VulnTypeLibrary},
|
||||
},
|
||||
DBOptions: flag.DBOptions{
|
||||
DBRepository: dbRepository,
|
||||
JavaDBRepository: javaDBRepository,
|
||||
DBRepository: dbRepositoryRef,
|
||||
JavaDBRepository: javaDBRepositoryRef,
|
||||
SkipDBUpdate: true,
|
||||
SkipJavaDBUpdate: true,
|
||||
},
|
||||
@@ -73,19 +75,46 @@ type cveTrivyController struct {
|
||||
}
|
||||
|
||||
type Scanner struct {
|
||||
metaDB mTypes.MetaDB
|
||||
cveController cveTrivyController
|
||||
storeController storage.StoreController
|
||||
log log.Logger
|
||||
dbLock *sync.Mutex
|
||||
cache *cvecache.CveCache
|
||||
dbRepository string
|
||||
javaDBRepository string
|
||||
metaDB mTypes.MetaDB
|
||||
cveController cveTrivyController
|
||||
storeController storage.StoreController
|
||||
log log.Logger
|
||||
dbLock *sync.Mutex
|
||||
cache *cvecache.CveCache
|
||||
dbRepositoryRef name.Reference
|
||||
javaDBRepositoryRef name.Reference
|
||||
}
|
||||
|
||||
func NewScanner(storeController storage.StoreController,
|
||||
metaDB mTypes.MetaDB, dbRepository, javaDBRepository string, log log.Logger,
|
||||
) *Scanner {
|
||||
// The logic to set defaults is similar to what trivy itself uses:
|
||||
// https://github.com/aquasecurity/trivy/blob/v0.51.4/pkg/flag/db_flags.go#L152
|
||||
var dbRepositoryRef name.Reference
|
||||
|
||||
dbRepositoryRef, err := name.ParseReference(dbRepository, name.WithDefaultTag(""))
|
||||
if err != nil {
|
||||
log.Fatal().Err(err).Str("dbRepository", dbRepository).Msg("invalid reference")
|
||||
}
|
||||
|
||||
// Add the schema version if the tag is not specified for backward compatibility.
|
||||
if t, ok := dbRepositoryRef.(name.Tag); ok && t.TagStr() == "" {
|
||||
dbRepositoryRef = t.Tag(fmt.Sprint(db.SchemaVersion))
|
||||
}
|
||||
|
||||
var javaDBRepositoryRef name.Reference
|
||||
if javaDBRepository != "" {
|
||||
javaDBRepositoryRef, err = name.ParseReference(javaDBRepository, name.WithDefaultTag(""))
|
||||
if err != nil {
|
||||
log.Fatal().Err(err).Str("javaDBRepository", javaDBRepository).Msg("invalid reference")
|
||||
}
|
||||
|
||||
// Add the schema version if the tag is not specified for backward compatibility.
|
||||
if t, ok := javaDBRepositoryRef.(name.Tag); ok && t.TagStr() == "" {
|
||||
javaDBRepositoryRef = t.Tag(fmt.Sprint(javadb.SchemaVersion))
|
||||
}
|
||||
}
|
||||
|
||||
cveController := cveTrivyController{}
|
||||
|
||||
subCveConfig := make(map[string]*flag.Options)
|
||||
@@ -96,7 +125,7 @@ func NewScanner(storeController storage.StoreController,
|
||||
rootDir := imageStore.RootDir()
|
||||
|
||||
cacheDir := path.Join(rootDir, "_trivy")
|
||||
opts := getNewScanOptions(cacheDir, dbRepository, javaDBRepository)
|
||||
opts := getNewScanOptions(cacheDir, dbRepositoryRef, javaDBRepositoryRef)
|
||||
|
||||
cveController.DefaultCveConfig = opts
|
||||
}
|
||||
@@ -106,7 +135,7 @@ func NewScanner(storeController storage.StoreController,
|
||||
rootDir := storage.RootDir()
|
||||
|
||||
cacheDir := path.Join(rootDir, "_trivy")
|
||||
opts := getNewScanOptions(cacheDir, dbRepository, javaDBRepository)
|
||||
opts := getNewScanOptions(cacheDir, dbRepositoryRef, javaDBRepositoryRef)
|
||||
|
||||
subCveConfig[route] = opts
|
||||
}
|
||||
@@ -115,14 +144,14 @@ func NewScanner(storeController storage.StoreController,
|
||||
cveController.SubCveConfig = subCveConfig
|
||||
|
||||
return &Scanner{
|
||||
log: log,
|
||||
metaDB: metaDB,
|
||||
cveController: cveController,
|
||||
storeController: storeController,
|
||||
dbLock: &sync.Mutex{},
|
||||
cache: cvecache.NewCveCache(cacheSize, log),
|
||||
dbRepository: dbRepository,
|
||||
javaDBRepository: javaDBRepository,
|
||||
log: log,
|
||||
metaDB: metaDB,
|
||||
cveController: cveController,
|
||||
storeController: storeController,
|
||||
dbLock: &sync.Mutex{},
|
||||
cache: cvecache.NewCveCache(cacheSize, log),
|
||||
dbRepositoryRef: dbRepositoryRef,
|
||||
javaDBRepositoryRef: javaDBRepositoryRef,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -552,20 +581,22 @@ func (scanner Scanner) updateDB(ctx context.Context, dbDir string) error {
|
||||
|
||||
scanner.log.Debug().Str("dbDir", dbDir).Msg("started downloading trivy-db to destination dir")
|
||||
|
||||
err := operation.DownloadDB(ctx, "dev", dbDir, scanner.dbRepository, false, false, registryOpts)
|
||||
err := operation.DownloadDB(ctx, "dev", dbDir, scanner.dbRepositoryRef, false, false, registryOpts)
|
||||
if err != nil {
|
||||
scanner.log.Error().Err(err).Str("dbDir", dbDir).
|
||||
Str("dbRepository", scanner.dbRepository).Msg("failed to download trivy-db to destination dir")
|
||||
Str("dbRepository", scanner.dbRepositoryRef.String()).
|
||||
Msg("failed to download trivy-db to destination dir")
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
if scanner.javaDBRepository != "" {
|
||||
javadb.Init(dbDir, scanner.javaDBRepository, false, false, registryOpts)
|
||||
if scanner.javaDBRepositoryRef != nil {
|
||||
javadb.Init(dbDir, scanner.javaDBRepositoryRef, false, false, registryOpts)
|
||||
|
||||
if err := javadb.Update(); err != nil {
|
||||
scanner.log.Error().Err(err).Str("dbDir", dbDir).
|
||||
Str("javaDBRepository", scanner.javaDBRepository).Msg("failed to download trivy-java-db to destination dir")
|
||||
Str("javaDBRepository", scanner.javaDBRepositoryRef.String()).
|
||||
Msg("failed to download trivy-java-db to destination dir")
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
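Review bot: `NewScanner` now calls `log.Fatal()` when `dbRepository` fails `name.ParseReference` (the `if err != nil` right after the parse), which exits the process from inside a constructor over a value that comes from operator configuration; because there is no empty-string guard for `dbRepository` (unlike the `if javaDBRepository != ""` branch), an unset value is now fatal at scanner construction instead of being rejected where the config is validated — the tests in this commit stop passing `""`, so this looks intended, but the check belongs in config validation with an error the caller can report. The parse-then-default-the-tag sequence is also written out twice, once per repository; a helper returning an error leaves one fatal site today and makes propagating the error later a one-line change. The `var dbRepositoryRef name.Reference` line is redundant once the next statement is `dbRepositoryRef, err := ...` and can go. By go-containerregistry's defaults (not visible here) an unqualified repository name resolves against Docker Hub, so a short name meant for an internal mirror would fetch the vulnerability DB from a public registry — worth a one-line comment on the config field, e.g. `// dbRepository must be a fully qualified OCI reference; unqualified names resolve to Docker Hub`. `NewScanner`'s body continues past the hunk.
```go
// parseDBRef parses a trivy DB repository reference; when no tag (or digest)
// is given it appends schemaVersion as the tag, mirroring trivy's own defaulting.
func parseDBRef(repo string, schemaVersion int) (name.Reference, error) {
	ref, err := name.ParseReference(repo, name.WithDefaultTag(""))
	if err != nil {
		return nil, err
	}

	if t, ok := ref.(name.Tag); ok && t.TagStr() == "" {
		ref = t.Tag(fmt.Sprint(schemaVersion))
	}

	return ref, nil
}

// … unchanged: NewScanner signature …
	dbRepositoryRef, err := parseDBRef(dbRepository, db.SchemaVersion)
	if err != nil {
		log.Fatal().Err(err).Str("dbRepository", dbRepository).Msg("invalid reference")
	}

	var javaDBRepositoryRef name.Reference
	if javaDBRepository != "" {
		javaDBRepositoryRef, err = parseDBRef(javaDBRepository, javadb.SchemaVersion)
		if err != nil {
			log.Fatal().Err(err).Str("javaDBRepository", javaDBRepository).Msg("invalid reference")
		}
	}
	// … unchanged: cveController / subCveConfig setup …
```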
@@ -17,6 +17,7 @@ import (
|
||||
zerr "zotregistry.dev/zot/errors"
|
||||
"zotregistry.dev/zot/pkg/common"
|
||||
"zotregistry.dev/zot/pkg/extensions/monitoring"
|
||||
cvecache "zotregistry.dev/zot/pkg/extensions/search/cve/cache"
|
||||
"zotregistry.dev/zot/pkg/extensions/search/cve/model"
|
||||
"zotregistry.dev/zot/pkg/log"
|
||||
"zotregistry.dev/zot/pkg/meta"
|
||||
@@ -194,15 +195,15 @@ func TestTrivyLibraryErrors(t *testing.T) {
|
||||
|
||||
img := "zot-test:0.0.1" //nolint:goconst
|
||||
|
||||
// Download DB fails for missing DB url
|
||||
scanner := NewScanner(storeController, metaDB, "", "", log)
|
||||
// Download DB fails for invalid DB url
|
||||
scanner := NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-not-db", "", log)
|
||||
|
||||
ctx := context.Background()
|
||||
|
||||
err = scanner.UpdateDB(ctx)
|
||||
So(err, ShouldNotBeNil)
|
||||
|
||||
// Try to scan without the DB being downloaded
|
||||
// Try to scan without a valid DB being downloaded
|
||||
opts := scanner.getTrivyOptions(img)
|
||||
_, err = scanner.runTrivy(ctx, opts)
|
||||
So(err, ShouldNotBeNil)
|
||||
@@ -425,7 +426,12 @@ func TestIsIndexScanable(t *testing.T) {
|
||||
log := log.NewLogger("debug", "")
|
||||
|
||||
Convey("Find index in cache", func() {
|
||||
scanner := NewScanner(storeController, metaDB, "", "", log)
|
||||
scanner := Scanner{
|
||||
log: log,
|
||||
metaDB: metaDB,
|
||||
storeController: storeController,
|
||||
cache: cvecache.NewCveCache(cacheSize, log),
|
||||
}
|
||||
|
||||
scanner.cache.Add("digest", make(map[string]model.CVE))
|
||||
|
||||
@@ -458,7 +464,13 @@ func TestIsIndexScannableErrors(t *testing.T) {
|
||||
}[digest.String()], nil
|
||||
}
|
||||
|
||||
scanner := NewScanner(storeController, metaDB, "", "", log)
|
||||
scanner := Scanner{
|
||||
log: log,
|
||||
metaDB: metaDB,
|
||||
storeController: storeController,
|
||||
cache: cvecache.NewCveCache(cacheSize, log),
|
||||
}
|
||||
|
||||
ok, err := scanner.isIndexScannable(multiarch.DigestStr())
|
||||
So(err, ShouldBeNil)
|
||||
So(ok, ShouldBeFalse)
|
||||
|
||||
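Review bot: The `Scanner{...}` literals in `TestIsIndexScanable` and `TestIsIndexScannableErrors` leave `dbLock`, `cveController` and `dbRepositoryRef` at their zero values, so `dbLock` is a nil `*sync.Mutex`; that is fine as long as `isIndexScannable` never locks it (its body is outside the hunk), but any future change that does will surface as a nil-pointer panic rather than a test failure, and the same four-field literal is now duplicated across the two tests. A small helper that at least sets `dbLock: &sync.Mutex{}` keeps both honest: `func newCacheOnlyScanner(metaDB mTypes.MetaDB, sc storage.StoreController, log log.Logger) Scanner`. Separately, `TestTrivyLibraryErrors` now points at `ghcr.io/project-zot/trivy-not-db`, a syntactically valid reference to a repository that presumably does not exist, so `// Download DB fails for invalid DB url` overstates it and the test now depends on reaching ghcr.io; `// Download DB fails for a nonexistent DB repository (requires network)` would be accurate. With both cache tests bypassing `NewScanner`, the constructor's new reference parsing and fatal path is not exercised by any test visible in this commit.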
@@ -112,6 +112,7 @@ func TestScanningByDigest(t *testing.T) {
|
||||
|
||||
cveMap, err := scanner.ScanImage(ctx, "multi-arch@"+vulnImage.DigestStr())
|
||||
So(err, ShouldBeNil)
|
||||
t.Logf("cveMap=%v\n", cveMap)
|
||||
So(cveMap, ShouldContainKey, Vulnerability1ID)
|
||||
So(cveMap, ShouldContainKey, Vulnerability2ID)
|
||||
So(cveMap, ShouldContainKey, Vulnerability3ID)
|
||||
|
||||
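Review bot: The added `t.Logf("cveMap=%v\n", cveMap)` carries a trailing `\n` that `t.Logf` already supplies, so `-v` output gets a blank line after it; `t.Logf("cveMap=%v", cveMap)` is enough. The dump is only printed on failure or with `-v`, and the three `ShouldContainKey` assertions that follow already name the missing key, so its value is in showing unexpected extra entries — a short comment such as `// dump the full map so unexpected CVEs are visible when an assertion below fails` would explain why it is kept.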