feat(vulnerabilityreports): Use primary URLs returned by Trivy v0.14.0 (

#252)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

README.md

@@ -271,7 +271,7 @@ The following table lists available configuration parameters.
 | `trivy.httpProxy`     | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. Only applicable if Trivy runs in the `Standalone` mode. |
 | `trivy.githubToken`   | N/A                                                    | The GitHub personal access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable if Trivy runs in the `Standalone` mode. |
 | `trivy.severity`      | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`                     | A comma separated list of severity levels reported by Trivy |
-| `trivy.imageRef`      | `docker.io/aquasec/trivy:0.12.0`                       | Trivy image reference |
+| `trivy.imageRef`      | `docker.io/aquasec/trivy:0.14.0`                       | Trivy image reference |
 | `trivy.mode`          | `Standalone`                                           | Trivy client mode. Either `Standalone` or `ClientServer`. |
 | `trivy.serverURL`     | `http://trivy-server.trivy-server:4954`                | The endpoint URL of the Trivy server. This parameter is required when Trivy runs in the `ClientServer` mode. |
 | `polaris.config.yaml` | [Check the default value here][default-polaris-config] | Polaris configuration file |

deploy/init/03-starboard.cm.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: starboard
 data:
   trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-  trivy.imageRef: docker.io/aquasec/trivy:0.12.0
+  trivy.imageRef: docker.io/aquasec/trivy:0.14.0
   trivy.mode: Standalone
   trivy.serverURL: http://trivy-server.trivy-server:4954
   kube-bench.imageRef: docker.io/aquasec/kube-bench:0.4.0

deploy/trivy-server/03-trivy-server.deployment.yaml

@@ -23,7 +23,7 @@ spec:
           emptyDir: {}
       containers:
         - name: trivy-server
-          image: docker.io/aquasec/trivy:0.12.0
+          image: docker.io/aquasec/trivy:0.14.0
           command:
             - trivy
             - server

deploy/trivy-server/README.md

@@ -10,7 +10,7 @@ $ kubectl apply -f deploy/trivy-server
 ```
 
 ```
-$ kubectl run trivy-client -it --rm --image aquasec/trivy:0.12.0 --command -- sh
+$ kubectl run trivy-client -it --rm --image aquasec/trivy:0.14.0 --command -- sh
 / # trivy client --format json --remote http://trivy-server.trivy-server:4954 wordpress:4.9
 / # trivy client --format json --remote http://trivy-server.trivy-server:4954 wordpress:5.5
 ```

itest/starboard/starboard_cli_test.go

@@ -225,7 +225,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -290,7 +290,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -313,7 +313,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -396,7 +396,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -491,7 +491,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -582,7 +582,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -673,7 +673,7 @@ var _ = Describe("Starboard CLI", func() {
 							"Scanner": Equal(v1alpha1.Scanner{
 								Name:    "Trivy",
 								Vendor:  "Aqua Security",
-								Version: "0.12.0",
+								Version: "0.14.0",
 							}),
 						}),
 					}),
@@ -716,7 +716,7 @@ var _ = Describe("Starboard CLI", func() {
 					Scanner: v1alpha1.Scanner{
 						Name:    "Trivy",
 						Vendor:  "Aqua Security",
-						Version: "0.12.0",
+						Version: "0.14.0",
 					},
 					Registry: v1alpha1.Registry{
 						Server: "index.docker.io",

pkg/find/vulnerabilities/scanner.go

@@ -40,7 +40,7 @@ func NewScanner(scheme *runtime.Scheme, config starboard.TrivyConfig, opts kube.
 		opts:        opts,
 		clientset:   clientset,
 		pods:        pod.NewPodManager(clientset),
-		converter:   trivy.DefaultConverter,
+		converter:   trivy.NewConverter(config),
 		idGenerator: idGenerator,
 		delegate:    trivy.NewScanner(idGenerator, config),
 	}
@@ -173,7 +173,7 @@ func (s *Scanner) GetVulnerabilityReportsByScanJob(ctx context.Context, job *bat
 		if err != nil {
 			return nil, err
 		}
-		result, err := s.converter.Convert(s.config, containerImages[c.Name], logReader)
+		result, err := s.converter.Convert(containerImages[c.Name], logReader)
 
 		report, err := vulnerabilityreport.NewBuilder(s.scheme).
 			Owner(owner).

pkg/starboard/config.go

@@ -251,8 +251,8 @@ type ConfigManager interface {
 func GetDefaultConfig() ConfigData {
 	return map[string]string{
 		"trivy.severity":      "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-		"trivy.imageRef":      "docker.io/aquasec/trivy:0.12.0",
-		"trivy.mode":          "Standalone",
+		"trivy.imageRef":      "docker.io/aquasec/trivy:0.14.0",
+		"trivy.mode":          string(Standalone),
 		"trivy.serverURL":     "http://trivy-server.trivy-server:4954",
 		"kube-bench.imageRef": "docker.io/aquasec/kube-bench:0.4.0",
 		"polaris.config.yaml": polarisConfigYAML,
@@ -263,7 +263,7 @@ func (c ConfigData) GetTrivyImageRef() string {
 	if imageRef, ok := c["trivy.imageRef"]; ok {
 		return imageRef
 	}
-	return "docker.io/aquasec/trivy:0.12.0"
+	return "docker.io/aquasec/trivy:0.14.0"
 }
 
 func (c ConfigData) GetTrivyMode() TrivyMode {

pkg/starboard/config_test.go

@@ -59,7 +59,7 @@ func TestConfigData_GetTrivyImageRef(t *testing.T) {
 		{
 			name:             "Should return default image reference",
 			configData:       starboard.ConfigData{},
-			expectedImageRef: "docker.io/aquasec/trivy:0.12.0",
+			expectedImageRef: "docker.io/aquasec/trivy:0.14.0",
 		},
 		{
 			name: "Should return image reference from config data",

pkg/trivy/converter.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/aquasecurity/starboard/pkg/starboard"
 
-	starboardv1alpha1 "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/google/go-containerregistry/pkg/name"
 )
 
@@ -18,58 +18,59 @@ import (
 // Convert converts the vulnerabilities model used by Trivy
 // to a generic model defined by the Custom Security Resource Specification.
 type Converter interface {
-	Convert(config starboard.TrivyConfig, imageRef string, reader io.Reader) (starboardv1alpha1.VulnerabilityScanResult, error)
+	Convert(imageRef string, reader io.Reader) (v1alpha1.VulnerabilityScanResult, error)
 }
 
 type converter struct {
+	config starboard.TrivyConfig
 }
 
-var DefaultConverter = NewConverter()
-
-func NewConverter() Converter {
-	return &converter{}
+func NewConverter(config starboard.TrivyConfig) Converter {
+	return &converter{
+		config: config,
+	}
 }
 
-func (c *converter) Convert(config starboard.TrivyConfig, imageRef string, reader io.Reader) (report starboardv1alpha1.VulnerabilityScanResult, err error) {
+func (c *converter) Convert(imageRef string, reader io.Reader) (v1alpha1.VulnerabilityScanResult, error) {
 	var scanReports []ScanReport
-	err = json.NewDecoder(reader).Decode(&scanReports)
+	err := json.NewDecoder(reader).Decode(&scanReports)
 	if err != nil {
-		return
+		return v1alpha1.VulnerabilityScanResult{}, err
 	}
-	return c.convert(config, imageRef, scanReports)
+	return c.convert(imageRef, scanReports)
 }
 
-func (c *converter) convert(config starboard.TrivyConfig, imageRef string, reports []ScanReport) (starboardv1alpha1.VulnerabilityScanResult, error) {
-	vulnerabilities := make([]starboardv1alpha1.Vulnerability, 0)
+func (c *converter) convert(imageRef string, reports []ScanReport) (v1alpha1.VulnerabilityScanResult, error) {
+	vulnerabilities := make([]v1alpha1.Vulnerability, 0)
 
 	for _, report := range reports {
 		for _, sr := range report.Vulnerabilities {
-			vulnerabilities = append(vulnerabilities, starboardv1alpha1.Vulnerability{
+			vulnerabilities = append(vulnerabilities, v1alpha1.Vulnerability{
 				VulnerabilityID:  sr.VulnerabilityID,
 				Resource:         sr.PkgName,
 				InstalledVersion: sr.InstalledVersion,
 				FixedVersion:     sr.FixedVersion,
 				Severity:         sr.Severity,
 				Title:            sr.Title,
-				Description:      sr.Description,
-				Links:            c.toLinks(sr.References),
+				PrimaryLink:      sr.PrimaryURL,
+				Links:            []string{},
 			})
 		}
 	}
 
 	registry, artifact, err := c.parseImageRef(imageRef)
 	if err != nil {
-		return starboardv1alpha1.VulnerabilityScanResult{}, err
+		return v1alpha1.VulnerabilityScanResult{}, err
 	}
 
-	version, err := starboard.GetVersionFromImageRef(config.GetTrivyImageRef())
+	version, err := starboard.GetVersionFromImageRef(c.config.GetTrivyImageRef())
 	if err != nil {
-		return starboardv1alpha1.VulnerabilityScanResult{}, err
+		return v1alpha1.VulnerabilityScanResult{}, err
 	}
 
-	return starboardv1alpha1.VulnerabilityScanResult{
+	return v1alpha1.VulnerabilityScanResult{
 		UpdateTimestamp: metav1.NewTime(time.Now()),
-		Scanner: starboardv1alpha1.Scanner{
+		Scanner: v1alpha1.Scanner{
 			Name:    "Trivy",
 			Vendor:  "Aqua Security",
 			Version: version,
@@ -81,23 +82,16 @@ func (c *converter) convert(config starboard.TrivyConfig, imageRef string, repor
 	}, nil
 }
 
-func (c *converter) toLinks(references []string) []string {
-	if references == nil {
-		return []string{}
-	}
-	return references
-}
-
-func (c *converter) toSummary(vulnerabilities []starboardv1alpha1.Vulnerability) (vs starboardv1alpha1.VulnerabilitySummary) {
+func (c *converter) toSummary(vulnerabilities []v1alpha1.Vulnerability) (vs v1alpha1.VulnerabilitySummary) {
 	for _, v := range vulnerabilities {
 		switch v.Severity {
-		case starboardv1alpha1.SeverityCritical:
+		case v1alpha1.SeverityCritical:
 			vs.CriticalCount++
-		case starboardv1alpha1.SeverityHigh:
+		case v1alpha1.SeverityHigh:
 			vs.HighCount++
-		case starboardv1alpha1.SeverityMedium:
+		case v1alpha1.SeverityMedium:
 			vs.MediumCount++
-		case starboardv1alpha1.SeverityLow:
+		case v1alpha1.SeverityLow:
 			vs.LowCount++
 		default:
 			vs.UnknownCount++
@@ -106,15 +100,15 @@ func (c *converter) toSummary(vulnerabilities []starboardv1alpha1.Vulnerability)
 	return
 }
 
-func (c *converter) parseImageRef(imageRef string) (starboardv1alpha1.Registry, starboardv1alpha1.Artifact, error) {
+func (c *converter) parseImageRef(imageRef string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
-		return starboardv1alpha1.Registry{}, starboardv1alpha1.Artifact{}, err
+		return v1alpha1.Registry{}, v1alpha1.Artifact{}, err
 	}
-	registry := starboardv1alpha1.Registry{
+	registry := v1alpha1.Registry{
 		Server: ref.Context().RegistryStr(),
 	}
-	artifact := starboardv1alpha1.Artifact{
+	artifact := v1alpha1.Artifact{
 		Repository: ref.Context().RepositoryStr(),
 	}
 	switch t := ref.(type) {