fix: trivy uses deprecated subcommand (#891)

Resolves: #888
aquasecurity · Jan 11, 2022 · 8b46e5b · 8b46e5b
1 parent 3d0417d
commit 8b46e5b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 14 deletions.
diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go
@@ -256,13 +256,13 @@ const (
 // volume shared with main containers. In other words, the init container runs
 // the following Trivy command:
 //
-//     trivy --download-db-only --cache-dir /var/lib/trivy
+//     trivy --cache-dir /var/lib/trivy image --download-db-only
 //
 // The number of main containers correspond to the number of containers
 // defined for the scanned workload. Each container runs the Trivy image scan
 // command and skips the database download:
 //
-//     trivy --skip-update --cache-dir /var/lib/trivy \
+//     trivy --cache-dir /var/lib/trivy image --skip-update \
 //       --format json <container image>
 func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config Config, spec corev1.PodSpec, credentials map[string]docker.Auth) (corev1.PodSpec, []*corev1.Secret, error) {
 	var secret *corev1.Secret
@@ -344,9 +344,10 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 			"trivy",
 		},
 		Args: []string{
-			"--download-db-only",
 			"--cache-dir",
 			"/var/lib/trivy",
+			"image",
+			"--download-db-only",
 		},
 		Resources: requirements,
 		VolumeMounts: []corev1.VolumeMount{
@@ -556,10 +557,11 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 				"trivy",
 			},
 			Args: []string{
-				"--skip-update",
 				"--cache-dir",
 				"/var/lib/trivy",
 				"--quiet",
+				"image",
+				"--skip-update",
 				"--format",
 				"json",
 				optionalMirroredImage,

diff --git a/pkg/plugin/trivy/plugin_test.go b/pkg/plugin/trivy/plugin_test.go
@@ -558,8 +558,9 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"trivy",
 						},
 						Args: []string{
-							"--download-db-only",
 							"--cache-dir", "/var/lib/trivy",
+							"image",
+							"--download-db-only",
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -676,9 +677,10 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"trivy",
 						},
 						Args: []string{
-							"--skip-update",
 							"--cache-dir", "/var/lib/trivy",
 							"--quiet",
+							"image",
+							"--skip-update",
 							"--format", "json",
 							"nginx:1.16",
 						},
@@ -816,8 +818,9 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"trivy",
 						},
 						Args: []string{
-							"--download-db-only",
 							"--cache-dir", "/var/lib/trivy",
+							"image",
+							"--download-db-only",
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -938,9 +941,10 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"trivy",
 						},
 						Args: []string{
-							"--skip-update",
 							"--cache-dir", "/var/lib/trivy",
 							"--quiet",
+							"image",
+							"--skip-update",
 							"--format", "json",
 							"poc.myregistry.harbor.com.pl/nginx:1.16",
 						},
@@ -1078,8 +1082,9 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"trivy",
 						},
 						Args: []string{
-							"--download-db-only",
 							"--cache-dir", "/var/lib/trivy",
+							"image",
+							"--download-db-only",
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1200,9 +1205,10 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"trivy",
 						},
 						Args: []string{
-							"--skip-update",
 							"--cache-dir", "/var/lib/trivy",
 							"--quiet",
+							"image",
+							"--skip-update",
 							"--format", "json",
 							"poc.myregistry.harbor.com.pl/nginx:1.16",
 						},
@@ -1361,8 +1367,9 @@ CVE-2019-1543`,
 							"trivy",
 						},
 						Args: []string{
-							"--download-db-only",
 							"--cache-dir", "/var/lib/trivy",
+							"image",
+							"--download-db-only",
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1483,9 +1490,10 @@ CVE-2019-1543`,
 							"trivy",
 						},
 						Args: []string{
-							"--skip-update",
 							"--cache-dir", "/var/lib/trivy",
 							"--quiet",
+							"image",
+							"--skip-update",
 							"--format", "json",
 							"nginx:1.16",
 						},
@@ -1631,8 +1639,9 @@ CVE-2019-1543`,
 							"trivy",
 						},
 						Args: []string{
-							"--download-db-only",
 							"--cache-dir", "/var/lib/trivy",
+							"image",
+							"--download-db-only",
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1749,9 +1758,10 @@ CVE-2019-1543`,
 							"trivy",
 						},
 						Args: []string{
-							"--skip-update",
 							"--cache-dir", "/var/lib/trivy",
 							"--quiet",
+							"image",
+							"--skip-update",
 							"--format", "json",
 							"mirror.io/library/nginx:1.16",
 						},