feat: split trivy.imageRef into trivy.repository and trivy.tag (#524)
Signed-off-by: Engin Diri <engin.diri@mail.schwarz>

Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
dirien committed Sep 18, 2022
1 parent 02447b9 commit c5447c5
Showing 7 changed files with 119 additions and 64 deletions.
3 changes: 2 additions & 1 deletion deploy/helm/templates/config.yaml
Expand Up @@ -54,7 +54,8 @@ metadata:
labels:
{{- include "trivy-operator.labels" $ | nindent 4 }}
data:
trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .imageRef | quote }}
trivy.repository: {{ required ".Values.trivy.repository is required" .repository | quote }}
trivy.tag: {{ required ".Values.trivy.tag is required" .tag | quote }}
trivy.mode: {{ .mode | quote }}
trivy.additionalVulnerabilityReportFields: {{ .additionalVulnerabilityReportFields | quote}}
{{- if .httpProxy }}
6 changes: 4 additions & 2 deletions deploy/helm/values.yaml
Expand Up @@ -149,8 +149,10 @@ trivy:
# createConfig indicates whether to create config objects
createConfig: true

# imageRef the Trivy image reference.
imageRef: ghcr.io/aquasecurity/trivy:0.31.3
# repository of the Trivy image
repository: ghcr.io/aquasecurity/trivy
# tag version of the Trivy image
tag: 0.31.3

# mode is the Trivy client mode. Either Standalone or ClientServer. Depending
# on the active mode other settings might be applicable or required.
3 changes: 2 additions & 1 deletion deploy/static/trivy-operator.yaml
Expand Up @@ -1214,7 +1214,8 @@ metadata:
app.kubernetes.io/version: "0.2.1"
app.kubernetes.io/managed-by: kubectl
data:
trivy.imageRef: "ghcr.io/aquasecurity/trivy:0.31.3"
trivy.repository: "ghcr.io/aquasecurity/trivy"
trivy.tag: "0.31.3"
trivy.mode: "Standalone"
trivy.additionalVulnerabilityReportFields: ""
trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
55 changes: 28 additions & 27 deletions docs/vulnerability-scanning/trivy.md


17 changes: 14 additions & 3 deletions pkg/plugins/trivy/plugin.go
Expand Up @@ -39,7 +39,8 @@ const (
)

const (
keyTrivyImageRef = "trivy.imageRef"
keyTrivyImageRepository = "trivy.repository"
keyTrivyImageTag = "trivy.tag"
keyTrivyMode = "trivy.mode"
keyTrivyAdditionalVulnerabilityReportFields = "trivy.additionalVulnerabilityReportFields"
keyTrivyCommand = "trivy.command"
Expand Down Expand Up @@ -135,7 +136,16 @@ func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields {

// GetImageRef returns upstream Trivy container image reference.
func (c Config) GetImageRef() (string, error) {
return c.GetRequiredData(keyTrivyImageRef)
repository, err := c.GetRequiredData(keyTrivyImageRepository)
if err != nil {
return "", err
}
tag, err := c.GetRequiredData(keyTrivyImageTag)
if err != nil {
return "", err
}

return fmt.Sprintf("%s:%s", repository, tag), nil
}

func (c Config) GetMode() (Mode, error) {
Expand Down Expand Up @@ -338,7 +348,8 @@ func NewTrivyConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, obj
func (p *plugin) Init(ctx trivyoperator.PluginContext) error {
return ctx.EnsureConfig(trivyoperator.PluginConfig{
Data: map[string]string{
keyTrivyImageRef: "ghcr.io/aquasecurity/trivy:0.31.3",
keyTrivyImageRepository: "ghcr.io/aquasecurity/trivy",
keyTrivyImageTag: "0.31.3",
keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
keyTrivyMode: string(Standalone),
keyTrivyTimeout: "5m0s",
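Review bot: GetImageRef now fails with `property trivy.repository not set` on any existing ConfigMap that still carries only the old `trivy.imageRef` key, and nothing in the hunk migrates that key; if `ctx.EnsureConfig` in Init leaves an already-present ConfigMap untouched (its implementation is not visible here), an operator upgrade of an existing installation would stop scanning until the ConfigMap is edited by hand. A short fallback that honours the legacy key for one release keeps that upgrade path working; the rewritten lines are below. The `%s:%s` join also cannot express a digest-pinned image (`repo@sha256:…`), so the doc comment on GetImageRef should state the contract, e.g. `// GetImageRef returns the upstream Trivy image reference built as <trivy.repository>:<trivy.tag>; trivy.tag must be a tag, not a digest.`
```go
	// keyTrivyImageRef is the pre-split key, read only so ConfigMaps created
	// before the repository/tag split keep working across an upgrade.
	keyTrivyImageRef        = "trivy.imageRef"
	keyTrivyImageRepository = "trivy.repository"
	// … unchanged: remaining keys …

// GetImageRef returns the upstream Trivy image reference built as
// <trivy.repository>:<trivy.tag>; trivy.tag must be a tag, not a digest.
func (c Config) GetImageRef() (string, error) {
	// Legacy ConfigMap: honour the old single key instead of failing.
	if ref, ok := c.Data[keyTrivyImageRef]; ok && ref != "" {
		return ref, nil
	}
	// … unchanged: repository/tag lookup and join …
}
```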
96 changes: 67 additions & 29 deletions pkg/plugins/trivy/plugin_test.go
Expand Up @@ -51,13 +51,32 @@ func TestConfig_GetImageRef(t *testing.T) {
{
name: "Should return error",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{}},
expectedError: "property trivy.imageRef not set",
expectedError: "property trivy.repository not set",
},
{
name: "Should return error",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.tag": "0.8.0",
},
}},
expectedError: "property trivy.repository not set",
},
{
name: "Should return error",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.repository": "gcr.io/aquasecurity/trivy",
},
}},
expectedError: "property trivy.tag not set",
},
{
name: "Should return image reference from config data",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.imageRef": "gcr.io/aquasecurity/trivy:0.8.0",
"trivy.repository": "gcr.io/aquasecurity/trivy",
"trivy.tag": "0.8.0",
},
}},
expectedImageRef: "gcr.io/aquasecurity/trivy:0.8.0",
Expand Down Expand Up @@ -532,7 +551,8 @@ func TestPlugin_Init(t *testing.T) {
ResourceVersion: "1",
},
Data: map[string]string{
"trivy.imageRef": "ghcr.io/aquasecurity/trivy:0.31.3",
"trivy.repository": "ghcr.io/aquasecurity/trivy",
"trivy.tag": "0.31.3",
"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"trivy.mode": "Standalone",
"trivy.timeout": "5m0s",
Expand Down Expand Up @@ -560,9 +580,10 @@ func TestPlugin_Init(t *testing.T) {
ResourceVersion: "1",
},
Data: map[string]string{
"trivy.imageRef": "ghcr.io/aquasecurity/trivy:0.31.3",
"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"trivy.mode": "Standalone",
"trivy.repository": "gcr.io/aquasecurity/trivy",
"trivy.tag": "0.31.3",
"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"trivy.mode": "Standalone",
},
}).Build()
resolver := kube.NewObjectResolver(testClient, &kube.CompatibleObjectMapper{})
Expand Down Expand Up @@ -594,9 +615,10 @@ func TestPlugin_Init(t *testing.T) {
ResourceVersion: "1",
},
Data: map[string]string{
"trivy.imageRef": "ghcr.io/aquasecurity/trivy:0.31.3",
"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"trivy.mode": "Standalone",
"trivy.repository": "gcr.io/aquasecurity/trivy",
"trivy.tag": "0.31.3",
"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"trivy.mode": "Standalone",
},
}, cm)
})
Expand Down Expand Up @@ -649,7 +671,8 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.Standalone),
"trivy.dbRepository": defaultDBRepository,
"trivy.resources.requests.cpu": "100m",
Expand Down Expand Up @@ -909,7 +932,8 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.Standalone),
"trivy.insecureRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
"trivy.dbRepository": defaultDBRepository,
Expand Down Expand Up @@ -1169,7 +1193,8 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
trivyoperator.KeyExposedSecretsScannerEnabled: "false",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.Standalone),
"trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
"trivy.dbRepository": defaultDBRepository,
Expand Down Expand Up @@ -1429,8 +1454,9 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.mode": string(trivy.Standalone),
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.Standalone),
"trivy.ignoreFile": `# Accept the risk
CVE-2018-14618
Expand Down Expand Up @@ -1714,8 +1740,9 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.mode": string(trivy.Standalone),
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.Standalone),

"trivy.dbRepository": defaultDBRepository,
"trivy.resources.requests.cpu": "100m",
Expand Down Expand Up @@ -1973,7 +2000,8 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.dbRepository": defaultDBRepository,
Expand Down Expand Up @@ -2174,7 +2202,8 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.dbRepository": defaultDBRepository,
Expand Down Expand Up @@ -2375,7 +2404,8 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "https://trivy.trivy:4954",
"trivy.serverInsecure": "true",
Expand Down Expand Up @@ -2581,7 +2611,8 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "false",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
Expand Down Expand Up @@ -2787,9 +2818,10 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.14.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.ignoreFile": `# Accept the risk
CVE-2018-14618
Expand Down Expand Up @@ -3019,7 +3051,8 @@ CVE-2019-1543`,
trivyoperator.KeyExposedSecretsScannerEnabled: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.31.3",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.31.3",
"trivy.mode": string(trivy.Standalone),
"trivy.command": string(trivy.Filesystem),
"trivy.dbRepository": defaultDBRepository,
Expand Down Expand Up @@ -3363,7 +3396,8 @@ CVE-2019-1543`,
trivyoperator.KeyVulnerabilityScansInSameNamespace: "true",
},
config: map[string]string{
"trivy.imageRef": "docker.io/aquasec/trivy:0.22.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.22.0",
"trivy.mode": string(trivy.Standalone),
"trivy.command": string(trivy.Filesystem),
"trivy.dbRepository": defaultDBRepository,
Expand Down Expand Up @@ -3836,7 +3870,8 @@ func TestPlugin_ParseReportData(t *testing.T) {
Namespace: "trivyoperator-ns",
},
Data: map[string]string{
"trivy.imageRef": "aquasec/trivy:0.9.1",
"trivy.repository": "aquasec/trivy",
"trivy.tag": "0.9.1",
},
}

Expand Down Expand Up @@ -4058,7 +4093,8 @@ func TestGetContainers(t *testing.T) {
name: "Standalone mode with image command",
configData: map[string]string{
"trivy.dbRepository": defaultDBRepository,
"trivy.imageRef": "docker.io/aquasec/trivy:0.22.0",
"trivy.repository": "gcr.io/aquasec/trivy",
"trivy.tag": "0.22.0",
"trivy.mode": string(trivy.Standalone),
"trivy.command": string(trivy.Image),
},
Expand All @@ -4068,7 +4104,8 @@ func TestGetContainers(t *testing.T) {
configData: map[string]string{
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.dbRepository": defaultDBRepository,
"trivy.imageRef": "docker.io/aquasec/trivy:0.22.0",
"trivy.repository": "gcr.io/aquasec/trivy",
"trivy.tag": "0.22.0",
"trivy.mode": string(trivy.ClientServer),
"trivy.command": string(trivy.Image),
},
Expand All @@ -4078,7 +4115,8 @@ func TestGetContainers(t *testing.T) {
configData: map[string]string{
"trivy.serverURL": "http://trivy.trivy:4954",
"trivy.dbRepository": defaultDBRepository,
"trivy.imageRef": "docker.io/aquasec/trivy:0.22.0",
"trivy.repository": "docker.io/aquasec/trivy",
"trivy.tag": "0.22.0",
"trivy.mode": string(trivy.Standalone),
"trivy.command": string(trivy.Filesystem),
},
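Review bot: In TestGetContainers the "Standalone mode with image command" fixture and the ClientServer fixture change the registry from `docker.io/aquasec/trivy` (the removed `trivy.imageRef` value) to `gcr.io/aquasec/trivy`, while the Filesystem fixture in the next hunk keeps `docker.io/aquasec/trivy`; if the expected container image for these cases is asserted outside the hunk, this either silently changes what the test checks or is a typo, and either way it deserves a revert to `docker.io` so the split stays a pure refactor. The TestConfig_GetImageRef hunk also adds two cases that reuse the existing name `"Should return error"`, so three sub-tests now share one name and a failure is indistinguishable in `go test` output; name them after the missing key, e.g. `name: "Should return error when trivy.repository is not set"` and `name: "Should return error when trivy.tag is not set"`. The enclosing test functions start and end outside these hunks.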
3 changes: 2 additions & 1 deletion pkg/vulnerabilityreport/suite_test.go
Expand Up @@ -97,7 +97,8 @@ var _ = BeforeSuite(func() {
Expect(err).ToNot(HaveOccurred())
err = pluginContext.EnsureConfig(trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.imageRef": "ghcr.io/aquasecurity/trivy:0.29.1",
"trivy.repository": "ghcr.io/aquasecurity/trivy",
"trivy.tag": "0.29.1",
"trivy.mode": "Standalone",
"trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db",
},
