[Cherry-pick] feat: enable configuration of skip_java_db_update (#19997)

feat: enable configuration of skip_java_db_update Signed-off-by: Shengwen Yu <yshengwen@vmware.com>
goharbor · Feb 21, 2024 · ce85f47 · ce85f47
1 parent a79c5da
commit ce85f47
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -104,8 +104,8 @@ PREPARE_VERSION_NAME=versions
 
 #versions
 REGISTRYVERSION=v2.8.2-patch-redis
-TRIVYVERSION=v0.48.3
-TRIVYADAPTERVERSION=v0.30.21
+TRIVYVERSION=v0.49.1
+TRIVYADAPTERVERSION=v0.30.22
 
 # version of registry for pulling the source code
 REGISTRY_SRC_TAG=v2.8.2

diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
@@ -86,6 +86,10 @@ trivy:
   # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
   skip_update: false
   #
+  # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
+  # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
+  skip_java_db_update: false
+  #
   # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
   # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
   # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't

diff --git a/make/photon/prepare/templates/trivy-adapter/env.jinja b/make/photon/prepare/templates/trivy-adapter/env.jinja
@@ -10,6 +10,7 @@ SCANNER_TRIVY_VULN_TYPE=os,library
 SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
 SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
+SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE={{trivy_skip_java_db_update}}
 SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
 SCANNER_TRIVY_SECURITY_CHECKS={{trivy_security_check}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}

diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
@@ -212,6 +212,7 @@ def parse_yaml_config(config_file_path, with_trivy):
     trivy_configs = configs.get("trivy") or {}
     config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
     config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
+    config_dict['trivy_skip_java_db_update'] = trivy_configs.get("skip_java_db_update") or False
     config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
     config_dict['trivy_security_check'] = trivy_configs.get("security_check") or 'vuln'
     config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False