chore: update documentation to account for self generating vuln DB

Previously we had hosted a security DB that was updated nightly but as previously stated, this is no longer tenable. In place of this we added some machinary to allow users to (hopefully) easily generate it. This change updates the README to reflect those changes. Signed-off-by: crozzy <joseph.crosland@gmail.com>
quay · Jun 24, 2024 · a7a7195 · a7a7195
1 parent 9c69f8e
commit a7a7195
Show file tree

Hide file tree

Showing 5 changed files with 100 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -11,6 +11,9 @@ ___
   - [Image path](#image-path)
   - [Image ref](#image-ref)
   - [Image ref with auth](#image-ref-with-auth)
+  - [Generating vulnerability DB and using it for report creation](#generating-vulnerability-db-and-using-it-for-report-creation)
+    - [Generate the vulnerability DB example:](#generate-the-vulnerability-db-example)
+    - [Using generated database:](#using-generated-database)
 - [Customizing](#customizing)
   - [inputs](#inputs)
 - [Releases](#releases)
@@ -151,6 +154,96 @@ jobs:
           sarif_file: clair_results.sarif
 ```
 
+### Generating vulnerability DB and using it for report creation
+
+As the vulnerability database isn't hosted anywhere, it is the responsibility of the user to generate it.
+`Clair-action` surfaces an update mode to allow users to do this.
+
+#### Generate the vulnerability DB example:
+
+```yaml
+name: db_update
+
+on:
+  workflow_dispatch: {}
+  # Run every day at 5AM UTC
+  schedule:
+    - cron: '0 5 * * *'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Run Clair V4 update
+        uses: quay/clair-action@main
+        with:
+          db-file: matcher.db
+          mode: update
+
+      - name: Cache DB
+        uses: actions/cache@v3
+        with:
+          path: matcher.db
+          key: matcher.db
+```
+
+#### Using generated database:
+
+```yaml
+name: ci
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+jobs:
+  docker-build:
+    name: "Docker Build"
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Grab cache DB
+        uses: actions/cache@v3
+        with:
+          path: matcher.db
+          key: matcher.db
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t crozzy/great-app:${{ github.sha }} .
+      - name: Save Docker image
+        run: |
+          docker save -o ${{ github.sha }} crozzy/great-app:${{ github.sha }}
+      - name: Run Clair V4
+        uses: quay/clair-action@main
+        with:
+          image-path: ${{ github.sha }}
+          db-file: matcher.db  # Use DB from cache
+          format: sarif
+          output: clair_results.sarif
+      - name: Upload artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: sarif
+          path: clair_results.sarif
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: clair_results.sarif
+```
+
 ## Customizing
 
 ### inputs
@@ -164,10 +257,11 @@ Following inputs can be used as `step.with` keys
 | `format`            | String | no       | `clair`          | The output format of the report, currently `clair`, `sarif` and `quay` are supported.                                                                                                      |
 | `output`            | String | yes      | -                | The file path where the report gets saved (e.g., /tmp/my-image-report.sarif)                                                                                                               |
 | `return-code`       | String | no       | `0`              | A code to return from the process if Clair found vulnerabilities. (e.g., `1`)                                                                                                              |
+| `mode`              | String | no       | report           | Specify which mode to run the action in, supported values are `report` and `update`. `report` reports vulnerabilities for an image, `update` update generates the sqlite3 vulnerability DB.                                        |
+| `db-file`           | String | no       | empty string     | Optional param to specify where on the filesystem the zstd compressed sqlite3 DB lives.                                                                                                    |
 | `db-file-url`       | String | no       | liable to change | Optional param to specify your own url where the zstd compressed sqlite3 DB lives.                                                                                                         |
 | `docker-config-dir` | String | no       | -                | Optional param to specify the docker (or other) config dir to allow for pulling of layers from private images                                                                              |
 
-
 \* either `image-ref` or `image-path` need to be defined.
 
 ## Releases

diff --git a/action.yaml b/action.yaml
@@ -25,7 +25,7 @@ inputs:
   db-file-url:
     description: 'URL of the Sqlite3 zstd-compressed vulnerability database'
     required: false
-    default: 'https://clair-sqlite-db.s3.amazonaws.com/matcher.zst'
+    default: ''
   docker-config-dir:
     description: 'Path to the docker config dir for the image registry where image-ref is stored'
     required: false

diff --git a/tekton/cron.yaml b/tekton/cron.yaml
@@ -3,18 +3,18 @@ kind: CronJob
 metadata:
   name: update-db
 spec:
-  schedule: "20 * * * *"
+  schedule: "35 * * * *"
   jobTemplate:
     spec:
       template:
         spec:
           containers:
           - name: get-data
-            image: quay.io/projectquay/clair-action:v0.0.2
+            image: quay.io/projectquay/clair-action:v0.0.8
             command:
             - /bin/sh
             - -c
-            - microdnf install wget zstd && wget -q https://clair-sqlite-db.s3.amazonaws.com/matcher.zst && zstd -o /tmp/matcher.db -d matcher.zst
+            - clair-action update --db-path=/tmp/matcher.db
             volumeMounts:
             - name: vuln-store
               mountPath: /tmp

diff --git a/tekton/pipeline.yaml b/tekton/pipeline.yaml
@@ -18,7 +18,7 @@ spec:
             description: shared vuln data
         steps:
           - name: run-report
-            image: quay.io/projectquay/clair-action:v0.0.2
+            image: quay.io/projectquay/clair-action:v0.0.8
             script: |
               #!/bin/sh
               clair-action report --image-ref=debian:bullseye --db-path=$(workspaces.source.path)/matcher.db --format=quay
diff --git a/tekton/pvc.yaml b/tekton/pvc.yaml
@@ -1,7 +1,6 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  namespace: default
   name: vuln-store
 spec:
   accessModes: