feat: add local cache mode for scanner #1574

Closed

Conversation

zhcli commented Oct 17, 2023

Description

Adding local cache mode for vulnerability scanner

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

CLAassistant commented Oct 17, 2023

CLA assistant check
All committers have signed the CLA.

@zhcli zhcli changed the title Re #1341 - add local cache mode for scanner feat: add local cache mode for scanner Oct 17, 2023
zhcli (Author) commented Oct 17, 2023

Hi @chen-keinan, I drafted this PR to address #1342. Let me know what you think about this approach.

@zhcli zhcli marked this pull request as ready for review October 17, 2023 22:00
@zhcli zhcli requested a review from chen-keinan as a code owner October 17, 2023 22:00
chen-keinan (Contributor) commented Oct 18, 2023

@zhcli the only difference between standalone and local cache is that it has a different command on the initContainer?

Example:

standalone:

Command: []string{
	"trivy",
},
Args: []string{
	"--cache-dir",
	"/tmp/trivy/.cache",
	"image",
	"--download-db-only",
	"--db-repository",
	dbRepository,
},

local-cache:

Command: []string{
	"/bin/sh",
},
Args: []string{
	"-c", fmt.Sprintf("mkdir /tmp/trivy-db && cp -rv %s /tmp/trivy-db && chmod -R 777 /tmp/trivy-db", cacheDir),
},

zhcli (Author) commented Oct 18, 2023

Hi @chen-keinan, yes it is.
I tried to remove the init container but was unsuccessful: the trivy runtime container file system is read-only, so I have to adopt a read-write volume. I was able to remove an init container for the file system scan, though.
To avoid code duplication, I can merge the logic into the original standalone functions by introducing a new parameter to handle local cache mode.
Let me know.
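The two initContainer variants chen-keinan quoted above, merged behind a single mode parameter as zhcli proposes here, written as an added illustration that is not code from this PR or from trivy-operator. `InitContainer` is an assumed stand-in for the Command/Args fields of a Kubernetes corev1.Container, and the local-cache branch hands `cacheDir` to `sh` as a positional parameter instead of formatting it into the `-c` script, so a directory value taken from Helm values or a ConfigMap cannot change the shell command that runs.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// InitContainer mirrors only the Command and Args fields of corev1.Container
// (assumption made so the example builds offline without k8s.io/api).
type InitContainer struct {
	Command []string
	Args    []string
}

// CacheMode selects how the init container provides the vulnerability DB.
type CacheMode int

const (
	Standalone CacheMode = iota // download the DB from dbRepository
	LocalCache                  // copy a DB baked into the scanner image
)

// BuildDBInitContainer returns the init container spec for either mode.
// In LocalCache mode the script text is a fixed literal; cacheDir arrives as
// $1 ($0 is the conventional "sh"), so shell metacharacters in it are inert.
func BuildDBInitContainer(mode CacheMode, cacheDir, dbRepository string) (InitContainer, error) {
	switch mode {
	case Standalone:
		return InitContainer{
			Command: []string{"trivy"},
			Args: []string{"--cache-dir", "/tmp/trivy/.cache", "image",
				"--download-db-only", "--db-repository", dbRepository},
		}, nil
	case LocalCache:
		// Accept only absolute, already-normalised paths as the DB source.
		if !filepath.IsAbs(cacheDir) || filepath.Clean(cacheDir) != cacheDir {
			return InitContainer{}, fmt.Errorf("cacheDir %q must be an absolute clean path", cacheDir)
		}
		return InitContainer{
			Command: []string{"/bin/sh"},
			// Same copy-and-chmod steps as the thread's snippet, minus the Sprintf.
			Args: []string{"-c", `mkdir /tmp/trivy-db && cp -rv "$1" /tmp/trivy-db && chmod -R 777 /tmp/trivy-db`, "sh", cacheDir},
		}, nil
	}
	return InitContainer{}, errors.New("unknown cache mode")
}
```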

chen-keinan (Contributor) commented

@zhcli will setting this helm flag not do the work for not running the initContainer?

zhcli (Author) commented Oct 22, 2023

@chen-keinan if I am reading the code correctly, skipInitContainers does not have any actual effect on the init containers. I also believe that if the init container is taken away from the Standalone image/FS scan mode, they will fail.

chen-keinan (Contributor) commented

@zhcli true, it will fail because it does not have the vulndb on TRIVY_CACHE_DIR, but if the baked trivy image (for air-gapped env) includes the vulndb on TRIVY_CACHE_DIR, won't that solve the issue? Or I'm not understanding the req.

zhcli (Author) commented Oct 22, 2023

@chen-keinan I intended to remove all the init containers for local cache mode; however, after that trivy complains about a file system permissions issue with its Vul DB files. It seems that I ran into the same issue as aquasecurity/trivy#4286

chen-keinan (Contributor) commented

qq: does the trivy image include the vuln db in it?

zhcli (Author) commented Oct 24, 2023

Yes. My testing environment is Docker Desktop + kind. I built a trivy image with the latest Vul DB; no matter which volume I put the DB files in, trivy complains about a permissions issue. I have to leverage an external volume with read-write permission.

chen-keinan (Contributor) commented

can you put an example here of how you build the vulndb into the trivy image?

zhcli (Author) commented Oct 26, 2023

@chen-keinan please see below

FROM ghcr.io/aquasecurity/trivy:0.46.0

# Create a non-root user (uid 10000) and run the remaining steps as that user
RUN adduser -u 10000 -D -g '' trivyoperator trivyoperator
USER 10000

# Download the vulnerability DB into the cache dir at image build time
RUN trivy --cache-dir /home/trivyoperator/.cache image --download-db-only --db-repository ghcr.io/aquasecurity/trivy-db
RUN chmod -R 777 /home/trivyoperator/.cache

ENTRYPOINT ["trivy"]

chen-keinan (Contributor) commented

thanks, will check it out and update you

chen-keinan (Contributor) commented Oct 31, 2023

@zhcli thanks for sharing the Dockerfile, I was able to reproduce this issue.
The right approach will be, first, to separate the cache flags for db and image as suggested by this discussion,
and then add a simple change in trivy-operator.

The fix in trivy is simple; you can raise a PR and I can help with it, or I'll do it myself if you do not have time.
Let me know wdyt

zhcli (Author) commented Oct 31, 2023

@chen-keinan thanks for testing, I can take a look at the trivy issue when I have some spare time, most likely late weekend nights. Also, are you in the trivy Slack channel? I will join and communicate with you over there.

gerbil (Contributor) commented Dec 12, 2023

Any progress here?


This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 11, 2024
@chen-keinan chen-keinan removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 11, 2024
tibuntu commented Feb 12, 2024

@chen-keinan any chance that this functionality is provided soon?

Can we help with a contribution or do you want to cover that internally?

chen-keinan (Contributor) commented

@tibuntu it has a dependency on trivy supporting separate cache folders for vulndb and layers; it looks like the issue is not yet supported. Once it is done it will be an easy fix


This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 14, 2024
@github-actions github-actions bot closed this May 5, 2024
2Bor2C commented Jun 8, 2024

The above issue referenced was closed - is this still pending?

@chen-keinan chen-keinan removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 9, 2024
@chen-keinan chen-keinan reopened this Jun 9, 2024
github-actions bot commented Aug 9, 2024

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Aug 9, 2024
@github-actions github-actions bot closed this Aug 29, 2024
Labels: feature, lifecycle/stale

Linked issue: Use vulnerability database from local cache

6 participants