From 766d9e1eff472d3b02b8f7e7043fef28e3d35b40 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 24 Sep 2024 08:03:48 +0200 Subject: [PATCH 01/12] Limit scope of changes that are monitored by Trivy scan Do not start Trivy scan if changes not related to dependencies. Run Trivy on daily bases. Add badge to follow cycle Trivy scans Enable scans on request Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 16 +++++++++++++++- README.md | 1 + utils/trivy/trivy.yaml | 3 +-- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index a9eec6447fd..fb93a369cf9 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,8 +1,20 @@ +# SPDX-License-Identifier: BSD-2-Clause-Patent +# Copyright (C) 2024 Intel Corporation. + name: Trivy scan on: - pull_request: + workflow_dispatch: + schedule: + - cron: '45 8 * * *' + push: branches: ["master", "release/**"] + pull_request: + paths: + - '**/go.mod' + - '**/pom.xml' + - '**/requirements.txt' + - '**/*trivy*' # Declare default permissions as nothing. permissions: {} @@ -11,6 +23,8 @@ jobs: build: name: Build runs-on: ubuntu-20.04 + permissions: + security-events: write steps: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/README.md b/README.md index 0bd1915919e..35fd647b185 100644 --- a/README.md +++ b/README.md 
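Review bot: The new `pull_request.paths` filter in the first hunk limits PR scans to four manifest patterns, so a PR that only touches some other file Trivy would read (another lockfile type, or anything else enabled in `utils/trivy/trivy.yaml`) produces no run at all, while `push` to master/release still scans every commit. That asymmetry may well be intended, but nothing in the file records it, so the list will be read as exhaustive; a comment above `paths:` such as `# PRs are scanned only when dependency manifests change; the daily schedule covers the default branch in full` would fix that. Whether these four patterns cover every manifest Trivy reads in this repository cannot be judged from the hunk.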
@@ -5,6 +5,7 @@ [![Build](https://github.com/daos-stack/daos/actions/workflows/ci2.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/ci2.yml) [![Codespell](https://github.com/daos-stack/daos/actions/workflows/spelling.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/spelling.yml) [![Doxygen](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml) +[![Trivy scan](https://github.com/daos-stack/daos/actions/workflows/trivy.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/trivy.yml) diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml index 293f7b1ba9f..2d3119efd37 100644 --- a/utils/trivy/trivy.yaml +++ b/utils/trivy/trivy.yaml @@ -1,6 +1,5 @@ cache: - backend: fs - clear: false + backend: memory dir: redis: ca: "" From c029a80b7f222181c98e7b4d3fbbb306fe39925b Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Wed, 9 Oct 2024 12:48:29 +0200 Subject: [PATCH 02/12] Fix SPDX license header Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 2 +- utils/trivy/trivy.yaml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index fb93a369cf9..a9405354e5e 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,5 +1,5 @@ # SPDX-License-Identifier: BSD-2-Clause-Patent -# Copyright (C) 2024 Intel Corporation. +# Copyright (c) 2024 Intel Corporation. name: Trivy scan diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml index 2d3119efd37..20681f37458 100644 --- a/utils/trivy/trivy.yaml +++ b/utils/trivy/trivy.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: BSD-2-Clause-Patent +# Copyright (c) 2024 Intel Corporation. + cache: backend: memory dir: From 3f4c483fdb133bb50a1d11f72cf417464a198447 Mon Sep 17 00:00:00 2001 
From: Tomasz Gromadzki Date: Thu, 10 Oct 2024 14:49:29 +0200 Subject: [PATCH 03/12] fix: restore unnecessary cache backend Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- utils/trivy/trivy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml index 20681f37458..50f0d6ab500 100644 --- a/utils/trivy/trivy.yaml +++ b/utils/trivy/trivy.yaml @@ -2,7 +2,7 @@ # Copyright (c) 2024 Intel Corporation. cache: - backend: memory + backend: fs dir: redis: ca: "" From 7406a757734ec13f6d7fe14d27b71ef11451be2e Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Mon, 21 Oct 2024 14:34:01 +0200 Subject: [PATCH 04/12] Fix: addjust monitored files list. https://aquasecurity.github.io/trivy/v0.56/docs/coverage/language/#supported-languages provides the full list of scanned file in the 'filesystem' scan. Keep the same condition for PR and merge trigger. Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 41322ae7f19..c0f2a3e72c5 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -9,12 +9,25 @@ on: - cron: '45 8 * * *' push: branches: ["master", "release/**"] + paths: + - '**/go.mod' + - '**/pom.xml' + - '**/*gradle.lockfile' + - '**/*.sbt.lock' + - '**/requirements.txt' + - '**/poetry.lock' + - '**/Pipfile.lock' + - '**/*trivy*' pull_request: branches: ["master", "release/**"] paths: - '**/go.mod' - '**/pom.xml' + - '**/*gradle.lockfile' + - '**/*.sbt.lock' - '**/requirements.txt' + - '**/poetry.lock' + - '**/Pipfile.lock' - '**/*trivy*' # Declare default permissions as nothing. From d7c35a22815699dbacff962f1a4fdfa0c2307960 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Mon, 21 Oct 2024 14:38:58 +0200 Subject: [PATCH 05/12] Fix: documentation Doc-only: true Required-githooks: true 
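Review bot: The `paths:` list is now duplicated verbatim under `push` and `pull_request`, and because GitHub Actions has not historically expanded YAML anchors in workflow files the two copies can only be kept in sync by hand; the first divergence would make merges to master scan under different conditions than the PRs that produced them. A comment above the first list pointing at the Trivy coverage page quoted in the commit message, e.g. `# Keep in sync with the pull_request list below; patterns follow Trivy's 'Supported languages' coverage docs`, gives the next maintainer the rule for extending it. These patterns are also the only thing deciding whether a dependency change is scanned at all, so adding a new ecosystem to the repository requires editing this file.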
Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index c0f2a3e72c5..b8227bc371c 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -43,7 +43,7 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run Trivy vulnerability scanner in repo mode + - name: Run Trivy vulnerability scanner in filesystem mode uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: 'fs' @@ -68,7 +68,7 @@ jobs: utils/trivy/trivy.yaml sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml - - name: Run Trivy vulnerability scanner in repo mode + - name: Run Trivy vulnerability scanner in filesystem mode uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: 'fs' @@ -87,7 +87,7 @@ jobs: sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml - - name: Run Trivy vulnerability scanner in repo mode + - name: Run Trivy vulnerability scanner in filesystem mode uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: 'fs' From 1d529321d67a993f06955bcc4ab5d25d7bbbe7ae Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 22 Oct 2024 17:54:24 +0200 Subject: [PATCH 06/12] Fix: simplify triggering rules Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 26 ++++---------------------- 1 file changed, 4 insertions(+), 22 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index b8227bc371c..c374939f262 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -9,33 +9,15 @@ on: - cron: '45 8 * * *' push: branches: ["master", "release/**"] - paths: - - '**/go.mod' - - '**/pom.xml' - - '**/*gradle.lockfile' - - '**/*.sbt.lock' - - '**/requirements.txt' - - '**/poetry.lock' - - '**/Pipfile.lock' - - '**/*trivy*' pull_request: branches: ["master", "release/**"] - paths: - - '**/go.mod' - - '**/pom.xml' - - '**/*gradle.lockfile' - - '**/*.sbt.lock' - - '**/requirements.txt' - - '**/poetry.lock' - - '**/Pipfile.lock' - - '**/*trivy*' # Declare default permissions as nothing. permissions: {} jobs: build: - name: Build + name: Scan with Trivy runs-on: ubuntu-20.04 permissions: security-events: write @@ -43,7 +25,7 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run Trivy vulnerability scanner in filesystem mode + - name: Run Trivy vulnerability scanner in filesystem mode (table format) uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: 'fs' @@ -68,7 +50,7 @@ jobs: utils/trivy/trivy.yaml sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml - - name: Run Trivy vulnerability scanner in filesystem mode + - name: Run Trivy vulnerability scanner in filesystem mode (sarif format) uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: 'fs' @@ -87,7 +69,7 @@ jobs: sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml - - name: Run Trivy vulnerability scanner in filesystem mode + - name: Run Trivy vulnerability scanner in filesystem mode (human readable format) uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: 'fs' From c4fa9390070594beb14f8864b835342a017bcb55 Mon Sep 17 00:00:00 2001 
From: Tomasz Gromadzki Date: Thu, 24 Oct 2024 07:45:18 +0200 Subject: [PATCH 07/12] SRE-2505 ci: Fix Trivy scan upload to the Security tab Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki From 184fabd8dd19628de116749927387b66e1d6cbe7 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 24 Sep 2024 08:03:48 +0200 Subject: [PATCH 08/12] SRE-2505 ci: Trivy scans tuning - Use GHA cache to avoid Trivy scan failure Trivy CVEs database downloads fails often. The most promissing solution is to use cache and download the database once a day. CVEs database is cached during daily build (`schedule`). Cache is not used if `master` branch cache is not available. https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch - Avoid Trivy scanners re-initialization https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times The latest available version of `aquasecurity/trivy-action` is used to be able to use `skip-setup-trivy` parameter. Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 114 +++++++++++++++++++++++++++++++++--- README.md | 1 + utils/trivy/trivy.yaml | 3 + 3 files changed, 109 insertions(+), 9 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 8f5524d4513..2a9d291ccd0 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,7 +1,12 @@ +# SPDX-License-Identifier: BSD-2-Clause-Patent +# Copyright (c) 2024 Intel Corporation. + name: Trivy scan on: workflow_dispatch: + schedule: + - cron: '0 0 * * *' push: branches: ["master", "release/**"] pull_request: 
@@ -11,19 +16,98 @@ on: permissions: {} jobs: - build: - name: Build - runs-on: ubuntu-20.04 + update-trivy-db: + name: Update Trivy DB + runs-on: ubuntu-latest + steps: + - name: Checkout code to see if we run on default (master) branch + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Skip update on not default branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + run: | + echo "Not on the default branch" + exit 0 + + - name: Setup oras + if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21 + + - name: Get current date to create cache entry + if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Check if Trivy DB cached already + if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + id: db-downloaded + uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + lookup-only: true + + - name: Download and extract the vulnerability DB + if: | + steps.db-downloaded.outputs.cache-hit != 'true' && + github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + if: | + steps.db-downloaded.outputs.cache-hit != 'true' && + github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - 
name: Save DBs in cache of the default (master) branch + if: | + steps.db-downloaded.outputs.cache-hit != 'true' && + github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + + scan: + name: Scan with Trivy + needs: update-trivy-db + runs-on: ubuntu-latest + permissions: + security-events: write steps: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + - name: Get current date to create cache entry + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Check if Trivy DB cached already + id: db-downloaded + uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + lookup-only: true + + - name: Run Trivy vulnerability scanner in filesystem mode (table format) + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' + cache: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + env: + TRIVY_SKIP_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + TRIVY_SKIP_JAVA_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} - name: Prepare the report to be uploaded to the GitHub artifact store run: | 
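Review bot: The `Download and extract the vulnerability DB` and `Download and extract the Java DB` steps pull the mutable tags `trivy-db:2` and `trivy-java-db:1` and unpack them straight into the cache that every branch later consumes with `TRIVY_SKIP_DB_UPDATE` enabled, so the integrity of the shared database rests entirely on the registry connection; recording the digest that `oras pull` resolves in the step output would at least make a partial or unexpected download visible in the log. Separately, the scan job's `Check if Trivy DB cached already` step uses `lookup-only: true`, so it restores nothing; the following `trivy-action` step with `cache: true` appears to re-restore the same `${{ github.workspace }}/.cache/trivy` / `cache-trivy-<date>` entry through the action's own caching, which only works because path and key match the action's convention. That coupling deserves a comment on the lookup step, e.g. `# lookup-only: trivy-action restores the entry itself; path and key must stay identical to its defaults`. The `update-trivy-db` job starts on the previous physical line and the `scan` job continues past the end of this hunk.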
@@ -43,12 +127,18 @@ jobs: utils/trivy/trivy.yaml sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + - name: Run Trivy vulnerability scanner in filesystem mode (sarif format) + # master to have 'skip-setup-trivy' + uses: aquasecurity/trivy-action@d2a392a13760cb64cb6bbd31d4bed2a7d9a5298d with: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' + skip-setup-trivy: true + cache: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + env: + TRIVY_SKIP_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + TRIVY_SKIP_JAVA_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a @@ -62,9 +152,15 @@ jobs: sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + - name: Run Trivy vulnerability scanner in filesystem mode (human readable format) + # master to have 'skip-setup-trivy' + uses: aquasecurity/trivy-action@d2a392a13760cb64cb6bbd31d4bed2a7d9a5298d with: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' + skip-setup-trivy: true + cache: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + env: + TRIVY_SKIP_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + TRIVY_SKIP_JAVA_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} diff --git a/README.md b/README.md index 0bd1915919e..35fd647b185 100644 --- a/README.md +++ b/README.md 
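Review bot: The two `uses: aquasecurity/trivy-action@d2a392a13760cb64cb6bbd31d4bed2a7d9a5298d` lines (this hunk and the next one on the same line) run an unreleased revision of the action while the first scan step in the same job stays on 0.28.0, and `skip-setup-trivy: true` makes the later steps reuse the binary the older revision installed; two revisions of one action within a job can disagree on defaults or cache layout, and the bare `# master to have 'skip-setup-trivy'` comment does not say which commit of master this is or when it can be dropped. Either move all three steps to the same ref, or expand the comment to `# unreleased master as of <YYYY-MM-DD>, needed for 'skip-setup-trivy'; replace with the next tagged release`.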
@@ -5,6 +5,7 @@ [![Build](https://github.com/daos-stack/daos/actions/workflows/ci2.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/ci2.yml) [![Codespell](https://github.com/daos-stack/daos/actions/workflows/spelling.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/spelling.yml) [![Doxygen](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml) +[![Trivy scan](https://github.com/daos-stack/daos/actions/workflows/trivy.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/trivy.yml) diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml index cfb13b5c40f..50f0d6ab500 100644 --- a/utils/trivy/trivy.yaml +++ b/utils/trivy/trivy.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: BSD-2-Clause-Patent +# Copyright (c) 2024 Intel Corporation. + cache: backend: fs dir: From 827c0670c6edc6b9da216da2306eeced37eb6b08 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 29 Oct 2024 12:34:40 +0100 Subject: [PATCH 09/12] common: update workflow documentation Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 2a9d291ccd0..a5442a763bc 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -17,18 +17,30 @@ permissions: {} jobs: update-trivy-db: - name: Update Trivy DB + # Only one CVEs database in the default branch cache to be shared across all branches. + # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache + # The solution is based on + # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch. + # Alternatively, it can be moved to a separate workflow. + # The workflow triggered by `schedule` event at 00:00 creates a new cache entry + # based on actual date (e.g. `cache-trivy-2024-10-29`). + # The same cache key is used for a whole date by all workflow execution. + # Practically all PR-triggered execution skips this job, + # as it is not executed on the `default` branch + + name: Update Trivy DB in the default branch cache runs-on: ubuntu-latest steps: - name: Checkout code to see if we run on default (master) branch uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Skip update on not default branch + # This step is only to print message why we are skipping database update + - name: CVEs database update conditions check if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) run: | - echo "Not on the default branch" - exit 0 + echo "Not on the default branch - skip CVEs database caching" + # The following steps are executed only on the default branch - name: Setup oras if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21 
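Review bot: The new job comment attributes cache creation to the `schedule` event at 00:00, but the workflow also runs on `push` to master and the steps below gate only on being on the default branch, so the first default-branch run of a day — scheduled or pushed — creates the entry and every later run that day is a lookup-only hit. Stating that, e.g. `# The first default-branch run of the day (scheduled at 00:00, or a push to master) creates the entry`, keeps the comment accurate. Two of the new sentences also read awkwardly (`by all workflow execution`, `all PR-triggered execution skips this job`); plural `executions` fixes both. The rest of the `update-trivy-db` job continues outside the hunk.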
@@ -38,7 +50,7 @@ jobs: id: date run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - name: Check if Trivy DB cached already + - name: Check if Trivy DB cached already for a given date if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) id: db-downloaded uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 @@ -55,7 +67,6 @@ jobs: mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db oras pull ghcr.io/aquasecurity/trivy-db:2 tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - rm db.tar.gz - name: Download and extract the Java DB if: | @@ -65,7 +76,6 @@ jobs: mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db oras pull ghcr.io/aquasecurity/trivy-java-db:1 tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db - rm javadb.tar.gz - name: Save DBs in cache of the default (master) branch if: | @@ -78,6 +88,8 @@ jobs: scan: name: Scan with Trivy + # Trivy scan may use cached CVEs database if cache already exists. + # Otherwise, the Trivy scan tool downloads CVEs database itself. needs: update-trivy-db runs-on: ubuntu-latest permissions: From c9e4e5ca4e8be515668b8d795d134d8152eae849 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Wed, 30 Oct 2024 07:21:03 +0100 Subject: [PATCH 10/12] Make the solution more reliable and more simple Use external caching mechanism to ensure PR scan not failing. Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index a5442a763bc..40c0f6b3bdf 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -98,17 +98,12 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Get current date to create cache entry - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Check if Trivy DB cached already - id: db-downloaded + - name: Restore Trivy CVEs DB from cache (the latest one) uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} - lookup-only: true + key: cache-trivy-YY-MM-DD + restore-keys: cache-trivy- - name: Run Trivy vulnerability scanner in filesystem mode (table format) uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 @@ -116,10 +111,10 @@ jobs: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' - cache: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + cache: false env: - TRIVY_SKIP_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} - TRIVY_SKIP_JAVA_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Prepare the report to be uploaded to the GitHub artifact store run: | @@ -147,10 +142,10 @@ jobs: scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' skip-setup-trivy: true - cache: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + cache: false env: - TRIVY_SKIP_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} - TRIVY_SKIP_JAVA_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a 
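Review bot: The skip flags `TRIVY_SKIP_DB_UPDATE: true` and `TRIVY_SKIP_JAVA_DB_UPDATE: true` set in the two following hunks on this line and the one on the next line are now unconditional, but nothing in `Restore Trivy CVEs DB from cache (the latest one)` in this hunk checks whether an entry was actually found: on a fresh repository, after cache eviction, or once the daily refresh stops (GitHub disables scheduled workflows on inactive repositories) the scan runs with no database and fails, and with `restore-keys: cache-trivy-` matching an old entry it instead runs silently against a stale vulnerability database with no age check. Give the restore step an `id:` and derive the flags from its output, for example `TRIVY_SKIP_DB_UPDATE: ${{ steps.<restore-id>.outputs.cache-matched-key != '' }}`, so a miss falls back to a normal download (`cache-hit` alone is only set on an exact primary-key match). The literal `key: cache-trivy-YY-MM-DD` is a placeholder that can never match; if the intent is "restore-keys only", a comment saying so would stop someone "fixing" it to a real date. The staleness risk remains even with the gate and should at least be documented next to `restore-keys`.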
@@ -172,7 +167,7 @@ jobs: scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' skip-setup-trivy: true - cache: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + cache: false env: - TRIVY_SKIP_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} - TRIVY_SKIP_JAVA_DB_UPDATE: ${{ steps.db-downloaded.outputs.cache-hit == 'true' }} + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true From ecab684f8e0f221be391027418be75b8d50c9e10 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Wed, 30 Oct 2024 23:40:36 +0100 Subject: [PATCH 11/12] common: simplified workflow with cache enabled Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 100 +----------------------------------- 1 file changed, 2 insertions(+), 98 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 40c0f6b3bdf..89152cb1afa 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -16,81 +16,8 @@ on: permissions: {} jobs: - update-trivy-db: - # Only one CVEs database in the default branch cache to be shared across all branches. - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache - # The solution is based on - # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch. - # Alternatively, it can be moved to a separate workflow. - # The workflow triggered by `schedule` event at 00:00 creates a new cache entry - # based on actual date (e.g. `cache-trivy-2024-10-29`). - # The same cache key is used for a whole date by all workflow execution. - # Practically all PR-triggered execution skips this job, - # as it is not executed on the `default` branch - - name: Update Trivy DB in the default branch cache - runs-on: ubuntu-latest - steps: - - name: Checkout code to see if we run on default (master) branch - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - # This step is only to print message why we are skipping database update - - name: CVEs database update conditions check - if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - run: | - echo "Not on the default branch - skip CVEs database caching" - - # The following steps are executed only on the default branch - - name: Setup oras - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21 - - - name: Get current date to create cache entry - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Check if Trivy DB cached already for a given date - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - id: db-downloaded - uses: 
actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} - lookup-only: true - - - name: Download and extract the vulnerability DB - if: | - steps.db-downloaded.outputs.cache-hit != 'true' && - github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db - oras pull ghcr.io/aquasecurity/trivy-db:2 - tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - - - name: Download and extract the Java DB - if: | - steps.db-downloaded.outputs.cache-hit != 'true' && - github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db - oras pull ghcr.io/aquasecurity/trivy-java-db:1 - tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db - - - name: Save DBs in cache of the default (master) branch - if: | - steps.db-downloaded.outputs.cache-hit != 'true' && - github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} - scan: name: Scan with Trivy - # Trivy scan may use cached CVEs database if cache already exists. - # Otherwise, the Trivy scan tool downloads CVEs database itself. - needs: update-trivy-db runs-on: ubuntu-latest permissions: security-events: write 
@@ -98,23 +25,12 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Restore Trivy CVEs DB from cache (the latest one) - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-YY-MM-DD - restore-keys: cache-trivy- - - name: Run Trivy vulnerability scanner in filesystem mode (table format) uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' - cache: false - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Prepare the report to be uploaded to the GitHub artifact store run: | @@ -135,17 +51,11 @@ jobs: sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml - name: Run Trivy vulnerability scanner in filesystem mode (sarif format) - # master to have 'skip-setup-trivy' - uses: aquasecurity/trivy-action@d2a392a13760cb64cb6bbd31d4bed2a7d9a5298d + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' - skip-setup-trivy: true - cache: false - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a 
@@ -160,14 +70,8 @@ jobs: sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml - name: Run Trivy vulnerability scanner in filesystem mode (human readable format) - # master to have 'skip-setup-trivy' - uses: aquasecurity/trivy-action@d2a392a13760cb64cb6bbd31d4bed2a7d9a5298d + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: scan-type: 'fs' scan-ref: '.' trivy-config: 'utils/trivy/trivy.yaml' - skip-setup-trivy: true - cache: false - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true From 78a59e308eaeea2f9a6abe0d719de88a10e99664 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Wed, 30 Oct 2024 23:43:56 +0100 Subject: [PATCH 12/12] common: enable Trivy debug Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- utils/trivy/trivy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml index 50f0d6ab500..c6d9974456d 100644 --- a/utils/trivy/trivy.yaml +++ b/utils/trivy/trivy.yaml @@ -19,7 +19,7 @@ db: no-progress: false repository: ghcr.io/aquasecurity/trivy-db skip-update: false -debug: false +debug: true dependency-tree: true exit-code: 0 generate-default-config: false
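Review bot: `debug: true` is committed as the permanent setting of `utils/trivy/trivy.yaml`, and neither the file nor the commit message gives a reason or an exit condition, so every scheduled, push and PR scan will now emit Trivy's debug output into CI logs indefinitely. If this is for troubleshooting, say so next to the key, `# debug: temporary — <reason>; revert to false when done`, or enable it only from the workflow step that needs it so the shared config keeps its default. The `sed` edits between the three scan steps change `format` and `exit-code` but leave `debug` alone, so all three steps inherit it.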