Merge pull request #411 from fabriziosestito/test/pin-vuln-db

test: use fixed vulnerability databases from our registry

Author: fabriziosestito

cmd/worker/main.go

@@ -28,14 +28,18 @@ func main() { //nolint:funlen // This function is intentionally long to keep the
 	var natsKey string
 	var natsCA string
 	var logLevel string
+	var trivyDBRepository string
+	var trivyJavaDBRepository string
 	var runDir string
 
-	flag.StringVar(&natsURL, "nats-url", "localhost:4222", "The URL of the NATS server")
+	flag.StringVar(&natsURL, "nats-url", "localhost:4222", "The URL of the NATS server.")
 	flag.StringVar(&natsCert, "nats-cert", "/nats/tls/tls.crt", "The path to the NATS client certificate.")
 	flag.StringVar(&natsKey, "nats-key", "/nats/tls/tls.key", "The path to the NATS client key.")
 	flag.StringVar(&natsCA, "nats-ca", "/nats/tls/ca.crt", "The path to the NATS CA certificate.")
-	flag.StringVar(&runDir, "run-dir", "/var/run/worker", "Directory to store temporary files")
-	flag.StringVar(&logLevel, "log-level", slog.LevelInfo.String(), "Log level")
+	flag.StringVar(&runDir, "run-dir", "/var/run/worker", "Directory to store temporary files.")
+	flag.StringVar(&trivyDBRepository, "trivy-db-repository", "public.ecr.aws/aquasecurity/trivy-db", "OCI repository to retrieve trivy-db.")
+	flag.StringVar(&trivyJavaDBRepository, "trivy-java-db-repository", "public.ecr.aws/aquasecurity/trivy-java-db", "OCI repository to retrieve trivy-java-db.")
+	flag.StringVar(&logLevel, "log-level", slog.LevelInfo.String(), "Log level.")
 	flag.Parse()
 
 	slogLevel, err := cmdutil.ParseLogLevel(logLevel)
@@ -101,7 +105,7 @@ func main() { //nolint:funlen // This function is intentionally long to keep the
 	registry := messaging.HandlerRegistry{
 		handlers.CreateCatalogSubject: handlers.NewCreateCatalogHandler(registryClientFactory, k8sClient, scheme, publisher, logger),
 		handlers.GenerateSBOMSubject:  handlers.NewGenerateSBOMHandler(k8sClient, scheme, runDir, publisher, logger),
-		handlers.ScanSBOMSubject:      handlers.NewScanSBOMHandler(k8sClient, scheme, runDir, logger),
+		handlers.ScanSBOMSubject:      handlers.NewScanSBOMHandler(k8sClient, scheme, runDir, trivyDBRepository, trivyJavaDBRepository, logger),
 	}
 	failureHandler := handlers.NewScanJobFailureHandler(k8sClient, logger)
 

internal/handlers/scan_sbom.go

@@ -37,24 +37,30 @@ const (
 
 // ScanSBOMHandler is responsible for handling SBOM scan requests.
 type ScanSBOMHandler struct {
-	k8sClient client.Client
-	scheme    *runtime.Scheme
-	workDir   string
-	logger    *slog.Logger
+	k8sClient             client.Client
+	scheme                *runtime.Scheme
+	workDir               string
+	trivyDBRepository     string
+	trivyJavaDBRepository string
+	logger                *slog.Logger
 }
 
 // NewScanSBOMHandler creates a new instance of ScanSBOMHandler.
 func NewScanSBOMHandler(
 	k8sClient client.Client,
 	scheme *runtime.Scheme,
 	workDir string,
+	trivyDBRepository string,
+	trivyJavaDBRepository string,
 	logger *slog.Logger,
 ) *ScanSBOMHandler {
 	return &ScanSBOMHandler{
-		k8sClient: k8sClient,
-		scheme:    scheme,
-		workDir:   workDir,
-		logger:    logger.With("handler", "scan_sbom_handler"),
+		k8sClient:             k8sClient,
+		scheme:                scheme,
+		workDir:               workDir,
+		trivyDBRepository:     trivyDBRepository,
+		trivyJavaDBRepository: trivyJavaDBRepository,
+		logger:                logger.With("handler", "scan_sbom_handler"),
 	}
 }
 
@@ -138,8 +144,8 @@ func (h *ScanSBOMHandler) Handle(ctx context.Context, message []byte) error { //
 		"--format", "json",
 		// Use the public ECR repository to bypass GitHub's rate limits.
 		// Refer to https://github.com/orgs/community/discussions/139074 for details.
-		"--db-repository", "public.ecr.aws/aquasecurity/trivy-db",
-		"--java-db-repository", "public.ecr.aws/aquasecurity/trivy-java-db",
+		"--db-repository", h.trivyDBRepository,
+		"--java-db-repository", h.trivyJavaDBRepository,
 		"--output", reportFile.Name(),
 	}
 	// Set XDG_DATA_HOME environment variable to /tmp because trivy expects

internal/handlers/scan_sbom_test.go

@@ -22,6 +22,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
+const (
+	testTrivyDBRepository     = "ghcr.io/rancher-sandbox/sbombastic/test-assets/trivy-db:2"
+	testTrivyJavaDBRepository = "ghcr.io/rancher-sandbox/sbombastic/test-assets/trivy-java-db:2"
+)
+
 func TestScanSBOMHandler_Handle(t *testing.T) {
 	vexHubServer := fakeVEXHubRepository(t)
 	vexHubServer.Start()
@@ -163,7 +168,7 @@ func testScanSBOM(t *testing.T, cacheDir, platform, sourceSBOMJSON, expectedRepo
 	err = json.Unmarshal(reportData, expectedReport)
 	require.NoError(t, err, "failed to unmarshal expected report file %s", expectedReportJSON)
 
-	handler := NewScanSBOMHandler(k8sClient, scheme, cacheDir, slog.Default())
+	handler := NewScanSBOMHandler(k8sClient, scheme, cacheDir, testTrivyDBRepository, testTrivyJavaDBRepository, slog.Default())
 
 	message, err := json.Marshal(&ScanSBOMMessage{
 		BaseMessage: BaseMessage{

test/fixtures/golang-1.12-alpine-386.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",
@@ -2158,4 +2156,4 @@
       ]
     }
   ]
-}
+}

test/fixtures/golang-1.12-alpine-amd64.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",

test/fixtures/golang-1.12-alpine-arm-v6.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",
@@ -2158,4 +2156,4 @@
       ]
     }
   ]
-}
+}

test/fixtures/golang-1.12-alpine-arm-v7.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",
@@ -2158,4 +2156,4 @@
       ]
     }
   ]
-}
+}

test/fixtures/golang-1.12-alpine-arm64-v8.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",
@@ -2158,4 +2156,4 @@
       ]
     }
   ]
-}
+}

test/fixtures/golang-1.12-alpine-ppc64le.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",
@@ -2158,4 +2156,4 @@
       ]
     }
   ]
-}
+}

test/fixtures/golang-1.12-alpine-s390x.sbombastic.json

@@ -2105,13 +2105,11 @@
             "https://access.redhat.com/errata/RHSA-2022:8291",
             "https://access.redhat.com/security/cve/CVE-2022-37434",
             "https://bugzilla.redhat.com/2116639",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2053198",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2077431",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=2081296",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2043753",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2116639",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434",
             "https://errata.almalinux.org/9/ALSA-2022-8291.html",
-            "https://errata.rockylinux.org/RLSA-2022:8291",
+            "https://errata.rockylinux.org/RLSA-2022:7793",
             "https://github.com/curl/curl/issues/9271",
             "https://github.com/ivd38/zlib_overflow",
             "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063",