
Use GitLab's advisory DB with container scanning

Why are we doing this work

We want to include the latest advisories from gemnasium-db in our container scanning analyzer.

Relevant links

Non-functional requirements

  • Documentation:

    • Container scanning user documentation
    • Legal requirements
  • Feature flag:

  • Performance:

  • Testing:

  • Legal:

    • We are legally allowed to redistribute the gemnasium-db content in the analyzer image
    • The documentation requirements have been added to the scope

Implementation plan

Building the database artifacts

Maciej's trivy-db-gitlab-build project now publishes the trivy-db databases it builds from gemnasium-db as OCI artifacts in that project's container registry, so the analyzer can fetch them with oras in the same way it currently fetches the upstream database from ghcr.io.

Consuming the database artifacts

In container-scanning/script/setup.sh, pull the database artifact from GitLab's registry instead of ghcr.io:

diff --git a/script/setup.sh b/script/setup.sh
--- a/script/setup.sh
+++ b/script/setup.sh
@@ -10,7 +10,7 @@ setup_trivy_files() {
   echo "Dowloading and installing Trivy ${trivy_version}"
   wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v"${trivy_version}"/trivy_"${trivy_version}"_Linux-64bit.tar.gz -O - | tar -zxvf -
   echo "Dowloading Trivy DB"
-  oras pull ghcr.io/aquasecurity/trivy-db:"${trivy_db_version}" -a && tar -zxvf db.tar.gz -C "$TMP_FOLDER"
+  oras pull registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db-glad:"${trivy_db_version}" -a && tar -zxvf db.tar.gz -C "$TMP_FOLDER"
   rm -f db.tar.gz
   echo "Setting up Trivy files"
   mkdir -p /home/gitlab/.cache/trivy/db
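Review bot: the replacement `oras pull registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db-glad:"${trivy_db_version}" -a` fetches by a mutable tag and hands `db.tar.gz` straight to `tar` with no integrity check, so a retagged or tampered artifact would be installed silently; pin the reference by digest (`@sha256:...`) or compare the tarball's checksum against a value recorded when trivy-db-gitlab-build published it before extracting. `${trivy_db_version}` now selects a GLAD-built release rather than an upstream trivy-db version, so rename the variable or document the new numbering so the two schemes are not confused. If setup.sh does not run under `set -e`, a failed pull leaves the `&&` chain unexecuted but the function still continues into `rm -f db.tar.gz` and "Setting up Trivy files"; append `|| exit 1` to the chain. The unchanged `echo` lines in this hunk still read "Dowloading", which is worth fixing while the surrounding lines are being touched.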

Legal requirements

  1. Move the trivy binary to its own directory, along with LICENSE
  2. Add GitLab's EE license for the container scanning analyzer to /home/gitlab.
  3. Add trivy-db's NOTICE and LICENSE files to /home/gitlab/.cache/trivy/db
  4. Add GitLab's Gemnasium license to the location where its database is to be installed in the image.
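As an added example, not the project's setup.sh and not code from trivy-db-gitlab-build, the function below shows one way the consuming step and legal requirement 3 can be carried out together: the pulled db.tar.gz is accepted only if its SHA-256 matches a digest recorded when the artifact was built, and trivy-db's LICENSE and NOTICE are copied beside the extracted database under /home/gitlab/.cache/trivy/db. The function name, the root-directory and license-directory parameters, and the pinned digest are assumptions for illustration; oras is not invoked, so the block runs offline on a tarball already on disk.

```shell
#!/bin/sh
# Added example (not container-scanning's setup.sh): install an already pulled
# trivy-db tarball only after its SHA-256 matches a pinned value, then lay out
# trivy-db's LICENSE and NOTICE next to the database as legal requirement 3 asks.
set -eu

# install_trivy_db <db.tar.gz> <expected sha256> <root dir> <license dir>
#   root dir    - stands in for "/" of the analyzer image (assumed parameter so
#                 the function can be exercised against a scratch directory)
#   license dir - directory holding trivy-db's LICENSE and NOTICE files (assumed)
install_trivy_db() {
  tarball=$1
  expected=$2
  root=$3
  licdir=$4
  dbdir="$root/home/gitlab/.cache/trivy/db"

  # Integrity check: a registry tag such as :2 is mutable, so compare the
  # artifact against a digest recorded at build time before extracting anything.
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "trivy-db digest mismatch: expected $expected, got $actual" >&2
    return 1
  fi

  # Same layout setup.sh uses for the database, plus the license files.
  mkdir -p "$dbdir"
  tar -zxf "$tarball" -C "$dbdir"
  cp "$licdir/LICENSE" "$licdir/NOTICE" "$dbdir/"
  rm -f "$tarball"
}
```

The digest comparison runs before `tar` so a mismatch leaves the cache directory untouched and the tarball on disk for inspection; the pinned value would be produced by the build job that publishes the artifact and shipped with the analyzer alongside the version variable.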
Edited by Brian Williams