Use GitLab's advisory DB with container scanning
Why are we doing this work
We want to include the latest advisories from gemnasium-db in our container scanning analyzer.
Relevant links
- Trivy supports the GitLab Advisory DB, called "GLAD" in the implementation.
- We have an up-to-date fork of trivy-db in GitLab.
Non-functional requirements
- Documentation:
  - Container scanning user documentation
  - Legal requirements
- Feature flag: -
- Performance: -
- Testing: -
- Legal:
  - we are legally allowed to do this
  - the documentation requirements have been added to the scope
Implementation plan
Building the database artifacts
Maciej's trivy-db-gitlab-build now releases the built trivy-db databases as OCI artifacts to the project's container registry.
- Copy gitlab-org/protect/demos/sandbox/trivy-db-gitlab-build to gitlab-org/security-products/dependencies/trivy-db-glad. Currently, two workarounds are included as we rely on upstream merging our contributions:
  - Maciej's fork of vuln-list-db is currently used, because the PR has not been merged yet.
  - trivy-db's OCI media type is not in use, because as of March 30, the GitLab registry does not support it. However, support was added and the media types will likely be supported tomorrow, March 31.
- Add a README explaining the build process
- Schedule pipeline runs for the default branch, every 12 hours
Consuming the database artifacts
In container-scanning/script/setup.sh, pull in the database artifact:
diff --git a/script/setup.sh b/script/setup.sh
--- a/script/setup.sh
+++ b/script/setup.sh
@@ -10,7 +10,7 @@ setup_trivy_files() {
echo "Dowloading and installing Trivy ${trivy_version}"
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v"${trivy_version}"/trivy_"${trivy_version}"_Linux-64bit.tar.gz -O - | tar -zxvf -
echo "Dowloading Trivy DB"
- oras pull ghcr.io/aquasecurity/trivy-db:"${trivy_db_version}" -a && tar -zxvf db.tar.gz -C "$TMP_FOLDER"
+ oras pull registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db-glad:"${trivy_db_version}" -a && tar -zxvf db.tar.gz -C "$TMP_FOLDER"
rm -f db.tar.gz
echo "Setting up Trivy files"
mkdir -p /home/gitlab/.cache/trivy/db
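Review bot: the `+` line fetches the GLAD database by the mutable tag `"${trivy_db_version}"` and hands the result straight to `tar -zxvf db.tar.gz -C "$TMP_FOLDER"` with no integrity check, so a moved tag or a tampered artifact in the registry would be unpacked silently; consider pinning by digest or verifying a published checksum before extracting. Since `trivy_db_version` previously selected a tag of `ghcr.io/aquasecurity/trivy-db`, document that it now selects a tag of `trivy-db-glad`, whose tagging scheme the build project defines. The unchanged `echo "Dowloading ..."` context lines also carry a typo ("Dowloading") that could be fixed in a follow-up.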
Legal requirements
- Move the trivy binary to its own directory, along with LICENSE
- Add GitLab's EE license for the container scanning analyzer to /home/gitlab.
- Add trivy-db's NOTICE and LICENSE files to /home/gitlab/.cache/trivy/db
- Add GitLab's Gemnasium license to the location where its database is to be installed in the image.
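As an added example (not the analyzer's setup.sh and not code from the trivy-db-glad project), the shell below shows the verify-then-install step a practitioner would want around the database pull described above: the archive is checked against a pinned SHA-256 before anything is unpacked, unpacked into a scratch directory so a bad archive never half-populates the Trivy cache, and the NOTICE and LICENSE files are staged next to the database as the legal checklist requires. It assumes the archive contains trivy.db and metadata.json, and it replaces the registry fetch with a constructed local archive so that it runs offline; the helper names, the cache and license directories, and the metadata contents are assumptions.

```shell
#!/bin/sh
# Added example, not the analyzer's own setup.sh: verify a trivy-db archive
# against a pinned SHA-256, unpack it into the Trivy cache, and stage the
# third-party notices beside it. Archive layout (trivy.db + metadata.json)
# and all file names here are assumptions for illustration.
set -eu

# Print the SHA-256 of a file; works with GNU coreutils or BSD/macOS shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Build a constructed stand-in for the registry artifact so the example runs
# offline: a tar.gz holding the two files trivy-db ships, plus NOTICE/LICENSE.
# Prints the archive path.
make_sample_archive() {
  dir="$1"
  mkdir -p "$dir/payload"
  printf 'constructed placeholder, not a real database\n' > "$dir/payload/trivy.db"
  printf '{"Version": 2, "note": "constructed metadata"}\n' > "$dir/payload/metadata.json"
  printf 'constructed NOTICE\n' > "$dir/NOTICE"
  printf 'constructed LICENSE\n' > "$dir/LICENSE"
  tar -czf "$dir/db.tar.gz" -C "$dir/payload" trivy.db metadata.json
  printf '%s\n' "$dir/db.tar.gz"
}

# install_trivy_db <archive> <expected_sha256> <cache_dir> <license_dir>
# Returns non-zero, leaving cache_dir untouched, if the checksum does not match
# or the archive lacks the expected database files.
install_trivy_db() {
  archive="$1"; expected="$2"; cache_dir="$3"; license_dir="$4"
  actual="$(file_sha256 "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: got $actual, want $expected" >&2
    return 1
  fi
  # Unpack into scratch space first; only a fully validated archive reaches the cache.
  staging="$(mktemp -d)"
  tar -xzf "$archive" -C "$staging"
  for f in trivy.db metadata.json; do
    if [ ! -f "$staging/$f" ]; then
      echo "archive is missing $f" >&2
      rm -rf "$staging"
      return 1
    fi
  done
  mkdir -p "$cache_dir"
  mv "$staging/trivy.db" "$staging/metadata.json" "$cache_dir/"
  rm -rf "$staging"
  # Ship trivy-db's notices next to the database, per the legal checklist.
  for f in NOTICE LICENSE; do
    if [ -f "$license_dir/$f" ]; then
      cp "$license_dir/$f" "$cache_dir/$f"
    fi
  done
  return 0
}

# Stand-alone demo: build the constructed archive, pin its checksum, install it.
demo_dir="$(mktemp -d)"
demo_archive="$(make_sample_archive "$demo_dir/src")"
install_trivy_db "$demo_archive" "$(file_sha256 "$demo_archive")" "$demo_dir/cache" "$demo_dir/src"
ls "$demo_dir/cache"
rm -rf "$demo_dir"
```

In the real setup.sh the pinned checksum (or an image digest) would be committed alongside the pinned trivy_db_version rather than computed from the download itself; computing it at install time, as the demo does for its constructed archive, proves nothing about the artifact's origin.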
Edited by Brian Williams