Uncompress vulnerability databases at runtime

Proposal

In order to save space in the Docker image, gemnasium-maven contains various versions of Java in a compressed state and inflates them before running a scan.

The purpose of this issue is to implement the same approach in container-scanning in order to decrease the size of the Docker image. For example, this proof of concept Uncompress vulnerability databases at runtime (gitlab-org/security-products/analyzers/container-scanning!2868 - merged) was able to decrease the size of the container-scanning image from 1,160MB to 502MB, a savings of 57%.

Implementation Plan

Use Uncompress vulnerability databases at runtime (gitlab-org/security-products/analyzers/container-scanning!2868 - merged) as a starting point.

  1. Update script/setup.sh:

    1. Do not uncompress trivy data files:

      Remove the lines that uncompress db.tar.gz to trivy/ce/db and trivy/ee/db, and instead pull the trivy_db_version_ce and trivy_db_version_ee ORAS images directly into the /tmp/trivy-ce and /tmp/trivy-ee directories, respectively.

    2. Compress grype data files:

      In the setup_grype_files function, right after the call to download_grype_db, add another function, compress_grype_db, which compresses the files in ~/.cache/grype/db/.

  2. Create a .bashrc file which inflates the trivy and grype database files compressed in step 1 above.

    This .bashrc should be executed and inflate the vulnerability databases when running the GitLab container scanning image from:

    • the command line
    • a CI job

  3. Update the description of this issue to show how much space was saved for both the grype and trivy container scanning images.

    Compression and benchmarking details are in the MR description.
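Steps 1.2 and 2 above as one added shell example (my code, not the container-scanning MR's): a compress_grype_db for script/setup.sh and a matching inflate function for the .bashrc. The archive path grype-db.tar.gz, the .inflated marker file and the vulnerability.db/metadata.json layout are assumptions; GRYPE_DB_DIR defaults to the ~/.cache/grype/db directory named in step 1.2.

```shell
# Added example, not the container-scanning project's own code. The archive
# path, the .inflated marker and the db file names are assumptions.
set -eu

GRYPE_DB_DIR="${GRYPE_DB_DIR:-${HOME:-/root}/.cache/grype/db}"
GRYPE_DB_ARCHIVE="${GRYPE_DB_ARCHIVE:-${HOME:-/root}/.cache/grype/grype-db.tar.gz}"

# Build time (script/setup.sh, right after download_grype_db): pack the
# inflated database into one gzip'd tarball and delete the inflated copy,
# so only the archive ends up in the image layer.
compress_grype_db() {
  [ -d "$GRYPE_DB_DIR" ] || { echo "no grype db at $GRYPE_DB_DIR" >&2; return 1; }
  tar -C "$(dirname "$GRYPE_DB_DIR")" -czf "$GRYPE_DB_ARCHIVE" "$(basename "$GRYPE_DB_DIR")"
  rm -rf "$GRYPE_DB_DIR"
}

# Run time (.bashrc): inflate the archive once per container. The marker
# file makes every later shell a cheap no-op; a missing archive is not an
# error, since the image may already carry an inflated db.
inflate_grype_db() {
  [ -f "$GRYPE_DB_ARCHIVE" ] || return 0
  [ -f "$GRYPE_DB_DIR/.inflated" ] && return 0
  tar -C "$(dirname "$GRYPE_DB_DIR")" -xzf "$GRYPE_DB_ARCHIVE"
  # Only mark the step done if the database file actually came out
  [ -f "$GRYPE_DB_DIR/vulnerability.db" ] || { echo "inflate of $GRYPE_DB_ARCHIVE failed" >&2; return 1; }
  touch "$GRYPE_DB_DIR/.inflated"
}
```

bash reads .bashrc only for interactive shells, so a CI job's non-interactive shell needs BASH_ENV pointed at the file or must call inflate_grype_db explicitly before the scan.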

/cc @sam.white @gonzoyumo

Edited by Adam Cohen