Operational Container Scanning fails to scan images with Java dependencies
### Summary

When Operational Container Scanning attempts to scan an image that contains Java dependencies, it attempts to download the Trivy Java DB from `ghcr.io/aquasecurity/trivy-java-db:1`. Because of the lower limits for unauthenticated users, the rate limit for pulling this image is hit quite quickly, causing the scans to fail.

### Steps to reproduce

1. Set up a Kubernetes cluster with a deployment that contains Java images. For example, you can create a deployment that uses the `webgoat/webgoat:latest` image.
2. Set up OCS on this cluster, and set a cadence for scans to run every 5 minutes.
3. After some time you will see that the scan pods fail because of the 429 Too Many Requests error.

### What is the current _bug_ behavior?

The rate limit is triggered, the scan fails, and all previous vulnerabilities are removed from the project.

### What is the expected _correct_ behavior?

1. The rate limit is not hit so quickly. The proposed solution is to use the GitLab mirrored database, but this doesn't mean that a rate limit is impossible to reach; it just means that it's highly unlikely.
2. _If_ the rate limit is reached, say a user has a cluster with a lot of activity, then the scan should fail and not cause the vulnerabilities to be removed. This will most likely turn into a separate issue.

### Relevant logs and/or screenshots

```sh
ERROR Error during vulnerabilities or misconfiguration scan err=\"scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:4c5f388e71e673829df754051fdd5038b76f9996dbb479fecd8cbac34d54a29e): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: DB download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1: TOOMANYREQUESTS: retry-after: 1.01763ms, allowed: 44000/minute
```

### Additional information

This occurs on the v0.4.0 release of the Trivy K8s wrapper.
### Possible fixes

_Not mutually exclusive._

* Set the Trivy K8s wrapper to use the GitLab mirror of the Trivy Java DB by default and release a new version (tentatively 0.6.0).

  ```yaml
  container_scanning:
    trivy_k8s_wrapper_image:
      repository: "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper"
      tag: "0.6.0"
    cadence: '*/5 * * * *'
  ```

* Allow users to define a mirror of the repository of their choice.
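As an added example (not code from this issue or from the Trivy K8s wrapper), the fail-closed handling asked for in the expected-behavior section: a scan run whose log ends in a registry rate-limit or DB download error is classified as failed, and the previously stored findings are kept instead of being cleared. The sample log lines and the `FINDING <id> <package>` line format are constructed for the example; only the `TOOMANYREQUESTS` error text comes from the issue.

```python
from dataclasses import dataclass, field

# Constructed log lines, modelled on the error quoted in the issue.
RATE_LIMITED_LOG = [
    "INFO scanning image webgoat/webgoat:latest",
    'ERROR Error during vulnerabilities or misconfiguration scan err="scan error: '
    "Unable to initialize the Java DB: Java DB update failed: DB download error: "
    "GET https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1: TOOMANYREQUESTS: "
    'retry-after: 1.01763ms, allowed: 44000/minute"',
]

# Markers that identify a transient failure rather than a clean result.
RATE_LIMIT_MARKERS = ("TOOMANYREQUESTS", "429 Too Many Requests")
DB_DOWNLOAD_MARKERS = ("DB download error", "Java DB update failed")


@dataclass(frozen=True)
class ScanResult:
    ok: bool
    reason: str
    findings: frozenset = field(default_factory=frozenset)


def parse_scan_log(lines):
    """Classify one scan run from its log lines.

    Any ERROR line aborts the run as failed, so an empty findings set is
    never mistaken for a completed scan that found nothing.
    """
    findings = set()
    for line in lines:
        if line.startswith("ERROR"):
            if any(m in line for m in RATE_LIMIT_MARKERS):
                return ScanResult(False, "rate_limited")
            if any(m in line for m in DB_DOWNLOAD_MARKERS):
                return ScanResult(False, "db_download_failed")
            return ScanResult(False, "scan_error")
        if line.startswith("FINDING "):  # constructed "FINDING <id> <package>"
            findings.add(line.split(maxsplit=1)[1])
    return ScanResult(True, "completed", frozenset(findings))


def reconcile(previous, result):
    """Return the vulnerability set to store after a run.

    Only a completed scan may replace the stored set; a failed run (the
    rate-limit case in this issue) leaves the previous findings untouched.
    """
    return result.findings if result.ok else previous
```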