
Use Trivy database that contains GitLab Advisory Database

Why is this change being made?

We want to use GitLab's advisory DB with container scanning (gitlab-org/gitlab#349160 (closed)).

To simplify distribution, we ship both CE and EE Trivy databases within the same images (relevant Slack thread).

The scanner symlinks the top-level db/metadata.json and db/trivy.db to one of the two databases (ce or ee), according to the existing EE detection (Gcs::Environment.ee?), so Trivy itself only ever sees a single database in its cache.

Images include the following licenses:

  • Trivy
  • Grype
  • GitLab Enterprise License
  • GitLab Advisory Database Terms

Directory layouts

Trivy

/home/gitlab
├── GRYPE_VERSION
├── TRIVY_DB_VERSION
├── TRIVY_VERSION
├── ee
│   └── LICENSE
├── gcs.gem
├── opt
│   └── trivy
│       ├── LICENSE
│       ├── README.md
│       ├── contrib
│       │   ├── asff.tpl
│       │   ├── gitlab-codequality.tpl
│       │   ├── gitlab.tpl
│       │   ├── html.tpl
│       │   └── junit.tpl
│       └── trivy
├── setup.sh
└── trivy -> /home/gitlab/opt/trivy/trivy

Without GITLAB_FEATURES=container_scanning:

/home/gitlab/.cache/trivy/
├── db
│   ├── ce
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── ee
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── legal
│   │   ├── glad
│   │   │   └── LICENSE
│   │   └── trivy-db
│   │       ├── LICENSE
│   │       └── NOTICE
│   ├── metadata.json -> /home/gitlab/.cache/trivy/db/ce/metadata.json
│   └── trivy.db -> /home/gitlab/.cache/trivy/db/ce/trivy.db
└── fanal
    └── fanal.db

With GITLAB_FEATURES=container_scanning:

/home/gitlab/.cache/trivy/
├── db
│   ├── ce
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── ee
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── legal
│   │   ├── glad
│   │   │   └── LICENSE
│   │   └── trivy-db
│   │       ├── LICENSE
│   │       └── NOTICE
│   ├── metadata.json -> /home/gitlab/.cache/trivy/db/ee/metadata.json
│   └── trivy.db -> /home/gitlab/.cache/trivy/db/ee/trivy.db
└── fanal
    └── fanal.db
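The selection step the two layouts above show (pointing db/metadata.json and db/trivy.db at either db/ce/ or db/ee/ depending on whether GITLAB_FEATURES lists container_scanning), written out as an added example. This is not the analyzer's own code: the module name TrivyDbSelector, the flavour helper standing in for Gcs::Environment.ee?, and the fixture cache with dummy database files are assumptions made so the example runs offline against a temporary directory instead of /home/gitlab/.cache/trivy.

```ruby
# Added example, not part of the container-scanning analyzer.
# Selects the CE or EE Trivy database by symlinking the top-level
# db/metadata.json and db/trivy.db at db/<flavour>/, as in the layouts above.
require "fileutils"
require "tmpdir"

module TrivyDbSelector
  DB_FILES = %w[metadata.json trivy.db].freeze

  # Stand-in for Gcs::Environment.ee? (assumption): "ee" when the
  # GITLAB_FEATURES list contains container_scanning, "ce" otherwise.
  def self.flavour(features = ENV.fetch("GITLAB_FEATURES", ""))
    features.split(",").map(&:strip).include?("container_scanning") ? "ee" : "ce"
  end

  # Point db/metadata.json and db/trivy.db at the chosen flavour.
  # Returns a hash of link name => resolved target so callers can verify
  # which database the scanner will actually read.
  def self.select!(cache_dir, flavour)
    db_dir = File.join(cache_dir, "db")
    target_dir = File.join(db_dir, flavour)
    DB_FILES.each do |name|
      target = File.join(target_dir, name)
      # Never create a dangling link: both files must exist in the bundled
      # flavour, otherwise the scanner would be left with no usable database.
      raise ArgumentError, "missing #{target}" unless File.file?(target)

      link = File.join(db_dir, name)
      # Create the link under a temporary name and rename it into place, so
      # an existing link is swapped in one step rather than unlinked first.
      tmp = "#{link}.tmp"
      File.delete(tmp) if File.symlink?(tmp) || File.exist?(tmp)
      File.symlink(target, tmp)
      File.rename(tmp, link)
    end
    DB_FILES.to_h { |name| [name, File.readlink(File.join(db_dir, name))] }
  end

  # Constructed stand-in for /home/gitlab/.cache/trivy with dummy ce/ and ee/
  # databases (assumption: contents are placeholders, not real Trivy DBs).
  def self.fixture_cache
    dir = Dir.mktmpdir("trivy-cache")
    %w[ce ee].each do |f|
      flavour_dir = File.join(dir, "db", f)
      FileUtils.mkdir_p(flavour_dir)
      File.write(File.join(flavour_dir, "metadata.json"), %({"Version":2,"Flavour":"#{f}"}))
      File.write(File.join(flavour_dir, "trivy.db"), "bolt-#{f}")
    end
    dir
  end
end

if $PROGRAM_NAME == __FILE__
  cache = TrivyDbSelector.fixture_cache
  links = TrivyDbSelector.select!(cache, TrivyDbSelector.flavour)
  links.each { |name, target| puts "db/#{name} -> #{target}" }
end
```

Run with GITLAB_FEATURES=container_scanning to see both links resolve into db/ee/, and without it to see them resolve into db/ce/. The existence check before linking matters in practice: a symlink to a missing file would leave Trivy with an empty cache rather than the bundled database the image is meant to provide.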

Grype

/home/gitlab
├── GRYPE_VERSION
├── TRIVY_DB_VERSION
├── TRIVY_VERSION
├── ee
│   └── LICENSE
├── gcs.gem
├── grype -> /home/gitlab/opt/grype/grype
├── legal
│   └── grype
│       └── LICENSE
├── opt
│   └── grype
│       └── grype
└── setup.sh

Edited by Dominic Bauer
