Use Trivy database that contains GitLab Advisory Database
Why is this change being made?
We want to use GitLab's advisory DB with container scanning (gitlab-org/gitlab#349160 (closed)).
To simplify distribution, we ship both CE and EE Trivy databases within the same images (relevant Slack thread).
The scanner symlinks one of the two databases, according to the existing EE detection (Gcs::Environment.ee?).
Images include the following licenses:
- Trivy
- Grype
- GitLab Enterprise License
- GitLab Advisory Database Terms
Directory layouts
Trivy
/home/gitlab
├── GRYPE_VERSION
├── TRIVY_DB_VERSION
├── TRIVY_VERSION
├── ee
│   └── LICENSE
├── gcs.gem
├── opt
│   └── trivy
│       ├── LICENSE
│       ├── README.md
│       ├── contrib
│       │   ├── asff.tpl
│       │   ├── gitlab-codequality.tpl
│       │   ├── gitlab.tpl
│       │   ├── html.tpl
│       │   └── junit.tpl
│       └── trivy
├── setup.sh
└── trivy -> /home/gitlab/opt/trivy/trivy
Without GITLAB_FEATURES=container_scanning:
/home/gitlab/.cache/trivy/
├── db
│   ├── ce
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── ee
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── legal
│   │   ├── glad
│   │   │   └── LICENSE
│   │   └── trivy-db
│   │       ├── LICENSE
│   │       └── NOTICE
│   ├── metadata.json -> /home/gitlab/.cache/trivy/db/ce/metadata.json
│   └── trivy.db -> /home/gitlab/.cache/trivy/db/ce/trivy.db
└── fanal
    └── fanal.db
With GITLAB_FEATURES=container_scanning:
/home/gitlab/.cache/trivy/
├── db
│   ├── ce
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── ee
│   │   ├── metadata.json
│   │   └── trivy.db
│   ├── legal
│   │   ├── glad
│   │   │   └── LICENSE
│   │   └── trivy-db
│   │       ├── LICENSE
│   │       └── NOTICE
│   ├── metadata.json -> /home/gitlab/.cache/trivy/db/ee/metadata.json
│   └── trivy.db -> /home/gitlab/.cache/trivy/db/ee/trivy.db
└── fanal
    └── fanal.db
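The edition selection the description and the two cache layouts above illustrate, as an added example that is not the gcs gem's own Gcs::Environment.ee? or setup.sh. It assumes, as the layout headings imply, that the EE test is GITLAB_FEATURES listing container_scanning, and it fails closed when the chosen edition's files are not both present, so Trivy never runs against a half-present or mixed database.

```ruby
require "fileutils"
require "tmpdir"

# Assumed EE test (hypothetical helper, not Gcs::Environment.ee?):
# GITLAB_FEATURES is a comma-separated list that includes container_scanning.
def ee_features?(env = ENV)
  env.fetch("GITLAB_FEATURES", "").split(",").map(&:strip).include?("container_scanning")
end

DB_FILES = %w[metadata.json trivy.db].freeze

# Point <db_root>/metadata.json and <db_root>/trivy.db at the chosen edition's
# files, as in the layouts. Fails closed: if the edition is incomplete nothing
# is linked, so the previous selection is never half-replaced.
def select_trivy_db(db_root, edition)
  raise ArgumentError, "unknown edition #{edition}" unless %w[ce ee].include?(edition)
  src_dir = File.join(db_root, edition)
  missing = DB_FILES.reject { |f| File.file?(File.join(src_dir, f)) }
  raise "#{edition} database incomplete: missing #{missing.join(', ')}" unless missing.empty?
  DB_FILES.each do |f|
    link = File.join(db_root, f)
    FileUtils.rm_f(link)                      # drop any previous selection
    File.symlink(File.join(src_dir, f), link) # absolute target, as in the layouts
  end
  edition
end

# Post-setup check: which edition do the top-level links resolve to?
# Returns "ce", "ee", or nil when a link is missing or the two disagree.
def selected_edition(db_root)
  editions = DB_FILES.map do |f|
    link = File.join(db_root, f)
    next nil unless File.symlink?(link)
    File.basename(File.dirname(File.readlink(link)))
  end.uniq
  editions.size == 1 ? editions.first : nil
end

# Constructed copy of the page's db layout in a temp dir; runs both paths.
def demo
  Dir.mktmpdir do |root|
    %w[ce ee].each do |ed|
      FileUtils.mkdir_p(File.join(root, ed))
      DB_FILES.each { |f| File.write(File.join(root, ed, f), "#{ed} #{f}") }
    end
    without = select_trivy_db(root, ee_features?({}) ? "ee" : "ce")
    with = select_trivy_db(root, ee_features?("GITLAB_FEATURES" => "container_scanning") ? "ee" : "ce")
    [without, with, selected_edition(root)]
  end
end
```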
Grype
/home/gitlab
├── GRYPE_VERSION
├── TRIVY_DB_VERSION
├── TRIVY_VERSION
├── ee
│   └── LICENSE
├── gcs.gem
├── grype -> /home/gitlab/opt/grype/grype
├── legal
│   └── grype
│       └── LICENSE
├── opt
│   └── grype
│       └── grype
└── setup.sh
Edited by Dominic Bauer