
Update trivy to version 0.38.3

Craig Andrews requested to merge candrews/container-scanning:trivy-0.38.1 into master

Why is this change being made?

The current version of Trivy being used is 0.36.2, which is quite behind at this point.

The current latest version of Trivy is 0.38.3.

Changelogs for releases > 0.36.2:

The change of significance is the Java DB. Trivy will download a Java DB from an OCI container registry when it encounters Java files, then use that DB to determine what project those files belong to so it can then look up vulnerabilities for that project. The Java DB repository is configurable using the --java-db-repository argument. Ideally, I think GitLab should either bake the Java DB into its security-products/container-scanning image (like it does the vulnerability database already) or proxy the Java DB image (the default Java DB location is ghcr.io/aquasecurity/trivy-java-db).

I think this Trivy version bump should not wait for a "perfect" solution to the Java DB image situation, though. The version of Trivy included in container-scanning right now, 0.36.1, is susceptible to scans failing due to timeouts and/or giving inconsistent results due to a not perfectly reliable Maven service; see https://github.com/aquasecurity/trivy/issues/3421 for details.

This MR supersedes !2843 (closed)

What are the relevant issue numbers?

Add workaround in Container Scanning to allow u... (gitlab-org/gitlab#404587 - closed)

Edited by Adam Cohen
