feat: Update registry fallbacks

[simar7]

Description

Adds public ECR registry as a fallback for both vuln-db and java-db.

Related PRs

• feat: support multiple DB repositories for vulnerability and Java DB #7605

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

We should document how to authenticate with ECR. Otherwise, ECR Public has only 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on CI service as it shares IP addresses.

[DmitriyLewen]

I'm worried about adding ecr as the default registry.
I think most users will ignore the authentication recommendation, and some users just don't read the docs.

Instead of adding ecr - I suggest adding warning if downloading db from ghcr returns error.
We will show information about using ecr (with authentication information) + link to the docs.

[nvuillam]

We read the docs but... having to authenticate to aws would be a breaking change 🥹

[DmitriyLewen]

hello @nvuillam
Authentication is necessary to preserve aws limits for unauthenticated users as much as possible.
But we don't require it. We just ask users to do it if possible - it will help avoid rate limiting errors like ghcr.io.

[simar7]

We should document how to authenticate with ECR. Otherwise, ECR Public has only 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on CI service as it shares IP addresses.

Yes - I wanted to add more info on this topic. Added fa03189

[DmitriyLewen]

24 hours is incorrect.
We publish trivy-db every 6 hours, but update interval is 24 hours.
for trivy-java-db: publish every 24 hours, update interval is 3 days.

[knqyf263]

We will show information about using ecr (with authentication information) + link to the docs.

I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc.

Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.

[simar7]

We will show information about using ecr (with authentication information) + link to the docs.

I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc.

Yes but the same can be said for GHCR today.

Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.

I added some docs here.

Ultimately we can reach rate limits even with authenticated use of container registries. The fallback to using a secondary registry only mitigates the risk up to an extent.

[knqyf263]

Yes but the same can be said for GHCR today.

The rate limits in GHCR are on the organization, not the user, unlike ECR Public. In other words, heavy use of GHCR may make aquasecurity images unavailable, but not other images. Users may not be able to use Trivy, but they will be able to pull any other images except aquasecurity.