fix: options for multiple java db references

future-architect · Oct 8, 2024 · ed79680 · ed79680
1 parent aa21f61
commit ed79680
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 8 deletions.
diff --git a/config/config.go b/config/config.go
@@ -89,9 +89,10 @@ type ReportOpts struct {
 
 // TrivyOpts is options for trivy DBs
 type TrivyOpts struct {
- TrivyCacheDBDir string `json:"trivyCacheDBDir,omitempty"`
- TrivyJavaDBRepository string `json:"trivyJavaDBRepository,omitempty"`
- TrivySkipJavaDBUpdate bool `json:"trivySkipJavaDBUpdate,omitempty"`
+ TrivyCacheDBDir string `json:"trivyCacheDBDir,omitempty"`
+ TrivyJavaDBRepository string `json:"trivyJavaDBRepository,omitempty"` // only for backward compatibility
+ TrivyJavaDBRepositories []string `json:"trivyJavaDBRepositories,omitempty"`
+ TrivySkipJavaDBUpdate bool `json:"trivySkipJavaDBUpdate,omitempty"`
 }
 
 // ValidateOnConfigtest validates

diff --git a/detector/javadb/javadb.go b/detector/javadb/javadb.go
@@ -7,14 +7,19 @@ package javadb
 import (
  "context"
  "errors"
+ "fmt"
  "os"
  "path/filepath"
+ "slices"
+ "strings"
  "time"
 
  "github.com/aquasecurity/trivy-java-db/pkg/db"
  "github.com/aquasecurity/trivy/pkg/dependency/parser/java/jar"
  "github.com/aquasecurity/trivy/pkg/fanal/types"
+ trivyJavadb "github.com/aquasecurity/trivy/pkg/javadb"
  "github.com/aquasecurity/trivy/pkg/oci"
+ "github.com/google/go-containerregistry/pkg/name"
  "golang.org/x/xerrors"
 
  "github.com/future-architect/vuls/config"
@@ -45,10 +50,40 @@ func UpdateJavaDB(trivyOpts config.TrivyOpts, noProgress bool) error {
  }
 
  // Download DB
- logging.Log.Infof("Trivy Java DB Repository: %s", trivyOpts.TrivyJavaDBRepository)
+ repos := trivyOpts.TrivyJavaDBRepositories
+ if trivyOpts.TrivyJavaDBRepository != "" && !slices.Contains(repos, trivyOpts.TrivyJavaDBRepository) {
+ repos = append(repos, trivyOpts.TrivyJavaDBRepository)
+ }
+ logging.Log.Infof("Trivy Java DB Repository: %s", strings.Join(repos, ","))
  logging.Log.Info("Downloading Trivy Java DB...")
 
- a := oci.NewArtifact(trivyOpts.TrivyJavaDBRepository, types.RegistryOptions{})
+ var javaDBRepositories []name.Reference
+ for _, repo := range repos {
+ ref, err := func() (name.Reference, error) {
+ ref, err := name.ParseReference(repo, name.WithDefaultTag(""))
+ if err != nil {
+ return nil, err
+ }
+
+ // Add the schema version if the tag is not specified for backward compatibility.
+ t, ok := ref.(name.Tag)
+ if !ok || t.TagStr() != "" {
+ return ref, nil
+ }
+
+ ref = t.Tag(fmt.Sprint(trivyJavadb.SchemaVersion))
+ logging.Log.Infof("Adding schema version to the DB repository for backward compatibility. repository: %s", ref.String())
+
+ return ref, nil
+ }()
+ if err != nil {
+ return xerrors.Errorf("invalid javadb repository: %w", err)
+ }
+ javaDBRepositories = append(javaDBRepositories, ref)
+ }
+
+ a := oci.NewArtifacts(javaDBRepositories, types.RegistryOptions{})
+
  if err = a.Download(context.Background(), dbDir, oci.DownloadOption{
  MediaType: "application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip",
  Quiet: noProgress,

diff --git a/go.mod b/go.mod
@@ -23,6 +23,7 @@ require (
  github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
  github.com/emersion/go-smtp v0.21.3
  github.com/google/go-cmp v0.6.0
+ github.com/google/go-containerregistry v0.20.2
  github.com/google/subcommands v1.2.0
  github.com/google/uuid v1.6.0
  github.com/gosnmp/gosnmp v1.38.0
@@ -182,7 +183,6 @@ require (
  github.com/golang/protobuf v1.5.4 // indirect
  github.com/google/btree v1.1.2 // indirect
  github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
- github.com/google/go-containerregistry v0.20.2 // indirect
  github.com/google/go-github/v62 v62.0.0 // indirect
  github.com/google/go-querystring v1.1.0 // indirect
  github.com/google/gofuzz v1.2.0 // indirect

diff --git a/subcmds/report.go b/subcmds/report.go
@@ -7,6 +7,7 @@ import (
  "flag"
  "os"
  "path/filepath"
+ "strings"
 
  "github.com/aquasecurity/trivy/pkg/cache"
  trivyJavaDb "github.com/aquasecurity/trivy/pkg/javadb"
@@ -179,8 +180,11 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
 
  f.StringVar(&config.Conf.TrivyCacheDBDir, "trivy-cachedb-dir",
  cache.DefaultDir(), "/path/to/dir")
- f.StringVar(&config.Conf.TrivyJavaDBRepository, "trivy-java-db-repository",
- trivyJavaDb.DefaultGHCRRepository, "Trivy Java DB Repository")
+
+ config.Conf.TrivyOpts.TrivyJavaDBRepositories = []string{trivyJavaDb.DefaultGHCRRepository}
+ trivyJavaDBRepositoriesFlag := trivyJavaDBRepositoriesFlag{target: &config.Conf.TrivyOpts.TrivyJavaDBRepositories}
+ f.Var(&trivyJavaDBRepositoriesFlag, "trivy-java-db-repository", "Trivy Java DB Repository in a comma-separated list")
+
  f.BoolVar(&config.Conf.TrivySkipJavaDBUpdate, "trivy-skip-java-db-update",
  false, "Skip Trivy Java DB Update")
 }
@@ -388,3 +392,16 @@ func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}
 
  return subcommands.ExitSuccess
 }
+
+type trivyJavaDBRepositoriesFlag struct {
+ target *[]string
+}
+
+func (f *trivyJavaDBRepositoriesFlag) String() string {
+ return strings.Join(*f.target, ",")
+}
+
+func (f *trivyJavaDBRepositoriesFlag) Set(value string) error {
+ *f.target = strings.Split(value, ",")
+ return nil
+}