Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Publish tag containing the build date to locate old DB #251

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

jdolitsky
Copy link

@jdolitsky jdolitsky commented Sep 15, 2022

There does not currently appear to be any way to run Trivy using an older version of the DB.

Example use case: check how many vulnerabilities would have been detected by Trivy in a given image 30 days ago.

There is additional work to do in the CLI to change the tag to something other that "2" (for example --db-tag=2022091512). However, until these tags start to be published, there is no reliable way to obtain this data other than by scrubbing through the GitHub Actions logs, locating the digest published by oras, and following the air-gap instructions.

@jdolitsky jdolitsky requested a review from knqyf263 as a code owner September 15, 2022 21:30
@CLAassistant
Copy link

CLAassistant commented Sep 15, 2022

CLA assistant check
All committers have signed the CLA.

@itaysk
Copy link

itaysk commented Nov 2, 2022

Update: see my next comment :)

The maintainer @knqyf263 is away for the next couple of weeks, but I might add a comment in the meantime:

while this is a valid quick fix for the specific use case you describe, I'm trying to forward into using this information in the trivy cli and other use cases. In this case I think it will not suffice to just tag the image at push time, we will need to

  1. persist the timestamp with the DB
  2. the timestamp to be consistent.

I think it would be best to add the timestamp to the db Metadata struct, and then consumers will have access to a persistent timestamp:

  1. To address your use case, trivy-db build job will be able to access the ts through the trivy-db cli (TBD) instead of getting date at time of push.
  2. to give another example use case, if we wanted to include db timestamp in vulnerability reports, trivy cli will be able to access ts through API. for example here instead ofdbmeta.UpdatedAt

@itaysk
Copy link

itaysk commented Nov 16, 2022

Actually, metadata.Metadata.UpdatedAt is what we were looking for (sorry for the confusion). So what's left to do is just to tag the image with this date. In order to access it it's probably needed to add a cli command to the trivy-db cli that prints it.

@jdolitsky
Copy link
Author

@itaysk alright, we have implemented this in this PR! Please take a look when you have a moment

$ ./trivy-db timestamp
2022-11-17-18-09-07

@jdolitsky
Copy link
Author

Hi there, just checking in to see if anything I can do to help get this merged

Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're so sorry to make another suggestion again, but can't we load metadata.json rather than adding a new subcommand? It is simpler if it works.

You can read the file between make db-compact and make db-compress steps.

- name: Compact DB
run: make db-compact
- name: Compress assets
run: make db-compress

I'd suggest as below.

      - name: Compact DB
        run: make db-compact

      - name: Get the UpdatedAt timestamp
        id: timestamp
        run: |
          echo "timestamp=$(jq .UpdatedAt assets/metadata.json | date "+%F-%H-%M-%S")" >> $GITHUB_OUTPUT

      - name: Compress assets
        run: make db-compress

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

tag trivy-db image with timestamp
4 participants