Configure trivy to scan local images instead of downloading them again

[jandubois]

Run as root so trivy has access to the containerd socket.

Don't output the trivy JSON to the browser; this is extremely slow when the output is several megabytes.

Also don't output the trivy JSON to images.log, as it makes the file unwieldy.

---

On the first scan trivy needs to download trivy.db, which is almost 600MB. Subsequent scans are then almost instantaneous. Even results for python:latest show up in a second, which used to take almost a minute when the JSON was output to the browser.

Fixes #539

[mook-as]

In general most of my complaints stem from setting the environment inline instead of passing it in as a mapping.

[mook-as]

Please actually document the arguments, or just drop the JSDoc bits if you don't want to do that. (It's generally better to add docs, of course…)

[mook-as]

So the only reason this exists (instead of having the concrete class calling this.executor.spawn directly) is to call processChildOutput?

It's probably better to take env as a second argument (or first), instead of setting it as part of the arg… or even just take SpawnOptions.

[jandubois]

I don't think this.executor.spawn supports env options. And even if it did, they would not survive the sudo call without extra effort.

This will require a ton of changes and not solve the underlying issue that processChildOutput is not designed to be called with anything but docker or nerdctl.

[mook-as]

It doesn't support changing the environment, but that's why we have PRs… How about we at least call this something other than runTrivyCommand (say, runTrivyImageCommand) so it's not pretending to be more generic than it is? If we specialize it just for that it's less confusing.

Or just drop this wrapper and have the caller do things manually. But I think just making this function specific to trivy image is fine.

[mook-as]

Shouldn't the caller set sendNotifications correctly instead of this weird hack?

[jandubois]

I don't understand the logic behind sendNotifications, but it is later used to process the output. If you set it to false, then the output is discarded.

[mook-as]

This is going to be so confusing when we start trying to use args for one of the non-trivy commands…

[jandubois]

Yeah, but you won't. This is already a hack. args for other commands are not passed in at all, except for subcommandName, which is needed for another hack to treat nerdctl images differently.

[mook-as]

No, subcommandName (per the method docs) is for displaying to the user; the fact that it's used for nerdctl images is the hack, but we still need to preserve it for its primary purpose.

A better way to do this would be to just pass it in:

type ProcessChildOutputOptions = {
  commandName?: string;
  subcommandName: string;
  sendNotifications: boolean;
}
async processChildOutput(child: ChildProcess, options: ProcessChildOutputOptions, args?: string[]): Promise<childResultType> {
    const commandName = options.commandName ?? this.processorName;

[jandubois]

I can update the comments, but the rest is not reasonable without a complete refactoring of this package.

[jandubois]

I don't think this.executor.spawn supports env options. And even if it did, they would not survive the sudo call without extra effort.

This will require a ton of changes and not solve the underlying issue that processChildOutput is not designed to be called with anything but docker or nerdctl.

[jandubois]

Yeah, but you won't. This is already a hack. args for other commands are not passed in at all, except for subcommandName, which is needed for another hack to treat nerdctl images differently.

[jandubois]

I don't understand the logic behind sendNotifications, but it is later used to process the output. If you set it to false, then the output is discarded.

[mook-as]

This is piling on too much short-term hacks, which would make things unmaintainable.

If the decision is that we will not maintain this, then we should just not take this PR…

[mook-as]

It doesn't support changing the environment, but that's why we have PRs… How about we at least call this something other than runTrivyCommand (say, runTrivyImageCommand) so it's not pretending to be more generic than it is? If we specialize it just for that it's less confusing.

Or just drop this wrapper and have the caller do things manually. But I think just making this function specific to trivy image is fine.

[mook-as]

No, subcommandName (per the method docs) is for displaying to the user; the fact that it's used for nerdctl images is the hack, but we still need to preserve it for its primary purpose.

A better way to do this would be to just pass it in:

type ProcessChildOutputOptions = {
  commandName?: string;
  subcommandName: string;
  sendNotifications: boolean;
}
async processChildOutput(child: ChildProcess, options: ProcessChildOutputOptions, args?: string[]): Promise<childResultType> {
    const commandName = options.commandName ?? this.processorName;

[mook-as]

Suggested change

	return await this.processChildOutput(child, subcommandName, true, args);
	return await this.processChildOutput(child, subcommandName, false, args);

Why the heck are we passing true here for sendNotifications only to add a hack to disable its effect when processing the argument‽

If you're doing this so we get stderr but not stdout, then we need separate flags for those.

[mook-as]

Has this been tested on Windows? You're not going through sudo (nor env) there.

[mook-as]

I've force-pushed the code into what I'd like to see.
@jandubois please check if you're okay with that, and if yes merge it (/set auto-merge)?