From f651b320ce40ff58b459adec595162cf3b27a7fa Mon Sep 17 00:00:00 2001
From: Robert Auer
Date: Thu, 28 Nov 2024 09:11:38 +0100
Subject: [PATCH 1/2] Adapt old trivy function to new implementation; #136
---
vars/findVulnerabilitiesWithTrivy.groovy | 22 ++++------------------
1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/vars/findVulnerabilitiesWithTrivy.groovy b/vars/findVulnerabilitiesWithTrivy.groovy
index 60241fb9..7d7813dd 100644
--- a/vars/findVulnerabilitiesWithTrivy.groovy
+++ b/vars/findVulnerabilitiesWithTrivy.groovy
@@ -10,8 +10,8 @@ ArrayList call (Map args) {
 if(args.containsKey('allowList')) error "Arg allowList is deprecated, please use .trivyignore file"
 def imageName = args.imageName
- def trivyVersion = args.trivyVersion ? args.trivyVersion : '0.55.2'
- def severityFlag = args.severity ? "--severity=${args.severity.join(',')}" : ''
+ def trivyVersion = args.trivyVersion ? args.trivyVersion : '0.57.1'
+ def severityFlag = args.severity ? "${args.severity.join(',')}" : ''
 def additionalFlags = args.additionalFlags ? args.additionalFlags : ''
 println(severityFlag)
@@ -27,7 +27,8 @@ ArrayList call (Map args) {
 ArrayList getVulnerabilities(String trivyVersion, String severityFlag, String additionalFlags,String imageName) {
 // this runs trivy and creates an output file with found vulnerabilities
- runTrivyInDocker(trivyVersion, severityFlag, additionalFlags, imageName)
+ Trivy trivy = new Trivy(this, trivyVersion)
+ trivy.scanImage(imageName, severityFlag, TrivyScanStrategy.UNSTABLE, additionalFlags, "${env.WORKSPACE}/.trivy/trivyOutput.json")
 def trivyOutput = readJSON file: "${env.WORKSPACE}/.trivy/trivyOutput.json"
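Review bot: The function is declared deprecated in the accompanying changelog patch, yet `call` still only warns about the old `allowList` argument, and the `println(severityFlag)` that survives this hunk reads like leftover debug output that now prints a bare comma-separated list or an empty line. Replace that print with a deprecation notice so pipeline logs point users at the replacement, e.g. `echo "findVulnerabilitiesWithTrivy is deprecated, please use the Trivy class instead"`. The body of `call` continues past the end of the hunk.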
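Review bot: `severityFlag` is handed straight to `trivy.scanImage` as the severity argument, but `call` sets it to `''` when `args.severity` is absent; the removed `runTrivyInDocker` simply omitted the flag in that case, whereas how `Trivy.scanImage` treats an empty string is not visible here and should be confirmed (if it renders `--severity=` the default filter is lost or the scan fails). `TrivyScanStrategy.UNSTABLE` is also hard-coded, so a function that previously only returned the finding list now appears to change the build result as a side effect; callers that handled findings themselves should be told, e.g. by extending the comment above the call: `// scanImage also marks the build UNSTABLE when findings are present, not only writes the JSON report`. The output path literal is now repeated on two consecutive lines and could be hoisted into a local such as `def outputFile = "${env.WORKSPACE}/.trivy/trivyOutput.json"`. The body of `getVulnerabilities` continues past the end of the hunk.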
@@ -42,21 +43,6 @@ ArrayList getVulnerabilities(String trivyVersion, String severityFlag, String ad
 }
-
-
-
-def runTrivyInDocker(String trivyVersion, severityFlag, additionalFlags, imageName) {
- new Docker(this).image("aquasec/trivy:${trivyVersion}")
- .mountJenkinsUser()
- .mountDockerSocket()
- .inside("-v ${env.WORKSPACE}/.trivy/.cache:/root/.cache/") {
-
- sh "trivy image -f json -o .trivy/trivyOutput.json ${severityFlag} ${additionalFlags} ${imageName}"
- }
-}
-
-
-
 static boolean validateArgs(Map args) {
 return !(args == null || args.imageName == null || args.imageName == '')
 }
From dc31bd44f0d414c760557e80680c7cde09299ff1 Mon Sep 17 00:00:00 2001
From: Robert Auer
Date: Thu, 28 Nov 2024 09:19:56 +0100
Subject: [PATCH 2/2] Update changelog; #136
---
CHANGELOG.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 077baca7..97b32197 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Added
+- Add Trivy class for scanning container images with Trivy
+ - Combines the functionality of the findVulnerabilitiesWithTrivy function and the Trivy class of the dogu-build-lib
+
+### Deprecated
+- findVulnerabilitiesWithTrivy function is deprecated now. Please use the new Trivy class.
 ## [3.1.0](https://github.com/cloudogu/ces-build-lib/releases/tag/3.0.0) - 2024-11-25
 ### Added