feat(cve): use github action caching for trivy databases

.github/workflows/cve-scan-and-patching.yml

@@ -35,6 +35,28 @@ jobs:
       kfd_versions_json: ${{ steps.set_output.outputs.KFD_VERSIONS_JSON }}
       kfd_versions_list: ${{ steps.set_output.outputs.KFD_VERSIONS_JSON }}
       today_date: ${{ steps.set_output.outputs.TODAY_DATE }}
+  update_trivy_db:
+    runs-on: ubuntu-latest
+    needs:
+      - fetch_kfd_versions
+    steps:
+      - uses: actions/checkout@master
+      - name: update trivy dbs
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+          trivy --version
+          
+          cd CVEs
+          make trivy-download-db TRIVY_CACHE_DIR=/tmp/.cache/trivy
+      - name: cache trivy db
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.cache/trivy
+          key: trivy-db-cache-${{ needs.fetch_kfd_versions.outputs.today_date }}
   scan_pre_patch:
     runs-on: ubuntu-latest
     needs:
@@ -68,12 +90,17 @@ jobs:
           wget https://github.com/sighupio/furyctl/releases/latest/download/furyctl-linux-amd64.tar.gz
           tar -xzvf furyctl-linux-amd64.tar.gz -C /usr/local/bin/
           furyctl version
+      - name: cache trivy db
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.cache/trivy
+          restore-keys: |
+            trivy-db-cache-${{ needs.fetch_kfd_versions.outputs.today_date }}
       - name: Execute CVEs scan for KFD ${{ matrix.kfd_version }}
         id: scan_pre_patch
         run: |
           cd CVEs
-          make trivy-download-db
-          make scan-pre-patch KFD_VERSIONS="${{ matrix.kfd_version }}"
+          make scan-pre-patch KFD_VERSIONS="${{ matrix.kfd_version }}" TRIVY_CACHE_DIR=/tmp/.cache/trivy
         env:
           DOCKER_CONFIG: ${{ needs.set_docker_config_env_var.outputs.docker_config}}
       - name: publish CVE scan pre patch output files for KFD ${{ matrix.kfd_version }}
@@ -104,6 +131,7 @@ jobs:
   patch:
     runs-on: ubuntu-latest
     needs:
+      - fetch_kfd_versions
       - set_docker_config_env_var
       - fetch_kfd_images_to_patch
     continue-on-error: true
@@ -153,16 +181,22 @@ jobs:
         uses: docker/setup-qemu-action@v3
         with:
           platforms: amd64,arm64
+      - name: cache trivy db
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.cache/trivy
+          restore-keys: |
+            trivy-db-cache-${{ needs.fetch_kfd_versions.outputs.today_date }}
       - name: Execute CVEs patching
         id: patching
         run: |
           IMAGE_TO_PATCH=${{ matrix.image_to_patch }}
           IMAGE_TO_PATCH_NORMALIZED=${IMAGE_TO_PATCH//[:\/]/_}
           cd CVEs
           mkdir -p reports
-          make trivy-download-db
-          make patch DRY_RUN=0 IMAGE_TO_PATCH="${IMAGE_TO_PATCH}" PATCH_REPORT_OUTPUT_FILE="reports/${IMAGE_TO_PATCH_NORMALIZED}.patched.md"
-          
+          make patch DRY_RUN=0 IMAGE_TO_PATCH="${IMAGE_TO_PATCH}" \
+            PATCH_REPORT_OUTPUT_FILE="reports/${IMAGE_TO_PATCH_NORMALIZED}.patched.md" \
+            TRIVY_CACHE_DIR=/tmp/.cache/trivy
           echo "IMAGE_TO_PATCH_NORMALIZED=${IMAGE_TO_PATCH_NORMALIZED}" >> "$GITHUB_OUTPUT"
         env:
           DOCKER_CONFIG: ${{ needs.set_docker_config_env_var.outputs.docker_config}}
@@ -206,12 +240,19 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           path: CVEs
+      - name: cache trivy db
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.cache/trivy
+          restore-keys: |
+            trivy-db-cache-${{ needs.fetch_kfd_versions.outputs.today_date }}
       - name: Execute CVEs scan post patch for KFD ${{ matrix.kfd_version }}
         id: scan_post_patch
         run: |
           cd CVEs
-          make trivy-download-db
-          make scan-post-patch KFD_VERSIONS="${{ matrix.kfd_version }}"
+          make scan-post-patch \
+            KFD_VERSIONS="${{ matrix.kfd_version }}" \
+            TRIVY_CACHE_DIR=/tmp/.cache/trivy
         env:
           DOCKER_CONFIG: ${{ needs.set_docker_config_env_var.outputs.docker_config}}
       - name: publish CVE scan post patch output files for KFD ${{ matrix.kfd_version }}

CVEs/Makefile

@@ -10,6 +10,7 @@
 KFD_VERSIONS := $(shell find . -maxdepth 1 -mindepth 1 -type d -name "v*"  | cut -d/ -f2 | sort )
 DRY_RUN := 1
 PATCH_FILE_IMAGE_LIST_TO_PATCHING := all_kfd_images.txt
+TRIVY_CACHE_DIR := /tmp/.cache/trivy
 
 all: trivy-download-db scan-pre-patch concat-multiple-kfd-images-list patch scan-post-patch
 
@@ -32,7 +33,7 @@ concat-multiple-kfd-images-list:
 	rm $(PATCH_FILE_IMAGE_LIST_TO_PATCHING).tmp
 
 patch:
-	DRY_RUN=$(DRY_RUN) ./patch_images_with_copacetic.sh -i "$(IMAGE_TO_PATCH)" -l "$(PATCH_FILE_IMAGE_LIST_TO_PATCHING)" -o "$(PATCH_REPORT_OUTPUT_FILE)"
+	DRY_RUN=$(DRY_RUN) TRIVY_CACHE_DIR=$(TRIVY_CACHE_DIR) ./patch_images_with_copacetic.sh -i "$(IMAGE_TO_PATCH)" -l "$(PATCH_FILE_IMAGE_LIST_TO_PATCHING)" -o "$(PATCH_REPORT_OUTPUT_FILE)"
 
 scan-post-patch:
 	@for version in $(KFD_VERSIONS); do \
@@ -67,11 +68,11 @@ generate-image-list-from-manifests:
 	sort --unique $(KFD_VERSION)/images.tmp.txt --output $(KFD_VERSION)/images.txt && rm $(KFD_VERSION)/images.tmp.txt
 
 trivy-download-db:
-	trivy image --download-db-only --db-repository registry.sighup.io/fury-secured/aquasecurity/trivy-db:2 --no-progress
-	trivy image --download-java-db-only --java-db-repository registry.sighup.io/fury-secured/aquasecurity/trivy-java-db:1 --no-progress
+	trivy image --download-db-only --db-repository registry.sighup.io/fury-secured/aquasecurity/trivy-db:2 --no-progress --cache-dir $(TRIVY_CACHE_DIR)
+	trivy image --download-java-db-only --java-db-repository registry.sighup.io/fury-secured/aquasecurity/trivy-java-db:1 --no-progress --cache-dir $(TRIVY_CACHE_DIR)
 
 scan-vulns:
-	./scan_vuln.sh -v "$(KFD_VERSION)" -l "$(LIST_FILE)" -o "$(OUTPUT_FILE)";
+	TRIVY_CACHE_DIR=$(TRIVY_CACHE_DIR) ./scan_vuln.sh -v "$(KFD_VERSION)" -l "$(LIST_FILE)" -o "$(OUTPUT_FILE)";
 
 
 

CVEs/patch_images_with_copacetic.sh

@@ -103,7 +103,12 @@ function patch_image() {
     COPA_REPORT_OUTPUT_FILE=${COPA_PATCH_OUTPUT_DIR}/${image_to_patch//[:\/]/_}-${ARCHITECTURE}.vex.json
     COPA_PATCHING_LOG_FILE=${COPA_PATCH_OUTPUT_DIR}/${image_to_patch//[:\/]/_}-${ARCHITECTURE}.log
     info "Looking for CVEs in ${image_to_patch} for linux/${ARCHITECTURE}"
-    trivy image --platform=linux/${ARCHITECTURE} --skip-db-update --skip-java-db-update --scanners vuln -q --vuln-type os --ignore-unfixed -f json -o "${TRIVY_SCAN_OUTPUT_FILE}" "${image_to_patch_with_digest}"
+    trivy image --platform=linux/${ARCHITECTURE} \
+      --skip-db-update --skip-java-db-update \
+      --cache-dir ${TRIVY_CACHE_DIR:-/tmp/.cache/trivy} \
+      --scanners vuln -q --vuln-type os --ignore-unfixed \
+      -f json -o "${TRIVY_SCAN_OUTPUT_FILE}" \
+      "${image_to_patch_with_digest}"
     info "Clean trivy scan cache"
     trivy clean --scan-cache
     info "Patching CVEs in ${image_to_patch} for linux/${ARCHITECTURE}"

CVEs/scan_vuln.sh

@@ -67,7 +67,14 @@ for image in $IMAGE_LIST; do
       '.[] | select(.architecture == $arch) | .digest ' \
     )
     info "Looking for CVEs in $image for linux/${ARCHITECTURE}"
-    if ! trivy image --skip-db-update --skip-java-db-update --scanners vuln --no-progress --output "$TRIVY_SCAN_OUTPUT_FILE" --format json --severity CRITICAL "$IMAGE_REPO@$IMAGE_DIGEST" --platform linux/${ARCHITECTURE}
+    if ! trivy image \
+      --platform linux/${ARCHITECTURE} \
+      --cache-dir ${TRIVY_CACHE_DIR:-/tmp/.cache/trivy} \
+      --skip-db-update --skip-java-db-update \
+      --scanners vuln --no-progress \
+      --output "$TRIVY_SCAN_OUTPUT_FILE" \
+      --format json --severity CRITICAL \
+      "$IMAGE_REPO@$IMAGE_DIGEST"
     then
       error "trivy failed to scan $image for linux/${ARCHITECTURE}"
       RETURN_ERROR=$((RETURN_ERROR + 1))