Help pulling trivy-db and java-db from private registry

[ctdfo]

We are trying to pull the trivy-db and java-db from a private registry. To note, we are running in ClientServer mode.

We already allowed Trivy Operator to access private registries via the Helm chart value privateRegistryScanSecretsNames. However, when setting dbRegistry and javaDbRegistry we tried setting the dbRepositoryUsername and dbRepositoryPassword via an External Secret but we get errors in both trivy-operator and trivy-server saying that the databases cannot be downloaded (we also set trivy.existingSecret to false).

We also tried setting directly the TRIVY_USERNAME and TRIVY_PASSWORD values via an External Secret trivy-server was able to pull from the trivy-db (but the trivy-client was not able to pull from java-db).

[Patrick2402]

Hi, i also spent several hours on finding solution how to pull trivy-db and java-db. trivy-db from private repository works great but as i checked pulling java-db for now its impossible.

i hope they will add this functionality asap.
the only way is to allow specific domains in security rules.

[tom1299]

I would appreciate this feature as well, as I have the exact same problem. I looked at the scan job and it seems that the init container that downloads the normal db has the TRIVY_USERNAME and TRIVY_PASSWORD set as env vars. Hence download works;

  initContainers:
  - args:
    - --cache-dir
    - /tmp/trivy/.cache
    - image
    - --download-db-only
    - --db-repository
    - artifactory.devops.telekom.de/ghcr.io.docker/aquasecurity/trivy-db
    command:
    - trivy
    ....
    - name: TRIVY_USERNAME
      valueFrom:
        secretKeyRef:
          key: trivy.dbRepositoryUsername
          name: trivy-operator-trivy-config
          optional: true
    - name: TRIVY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: trivy.dbReposito	ryPassword
          name: trivy-operator-trivy-config
          optional: true

Yet the main container does not. I was also wondering whether there is the possibility to use different credentials for downloading the java-db.

[schreddies]

Per documentation https://github.com/aquasecurity/trivy/blob/release/v0.58/docs/docs/advanced/private-registries/index.md it should handle multiple key pairs.

[tom1299]

Thank you very much for the link. So one part of getting this to work is to set the values trivy.dbRepositoryPassword and trivy.dbRepositoryUsername to comma separate values.
But the problem that the main container does neither have TRIVY_USERNAME nor TRIVY_PASSWORD set remains. So I searched a little bit and found the code where the env vars for the main container are set and simply added username and password:

constructEnvVarSourceFromSecret("TRIVY_USERNAME", trivyConfigName, keyTrivyDBRepositoryUsername),
constructEnvVarSourceFromSecret("TRIVY_PASSWORD", trivyConfigName, keyTrivyDBRepositoryPassword),

And it worked like a charm 🙂
Maybe there is another way to set these env vars for the scan podspec than patching the source code. But as of now I haven't found one.

[tom1299]

FYI: A possible workaround I use now is to have an independent cronjob which pulls the db and java-db form the private registry onto a persistent volume. This volume can than be mounted using scanJobCustomVolume / scanJobCustomVolumesMount as the trivy cache dir. Since the database are up to date, no pull attempt is made.
Unfortunately in the current version the custom volume mounts do not work #2348 . I opened a PR #2347 to fix that.

[Patrick2402]

I checked trivy code and found where Error is generated. https://github.com/aquasecurity/trivy/blob/51f2123c5ccc4f7a37d1068830b6670b4ccf9ac8/pkg/javadb/client.go#L101. What is interesting, mechanism of downloading trivydb and javadb is the same, only difference is in Error msg 😄.

So i started digging deeper.

As @tom1299 said, trivy uses TRIVY_USERNAME and TRIVY_PASSWORD env to authentication. Those credentials work for both trivy-db and java-db.

Tests

i decided to perform some tests.
i created ubuntu container where i download trivy in latest version 0.58. Next i add 3 ENV Variables:

• TRIVY_USERNAME
• TRIVY_PASSWORD
• TRIVY_JAVA_DB_REPOSITORY

and then i ran my scan:

trivy image nginx:1.14.2 --db-repository registry.gitlab.com/myrepo:tag

Everything was working fine, i got scan result and trivy downloaded trivy-db and java-db from my private gitlab registry.

Conclusion

Trivy itself works fine, so the problem lies with the trivy-operator and how authentication is managed. It is thought that somehow after downloading the trivy-db database, the trivy operator loses credentials to the registry.

tbh after couple of hours i don't have any idea why this is not working, code looks fine.... maybe someone will find my findings useful.

[tom1299]

I did the same like you did and came to the exact same conclusion.
T he reason I think it does not work with the trivy-operator is the missing TRIVY_USERNAME and TRIVY_PASSWORD environment variables in the main container of the scanjob (see post #2344 (comment)). Yet the main container tries to download the java-db which then obviously fails.
One way to fix that would be to add these two env vars when the main container is build (see post #2344 (comment)). After I patched the code, build it locally and deployed to my local kind cluster it worked. I'm preparing a PR for that.

[tom1299]

FYI: I made a PR which simply adds a dedicated second init container to download the java db if required. That seemed to fit better with the overall concept of the scan jobs design.

[Patrick2402]

HI,
Just checked your PR. looks great, exactly what we need. GJ
I hope they will approve that asap.

[afdesk]

Hi guys! thanks for your feedback!

Now Trivy-operator correctly downloads TrivyDb from a private registry if you set next options:

trivy-operator/deploy/helm/values.yaml

Lines 589 to 592 in e01fd4d

	# -- serverUser this param is the server user to be used to download db from private registry
	serverUser: ""
	# -- serverPassword this param is the server user to be used to download db from private registry
	serverPassword: ""

About Trivy-Java-db.
By design, this DB should be stored on a client side even for client-server mode, and #2353 added it (thanks @tom1299 ).