#911 Document trivy vulnerability database cache

Lukas Fischer · Lukas Fischer · commit 82397413218b · 2023-06-28T09:29:14.000+02:00
Update the documentation to reflect that the trivy vulnerability DB is
now by default served by a trivy server container.

This shortens this section of the documentation quite a bit, because
most of it was example code to set up what is now integrated.

Signed-off-by: Lukas Fischer &lt;lukas.fischer@iteratec.com&gt;
diff --git a/scanners/trivy/.helm-docs.gotmpl b/scanners/trivy/.helm-docs.gotmpl
@@ -68,95 +68,14 @@ spec:
 ```
 
 ### Scanning Many Targets
-By default, the docker container of trivy will download new rulesets when starting the process.
+By default, the docker container of trivy will download the vulnerability database when starting the process.
 As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
-Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
-Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
-If this fits your use case, you can deploy a rule service with the following template:
-```yaml
-# First declare a service that will serve requests to the rule pod
-kind: Service
-apiVersion: v1
-metadata:
-  name: trivy-rules
-  # Update the namespace here if you are using a different one
-  namespace: default
-  labels:
-    app: trivy-rules
-spec:
-  selector:
-    app: trivy-rules
-  ports:
-  - port: 8080
-    protocol: TCP
-    targetPort: 8080
-  type: ClusterIP
----
-# Now declare the actual deployment of the rule server
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: trivy-rules
-  # Again, update the namespace here
-  namespace: default
-  labels:
-    app: trivy-rules
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: trivy-rules
-  template:
-    metadata:
-      labels:
-        app: trivy-rules
-    spec:
-      containers:
-      - name: trivy-rules
-        # Don't forget to set this to a version matching that used in secureCodeBox
-        image: aquasec/trivy:0.20.2
-        imagePullPolicy: Always
-        args:
-        - "server"
-        - "--listen"
-        - "0.0.0.0:8080"
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-```
-
-You can then start scans of images using the client mode. For example:
+Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/) where one process downloads a copy of the vulnerability database and provides it to the others.
 
-```yaml
-apiVersion: "execution.securecodebox.io/v1"
-kind: Scan
-metadata:
-  name: "test-trivy"
-  # Don't forget to update the namespace if necessary
-  namespace: default
-spec:
-  scanType: "trivy-image"
-  parameters:
-    - "client"
-    # Again, add the extra parameters here (required to make the parser work)
-    # But don't add the --no-progress switch.
-    - "--format"
-    - "json"
-    - "--output"
-    - "/home/securecodebox/trivy-results.json"
-    # Specify the rule service internal DNS name here.
-    # (Substitute a different namespace if you changed it)
-    - "--remote"
-    - "http://trivy-rules.default.svc:8080"
-    # Finally, specify the image you want to scan
-    - "securecodebox/operator:3.0.0"
-```
+This mode is implemented and active by default.
+A separate Deployment for the trivy server will be created during the installation and the trivy scanTypes are automatically configured to run in client mode and connect to the server.
 
-If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
-Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/).
-In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
-Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://www.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
-Consult the [trivy documentation](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/) for additional details on the required steps.
+In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install.
 {{- end }}
 
 {{- define "extra.chartConfigurationSection" -}}
diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md
@@ -85,95 +85,14 @@ spec:
 ```
 
 ### Scanning Many Targets
-By default, the docker container of trivy will download new rulesets when starting the process.
+By default, the docker container of trivy will download the vulnerability database when starting the process.
 As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
-Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
-Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
-If this fits your use case, you can deploy a rule service with the following template:
-```yaml
-# First declare a service that will serve requests to the rule pod
-kind: Service
-apiVersion: v1
-metadata:
-  name: trivy-rules
-  # Update the namespace here if you are using a different one
-  namespace: default
-  labels:
-    app: trivy-rules
-spec:
-  selector:
-    app: trivy-rules
-  ports:
-  - port: 8080
-    protocol: TCP
-    targetPort: 8080
-  type: ClusterIP
----
-# Now declare the actual deployment of the rule server
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: trivy-rules
-  # Again, update the namespace here
-  namespace: default
-  labels:
-    app: trivy-rules
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: trivy-rules
-  template:
-    metadata:
-      labels:
-        app: trivy-rules
-    spec:
-      containers:
-      - name: trivy-rules
-        # Don't forget to set this to a version matching that used in secureCodeBox
-        image: aquasec/trivy:0.20.2
-        imagePullPolicy: Always
-        args:
-        - "server"
-        - "--listen"
-        - "0.0.0.0:8080"
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-```
-
-You can then start scans of images using the client mode. For example:
+Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/) where one process downloads a copy of the vulnerability database and provides it to the others.
 
-```yaml
-apiVersion: "execution.securecodebox.io/v1"
-kind: Scan
-metadata:
-  name: "test-trivy"
-  # Don't forget to update the namespace if necessary
-  namespace: default
-spec:
-  scanType: "trivy-image"
-  parameters:
-    - "client"
-    # Again, add the extra parameters here (required to make the parser work)
-    # But don't add the --no-progress switch.
-    - "--format"
-    - "json"
-    - "--output"
-    - "/home/securecodebox/trivy-results.json"
-    # Specify the rule service internal DNS name here.
-    # (Substitute a different namespace if you changed it)
-    - "--remote"
-    - "http://trivy-rules.default.svc:8080"
-    # Finally, specify the image you want to scan
-    - "securecodebox/operator:3.0.0"
-```
+This mode is implemented and active by default.
+A separate Deployment for the trivy server will be created during the installation and the trivy scanTypes are automatically configured to run in client mode and connect to the server.
 
-If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
-Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/).
-In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
-Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://www.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
-Consult the [trivy documentation](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/) for additional details on the required steps.
+In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install.
 
 ## Requirements
 
diff --git a/scanners/trivy/docs/README.ArtifactHub.md b/scanners/trivy/docs/README.ArtifactHub.md
@@ -92,95 +92,14 @@ spec:
 ```
 
 ### Scanning Many Targets
-By default, the docker container of trivy will download new rulesets when starting the process.
+By default, the docker container of trivy will download the vulnerability database when starting the process.
 As this download is performed directly from GitHub, you will run into API rate limiting issues after roughly 50 requests.
-Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/advanced/modes/client-server/) where one process downloads a copy of the rule database and provides it to the others.
-Due to [limitations in trivy](https://github.com/aquasecurity/trivy/issues/634), this mode currently only supports scanning container images.
-If this fits your use case, you can deploy a rule service with the following template:
-```yaml
-# First declare a service that will serve requests to the rule pod
-kind: Service
-apiVersion: v1
-metadata:
-  name: trivy-rules
-  # Update the namespace here if you are using a different one
-  namespace: default
-  labels:
-    app: trivy-rules
-spec:
-  selector:
-    app: trivy-rules
-  ports:
-  - port: 8080
-    protocol: TCP
-    targetPort: 8080
-  type: ClusterIP
----
-# Now declare the actual deployment of the rule server
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: trivy-rules
-  # Again, update the namespace here
-  namespace: default
-  labels:
-    app: trivy-rules
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: trivy-rules
-  template:
-    metadata:
-      labels:
-        app: trivy-rules
-    spec:
-      containers:
-      - name: trivy-rules
-        # Don't forget to set this to a version matching that used in secureCodeBox
-        image: aquasec/trivy:0.20.2
-        imagePullPolicy: Always
-        args:
-        - "server"
-        - "--listen"
-        - "0.0.0.0:8080"
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-```
+Trivy [supports a client-server mode](https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/) where one process downloads a copy of the vulnerability database and provides it to the others.
 
-You can then start scans of images using the client mode. For example:
-
-```yaml
-apiVersion: "execution.securecodebox.io/v1"
-kind: Scan
-metadata:
-  name: "test-trivy"
-  # Don't forget to update the namespace if necessary
-  namespace: default
-spec:
-  scanType: "trivy-image"
-  parameters:
-    - "client"
-    # Again, add the extra parameters here (required to make the parser work)
-    # But don't add the --no-progress switch.
-    - "--format"
-    - "json"
-    - "--output"
-    - "/home/securecodebox/trivy-results.json"
-    # Specify the rule service internal DNS name here.
-    # (Substitute a different namespace if you changed it)
-    - "--remote"
-    - "http://trivy-rules.default.svc:8080"
-    # Finally, specify the image you want to scan
-    - "securecodebox/operator:3.0.0"
-```
+This mode is implemented and active by default.
+A separate Deployment for the trivy server will be created during the installation and the trivy scanTypes are automatically configured to run in client mode and connect to the server.
 
-If you want to scan anything other than docker images, you currently [cannot use the client-server mode](https://github.com/aquasecurity/trivy/issues/634) described above.
-Instead, you have to [manually download the ruleset and provide it to trivy](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/).
-In practice, this is a difficult problem because the most natural method for providing these files in kubernetes, ConfigMaps, has a size limit of 1 MB, while the vulnerability database is over 200 MB in size (28 MB after compression).
-Your best bet would thus be to serve the files from your own servers and load them into the scanner [using an initContainer](https://www.securecodebox.io/docs/api/crds/scan#initcontainers-optional), taking care to keep the databases on your server up to date.
-Consult the [trivy documentation](https://aquasecurity.github.io/trivy/latest/advanced/air-gap/) for additional details on the required steps.
+In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install.
 
 ## Requirements
 
