Trivy stage maintenance (#1152)

opendevstack · Sep 2, 2024 · 20a9b14 · 20a9b14
1 parent 80a27a1
commit 20a9b14
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 
 ### Changed
 * Enhance SSDS Document Generation Performance using New Atlassian APIs ([#1084](https://github.com/opendevstack/ods-jenkins-shared-library/issues/1084))
+* Deprecation of vuln-type and scanners config in Trivy ([#1150](https://github.com/opendevstack/ods-jenkins-shared-library/issues/1150))
 
 ### Fixed
 * Fix Tailor deployment drifts for D, Q envs ([#1055](https://github.com/opendevstack/ods-jenkins-shared-library/pull/1055))

diff --git a/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithTrivy.adoc b/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithTrivy.adoc
@@ -62,6 +62,11 @@ _String_
 |Name of the Nexus repository where the scan report will be stored. Defaults to `leva-documentation`.
 
 
+| *pkgType* +
+_String_
+|Comma-separated list of vulnerability types to scan. Defaults to `os,library`.
+
+
 | *reportFile* +
 _String_
 |Name of the file that will be archived in Jenkins and uploaded in Nexus.
@@ -77,9 +82,4 @@ _String_
 _String_
 |Comma-separated list of what security issues to detect. Defaults to `vuln,config,secret,license`.
 
-
-| *vulType* +
-_String_
-|Comma-separated list of vulnerability types to scan. Defaults to `os,library`.
-
 |===
diff --git a/src/org/ods/component/ScanWithTrivyOptions.groovy b/src/org/ods/component/ScanWithTrivyOptions.groovy
@@ -19,7 +19,7 @@ class ScanWithTrivyOptions extends Options {
 
     /**
      * Comma-separated list of vulnerability types to scan. Defaults to `os,library`. */
-    String vulType
+    String pkgType
 
     /**
      * Name of the Nexus repository where the scan report will be stored. Defaults to `leva-documentation`. */

diff --git a/src/org/ods/component/ScanWithTrivyStage.groovy b/src/org/ods/component/ScanWithTrivyStage.groovy
@@ -32,10 +32,10 @@ class ScanWithTrivyStage extends Stage {
             config.format = 'cyclonedx'
         }
         if (!config.scanners) {
-            config.scanners = 'vuln,config,secret,license'
+            config.scanners = 'vuln,misconfig,secret,license'
         }
-        if (!config.vulType) {
-            config.vulType = 'os,library'
+        if (!config.pkgType) {
+            config.pkgType = 'os,library'
         }
         if (!config.additionalFlags) {
             config.additionalFlags = []
@@ -58,7 +58,7 @@ class ScanWithTrivyStage extends Stage {
 
     protected run() {
         String errorMessages = ''
-        int returnCode = scanViaCli(options.scanners, options.vulType, options.format,
+        int returnCode = scanViaCli(options.scanners, options.pkgType, options.format,
             options.additionalFlags, options.reportFile, options.nexusDataBaseRepository,
             openShift.getApplicationDomain())
         if ([TrivyService.TRIVY_SUCCESS].contains(returnCode)) {
@@ -78,14 +78,14 @@ class ScanWithTrivyStage extends Stage {
     }
 
     @SuppressWarnings('ParameterCount')
-    private int scanViaCli(String scanners, String vulType, String format,
+    private int scanViaCli(String scanners, String pkgType, String format,
         List<String> additionalFlags, String reportFile, String nexusDataBaseRepository, String openshiftAppDomain) {
         logger.startClocked(options.resourceName)
         String flags = ""
         additionalFlags.each { flag ->
             flags += " " + flag
         }
-        int returnCode = trivy.scanViaCli(scanners, vulType, format, flags, reportFile,
+        int returnCode = trivy.scanViaCli(scanners, pkgType, format, flags, reportFile,
             nexusDataBaseRepository, openshiftAppDomain)
         switch (returnCode) {
             case TrivyService.TRIVY_SUCCESS:

diff --git a/src/org/ods/services/TrivyService.groovy b/src/org/ods/services/TrivyService.groovy
@@ -19,7 +19,7 @@ class TrivyService {
     }
 
     @SuppressWarnings('ParameterCount')
-    int scanViaCli(String scanners, String vulType, String format, String flags,
+    int scanViaCli(String scanners, String pkgType, String format, String flags,
         String reportFile, String nexusRepository, String openshiftDomain ) {
         logger.info "Starting to scan via Trivy CLI..."
         int status = TRIVY_SUCCESS
@@ -33,7 +33,7 @@ class TrivyService {
                 --java-db-repository ${nexusRepository}.${openshiftDomain}/aquasecurity/trivy-java-db \
                 --cache-dir /tmp/.cache \
                 --scanners ${scanners} \
-                --vuln-type ${vulType} \
+                --pkg-types ${pkgType} \
                 --format ${format} \
                 --output ${reportFile} \
                 --license-full \

diff --git a/test/groovy/org/ods/services/TrivyServiceSpec.groovy b/test/groovy/org/ods/services/TrivyServiceSpec.groovy
@@ -14,7 +14,7 @@ class TrivyServiceSpec extends PipelineSpockTestBase {
         ])
 
         when:
-        def result = service.scanViaCli("vuln,config,secret,license", "os,library",
+        def result = service.scanViaCli("vuln,misconfig,secret,license", "os,library",
            "cyclonedx", "--debug --timeout=10m", "trivy-sbom.json", "docker-group-ods", "openshift-domain.com")
 
         then:
@@ -26,8 +26,8 @@ class TrivyServiceSpec extends PipelineSpockTestBase {
             assert it.script.toString().contains('--db-repository docker-group-ods.openshift-domain.com/aquasecurity/trivy-db')
             assert it.script.toString().contains('--java-db-repository docker-group-ods.openshift-domain.com/aquasecurity/trivy-java-db')
             assert it.script.toString().contains('--cache-dir /tmp/.cache')
-            assert it.script.toString().contains('--scanners vuln,config,secret,license')
-            assert it.script.toString().contains('--vuln-type os,library')
+            assert it.script.toString().contains('--scanners vuln,misconfig,secret,license')
+            assert it.script.toString().contains('--pkg-types os,library')
             assert it.script.toString().contains('--format cyclonedx')
             assert it.script.toString().contains('--output trivy-sbom.json')
             assert it.script.toString().contains('--license-full')