
feat: Update registry fallbacks #7679

Merged: 13 commits merged into aquasecurity:main from update-registry-fallbacks, Nov 18, 2024

Conversation

simar7
Member

@simar7 simar7 commented Oct 8, 2024

Description

Adds public mirror.gcr.io registry as a fallback for both vuln-db and java-db.

Issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@simar7 simar7 requested a review from nikpivkin October 8, 2024 23:18
@simar7 simar7 self-assigned this Oct 8, 2024
@knqyf263
Collaborator

knqyf263 commented Oct 9, 2024

We should document how to authenticate with ECR. Otherwise, ECR Public has only 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on CI service as it shares IP addresses.

@DmitriyLewen
Contributor

I'm worried about adding ecr as the default registry.
I think most users will ignore the authentication recommendation, and some users just don't read the docs.

Instead of adding ecr - I suggest adding warning if downloading db from ghcr returns error.
We will show information about using ecr (with authentication information) + link to the docs.

@nvuillam

nvuillam commented Oct 9, 2024

We read the docs but... having to authenticate to aws would be a breaking change 🥹

@DmitriyLewen
Contributor

hello @nvuillam
Authentication is necessary to preserve aws limits for unauthenticated users as much as possible.
But we don't require it. We just ask users to do it if possible - it will help avoid rate limiting errors like ghcr.io.

@simar7
Member Author

simar7 commented Oct 10, 2024

We should document how to authenticate with ECR. Otherwise, ECR Public has only 500 GB free tier for anonymous users. Also, it's calculated by IP address. I suppose we'll run out of the free tier on CI service as it shares IP addresses.

Yes - I wanted to add more info on this topic. Added fa03189

@simar7 simar7 force-pushed the update-registry-fallbacks branch from c4d3c8d to fa03189 October 10, 2024 06:15
@simar7 simar7 marked this pull request as ready for review October 10, 2024 06:16
@simar7 simar7 requested a review from knqyf263 as a code owner October 10, 2024 06:16
@simar7 simar7 requested a review from DmitriyLewen October 10, 2024 06:16
Please see more info on how to authenticate with ECR [auth-ecr] and GHCR [auth-ghcr].

#### Caching DBs
Trivy DB and Trivy Java DB are published every 24 hours. If you are running Trivy scans more often than this, you can significantly benefit from caching the DBs on each run and updating them as needed.
Contributor


24 hours is incorrect.
We publish trivy-db every 6 hours, but update interval is 24 hours.
for trivy-java-db: publish every 24 hours, update interval is 3 days.

@knqyf263
Collaborator

We will show information about using ecr (with authentication information) + link to the docs.

I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc.

Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.

@simar7
Member Author

simar7 commented Oct 17, 2024

We will show information about using ecr (with authentication information) + link to the docs.

I'm also leaning toward this approach. I'm afraid that users downloading container images from ECR Public (e.g., Kubernetes cluster) may suddenly reach rate limits due to Trivy DB and be unable to deploy, etc.

Yes but the same can be said for GHCR today.

Of course, it is best if users can continue to use DBs as before without being aware of it, but the implicit use of ECR Public may have other negative effects. We should be careful about the use of ECR Public. If users explicitly set this up, they will understand these trade-offs.

I added some docs here.

Ultimately we can reach rate limits even with authenticated use of container registries. The fallback to using a secondary registry only mitigates the risk up to an extent.

@knqyf263
Collaborator

Yes but the same can be said for GHCR today.

The rate limits in GHCR are on the organization, not the user, unlike ECR Public. In other words, heavy use of GHCR may make aquasecurity images unavailable, but not other images. Users may not be able to use Trivy, but they will be able to pull any other images except aquasecurity.

qligier added a commit to ahdis/matchbox that referenced this pull request Oct 21, 2024
It should also be improved once this PR is merged: aquasecurity/trivy#7679
@goatwu1993

checks bundle also needs ecr.

        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
          TRIVY_CHECKS_BUNDLE_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks

@bgoareguer
Contributor

The trivy.dbRepository parameter in the helm/trivy/values.yaml file also needs to be updated.

@afdesk
Contributor

afdesk commented Oct 28, 2024

The trivy.dbRepository parameter in the helm/trivy/values.yaml file also needs to be updated.

Thanks for the good idea.
It should be added after the PR is merged and released.

@afdesk
Contributor

afdesk commented Oct 28, 2024

@simar7
Now trivy-db pushes the database to Docker Hub: aquasecurity/trivy-db#448
maybe it makes sense to add Docker Hub as a default repository too?
just idea. thanks!

@jeanmarcmoeckel

Any updates here?

@knqyf263
Collaborator

knqyf263 commented Nov 14, 2024

mirror.gcr.io seems the best for our use case. Please let us know if anyone knows about rate limits on that.
#7538 (comment)

@benji78

benji78 commented Nov 15, 2024

I see 8 incorrect mentions of public.ecr.aws/aquasecurity/trivy-db:1 which should be trivy-java-db !

@@ -29,6 +29,9 @@ const (
var (
// GitHub Container Registry
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-java-db", SchemaVersion)

// AWS ECR
DefaultECRRepository = fmt.Sprintf("%s:%d", "public.ecr.aws/aquasecurity/trivy-db", SchemaVersion)
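Review bot: DefaultECRRepository in this hunk points at public.ecr.aws/aquasecurity/trivy-db, while DefaultGHCRRepository two lines above in the same var block uses ghcr.io/aquasecurity/trivy-java-db, so the ECR fallback for the Java DB would pull the wrong database. Change it to `DefaultECRRepository = fmt.Sprintf("%s:%d", "public.ecr.aws/aquasecurity/trivy-java-db", SchemaVersion)`; since every default in this block should name the same image with the same SchemaVersion, a small test that asserts each default's repository path ends in the same image name would catch this class of copy-paste slip.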
Contributor


Suggested change
DefaultECRRepository = fmt.Sprintf("%s:%d", "public.ecr.aws/aquasecurity/trivy-db", SchemaVersion)
DefaultECRRepository = fmt.Sprintf("%s:%d", "public.ecr.aws/aquasecurity/trivy-java-db", SchemaVersion)

Contributor


Thanks @benji78 !

token := registry.GetToken(ctx, domain, option)
if !lo.IsEmpty(token) {
opts = append(opts, remote.WithAuth(&token))
// The default trivy-db and trivy-java-db repositories are public.
Collaborator


If I understand correctly, there is no chance that mirror.gcr.io requires authentication. We should skip mirror.gcr.io here.

if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) {

Contributor


yeah, you're probably right, I didn't think about it
Changed in 99e96bb
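The ordered fallback and the "skip credentials for mirror.gcr.io" decision discussed in this thread, as an added illustration in Go that is not Trivy's own code (it does not use Trivy's registry.GetToken or domain constants): the repository list, the rate-limit error and the injected pull function are constructed for the example, and the mirror.gcr.io check stands in for the domain test quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Ordered DB repositories assumed for this example (constructed list, not Trivy's own).
var defaultRepos = []string{
	"ghcr.io/aquasecurity/trivy-db:2",
	"mirror.gcr.io/aquasecurity/trivy-db:2",
	"public.ecr.aws/aquasecurity/trivy-db:2",
}

// errRateLimited stands in for an HTTP 429 response from a registry.
var errRateLimited = errors.New("TOOMANYREQUESTS: rate limit exceeded")

// registryDomain returns the host part of an image reference.
func registryDomain(ref string) string { return strings.SplitN(ref, "/", 2)[0] }

// wantsCredentials reports whether a credential lookup is worth attempting. mirror.gcr.io is
// a public read-only mirror that takes no auth, so it is skipped despite its gcr.io suffix.
func wantsCredentials(domain string) bool { return domain != "mirror.gcr.io" }

// downloadWithFallback tries each repository in order with the injected pull function and
// returns the first that succeeds; if all fail, every error seen is returned joined together.
func downloadWithFallback(repos []string, pull func(ref string, withAuth bool) error) (string, error) {
	var errs []error
	for _, ref := range repos {
		if err := pull(ref, wantsCredentials(registryDomain(ref))); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", ref, err))
			continue
		}
		return ref, nil
	}
	return "", errors.Join(errs...)
}

func main() {
	// Constructed scenario: GHCR answers with a rate limit, the GCR mirror serves the DB.
	pull := func(ref string, _ bool) error {
		if strings.HasPrefix(ref, "ghcr.io/") {
			return errRateLimited
		}
		return nil
	}
	fmt.Println(downloadWithFallback(defaultRepos, pull))
}
```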


#### Authenticated use of Registries
By authenticating with the registries that Trivy hosts its DBs on can significantly increase the limit for users. For Amazon ECR, the details for rate limits can be found [ecr-limits].
For GitHub GHCR, the rate limits can be found [ghcr-limits]
Collaborator


It's not correct. GHCR doesn't respect the GitHub token now.

Contributor


But some users wrote that GH token helps them.
Do you think that for GHCR it makes no difference at all whether the user is authorized or not when downloading the image?

Collaborator


But some users wrote that GH token helps them.

Trivy has a bug that doesn't reflect GITHUB_TOKEN now, so I'm sure those users luckily didn't see rate limit errors.

I saw the same rate limit error when I set the token, so I believe it has no effect on GHCR. If we confirm it helps, we can add it back.

Contributor


Got it!
Removed info about GHCR in c18a511

@@ -29,6 +29,9 @@ const (
var (
// GitHub Container Registry
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-java-db", SchemaVersion)

// GHC mirrors
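Review bot: the comment heading `// GHC mirrors` in this hunk should read `// GCR mirrors`; the fallback being introduced is mirror.gcr.io (Google Container Registry), and "GHC" is not a registry name, so the typo will mislead anyone searching the file for the GCR defaults.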
Collaborator


nit

Suggested change
// GHC mirrors
// GCR mirrors

Contributor


thanks! fixed in 272b1a0

@knqyf263 knqyf263 enabled auto-merge November 18, 2024 08:30
@knqyf263 knqyf263 added this pull request to the merge queue Nov 18, 2024
Comment on lines +99 to +102
#### Authenticated use of Registries
By authenticating with the registries that Trivy hosts its DBs on can significantly increase the limit for users. For Amazon ECR, the details for rate limits can be found [ecr-limits].

Please see more info on how to authenticate with ECR [auth-ecr].


Is Amazon ECR still relevant here if it has been replaced by GCR?

Contributor


We still push trivy-db and trivy-java-db into ECR.
So this is still relevant for users using ECR.


#### Caching DBs
Trivy DB and Trivy Java DB are published every 6 hours and 24 hours, respectively. If you are running Trivy scans more often than this, you can significantly benefit from caching the DBs on each run and updating them as needed.
Once example of this can be seen in Trivy Action, where with caching multiple CI invocations can be performed with a single download of the DBs. More on info Trivy Action caching can be found [trivy-action-cache].


There is an extra c in Once which should be One example of this …

Contributor


Thanks! We will fix that in another PR.

Merged via the queue into aquasecurity:main with commit 5ba9a83 Nov 18, 2024
17 checks passed
@DmitriyLewen
Contributor

@aqua-bot backport release/v0.57

github-actions bot pushed a commit that referenced this pull request Nov 18, 2024
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@aqua-bot
Contributor

Backport PR created: #7944

Successfully merging this pull request may close these issues.

Mitigate rate limit issues by utilizing mirror.gcr.io as default DB repository