From 88a78814f4f74648c4ae87a5d2780c605e17b98c Mon Sep 17 00:00:00 2001 From: Squiddim <82903357+Squiddim@users.noreply.github.com> Date: Thu, 5 Sep 2024 14:42:48 +0200 Subject: [PATCH 1/2] Update db.md Add Note about expected Media Type of Trivy OCI Artifact --- docs/docs/configuration/db.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/docs/configuration/db.md b/docs/docs/configuration/db.md index f6525fb61568..84560fb95026 100644 --- a/docs/docs/configuration/db.md +++ b/docs/docs/configuration/db.md @@ -53,12 +53,15 @@ $ trivy image --download-db-only ``` $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db ``` - + !!!note Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used: `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`. +!!!note + Trivy expects the OCI Artifact to have the media type `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` + ## Java Index Database The same options are also available for the Java index DB, which is used for scanning Java applications. Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB. @@ -84,4 +87,4 @@ $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-produ $ trivy clean --vuln-db --java-db 2024-06-24T11:42:31+06:00 INFO Removing vulnerability database... 2024-06-24T11:42:31+06:00 INFO Removing Java database... -``` \ No newline at end of file +``` From 2b974e41dad18b0f6d8bffdae4ac208393771b9b Mon Sep 17 00:00:00 2001 From: Squiddim <82903357+Squiddim@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:46:01 +0000 Subject: [PATCH 2/2] edited comment to add java db media type --- docs/docs/configuration/db.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/docs/docs/configuration/db.md b/docs/docs/configuration/db.md index 84560fb95026..5fa4046668a9 100644 --- a/docs/docs/configuration/db.md +++ b/docs/docs/configuration/db.md @@ -53,14 +53,15 @@ $ trivy image --download-db-only ``` $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db ``` - !!!note Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used: `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`. !!!note - Trivy expects the OCI Artifact to have the media type `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` + Trivy expects the OCI Artifacts to have a Specific media type: + - Vulnerability DB `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` + - Java DB `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip` ## Java Index Database The same options are also available for the Java index DB, which is used for scanning Java applications.
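Review bot: In [PATCH 1/2], first hunk (@@ -53,12 +53,15 @@), the added `!!!note` names the expected media type but not the situation in which a reader has to care about it. Since it follows the `--db-repository` example, suggest tying it to that case, for example "When hosting the DB in your own registry, the OCI artifact must have the media type ...", and saying what the user will see when the media type does not match. The `-`/`+` pair directly above the first `!!!note` replaces an empty line with a line that differs only in whitespace; that change is unrelated to the note and is better dropped from this patch.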
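Review bot: In [PATCH 2/2] (@@ -53,14 +53,15 @@), the two added list lines follow "Trivy expects the OCI Artifacts to have a Specific media type:" with no empty line in between, and the Markdown renderer behind `!!!note` admonitions generally needs an empty line before a list, so the bullets are likely to be folded into the preceding paragraph. Suggest adding an indented empty line before "- Vulnerability DB", lowercasing "Specific", and checking the rendered page. The same hunk deletes the separator line between the closing code fence and the first `!!!note`; keep a truly empty line there so the admonition starts its own block. The Java DB media type is also documented above the `## Java Index Database` heading; consider moving that bullet into the Java section, next to `--java-db-repository`, or cross-referencing it from there.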