feat: optional config to disable external api calls (#84)

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
kyverno · Feb 11, 2025 · 4d505d6 · 4d505d6
1 parent 4534b8d
commit 4d505d6
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 4 deletions.
diff --git a/plugins/trivy/pkg/config/config.go b/plugins/trivy/pkg/config/config.go
@@ -47,12 +47,18 @@ func (a CoreAPI) FromValues(values secrets.Values) CoreAPI {
 	return a
 }
 
+type API struct {
+	Disable bool `mapstructure:"disable"`
+}
+
 type Trivy struct {
 	DBDir string `mapstructure:"dbDir"`
+	API   API    `mapstructure:"api"`
 }
 
 type Github struct {
-	Token string `mapstructure:"token"`
+	Disable bool   `mapstructure:"disable"`
+	Token   string `mapstructure:"token"`
 }
 
 type Config struct {

diff --git a/plugins/trivy/pkg/config/resolver.go b/plugins/trivy/pkg/config/resolver.go
@@ -201,6 +201,10 @@ func (r *Resolver) CoreClient(ctx context.Context) (*core.Client, error) {
 }
 
 func (r *Resolver) CVEClient() (*cveawg.Client, error) {
+	if r.config.Trivy.API.Disable {
+		return nil, nil
+	}
+
 	options := []api.ClientOption{}
 
 	if r.config.Logging.API && r.config.Logging.LogLevel < 0 {
@@ -211,6 +215,10 @@ func (r *Resolver) CVEClient() (*cveawg.Client, error) {
 }
 
 func (r *Resolver) GHClient() *gh.Client {
+	if r.config.Github.Disable {
+		return nil
+	}
+
 	options := []gh.ClientOption{}
 
 	if r.config.Logging.API && r.config.Logging.LogLevel < 0 {

diff --git a/plugins/trivy/pkg/server/vulnr/v1/handler.go b/plugins/trivy/pkg/server/vulnr/v1/handler.go
@@ -47,11 +47,13 @@ func (h *APIHandler) List(ctx *gin.Context) {
 	for _, p := range list {
 		p := p
 		g.Go(func() error {
+			zap.L().Debug("fetching finding details", zap.String("name", p.Name))
 			v, err := h.service.GetDescription(ctx, p.Name)
 			if err != nil {
 				return fmt.Errorf("%s: %w", p.Name, err)
 			}
 
+			zap.L().Debug("finding details found", zap.String("name", p.Name))
 			v.Category = p.Category
 			v.Severity = p.Severity
 

diff --git a/plugins/trivy/pkg/vulnr/service.go b/plugins/trivy/pkg/vulnr/service.go
@@ -24,14 +24,14 @@ func (s *Service) Get(ctx context.Context, name string) (*Vulnerability, error)
 	}
 
 	var details *Vulnerability
-	if strings.HasPrefix(name, "GHSA") {
+	if s.ghClient != nil && strings.HasPrefix(name, "GHSA") {
 		ghsa, err := s.ghClient.Get(ctx, name)
 		if err != nil {
 			return nil, err
 		}
 
 		details = MapSecurityAdvisory(ghsa)
-	} else {
+	} else if s.cveAPI != nil {
 		cve, err := s.cveAPI.GetCVE(ctx, name)
 		if err != nil {
 			return nil, err
@@ -43,6 +43,13 @@ func (s *Service) Get(ctx context.Context, name string) (*Vulnerability, error)
 		}
 
 		details = MapCVE(cve, trivyCVE)
+	} else {
+		trivyCVE, err := s.db.Get(name)
+		if err != nil {
+			zap.L().Warn("unable to load CVE from TrivyDB", zap.String("cve", name), zap.Error(err))
+		}
+
+		details = MapFromTrivyDB(name, trivyCVE)
 	}
 
 	s.cache.Set(name, details, gocache.DefaultExpiration)
@@ -55,7 +62,7 @@ func (s *Service) GetDescription(ctx context.Context, name string) (*Vulnerabili
 		return cached.(*Vulnerability), nil
 	}
 
-	if strings.HasPrefix(name, "GHSA") {
+	if s.ghClient != nil && strings.HasPrefix(name, "GHSA") {
 		ghsa, err := s.ghClient.Get(ctx, name)
 		if err != nil {
 			return nil, err
@@ -76,6 +83,13 @@ func (s *Service) GetDescription(ctx context.Context, name string) (*Vulnerabili
 		zap.L().Warn("unable to load CVE from TrivyDB", zap.String("cve", name), zap.Error(err))
 	}
 
+	if s.cveAPI == nil {
+		return &Vulnerability{
+			ID:    name,
+			Title: name,
+		}, nil
+	}
+
 	cve, err := s.cveAPI.GetCVE(ctx, name)
 	if err != nil {
 		zap.L().Error("unable to load CVE from CVEAWG API", zap.String("cve", name), zap.Error(err))