diff --git a/plugins/trivy/pkg/config/config.go b/plugins/trivy/pkg/config/config.go index a651711..ea296a8 100644 --- a/plugins/trivy/pkg/config/config.go +++ b/plugins/trivy/pkg/config/config.go @@ -47,12 +47,18 @@ func (a CoreAPI) FromValues(values secrets.Values) CoreAPI { return a } +type API struct { + Disable bool `mapstructure:"disable"` +} + type Trivy struct { DBDir string `mapstructure:"dbDir"` + API API `mapstructure:"api"` } type Github struct { - Token string `mapstructure:"token"` + Disable bool `mapstructure:"disable"` + Token string `mapstructure:"token"` } type Config struct { diff --git a/plugins/trivy/pkg/config/resolver.go b/plugins/trivy/pkg/config/resolver.go index 2801191..e6335c2 100644 --- a/plugins/trivy/pkg/config/resolver.go +++ b/plugins/trivy/pkg/config/resolver.go @@ -201,6 +201,10 @@ func (r *Resolver) CoreClient(ctx context.Context) (*core.Client, error) { } func (r *Resolver) CVEClient() (*cveawg.Client, error) { + if r.config.Trivy.API.Disable { + return nil, nil + } + options := []api.ClientOption{} if r.config.Logging.API && r.config.Logging.LogLevel < 0 { @@ -211,6 +215,10 @@ func (r *Resolver) CVEClient() (*cveawg.Client, error) { } func (r *Resolver) GHClient() *gh.Client { + if r.config.Github.Disable { + return nil + } + options := []gh.ClientOption{} if r.config.Logging.API && r.config.Logging.LogLevel < 0 { diff --git a/plugins/trivy/pkg/server/vulnr/v1/handler.go b/plugins/trivy/pkg/server/vulnr/v1/handler.go index f621d42..9ebf83d 100644 --- a/plugins/trivy/pkg/server/vulnr/v1/handler.go +++ b/plugins/trivy/pkg/server/vulnr/v1/handler.go @@ -47,11 +47,13 @@ func (h *APIHandler) List(ctx *gin.Context) { for _, p := range list { p := p g.Go(func() error { + zap.L().Debug("fetching finding details", zap.String("name", p.Name)) v, err := h.service.GetDescription(ctx, p.Name) if err != nil { return fmt.Errorf("%s: %w", p.Name, err) } + zap.L().Debug("finding details found", zap.String("name", p.Name)) v.Category = p.Category v.Severity = p.Severity diff --git a/plugins/trivy/pkg/vulnr/service.go b/plugins/trivy/pkg/vulnr/service.go index b1787a3..0cad375 100644 --- a/plugins/trivy/pkg/vulnr/service.go +++ b/plugins/trivy/pkg/vulnr/service.go @@ -24,14 +24,14 @@ func (s *Service) Get(ctx context.Context, name string) (*Vulnerability, error) } var details *Vulnerability - if strings.HasPrefix(name, "GHSA") { + if s.ghClient != nil && strings.HasPrefix(name, "GHSA") { ghsa, err := s.ghClient.Get(ctx, name) if err != nil { return nil, err } details = MapSecurityAdvisory(ghsa) - } else { + } else if s.cveAPI != nil { cve, err := s.cveAPI.GetCVE(ctx, name) if err != nil { return nil, err @@ -43,6 +43,13 @@ func (s *Service) Get(ctx context.Context, name string) (*Vulnerability, error) } details = MapCVE(cve, trivyCVE) + } else { + trivyCVE, err := s.db.Get(name) + if err != nil { + zap.L().Warn("unable to load CVE from TrivyDB", zap.String("cve", name), zap.Error(err)) + } + + details = MapFromTrivyDB(name, trivyCVE) } s.cache.Set(name, details, gocache.DefaultExpiration) @@ -55,7 +62,7 @@ func (s *Service) GetDescription(ctx context.Context, name string) (*Vulnerabili return cached.(*Vulnerability), nil } - if strings.HasPrefix(name, "GHSA") { + if s.ghClient != nil && strings.HasPrefix(name, "GHSA") { ghsa, err := s.ghClient.Get(ctx, name) if err != nil { return nil, err @@ -76,6 +83,13 @@ func (s *Service) GetDescription(ctx context.Context, name string) (*Vulnerabili zap.L().Warn("unable to load CVE from TrivyDB", zap.String("cve", name), zap.Error(err)) } + if s.cveAPI == nil { + return &Vulnerability{ + ID: name, + Title: name, + }, nil + } + cve, err := s.cveAPI.GetCVE(ctx, name) if err != nil { zap.L().Error("unable to load CVE from CVEAWG API", zap.String("cve", name), zap.Error(err))