Added --only-update option #43
Conversation
|
LGTM😄 |
|
@Code-Hex Thanks! LGTM! However, please wait for a while as we may consider |
pkg/vulnsrc/vulnsrc.go
Outdated
| vulnerability.Ubuntu: ubuntu.Update, | ||
| } | ||
|
|
||
| func UpdateAll() (err error) { |
There was a problem hiding this comment.
Would you commonize UpdateAll() and OnlyUpdate()?
pkg/vulnsrc/vulnsrc.go
Outdated
| if err = redhat.Update(dir, updatedFiles); err != nil { | ||
| return xerrors.Errorf("error in RedHat update: %w", err) | ||
| } | ||
| func OnlyUpdate(names []string) error { |
There was a problem hiding this comment.
| func OnlyUpdate(names []string) error { | |
| func Update(names []string) error { |
pkg/run.go
Outdated
| if err = vulnsrc.Update(); err != nil { | ||
| // this condition is already validated by skipUpdate && onlyUpdate != "" | ||
| if onlyUpdate != "" { | ||
| if err = vulnsrc.OnlyUpdate(strings.Split(onlyUpdate, ",")); err != nil { |
There was a problem hiding this comment.
| if err = vulnsrc.OnlyUpdate(strings.Split(onlyUpdate, ",")); err != nil { | |
| if err = vulnsrc.Update(strings.Split(onlyUpdate, ",")); err != nil { |
pkg/run.go
Outdated
| return xerrors.Errorf("error in vulnerability DB update: %w", err) | ||
| } | ||
| } else { | ||
| if err = vulnsrc.UpdateAll(); err != nil { |
There was a problem hiding this comment.
| if err = vulnsrc.UpdateAll(); err != nil { | |
| if err = vulnsrc.Update(vunerability.DBNames); err != nil { |
|
In this comment
I have fixed at knqyf263@48ae91e . Is the above means correct in this? |
|
@Code-Hex Thanks! Seems good! |
|
I think no problem. if we feel necessary these, we may use |
|
@Code-Hex There is no information in NVD, but there may be information in Red Hat DB. So, even if we must enable NVD, there may be no information. Therefore, it is best to use all DBs. However, if we display a warning, the I'm sorry for asking many times, but would you display a warning if the |
|
@knqyf263 I'm OK to display warning 👍 BTW, why depends vulnerability information on each databases? |
|
@Code-Hex Please use The vulnerability information of each distribution has two roles in Trivy. The first is vulnerability detection of each distribution. For example, only vulnerability information of Alpine Linux is necessary to detect vulnerabilities in an image of Alpine Linux. And it is also used when displaying vulnerability details such as a severity and title. The details are different for each distribution. In the case of CVE-2018-10875: However, Alpine Linux has no information. On the other hand, in the case of CVE-2018-5743: NVD has no information. As mentioned above, it is unknown which distribution has the detailed information. So, Trivy uses all DBs. And when showing vulnerability details, Trivy selects the distribution that has details. |
|
@knqyf263 done! please review it. |
|
Thanks a lot!! |
* Added --only-update flag * Added feature for --only-update flag * Added README of --only-update * Fixed README * Use only Update function * Added warning message
* Added --only-update flag * Added feature for --only-update flag * Added README of --only-update * Fixed README * Use only Update function * Added warning message
* Added --only-update flag * Added feature for --only-update flag * Added README of --only-update * Fixed README * Use only Update function * Added warning message
What
Added
--only-updateoption. use this option, we can update vulnerability database only that we are specified distributions.Why
If we are creating an docker image based on one distribution (for example, use only alpine image), it is too much to update all DBs. therefore we necessary to wait to update for long time.