Added --only-update option #43
Conversation
LGTM😄
@Code-Hex Thanks! LGTM! However, please wait for a while as we may consider
pkg/vulnsrc/vulnsrc.go (Outdated)
vulnerability.Ubuntu: ubuntu.Update, | ||
} | ||
|
||
func UpdateAll() (err error) { |
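Review bot: the updaters are kept in a map literal (the `vulnerability.Ubuntu: ubuntu.Update,` entry closed by the `}` above), and ranging over a Go map runs in randomised order, so if `UpdateAll()` iterates that map the DBs will be refreshed in a different order on every run, which makes logs and partial-failure behaviour hard to reproduce. Keep a fixed, ordered slice of DB names (the same slice an `Update(names []string)` would accept) and look each updater up in the map from that slice; that also lets `UpdateAll` and `OnlyUpdate` share one loop, and the named `(err error)` return is then unnecessary.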
Would you commonize UpdateAll() and OnlyUpdate()?
pkg/vulnsrc/vulnsrc.go (Outdated)
if err = redhat.Update(dir, updatedFiles); err != nil { | ||
return xerrors.Errorf("error in RedHat update: %w", err) | ||
} | ||
func OnlyUpdate(names []string) error { |
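Review bot: `OnlyUpdate(names []string)` receives user-typed names, so it should validate every name against the known DB list before starting any update and return an error for an unknown one; otherwise a typo such as a misspelled distribution is silently skipped and that DB stays stale while the command reports success. Each per-DB call should also keep the `xerrors.Errorf("error in RedHat update: %w", err)` wrapping shown above so the failing DB is named in the error.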
func OnlyUpdate(names []string) error { | |
func Update(names []string) error { |
pkg/run.go (Outdated)
if err = vulnsrc.Update(); err != nil { | ||
// this condition is already validated by skipUpdate && onlyUpdate != "" | ||
if onlyUpdate != "" { | ||
if err = vulnsrc.OnlyUpdate(strings.Split(onlyUpdate, ",")); err != nil { |
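Review bot: `strings.Split(onlyUpdate, ",")` passes the flag value through untouched, so `--only-update "alpine, ubuntu"` or a trailing comma yields entries with surrounding spaces or an empty string, and `onlyUpdate != ""` alone does not catch a value like `","`. Trim each entry, drop empty ones, and reject the result if nothing is left, before handing the slice to the update function; the comment on the line above covers only the `skipUpdate` interaction, not the contents of the list.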
if err = vulnsrc.OnlyUpdate(strings.Split(onlyUpdate, ",")); err != nil { | |
if err = vulnsrc.Update(strings.Split(onlyUpdate, ",")); err != nil { |
pkg/run.go (Outdated)
return xerrors.Errorf("error in vulnerability DB update: %w", err) | ||
} | ||
} else { | ||
if err = vulnsrc.UpdateAll(); err != nil { |
if err = vulnsrc.UpdateAll(); err != nil { | |
if err = vulnsrc.Update(vunerability.DBNames); err != nil { |
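Review bot: the suggested line spells the package as `vunerability.DBNames`, which will not compile against the `vulnerability` package referenced in the map literal in `pkg/vulnsrc/vulnsrc.go`; it should read `vulnerability.DBNames`. Exporting `DBNames` as an ordered slice also fixes the map-iteration ordering concern, since both the full and the `--only-update` path then drive the same `Update(names)` loop from a deterministic list.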
In this comment
I have fixed it at knqyf263@48ae91e. Is the above meaning correct in this?
@Code-Hex Thanks! Seems good!
I think it's no problem. If we feel these are necessary, we may use
@Code-Hex There is no information in NVD, but there may be information in Red Hat DB. So, even if we must enable NVD, there may be no information.
Therefore, it is best to use all DBs. However, if we display a warning, the I'm sorry for asking many times, but would you display a warning if the
@knqyf263 I'm OK to display a warning 👍 BTW, why does the vulnerability information depend on each database?
@Code-Hex Please use The vulnerability information of each distribution has two roles in Trivy. The first is vulnerability detection for each distribution. For example, only the vulnerability information of Alpine Linux is necessary to detect vulnerabilities in an image of Alpine Linux. It is also used when displaying vulnerability details such as severity and title. The details are different for each distribution.

In the case of CVE-2018-10875: Alpine Linux has no information.

On the other hand, in the case of CVE-2018-5743: NVD has no information.

As mentioned above, it is unknown which distribution has the detailed information. So, Trivy uses all DBs. And when showing vulnerability details, Trivy selects the distribution that has details.
@knqyf263 done! Please review it.
Thanks a lot!!
* Added --only-update flag
* Added feature for --only-update flag
* Added README of --only-update
* Fixed README
* Use only Update function
* Added warning message
What
Added the --only-update option. Using this option, we can update the vulnerability database only for the distributions we specify.
Why
If we are creating a docker image based on one distribution (for example, using only the alpine image), it is too much to update all DBs; therefore we have to wait a long time for the update.
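The shape the review converges on (one `Update(names)` loop driven by an ordered list of DB names, validation of the user-supplied names, and a warning when only a subset was refreshed) is shown below as an added example. This is not Trivy's code and does not reproduce its updater signatures: the `UpdateFunc` type, the `Updaters` map, the DB names, the no-op updater bodies and the `/tmp/trivy-db` directory are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// UpdateFunc is the signature every per-distribution updater is assumed to
// share in this example (Trivy's real updaters take more parameters).
type UpdateFunc func(dir string) error

// Updaters keys each updater by the DB name a user may pass to --only-update.
// The no-op bodies are constructed stand-ins for nvd.Update, alpine.Update, etc.
var Updaters = map[string]UpdateFunc{
	"nvd":    func(dir string) error { return nil },
	"alpine": func(dir string) error { return nil },
	"redhat": func(dir string) error { return nil },
	"debian": func(dir string) error { return nil },
	"ubuntu": func(dir string) error { return nil },
}

// DBNames lists every known DB name in sorted order. Ranging over a Go map is
// randomised, so a sorted slice keeps the update order (and the logs) stable.
func DBNames() []string {
	names := make([]string, 0, len(Updaters))
	for n := range Updaters {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// ParseOnlyUpdate cleans the raw --only-update value: entries are trimmed and
// lower-cased, empty entries (from "a,,b" or a trailing comma) are dropped and
// duplicates removed, so " Alpine, ,ubuntu,alpine" becomes [alpine ubuntu].
func ParseOnlyUpdate(raw string) []string {
	seen := make(map[string]bool)
	var names []string
	for _, part := range strings.Split(raw, ",") {
		name := strings.ToLower(strings.TrimSpace(part))
		if name == "" || seen[name] {
			continue
		}
		seen[name] = true
		names = append(names, name)
	}
	return names
}

// Update refreshes exactly the requested DBs. Every name is validated before
// any updater runs, so a typo fails loudly instead of silently leaving that DB
// stale. partial is true when fewer than all DBs were refreshed; the caller can
// use it to print the warning discussed in the review.
func Update(dir string, names []string) (partial bool, err error) {
	if len(names) == 0 {
		return false, errors.New("no vulnerability DB selected")
	}
	for _, n := range names {
		if _, ok := Updaters[n]; !ok {
			return false, fmt.Errorf("unknown vulnerability DB %q (known: %s)",
				n, strings.Join(DBNames(), ", "))
		}
	}
	for _, n := range names {
		if err := Updaters[n](dir); err != nil {
			return false, fmt.Errorf("error in %s update: %w", n, err)
		}
	}
	return len(names) < len(Updaters), nil
}

func main() {
	// Equivalent of `--only-update alpine,ubuntu`; the directory is a placeholder.
	names := ParseOnlyUpdate("alpine,ubuntu")
	partial, err := Update("/tmp/trivy-db", names)
	if err != nil {
		fmt.Println("update failed:", err)
		return
	}
	if partial {
		fmt.Printf("warning: only %s updated; other DBs may be stale\n", strings.Join(names, ", "))
	}
}
```

Validating names up front, before the first network fetch, is the important design choice: rejecting `alpne` after `alpine` and `ubuntu` already ran would leave the database half-updated with a confusing error, whereas rejecting it first costs nothing. The full-update path simply calls `Update(dir, DBNames())`, so both code paths share one loop.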