Skip to content

fix(db): Dowload database when missing but metadata still exists #9393

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 26, 2025
Merged

fix(db): Dowload database when missing but metadata still exists #9393

merged 1 commit into from
Sep 26, 2025

Conversation

@tom1299
Copy link
Contributor

@tom1299 tom1299 commented Aug 28, 2025
edited
Loading

Description

In the case where the trivy database has been deleted, but the metadata.json is still there and the database has not yet expired, the database is not downloaded.
Steps to reproduce:

trivy -d --cache-dir /tmp/trivy-cache image --download-db-only --db-repository ghcr.io/aquasecurity/trivy-db
rm /tmp/trivy-cache/db/trivy.db
trivy -d --cache-dir /tmp/trivy-cache image --download-db-only --db-repository ghcr.io/aquasecurity/trivy-db

This PR contains a change so that the database will be downloaded if trivy.db is missing even if the metadata is correct.
See also discussion here.

I could also change the implementation so that only a warning would be logged. That way the existing behaviour of the function would remain.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@tom1299 tom1299 marked this pull request as ready for review September 11, 2025 06:12
@tom1299 tom1299 requested a review from knqyf263 as a code owner September 11, 2025 06:12
DmitriyLewen
DmitriyLewen reviewed Sep 23, 2025
View reviewed changes
@tom1299 tom1299 force-pushed the fix_needsUpdate_on_missing_trivy_db branch from 4c58109 to 0f4fc19 Compare September 25, 2025 12:51
DmitriyLewen
DmitriyLewen approved these changes Sep 26, 2025
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

@DmitriyLewen DmitriyLewen added this pull request to the merge queue Sep 26, 2025
Merged via the queue into aquasecurity:main with commit 92ebc7e Sep 26, 2025
13 checks passed
@aqua-bot aqua-bot mentioned this pull request Sep 25, 2025
Merged
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Sep 30, 2025
@alexlebens
Update mirror.gcr.io/aquasec/trivy Docker tag to v0.67.0 (#1622)
c62e888 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.66.0` -> `0.67.0` |

---

### Release Notes

<details>
<summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary>

### [`v0.67.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0670-2025-09-30)

[Compare Source](aquasecurity/trivy@v0.66.0...v0.67.0)

##### Features

- add documentation URL for database lock errors ([#&#8203;9531](aquasecurity/trivy#9531)) ([eba48af](aquasecurity/trivy@eba48af))
- **cli:** change --list-all-pkgs default to true ([#&#8203;9510](aquasecurity/trivy#9510)) ([7b663d8](aquasecurity/trivy@7b663d8))
- **cloudformation:** support default values and list results in Fn::FindInMap ([#&#8203;9515](aquasecurity/trivy#9515)) ([42b3bf3](aquasecurity/trivy@42b3bf3))
- **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#&#8203;9439](aquasecurity/trivy#9439)) ([aff03eb](aquasecurity/trivy@aff03eb))
- **redhat:** add os-release detection for RHEL-based images ([#&#8203;9458](aquasecurity/trivy#9458)) ([cb25a07](aquasecurity/trivy@cb25a07))
- **sbom:** added support for CoreOS ([#&#8203;9448](aquasecurity/trivy#9448)) ([6d562a3](aquasecurity/trivy@6d562a3))
- **seal:** add seal support ([#&#8203;9370](aquasecurity/trivy#9370)) ([e4af279](aquasecurity/trivy@e4af279))

##### Bug Fixes

- **aws:** use `BuildableClient` insead of `xhttp.Client` ([#&#8203;9436](aquasecurity/trivy#9436)) ([fa6f1bf](aquasecurity/trivy@fa6f1bf))
- close file descriptors and pipes on error paths ([#&#8203;9536](aquasecurity/trivy#9536)) ([a4cbd6a](aquasecurity/trivy@a4cbd6a))
- **db:** Dowload database when missing but metadata still exists ([#&#8203;9393](aquasecurity/trivy#9393)) ([92ebc7e](aquasecurity/trivy@92ebc7e))
- **k8s:** disable parallel traversal with fs cache for k8s images ([#&#8203;9534](aquasecurity/trivy#9534)) ([c0c7a6b](aquasecurity/trivy@c0c7a6b))
- **misconf:** handle tofu files in module detection ([#&#8203;9486](aquasecurity/trivy#9486)) ([bfd2f6b](aquasecurity/trivy@bfd2f6b))
- **misconf:** strip build metadata suffixes from image history ([#&#8203;9498](aquasecurity/trivy#9498)) ([c938806](aquasecurity/trivy@c938806))
- **misconf:** unmark cty values before access ([#&#8203;9495](aquasecurity/trivy#9495)) ([8e40d27](aquasecurity/trivy@8e40d27))
- **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#&#8203;9497](aquasecurity/trivy#9497)) ([267a970](aquasecurity/trivy@267a970))
- **nodejs:** parse workspaces as objects for package-lock.json files ([#&#8203;9518](aquasecurity/trivy#9518)) ([404abb3](aquasecurity/trivy@404abb3))
- **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#&#8203;9330](aquasecurity/trivy#9330)) ([4517e8c](aquasecurity/trivy@4517e8c))
- **vex:** don't  suppress vulns for packages with infinity loop ([#&#8203;9465](aquasecurity/trivy#9465)) ([78f0d4a](aquasecurity/trivy@78f0d4a))
- **vuln:** compare `nuget` package names in lower case ([#&#8203;9456](aquasecurity/trivy#9456)) ([1ff9ac7](aquasecurity/trivy@1ff9ac7))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTYuNiIsInVwZGF0ZWRJblZlciI6IjQxLjExNi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbWFnZSJdfQ==-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1622
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tom1299 @DmitriyLewen