Add HTTP support for downloading HTTP #7891

Open
knqyf263 opened this issue Nov 8, 2024 · 6 comments · May be fixed by #7892
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@knqyf263
Collaborator

knqyf263 commented Nov 8, 2024

Description

Adding HTTP support for downloading DBs in addition to OCI. If the DB repository starts with http:// or https://, Trivy downloads DBs via HTTP as below.

$ trivy image --scanners vuln --db-repository https://github.com/knqyf263/trivy-db/releases/download/v2/db.tar.gz alpine:3.20

OCI and HTTP locations can be used together.

$ trivy image --scanners vuln --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository https://github.com/knqyf263/trivy-db/releases/download/v2/db.tar.gz alpine:3.20
@knqyf263 knqyf263 added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 8, 2024
@knqyf263 knqyf263 added this to the v0.58.0 milestone Nov 8, 2024
@knqyf263 knqyf263 self-assigned this Nov 8, 2024
@knqyf263 knqyf263 linked a pull request Nov 8, 2024 that will close this issue
15 tasks
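
The prefix rule described in the issue, as an added Go example that is not Trivy's code or the linked pull request's: it classifies each `--db-repository` value as OCI or HTTP in the order given and flags plaintext `http://`. The `Kind` and `Location` types, the `Classify` function and the rejection of URLs with embedded credentials or no host are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type Kind int

const (
	OCI  Kind = iota // registry reference, e.g. ghcr.io/aquasecurity/trivy-db:2
	HTTP             // http:// or https:// URL of a DB archive
)

// Location is one classified --db-repository value (hypothetical type).
type Location struct {
	Raw       string
	Kind      Kind
	Plaintext bool // http:// gives the DB download no transport integrity
}

// Classify applies the prefix rule from the issue and keeps the order given
// on the command line. Rejecting URLs with embedded credentials or no host is
// an assumption of this example, not behaviour described in the issue.
func Classify(repos []string) ([]Location, error) {
	out := make([]Location, 0, len(repos))
	for _, r := range repos {
		if !strings.HasPrefix(r, "http://") && !strings.HasPrefix(r, "https://") {
			out = append(out, Location{Raw: r, Kind: OCI})
			continue
		}
		u, err := url.Parse(r)
		if err != nil || u.Host == "" {
			return nil, fmt.Errorf("invalid DB URL at position %d", len(out))
		}
		if u.User != nil { // credentials in a URL leak via process list and logs
			return nil, fmt.Errorf("DB URL for host %s embeds credentials", u.Host)
		}
		out = append(out, Location{Raw: r, Kind: HTTP, Plaintext: u.Scheme == "http"})
	}
	return out, nil
}

func main() { // the two locations from the issue's second command
	fmt.Println(Classify([]string{"ghcr.io/aquasecurity/trivy-db:2",
		"https://github.com/knqyf263/trivy-db/releases/download/v2/db.tar.gz"}))
}
```
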
@orizerah
Contributor

@knqyf263
Is it possible to add authorization to this feature?

@knqyf263 knqyf263 removed this from the v0.58.0 milestone Nov 18, 2024
@knqyf263
Collaborator Author

Since we found mirror.gcr.io, we need to discuss it again.

@tamirkiviti13
Contributor

Why is it related? How does it prevent the addition of HTTP support?

@knqyf263
Collaborator Author

knqyf263 commented Dec 9, 2024

We planned to host the vulnerability database on GitHub Releases or things like that, and this feature was supposed to help since we needed to download it via HTTP. However, we found another OCI registry, and OSS users no longer need this feature.

We should discuss whether we should add this feature even if OSS users will not benefit from that.

@tamirkiviti13
Contributor

tamirkiviti13 commented Dec 9, 2024

This issue suggests another option for downloading the DBs (vuln, checks, etc.).
Why is it problematic to add the option? Won't OSS users use this feature? For example, if they want to host their own DB instance but don't want to use an OCI registry for that.
It is an addition and not a change of the current behavior.

@knqyf263
Collaborator Author

knqyf263 commented Dec 9, 2024

All features are nice to have. But adding new features more or less increases maintenance costs. And it's hard to drop it once we add it.
We should consider whether the function is really necessary and how many people need it before adding it.

@tamirkiviti13 tamirkiviti13 moved this to Roadmap in Trivy Roadmap Dec 9, 2024
@tamirkiviti13 tamirkiviti13 removed the status in Trivy Roadmap Dec 9, 2024