
Commit 4319978

committed
Trivy downloading hardening
1 parent 7ac606c commit 4319978

1 file changed

Lines changed: 24 additions & 2 deletions


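--- a/.jenkins/weekly.jenkins
+++ b/.jenkins/weekly.jenkins
@@ -4,6 +4,19 @@
 Checks for vulnerability
 
 *************************************************************************************/
+
+// =================================================================================
+// Trivy Configuration
+// =================================================================================
+// HOW TO UPDATE:
+// 1. Go to https://github.com/aquasecurity/trivy/releases
+// 2. Download the checksums file (trivy_<ver>_checksums.txt)
+// 3. Find the SHA256 for trivy_<ver>_Linux-64bit.tar.gz
+// 4. Update TRIVY_VERSION and TRIVY_SHA256 below
+// =================================================================================
+def TRIVY_VERSION = "0.69.3"
+def TRIVY_SHA256 = "1816b632dfe529869c740c0913e36bd1629cb7688bd5634f4a858c1d57c88b75"
 pipeline {
 agent any
 tools {
@@ -27,7 +40,16 @@ pipeline {
 stage('Build') {
 steps {
 // install trivy
-sh ''' curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ~/bin latest '''
+sh """
+set -euo pipefail
+TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+curl -sfL -o /tmp/\${TARBALL} https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/\${TARBALL}
+echo "${TRIVY_SHA256} /tmp/\${TARBALL}" | sha256sum -c -
+mkdir -p ~/bin
+tar -xzf /tmp/\${TARBALL} -C ~/bin trivy
+rm -f /tmp/\${TARBALL}
+~/bin/trivy --version
+"""
 
 // Build (optional)
 sh ''' mvn -B com.github.ekryd.sortpom:sortpom-maven-plugin:verify -PallPom '''
@@ -43,7 +65,7 @@ pipeline {
 // check for vulnerabilities
 // "find" to search file
 // xargs to get correct exit code (find always return 0)
-// HACK because of : https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/5198
+// HACK because of : https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/5198
 sh ''' find . -type f -path '*/target/bom*.json' -print0 | xargs -0 -I {} sh -c 'echo "Scanning "{}""; trivy -q --exit-code 1 sbom "{}" --db-repository "ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db","aquasec/trivy-db:2" --java-db-repository "ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db:1","aquasec/trivy-java-db:1"' '''
 // sh ''' find . -type f -path '*/target/bom*.json' -print0 | xargs -0 -I {} sh -c 'echo "Scanning "{}""; trivy -q --exit-code 1 sbom "{}"' '''
 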
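Review bot: `set -euo pipefail` on new line 44 is not portable to the interpreter the Jenkins `sh` step uses by default: with no shebang the script runs under the agent's `/bin/sh`, and where that is (older) dash, as on Debian/Ubuntu agents, `set -o pipefail` is rejected as an illegal option and the step fails before the download even starts, so either start the script with `#!/usr/bin/env bash` (it has to be the very first characters after `sh """` for Jenkins to honour it) or drop `-o pipefail`, which only the `echo | sha256sum -c` pipe could need and there `sha256sum` is already the last command and sets the exit status. The tarball is written to a fixed, predictable path in the shared `/tmp` (lines 46–50): on a multi-job or multi-user agent any process that can write there can pre-place a symlink or swap the file between `sha256sum -c` and `tar`, and the `rm -f` on line 50 never runs when an earlier command fails under `set -e`; a `mktemp -d` directory inside `$WORKSPACE` with a `trap … EXIT`, as sketched below, removes both issues. The pinned checksum is a real improvement over piping `install.sh … latest` into `sh`, but the HOW TO UPDATE procedure in the first hunk takes TRIVY_SHA256 from the same release page as the asset, so it catches corruption and later tampering of the tarball, not a release that was already compromised when the pin was taken; if the project signs its checksums file (cosign or GPG), verifying that signature at update time is worth adding to that comment. The enclosing `steps { … }` of stage('Build') continues outside this hunk.

```groovy
sh """#!/usr/bin/env bash
    set -euo pipefail
    TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
    WORKDIR="\$(mktemp -d "\${WORKSPACE:-/tmp}/trivy.XXXXXX")"
    trap 'rm -rf "\${WORKDIR}"' EXIT
    curl -sfL --proto '=https' -o "\${WORKDIR}/\${TARBALL}" "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/\${TARBALL}"
    echo "${TRIVY_SHA256}  \${WORKDIR}/\${TARBALL}" | sha256sum -c -
    mkdir -p ~/bin
    tar -xzf "\${WORKDIR}/\${TARBALL}" -C ~/bin trivy
    ~/bin/trivy --version
"""
```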