Questions about pinning Trivy version ?

[sbernard31]

Question

Hi,

I have a weekly jenkins job with very limited right which scan my open source project to check about know vulnerability.

Until now, I was using
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ~/bin latest to get trivy.

Recently, trivy was compromised ( #10425 ) but luckily, it seems my job running the 21th march doesn't download an affected version :

+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh
+ sh -s -- -b /home/jenkins/bin latest
aquasecurity/trivy info checking GitHub for tag 'latest'
aquasecurity/trivy info found version: 0.69.3 for v0.69.3/Linux/64bit
aquasecurity/trivy info installed /home/jenkins/bin/trivy
[Pipeline] sh

But this makes me think that probably it would be better to pin the version and check the binary with a checksum.

The issue with this way is how to be aware about CVE concerning trivy pinned version itself ?
Does trivy will raise me an error about itself ? (in case I pinned an old version for which we recently find an issue?)

Target

None

Scanner

None

Output Format

None

Mode

None

Operating System

No response

Version

No response

[simar7]

But this makes me think that probably it would be better to pin the version and check the binary with a checksum.

@sbernard31 you can also optionally verify binary integrity. See more details here #10425 (reply in thread)

As we've enabled immutable releases, the artifacts themselves should not change.

[sbernard31]

thx @simar7 🙏

What about :

The issue with this way is how to be aware about CVE concerning trivy pinned version itself ?
Does trivy will raise me an error about itself ? (in case I pinned an old version for which we recently find an issue?)

If I pin trivy version, how can I know when I MUST update trivy version ?

[DmitriyLewen]

Hello @sbernard31
Starting from version v0.69.3, all releases (and that's where the install script gets the binary file from) are immutable.
Therefore, starting from version v0.69.3, you can specify the version as an argument for the script (you don't need hash).

how can I know when I MUST update trivy version ?

As for the need to update - Trivy will correctly match the Trivy version (as well as all child dependencies) with versions from advisories.
If as a result of scanning you see that Trivy (or child packages) has vulnerabilities - it's better to update Trivy.

[sbernard31]

As for the need to update - Trivy will correctly match the Trivy version (as well as all child dependencies) with versions from advisories.

Great ! Good to know !

Starting from version v0.69.3, all releases (and that's where the install script gets the binary file from) are immutable.
Therefore, starting from version v0.69.3, you can specify the version as an argument for the script (you don't need hash).

This way I need to trust github about immutability and also trust the install script, right ?
Naively, it seems to me that this increase the attack surface ?

Is there drawback to directly download trivy using https://github.com/aquasecurity/trivy/releases/download/v0.69.3/trivy_0.69.3_Linux-64bit.tar.gz: link and use hard-coded checksum to ensure i get the excepted file ?
(This can be done at cost of 3 or 4 more bash lines)

[DmitriyLewen]

This way I need to trust github about immutability and also trust the install script, right ?
Naively, it seems to me that this increase the attack surface ?

As an additional security measure, you can consider using the script not from the main branch, but from the latest immutable tag. We will consider this option.

Is there drawback to directly download trivy using https://github.com/aquasecurity/trivy/releases/download/v0.69.3/trivy_0.69.3_Linux-64bit.tar.gz: link and use hard-coded checksum to ensure i get the excepted file ?
(This can be done at cost of 3 or 4 more bash lines)

No, there are no disadvantages, and it's also safer for you.
However, for this each user will have to write such a script for themselves, while the install script is a universal solution.

[sbernard31]

Thx a lot both of you for you answer.

Just in case I share the shell script of my jenkins files :

// =================================================================================
// Trivy Configuration
// =================================================================================
// HOW TO UPDATE:
//   1. Go to https://github.com/aquasecurity/trivy/releases
//   2. Download the checksums file (trivy_<ver>_checksums.txt)
//   3. Find the SHA256 for trivy_<ver>_Linux-64bit.tar.gz
//   4. Update TRIVY_VERSION and TRIVY_SHA256 below
// =================================================================================
def TRIVY_VERSION   = "0.69.3"
def TRIVY_SHA256    = "1816b632dfe529869c740c0913e36bd1629cb7688bd5634f4a858c1d57c88b75"

pipeline {
  .... ....
  stages {
    stage('Build') {
      steps {
        // install trivy
        sh """
          set -euo pipefail
          TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          curl -sfL -o /tmp/\${TARBALL} https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/\${TARBALL}
          echo "${TRIVY_SHA256}  /tmp/\${TARBALL}" | sha256sum -c -
          mkdir -p ~/bin
          tar -xzf /tmp/\${TARBALL} -C ~/bin trivy
          rm -f /tmp/\${TARBALL}
          ~/bin/trivy --version
        """
      
        // Build (optional)
        ... ...