Improve Trivy configuration (#7154)

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

Dockerfile.dapper

@@ -19,19 +19,19 @@ RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget c
 
 RUN python3 -m pip install awscli
 
-RUN if [ "$(go env GOARCH)" = "arm64" ]; then                                                               \
-    wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-ARM64.tar.gz && \
-    tar -zxvf trivy_0.36.1_Linux-ARM64.tar.gz                                                            && \
-    mv trivy /usr/local/bin;                                                                                \
-    elif [ "$(go env GOARCH)" = "arm" ]; then                                                               \
-    wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-ARM.tar.gz   && \
-    tar -zxvf trivy_0.36.1_Linux-ARM.tar.gz                                                              && \
-    mv trivy /usr/local/bin;                                                                                \
-    elif [ "$(go env GOARCH)" = "amd64" ]; then                                                             \
-    wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.tar.gz && \
-    tar -zxvf trivy_0.36.1_Linux-64bit.tar.gz                                                            && \
-    mv trivy /usr/local/bin;                                                                                \
+RUN TRIVY_VERSION="0.38.3"                                                                                                                          && \
+    if [ "$(go env GOARCH)" = "arm64" ] || [ "$(go env GOARCH)" = "arm" ]; then                                                                        \
+    # Turn arm64 and arm into uppercase ARM64 and ARM, respectively, for Trivy's download
+    TRIVY_ARCH=$(go env GOARCH | tr "[:lower:]" "[:upper:]")                                                                                        && \
+    wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" && \
+    tar -zxvf "trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz"                                                                                   && \
+    mv trivy /usr/local/bin;                                                                                                                           \
+    elif [ "$(go env GOARCH)" = "amd64" ]; then                                                                                                        \
+    wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"         && \
+    tar -zxvf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"                                                                                           && \
+    mv trivy /usr/local/bin;                                                                                                                           \
     fi
+
 # this works for both go 1.17 and 1.18
 RUN GOPROXY=direct go install golang.org/x/tools/cmd/goimports@gopls/v0.11.0
 RUN rm -rf /go/src /go/pkg

scripts/image_scan.sh

@@ -18,11 +18,20 @@ if [ -n ${DEBUG} ]; then
     set -x
 fi
 
-
-
 IMAGE=$1
 SEVERITIES="HIGH,CRITICAL"
-
-trivy --quiet image --severity ${SEVERITIES}  --no-progress --ignore-unfixed ${IMAGE}
+TRIVY_TEMPLATE='{{- $critical := 0 }}{{- $high := 0 }}
+{{- println "Target - Severity - ID - Package - Vulnerable Version - Fixed Version" -}}{{ print }}
+{{ range . }}
+    {{- $target := .Target -}}
+    {{ range .Vulnerabilities }}
+        {{- if  eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}
+        {{- if  eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}
+        {{- list $target .Severity .VulnerabilityID .PkgName .InstalledVersion .FixedVersion | join " - " | println -}}
+    {{- end -}}
+{{ end }}
+Vulnerabilities - Critical: {{ $critical }}, High: {{ $high }}{{ println }}'
+
+trivy --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed --format template --template "${TRIVY_TEMPLATE}" ${IMAGE}
 
 exit 0

updatecli/updatecli.d/trivy.yaml

@@ -0,0 +1,62 @@
+---
+name: "Bump Trivy version"
+scms:
+  k3s:
+    kind: "github"
+    spec:
+      user: "{{ .github.user }}"
+      email: "{{ .github.email }}"
+      username: "{{ .github.username }}"
+      token: "{{ requiredEnv .github.token }}"
+      owner: "{{ .k3s.org }}"
+      repository: "{{ .k3s.repo }}"
+      branch: "{{ .k3s.branch }}"
+      commitmessage:
+        title: "Bump Trivy version"
+
+actions:
+  github:
+    title: "Bump Trivy version"
+    kind: "github/pullrequest"
+    scmid: "k3s"
+    spec:
+      automerge: false
+      mergemethod: "squash"
+      usetitleforautomerge: true
+      labels:
+        - "dependencies"
+
+sources:
+  trivy-release:
+    name: "Get Trivy latest release"
+    kind: "githubrelease"
+    spec:
+      owner: "aquasecurity"
+      repository: "trivy"
+      token: "{{ requiredEnv .github.token }}"
+      versionfilter:
+        kind: "latest"
+    transformers:
+      - trimprefix: "v"
+
+conditions:
+  trivy-version:
+    name: "Check Trivy usage in Dockerfile.dapper"
+    kind: "file"
+    scmid: "k3s"
+    disablesourceinput: true
+    spec:
+      file: "Dockerfile.dapper"
+      matchpattern: 'TRIVY_VERSION="\d+\.\d+.\d+"'
+
+targets:
+  trivy-version:
+    name: "Update Trivy version in Dockerfile.dapper"
+    kind: "file"
+    scmid: "k3s"
+    disablesourceinput: true
+    spec:
+      file: "Dockerfile.dapper"
+      matchpattern: 'TRIVY_VERSION="\d+\.\d+.\d+"'
+      replacepattern: 'TRIVY_VERSION="{{ source `trivy-release` }}"'
+