feat: Configure Trivy timeout (#191)

Resolves: #186

Signed-off-by: Daniel Pacak <[email protected]>

Author: danielpacak

CONTRIBUTING.md

@@ -38,13 +38,17 @@
    ```
    vagrant up
    ```
-3. SSH into a running Vagrant machine.
+   If everything goes well Harbor will be accessible at http://localhost:8181 (admin/Harbor12345).
+
+   To SSH into a running Vagrant machine.
    ```
    vagrant ssh
    ```
-4. Change directory to `/vagrant` in the development machine, which is shared between host and guest.
+   The `/vagrant` directory in the development machine is shared between host and guest. This, for example, allows you
+   to rebuild a container image for testing.
    ```
    vagrant@ubuntu-focal:~$ cd /vagrant
+   vagrant@ubuntu-focal:/vagrant$ make docker-build
    ```
 
 ## Build Binaries

README.md

@@ -130,10 +130,11 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_VULN_TYPE`                 | `os,library`                       | Comma-separated list of vulnerability types. Possible values are `os` and `library`. |
 | `SCANNER_TRIVY_SEVERITY`                  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed                   |
 | `SCANNER_TRIVY_IGNORE_UNFIXED`            | `false`                            | The flag to display only fixed vulnerabilities                                       |
-| `SCANNER_TRIVY_IGNORE_POLICY`             | ``                                 | The path for the Trivy ignore policy OPA Rego file                                        |
+| `SCANNER_TRIVY_IGNORE_POLICY`             | ``                                 | The path for the Trivy ignore policy OPA Rego file                                   |
 | `SCANNER_TRIVY_SKIP_UPDATE`               | `false`                            | The flag to enable or disable [Trivy DB][trivy-db] downloads from GitHub             |
 | `SCANNER_TRIVY_GITHUB_TOKEN`              | N/A                                | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][gh-rate-limit]) |
 | `SCANNER_TRIVY_INSECURE`                  | `false`                            | The flag to skip verifying registry certificate                                      |
+| `SCANNER_TRIVY_TIMEOUT`                   | `5m0s`                             | The duration to wait for scan completion                                             |
 | `SCANNER_STORE_REDIS_NAMESPACE`           | `harbor.scanner.trivy:store`       | The namespace for keys in the Redis store                                            |
 | `SCANNER_STORE_REDIS_SCAN_JOB_TTL`        | `1h`                               | The time to live for persisting scan jobs and associated scan reports                |
 | `SCANNER_JOB_QUEUE_REDIS_NAMESPACE`       | `harbor.scanner.trivy:job-queue`   | The namespace for keys in the scan jobs queue backed by Redis                        |

Vagrantfile

@@ -9,9 +9,9 @@ Vagrant.configure("2") do |config|
     vb.memory = "2096"
   end
 
+  config.vm.provision "install-go", type: "shell", path: "vagrant/install-go.sh"
   config.vm.provision "install-docker", type: "shell", path: "vagrant/install-docker.sh"
   config.vm.provision "install-harbor", type: "shell", path: "vagrant/install-harbor.sh"
-  config.vm.provision "install-go", type: "shell", path: "vagrant/install-go.sh"
 
   config.vm.network :forwarded_port, guest: 80, host: 8181
 end

helm/harbor-scanner-trivy/README.md

@@ -94,6 +94,7 @@ The following table lists the configurable parameters of the scanner adapter cha
 | `scanner.trivy.ignorepolicy`          | The OPA rego script used by Trivy to evaluate each vulnerability | `     ` |
 | `scanner.trivy.severity`              | Comma-separated list of vulnerabilities severities to be displayed      | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
 | `scanner.trivy.ignoreUnfixed`         | The flag to display only fixed vulnerabilities                          | `false`        |
+| `scanner.trivy.timeout`               | The duration to wait for scan completion                                | `5m0s`         |
 | `scanner.trivy.skipUpdate`            | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
 | `scanner.trivy.gitHubToken`           | The GitHub access token to download Trivy DB                            |      |
 | `scanner.trivy.insecure`              | The flag to skip verifying registry certificate                         | `false` |

helm/harbor-scanner-trivy/templates/statefulset.yaml

@@ -69,6 +69,8 @@ spec:
               value: {{ .Values.scanner.trivy.severity | default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" | quote }}
             - name: "SCANNER_TRIVY_IGNORE_UNFIXED"
               value: {{ .Values.scanner.trivy.ignoreUnfixed | default false | quote }}
+            - name: "SCANNER_TRIVY_TIMEOUT"
+              value: {{ .Values.scanner.trivy.timeout | quote }}
             - name: "SCANNER_TRIVY_SKIP_UPDATE"
               value: {{ .Values.scanner.trivy.skipUpdate | default false | quote }}
             - name: "SCANNER_TRIVY_GITHUB_TOKEN"

helm/harbor-scanner-trivy/values.yaml

@@ -66,6 +66,8 @@ scanner:
     severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
     ## ignoreUnfixed the flag to display only fixed vulnerabilities
     ignoreUnfixed: false
+    ## timeout the duration to wait for scan completion
+    timeout: 5m0s
     ## skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
     ##
     ## You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.

pkg/etc/config.go

@@ -24,16 +24,17 @@ type Config struct {
 }
 
 type Trivy struct {
-	CacheDir      string `env:"SCANNER_TRIVY_CACHE_DIR" envDefault:"/home/scanner/.cache/trivy"`
-	ReportsDir    string `env:"SCANNER_TRIVY_REPORTS_DIR" envDefault:"/home/scanner/.cache/reports"`
-	DebugMode     bool   `env:"SCANNER_TRIVY_DEBUG_MODE" envDefault:"false"`
-	VulnType      string `env:"SCANNER_TRIVY_VULN_TYPE" envDefault:"os,library"`
-	Severity      string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
-	IgnoreUnfixed bool   `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
-	IgnorePolicy  string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
-	SkipUpdate    bool   `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
-	GitHubToken   string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
-	Insecure      bool   `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
+	CacheDir      string        `env:"SCANNER_TRIVY_CACHE_DIR" envDefault:"/home/scanner/.cache/trivy"`
+	ReportsDir    string        `env:"SCANNER_TRIVY_REPORTS_DIR" envDefault:"/home/scanner/.cache/reports"`
+	DebugMode     bool          `env:"SCANNER_TRIVY_DEBUG_MODE" envDefault:"false"`
+	VulnType      string        `env:"SCANNER_TRIVY_VULN_TYPE" envDefault:"os,library"`
+	Severity      string        `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
+	IgnoreUnfixed bool          `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
+	IgnorePolicy  string        `env:"SCANNER_TRIVY_IGNORE_POLICY"`
+	SkipUpdate    bool          `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
+	GitHubToken   string        `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
+	Insecure      bool          `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
+	Timeout       time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
 }
 
 type API struct {

pkg/etc/config_test.go

@@ -74,6 +74,7 @@ func TestGetConfig(t *testing.T) {
 					Severity:    "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 					Insecure:    false,
 					GitHubToken: "",
+					Timeout:     parseDuration(t, "5m0s"),
 				},
 				RedisPool: RedisPool{
 					URL:               "redis://localhost:6379",
@@ -111,6 +112,7 @@ func TestGetConfig(t *testing.T) {
 					Severity:    "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 					Insecure:    false,
 					GitHubToken: "",
+					Timeout:     parseDuration(t, "5m0s"),
 				},
 				RedisPool: RedisPool{
 					URL:               "redis://localhost:6379",
@@ -153,6 +155,7 @@ func TestGetConfig(t *testing.T) {
 				"SCANNER_TRIVY_INSECURE":       "true",
 				"SCANNER_TRIVY_SKIP_UPDATE":    "true",
 				"SCANNER_TRIVY_GITHUB_TOKEN":   "<GITHUB_TOKEN>",
+				"SCANNER_TRIVY_TIMEOUT":        "15m30s",
 
 				"SCANNER_STORE_REDIS_NAMESPACE":    "store.ns",
 				"SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s",
@@ -185,6 +188,7 @@ func TestGetConfig(t *testing.T) {
 					SkipUpdate:    true,
 					Insecure:      true,
 					GitHubToken:   "<GITHUB_TOKEN>",
+					Timeout:       parseDuration(t, "15m30s"),
 				},
 				RedisPool: RedisPool{
 					URL:               "redis://harbor-harbor-redis:6379",

pkg/http/api/v1/handler.go

@@ -225,6 +225,7 @@ func (h *requestHandler) GetMetadata(res http.ResponseWriter, _ *http.Request) {
 		"env.SCANNER_TRIVY_INSECURE":       strconv.FormatBool(h.config.Trivy.Insecure),
 		"env.SCANNER_TRIVY_VULN_TYPE":      h.config.Trivy.VulnType,
 		"env.SCANNER_TRIVY_SEVERITY":       h.config.Trivy.Severity,
+		"env.SCANNER_TRIVY_TIMEOUT":        h.config.Trivy.Timeout.String(),
 	}
 
 	vi, err := h.wrapper.GetVersion()

pkg/http/api/v1/handler_test.go

@@ -428,31 +428,32 @@ func TestRequestHandler_GetReady(t *testing.T) {
 func TestRequestHandler_GetMetadata(t *testing.T) {
 	testCases := []struct {
 		name             string
-		mockedBuildInfo  etc.BuildInfo
-		mockedVersion    trivy.VersionInfo
-		mockedConfig     etc.Config
+		buildInfo        etc.BuildInfo
+		version          trivy.VersionInfo
+		config           etc.Config
 		mockedError      error
 		expectedHTTPCode int
 		expectedResp     string
 		expectedError    error
 	}{
 		{
-			name:            "Should respond with a valid Metadata JSON and HTTP 200 OK",
-			mockedBuildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
-			mockedVersion: trivy.VersionInfo{
+			name:      "Should respond with a valid Metadata JSON and HTTP 200 OK",
+			buildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
+			version: trivy.VersionInfo{
 				Version: "v0.5.2-17-g3c9af62",
 				VulnerabilityDB: &trivy.Metadata{
 					NextUpdate: time.Unix(1584507644, 0).UTC(),
 					UpdatedAt:  time.Unix(1584517644, 0).UTC(),
 				},
 			},
-			mockedConfig: etc.Config{Trivy: etc.Trivy{
+			config: etc.Config{Trivy: etc.Trivy{
 				SkipUpdate:    false,
 				IgnoreUnfixed: true,
 				DebugMode:     true,
 				Insecure:      true,
 				VulnType:      "os,library",
 				Severity:      "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+				Timeout:       5 * time.Minute,
 			}},
 			expectedHTTPCode: http.StatusOK,
 			expectedResp: `{
@@ -485,23 +486,25 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
       "env.SCANNER_TRIVY_DEBUG_MODE": "true",
       "env.SCANNER_TRIVY_INSECURE": "true",
       "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
-      "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+      "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+      "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
    }
 }`,
 		},
 		{
-			name:            "Should respond with a valid Metadata JSON and HTTP 200 OK, when there's no trivy Metadata present",
-			mockedBuildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
-			mockedVersion: trivy.VersionInfo{
+			name:      "Should respond with a valid Metadata JSON and HTTP 200 OK, when there's no trivy Metadata present",
+			buildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
+			version: trivy.VersionInfo{
 				Version: "v0.5.2-17-g3c9af62",
 			},
-			mockedConfig: etc.Config{Trivy: etc.Trivy{
+			config: etc.Config{Trivy: etc.Trivy{
 				SkipUpdate:    false,
 				IgnoreUnfixed: true,
 				DebugMode:     true,
 				Insecure:      true,
 				VulnType:      "os,library",
 				Severity:      "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+				Timeout:       5 * time.Minute,
 			}},
 			expectedHTTPCode: http.StatusOK,
 			expectedResp: `{
@@ -532,18 +535,20 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
       "env.SCANNER_TRIVY_DEBUG_MODE": "true",
       "env.SCANNER_TRIVY_INSECURE": "true",
       "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
-      "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+      "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+      "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
    }
 }`,
 		},
 		{
-			name:            "Should respond with a valid Metadata JSON and HTTP 200 OK when GetVersion fails",
-			mockedError:     errors.New("get version failed"),
-			mockedBuildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
-			mockedConfig: etc.Config{
+			name:        "Should respond with a valid Metadata JSON and HTTP 200 OK when GetVersion fails",
+			mockedError: errors.New("get version failed"),
+			buildInfo:   etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
+			config: etc.Config{
 				Trivy: etc.Trivy{
 					VulnType: "os,library",
 					Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+					Timeout:  5 * time.Minute,
 				},
 			},
 			expectedHTTPCode: http.StatusOK,
@@ -575,7 +580,8 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
       "env.SCANNER_TRIVY_DEBUG_MODE": "false",
       "env.SCANNER_TRIVY_INSECURE": "false",
       "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
-      "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+      "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+      "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
    }
 }`,
 		},
@@ -586,14 +592,14 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 			enqueuer := mock.NewEnqueuer()
 			store := mock.NewStore()
 			wrapper := trivy.NewMockWrapper()
-			wrapper.On("GetVersion").Return(tc.mockedVersion, tc.mockedError)
+			wrapper.On("GetVersion").Return(tc.version, tc.mockedError)
 
 			rr := httptest.NewRecorder()
 
 			r, err := http.NewRequest(http.MethodGet, "/api/v1/metadata", nil)
 			require.NoError(t, err, tc.name)
 
-			NewAPIHandler(tc.mockedBuildInfo, tc.mockedConfig, enqueuer, store, wrapper).ServeHTTP(rr, r)
+			NewAPIHandler(tc.buildInfo, tc.config, enqueuer, store, wrapper).ServeHTTP(rr, r)
 
 			rs := rr.Result()