
#!/bin/bash

# Strict mode: abort on any failing command, on unset variables, and on a
# failing stage anywhere in a pipeline.
set -euo pipefail

# Package changelog file name. Not referenced further in this script as shown;
# presumably consumed by a sibling script or by hand — confirm before removing.
CHANGELOG_FILE="trivy-database.changes"
#TRIVY_IMAGE_REPOSITORIES="public.ecr.aws/aquasecurity/trivy:latest,aquasec/trivy:latest"
# Comma-separated OCI repository lists handed verbatim to
# `trivy --db-repository` / `--java-db-repository` below (trivy tries them
# in order). Tag 2 is the vulnerability DB schema, tag 1 the Java DB schema.
TRIVY_DATABASE_REPOSITORIES="public.ecr.aws/aquasecurity/trivy-db:2,aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2"
TRIVY_JAVA_DATABASE_REPOSITORIES="public.ecr.aws/aquasecurity/trivy-java-db:1,aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1"

# Helper functions
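#######################################
# Print a diagnostic line to stderr.
# Arguments: the message words; they are joined with single spaces.
# Outputs:   the message plus newline on stderr (stdout stays clean for
#            callers that capture command output).
# Returns:   0
#######################################
log() {
    # printf rather than echo: a message that happens to start with -n or -e
    # is printed literally instead of being eaten as an echo option.
    printf '%s\n' "$*" >&2
}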
#######################################
# Run GNU tar with the options that make the archive content-deterministic:
# fixed entry order, fixed owner/group, fixed mtime, fixed format.
# Arguments: forwarded unchanged to tar, ahead of the fixed options
#            (e.g. -Jcf FILE -C DIR paths...)
# Returns:   tar's exit status
#######################################
idempotent_tar() {
    # NOTE(review): --mtime="0" is parsed by GNU tar's date parser; a bare "0"
    # is presumably "today 00:00", so archives would only be identical within
    # one day — confirm; "@0" would pin the Unix epoch if that is the intent.
    local -a deterministic_opts=(
        --sort=name
        --owner=root:0
        --group=root:0
        --mtime="0"
        --format=gnu
    )
    tar "$@" "${deterministic_opts[@]}"
}
#######################################
# Reduce a trivy metadata.json UpdatedAt timestamp to a 12-digit datestring.
# Arguments: metadata file path(s), passed through to jq
# Outputs:   one line per input: the first 12 digits of UpdatedAt with every
#            letter and separator removed (e.g. 2024-01-15T12:34:56.1Z ->
#            202401151234, i.e. YYYYMMDDhhmm)
# Returns:   status of the pipeline (non-zero if jq cannot read the input)
#######################################
dbversion() {
    local -r keep_chars=12
    jq -r '.UpdatedAt' "$@" \
        | tr -d 'a-zA-Z.:-' \
        | cut -c "1-${keep_chars}"
}

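# Required tools; command -v is the portable presence check (not `which`).
if ! command -v jq >/dev/null 2>&1; then
    log "Do not have jq on the system. Please install jq."
    exit 1
fi
if ! command -v trivy >/dev/null 2>&1; then
    log "Do not have trivy on the system. Please install recent trivy."
    exit 1
fi

# Trivy cache location. Honour an already-set TRIVY_CACHE_DIR and hand the
# directory to trivy explicitly, so the metadata read below is guaranteed to
# be the metadata trivy just wrote rather than a hard-coded guess.
TRIVY_CACHE_DIR="${TRIVY_CACHE_DIR:-$HOME/.cache/trivy}"

log "Downloading / Refreshing database"

trivy image --cache-dir "$TRIVY_CACHE_DIR" --download-db-only \
    --db-repository "$TRIVY_DATABASE_REPOSITORIES"
trivy image --cache-dir "$TRIVY_CACHE_DIR" --download-java-db-only \
    --java-db-repository "$TRIVY_JAVA_DATABASE_REPOSITORIES"

# Get the current database version (the latest update datestring).
# UpdatedAt is registry-supplied metadata: insist on exactly twelve digits
# (YYYYMMDDhhmm) before the value is used in a file name and in the spec.
DB_VERSION="$(dbversion "$TRIVY_CACHE_DIR/db/metadata.json")"
if [[ ! $DB_VERSION =~ ^[0-9]{12}$ ]]; then
    log "Invalid format for Trivy db version: $DB_VERSION"
    exit 1
fi
JAVA_DB_VERSION="$(dbversion "$TRIVY_CACHE_DIR/java-db/metadata.json")"
if [[ ! $JAVA_DB_VERSION =~ ^[0-9]{12}$ ]]; then
    log "Invalid format for Trivy java-db version: $JAVA_DB_VERSION"
    exit 1
fi
# The package version is the newer of the two timestamps; both were validated
# above, so the arithmetic comparison never sees a non-numeric value.
if (( DB_VERSION > JAVA_DB_VERSION )); then
    TRIVY_DB_VERSION="$DB_VERSION"
else
    TRIVY_DB_VERSION="$JAVA_DB_VERSION"
fi

log "Found database version: $TRIVY_DB_VERSION"

SPEC_FILE=scanner-databases.spec
DATABASE_FILE="trivy-database-$TRIVY_DB_VERSION.tar.xz"

# Nothing to do when the spec already pins exactly this version.
if grep -Eq "%define trivydbversion[[:space:]]*${TRIVY_DB_VERSION}\$" "$SPEC_FILE"; then
    log "The database is up-to-date"
    exit 0
fi

# Rewrite the spec line by line into newspec. `IFS= read -r` keeps leading
# whitespace and backslashes intact (the old unquoted `read` stripped both),
# `|| [[ -n ]]` keeps a final line without trailing newline, and reading
# from a redirect instead of `cat |` keeps the loop in this shell so an
# `exit` inside it would end the script, not a subshell.
rm -f newspec
while IFS= read -r xline || [[ -n $xline ]]; do
    if [[ $xline == *"%define trivydbversion"* ]]; then
        printf '%%define trivydbversion\t%s\n' "$TRIVY_DB_VERSION"
    else
        printf '%s\n' "$xline"
    fi
done < "$SPEC_FILE" > newspec

# diff exits 1 when the files differ, which is the expected case here.
diff -u "$SPEC_FILE" newspec || true
mv newspec "$SPEC_FILE"

# Remove the previous archive(s). -f keeps a first run, where there is
# nothing to remove yet, from aborting under set -e.
rm -f -- trivy-database-2*.tar.xz
# Compress trivy database in an idempotent .tar.xz archive
log "Compressing database"
idempotent_tar -Jcf "$DATABASE_FILE" -C "$TRIVY_CACHE_DIR/" db java-db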