From 8da8e454d54ff2b419a22c74c7d73670414a63fa Mon Sep 17 00:00:00 2001
From: Sagar Khalasi
Date: Mon, 30 Dec 2024 12:54:27 +0530
Subject: [PATCH] CI: Update Trivy DB (#38397)

## Description
Update trivy db download failure.
Fixes # https://app.zenhub.com/workspaces/stability-pod-6690c4814e31602e25cab7fd/issues/gh/appsmithorg/appsmith/38398
Tested: https://github.com/appsmithorg/appsmith/actions/runs/12543112349

## Automation
/ok-to-test tags=""

### :mag: Cypress test results
> [!CAUTION]
> If you modify the content in this section, you are likely to disrupt the CI result for your PR.

## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No

## Summary by CodeRabbit
- **New Features**
- Enhanced script to automatically download Trivy vulnerability database if not present
- Added capability to create and manage temporary database download directory
- **Chores**
- Cleaned up script by removing unnecessary line
---
 scripts/trivy_vulnerabilities_data.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/trivy_vulnerabilities_data.sh b/scripts/trivy_vulnerabilities_data.sh
index cf96a99a81..e8842ecc3a 100755
--- a/scripts/trivy_vulnerabilities_data.sh
+++ b/scripts/trivy_vulnerabilities_data.sh
@@ -71,6 +71,15 @@ case "$IMAGE" in
 *) product_name="UNKNOWN" ;;
 esac
+# Download Trivy DB if necessary
+if [ ! -d "$HOME/.cache/trivy/db" ]; then
+ echo "Trivy DB not found. Downloading..."
+ TRIVY_TEMP_DIR=$(mktemp -d)
+ trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+ tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+ rm -rf $TRIVY_TEMP_DIR
+fi
+
 
 # Run Trivy scan
 echo "Running Trivy scan for image: $IMAGE..."
 trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --insecure --format json "$IMAGE" > "trivy_vulnerabilities.json" || {
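Review bot: `$TRIVY_TEMP_DIR` is expanded unquoted on the three added lines that use it (the `trivy --cache-dir`, `tar -C` and `rm -rf` lines), so the path word-splits and globs if `TMPDIR` contains spaces or pattern characters, and the `rm -rf` is the one destructive step in the block with no guard against an empty value; quote it and add the empty check: `trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only`, `tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db`, `rm -rf -- "${TRIVY_TEMP_DIR:?}"`. Neither `mktemp -d` nor `trivy --download-db-only` has its status checked; whether a failure stops the script depends on a `set -e` outside the hunk, and without it `tar` would run against a `db/` directory that was never populated. `tar -cf` writes an uncompressed archive, so the name `db.tar.gz` is misleading unless `-z` is added or the file is called `db.tar`. Separately, the guard tests `$HOME/.cache/trivy/db` while the download lands in a temp dir that is removed at the end of the block, so the condition stays true on every run and the later `trivy image` call still has to obtain its own DB unless `db.tar.gz` is consumed by a step outside the hunk.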
@@ -78,7 +87,6 @@ trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repos
 exit 1
 }
-
 # Process vulnerabilities and generate CSV
 if jq -e '.Results | length > 0' "trivy_vulnerabilities.json" > /dev/null; then
 jq -r --arg product "$product_name" '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID),\($product),TRIVY,\(.Severity)"' "trivy_vulnerabilities.json" | sort -u > "$NEW_VULN_FILE"