Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
github.com/aquasecurity/trivy-db
- Version published
- Created
trivy-db
Overview
trivy-db is a CLI tool and a library to manipulate Trivy DB.
Library
Trivy uses trivy-db internally to manipulate vulnerability DB. This DB has vulnerability information from NVD, Red Hat, Debian, etc.
CLI
The trivy-db CLI tool builds vulnerability DBs. A GitHub Actions workflow
periodically builds a fresh version of the vulnerability DB using trivy-db and uploads it to the GitHub
Container Registry (see Download the vulnerability database below).
NAME:
trivy-db - Trivy DB builder
USAGE:
main [global options] command [command options] image_name
VERSION:
0.0.1
COMMANDS:
build build a database file
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help
--version, -v print the version
Building the DB
You can utilize make db-all to build the database, the DB artifact is outputted to the assets folder.
Alternatively Docker is supported, you can run docker build . -t trivy-db.
If you want to build a trivy integration test DB, please run make create-test-db
Update interval
Trivy DB is built every 6 hours. By default, the update interval specified in the metadata file is 24 hours. If you need to update Trivy DB more frequently, you can upload a new Trivy DB manually.
Download the vulnerability database
version 1 (deprecated)
Trivy DB v1 reached the end of support on February 2023. Please upgrade Trivy to v0.23.0 or later.
Read more about the Trivy DB v1 deprecation in the discussion.
version 2
Trivy DB v2 is hosted on GHCR.
Although GitHub displays the docker pull command by default, please note that it cannot be downloaded using docker pull as it is not a container image.
You can download the actual compiled database via Trivy or Oras CLI.
Trivy:
TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR
oras >= v0.13.0:
$ oras pull ghcr.io/aquasecurity/trivy-db:2
oras < v0.13.0:
$ oras pull -a ghcr.io/aquasecurity/trivy-db:2
The database can be used for Air-Gapped Environment.
FAQs
Unknown package
Package last updated on 20 Nov 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024