From 0f6aa3d5b1ebfef6b8f8536b5cf204f13d32853b Mon Sep 17 00:00:00 2001
From: Jake Barnby <jakeb994@gmail.com>
Date: Wed, 6 Nov 2024 15:45:26 +1300
Subject: [PATCH] Fix trivy scans

---
 .github/workflows/nightly.yml | 45 +++++++++++++++++++++++++++++++++--
 .github/workflows/pr-scan.yml | 10 ++++++--
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 80d880244c..22e28f01b8 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,6 +5,36 @@ on:
   workflow_dispatch:
 
 jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
+
   scan-image:
     name: Scan Docker Image
     runs-on: ubuntu-latest
@@ -13,16 +43,22 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Build the Docker image
         run: docker build . -t appwrite_image:latest
+
       - name: Run Trivy vulnerability scanner on image
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           image-ref: 'appwrite_image:latest'
           format: 'sarif'
           output: 'trivy-image-results.sarif'
           ignore-unfixed: 'false'
           severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
       - name: Upload Docker Image Scan Results
         uses: github/codeql-action/upload-sarif@v2
         with:
@@ -34,13 +70,18 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+
       - name: Run Trivy vulnerability scanner on filesystem
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: 'fs'
           format: 'sarif'
           output: 'trivy-fs-results.sarif'
           severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
       - name: Upload Code Scan Results
         uses: github/codeql-action/upload-sarif@v2
         with:
diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml
index eded58985d..1289efce11 100644
--- a/.github/workflows/pr-scan.yml
+++ b/.github/workflows/pr-scan.yml
@@ -26,21 +26,27 @@ jobs:
         tags: pr_image:${{ github.sha }}
 
     - name: Run Trivy vulnerability scanner on image
-      uses: aquasecurity/trivy-action@0.20.0
+      uses: aquasecurity/trivy-action@0.28.0
       with:
         image-ref: 'pr_image:${{ github.sha }}'
         format: 'json'
         output: 'trivy-image-results.json'
         severity: 'CRITICAL,HIGH'
+      env:
+        TRIVY_SKIP_DB_UPDATE: true
+        TRIVY_SKIP_JAVA_DB_UPDATE: true
 
     - name: Run Trivy vulnerability scanner on source code
-      uses: aquasecurity/trivy-action@0.20.0
+      uses: aquasecurity/trivy-action@0.28.0
       with:
         scan-type: 'fs'
         scan-ref: '.'
         format: 'json'
         output: 'trivy-fs-results.json'
         severity: 'CRITICAL,HIGH'
+      env:
+        TRIVY_SKIP_DB_UPDATE: true
+        TRIVY_SKIP_JAVA_DB_UPDATE: true
 
     - name: Process Trivy scan results
       id: process-results