Merge branch '74-add-java-database-args-for-trivy-for-using-custom-java-db-url' into 'master'

| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis          | _(none)_ |

| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |

| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

        },

        {

          "name": "DOCKER_TRIVY_DB_REPOSITORY",

          "description": "Custom OCI repository to retrieve Trivy Database from",

          "description": "OCI repository to retrieve Trivy Database from",

          "advanced": true

        },

        {

          "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",

          "description": "OCI repository to retrieve Trivy Java Database from",

          "advanced": true

        }

      ]

    trivy-db-repository:

      description: Custom OCI repository to retrieve Trivy Database from

      default: ''

    trivy-java-db-repository:

      description: Custom Java DB repository path 

      default: ''

    sbom-disabled:

      description: Disable Software Bill of Materials

      type: boolean

  DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]

  DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]

  DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]

  DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]

  # SBOM genenration image and arguments

  DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]

    mkdir -p ./reports

    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then

      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"

      trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY}

      trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}

      export trivy_opts="image"

    else

      log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"

      export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"

    fi

    # Add common trivy arguments

    export trivy_opts="${trivy_opts} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"

    # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository

    export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"

    # GitLab format (no fail)

    trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE

    # JSON format (no fail)