Commit 357eec8e authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/use-trivy-variables' into 'master'

refactor(jib/trivy): enforce usage of Trivy environment variables

See merge request to-be-continuous/maven!100
parents 7345fa4d e62f19e9
+8 −2
@@ -482,10 +482,16 @@ The template uses GitLab registries and authentication defaults. See the Docker
| -------------------------------------- | ------------------------ | ------------------------------------------------- |
| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials  | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java`          |
| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning  | `registry.hub.docker.com/aquasec/trivy:latest` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os` |

Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:

* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
* `TRIVY_SERVER`: server address (enables client/server mode)
* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from

##### Jib build and publish configuration

+2 −20
@@ -217,7 +217,7 @@
        {
          "id": "mvn-trivy",
          "name": "Maven Trivy",
          "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
          "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
          "disable_with": "MAVEN_TRIVY_DISABLED",
          "variables": [
            {
@@ -226,27 +226,9 @@
              "default": "registry.hub.docker.com/aquasec/trivy:latest",
              "advanced": true
            },
            {
              "name": "MAVEN_TRIVY_ADDR",
              "type": "url",
              "description": "The Trivy server address"
            },
            {
              "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
              "type": "enum",
              "values": [
                "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
                "LOW,MEDIUM,HIGH,CRITICAL",
                "MEDIUM,HIGH,CRITICAL",
                "HIGH,CRITICAL",
                "CRITICAL"
              ],
              "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
              "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
            },
            {
              "name": "MAVEN_TRIVY_ARGS",
              "description": "Additional `trivy client` arguments",
              "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
              "default": "--ignore-unfixed --vuln-type os",
              "advanced": true
            }
+14 −35
@@ -32,21 +32,8 @@ spec:
    trivy-image:
      description: The docker image used to scan images with Trivy
      default: registry.hub.docker.com/aquasec/trivy:latest
    trivy-addr:
      description: The Trivy server address
      default: ''
    trivy-security-level-threshold:
      description: 'Severities of vulnerabilities to be displayed (comma separated values:
        `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
      options:
      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
      - LOW,MEDIUM,HIGH,CRITICAL
      - MEDIUM,HIGH,CRITICAL
      - HIGH,CRITICAL
      - CRITICAL
      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    trivy-args:
      description: Additional `trivy client` arguments
      description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
      default: --ignore-unfixed --vuln-type os
    sbom-image:
      default: registry.hub.docker.com/anchore/syft:debug
@@ -57,8 +44,8 @@ spec:
variables:
  MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
  MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
  MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
  MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
  MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
  MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
  MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
  MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
@@ -66,8 +53,6 @@ variables:
  MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
  MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
  MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
  MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
  MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]

.mvn-jib-scripts: &mvn-jib-scripts |
  # BEGSCRIPT
@@ -164,25 +149,19 @@ mvn-trivy:
    export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
    export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./reports
    if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then
      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
      trivy image --download-db-only
      export trivy_opts="image"
    else
      log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
      export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
    if [[ -z "$TRIVY_SERVER" ]]; then
      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
    fi
    # Add common trivy arguments
    export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}"
    # GitLab format (no fail)
    trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE
    # JSON format (no fail)
    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
    then
      trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE
    fi
    # console output (fail)
    trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
    # Generate the native JSON report that can later be converted to other formats
    trivy image --no-progress ${MAVEN_TRIVY_ARGS} --exit-code 1 --format json --output reports/jib-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE || exit_code=$?

    # Generate a report in the GitLab format
    trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/jib-trivy-${basename}.gitlab.json reports/jib-trivy-${basename}.native.json

    # console output
    trivy convert --format table reports/jib-trivy-${basename}.native.json

    exit $exit_code
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
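Review bot: `exit $exit_code` on the last script line of the mvn-trivy hunk relies on `exit_code` being initialised, but inside the hunk it is only assigned by `|| exit_code=$?` when `trivy image` fails; unless something earlier in the script (which starts outside the hunk) sets it, a clean scan expands to a bare `exit`, so the job status becomes whatever the final `trivy convert` returned rather than an explicit 0, and the line would abort if the script ever ran under `set -u`. Adding `exit_code=0` just before the `trivy image` call makes the intended pass/fail contract explicit. Separately, the `trivy-addr` and `trivy-security-level-threshold` inputs removed in the first hunk of this file have no fallback, so a project that still sets `MAVEN_TRIVY_ADDR` silently drops to standalone mode and one that still sets `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` silently falls back to Trivy's default severity set; a one-line shim next to the `TRIVY_SERVER` check, `export TRIVY_SERVER="${TRIVY_SERVER:-$MAVEN_TRIVY_ADDR}"` (and likewise `TRIVY_SEVERITY` from the old threshold variable), with a deprecation warning, would keep those pipelines behaving as before until they migrate to the documented environment variables.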