Harbor Supervisor Service Trivy DB & Trivy Java DB configuration for Air gapped environment



Article ID: 420276


Products

VMware vSphere Kubernetes Service

Issue/Introduction

In an air-gapped environment, the Harbor Trivy DB and Trivy Java DB need to be downloaded from the internet on a connected host and copied into the Harbor Trivy scanner pod manually.

Resolution

This KB applies to Harbor Supervisor Service versions prior to v2.14.2. Starting with Harbor Supervisor Service v2.14.2, support for configuring a self-hosted database repository has been introduced, which significantly reduces the manual changes described below.

Steps to update the "Skip TrivyDB" (trivy.db) configuration in an air-gapped environment:

  1. For Harbor Supervisor Service, update the trivy.db configuration as follows:
    • Update the harbor package with skipUpdate=true and offlineScan=true in the trivy configuration, so the scanner neither tries to refresh the vulnerability database from the internet nor reaches out to external sources during a scan.
    • ## edit your harbor-data-values file with the values below
      trivy:
        enabled: true
        skipUpdate: true
        offlineScan: true

      ## Then update your package
      ## For Harbor Supervisor Service, in the vCenter UI go to Workload Management > Supervisor > Service > Configure > Supervisor Service Overview > Select Kubernetes Service > Manage Service, update the harbor-data-values YAML config shown above, and wait for the package to report "Reconcile Succeeded".
  2. Download the vulnerability database using the Trivy client (on a host with internet access)

    • # install the trivy binary first
      # the installer script below is fetched unpinned from the repository's main branch and piped to sh; review it first, or install the pinned release package by hand
      # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.58.0
      TRIVY_TEMP_DIR=$(mktemp -d)
      trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
      chmod o+r $TRIVY_TEMP_DIR/db/metadata.json
      chmod o+r $TRIVY_TEMP_DIR/db/trivy.db
    • The database schema must match what the Trivy binary embedded in the Harbor scanner adapter expects. The "Version" field in the downloaded metadata.json is that schema version, so keep the client version pinned to one that is compatible with your Harbor release.

  3. Copy the downloaded trivy.db file into Trivy's cache directory in the scanner pod
    • POD=$(kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> get pod -l component=trivy -o jsonpath="{.items[0].metadata.name}")
      kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -- mkdir -p /home/scanner/.cache/trivy/db
      cat $TRIVY_TEMP_DIR/db/metadata.json | kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -i -- tee /home/scanner/.cache/trivy/db/metadata.json 1>/dev/null
      cat $TRIVY_TEMP_DIR/db/trivy.db | kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -i -- tee /home/scanner/.cache/trivy/db/trivy.db 1>/dev/null

 

Steps to update the "Skip TrivyJavaDB" (trivy-java.db) configuration in an air-gapped environment:

  1. For Harbor Supervisor Service versions earlier than v2.14.2, follow top-level steps 1, 3, 4 and 5 below (skip step 2). In these versions the SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE environment variable is set on the trivy container with a ytt overlay:
    1. Take a SSH/Putty session to Supervisor Control Plane node
    2. Create a yaml file with name trivy-skipjavadb-overlay.yaml 
      • vi trivy-skipjavadb-overlay.yaml
      • Copy the below content to trivy-skipjavadb-overlay.yaml file
        #@ load("@ytt:overlay", "overlay")
        #@overlay/match by=overlay.and_op(overlay.subset({"kind": "StatefulSet"}), overlay.subset({"metadata": {"name": "harbor-trivy"}}))
        ---
        spec:
          template:
            spec:
              containers:
              #@overlay/match by="name"
              - name: trivy
                env:
                #@overlay/match by="name"
                - name: SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE
                  value: #@ "{}".format(True).lower()

    3. Create a secret for Harbor Supervisor Service package
      • kubectl get pkgi -A | grep harbor
      • kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> create secret generic trivy-skipjavadb-overlay -o yaml --dry-run=client --from-file=trivy-skipjavadb-overlay.yaml | kubectl apply -f -
    4. Patch Harbor Instance using below command
      • kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> annotate packageinstalls harbor ext.packaging.carvel.dev/ytt-paths-from-secret-name.0=trivy-skipjavadb-overlay
    5. Check the Harbor Supervisor Service status after patching using below command
      • kubectl get pkgi -A | grep harbor
    6. Verify that the overlay has set the skip-Java-DB environment variable to true in the running trivy container using the command below
      • kubectl exec -it harbor-trivy-0 -n <SVC-HARBOR-PKGI-NAMESPACE> -- env | grep SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE
      • Output should be similar to below
        • ~# kubectl exec -it harbor-trivy-0 -n <SVC-HARBOR-PKGI-NAMESPACE> -- env | grep SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE
          SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE=true
  2. For Harbor Supervisor Service v2.14.2 and later, follow top-level steps 2, 3, 4 and 5 (skip step 1).
    1. Update the harbor-data-values.yaml file directly and update the package.
    2. From the vCenter UI, go to Workload Management > Supervisor > Service > Configure > Supervisor Service Overview > Select Kubernetes Service > Manage Service.
    3. Select the Supervisor > Next.
    4. Set skipJavaDBUpdate to true:
      • ## edit your harbor-data-values file with the values below
        trivy:
          enabled: true
          skipUpdate: true
          skipJavaDBUpdate: true
          offlineScan: true
  3. Download the Java vulnerability database using the Trivy client (on a host with internet access)
    • Note: Trivy version >= v0.23.0

      # install the trivy binary first
      # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.58.0
      TRIVY_TEMP_DIR=$(mktemp -d)
      trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
      chmod o+r $TRIVY_TEMP_DIR/java-db/metadata.json
      chmod o+r $TRIVY_TEMP_DIR/java-db/trivy-java.db
  4. Copy the downloaded trivy-java.db file into Trivy's cache directory in the scanner pod
    • POD=$(kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> get pod -l component=trivy -o jsonpath="{.items[0].metadata.name}")
      kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -- mkdir -p /home/scanner/.cache/trivy/java-db
      cat $TRIVY_TEMP_DIR/java-db/metadata.json | kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -i -- tee /home/scanner/.cache/trivy/java-db/metadata.json 1>/dev/null
      cat $TRIVY_TEMP_DIR/java-db/trivy-java.db | kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -i -- tee /home/scanner/.cache/trivy/java-db/trivy-java.db 1>/dev/null
      # check the file existence within the container
      kubectl -n <SVC-HARBOR-PKGI-NAMESPACE> exec ${POD} -- ls /home/scanner/.cache/trivy/java-db
      # expected output:
      metadata.json
      trivy-java.db

  5. Access Harbor UI page and verify if scan is working as expected.
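The two copy procedures above (trivy.db and trivy-java.db) share the same steps, so the script below, an added example that is not part of this KB or of the Harbor project, bundles them: it downloads both databases on a connected host, checks each metadata.json for the schema version the scanner's Trivy expects and for a snapshot that has already passed its NextUpdate, and then streams the four files into the trivy pod from a host with kubectl access. The two phases are separate commands because in an air-gapped setup the connected host and the kubectl host are usually different machines. Assumptions: trivy and kubectl on PATH for the respective phase; the expected schema versions (db=2, java-db=1) are what Trivy v0.58.0, the client version pinned in this KB's install line, writes, and should be adjusted if the scanner adapter in your Harbor release embeds a different Trivy.

```shell
#!/bin/sh
# Added example, not part of the KB: stage both Trivy databases on an internet-connected
# host, sanity-check them, then push them into the Harbor trivy pod.
# Assumptions: trivy/kubectl on PATH for the phase being run; expected schema versions
# db=2 and java-db=1 are what Trivy v0.58.0 (the KB's pinned client) writes.
set -eu

SCANNER_CACHE=/home/scanner/.cache/trivy   # cache path used by the Harbor trivy container (from the KB)

# Read one top-level field from Trivy's metadata.json without needing jq. The file is a flat
# object such as {"Version":2,"NextUpdate":"...","UpdatedAt":"...","DownloadedAt":"..."}.
meta_field() {  # usage: meta_field <metadata.json> <key>
  sed -n "s/.*\"$2\":\"*\([^\",}]*\)\"*.*/\1/p" "$1"
}

# True when ISO-8601 UTC timestamp $1 sorts before $2 (lexical order equals time order here).
is_before() {  # usage: is_before <ts-a> <ts-b>
  [ "$(expr "$1" \< "$2")" = 1 ]
}

# Fail if the snapshot is missing or its schema version does not match what the scanner's
# Trivy expects; warn if the snapshot is already past its NextUpdate (a stale DB still scans
# but silently misses newer CVEs, so the copy step has to be repeated on a schedule).
check_db_metadata() {  # usage: check_db_metadata <metadata.json> <expected-schema-version>
  [ -s "$1" ] || { echo "missing or empty $1" >&2; return 1; }
  have=$(meta_field "$1" Version)
  [ "$have" = "$2" ] || { echo "$1: schema version '$have', scanner expects $2" >&2; return 1; }
  next=$(meta_field "$1" NextUpdate)
  if is_before "$next" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"; then
    echo "warning: $1 NextUpdate $next is already in the past" >&2
  fi
}

# Same download commands as the KB, followed by the checks above on both snapshots.
stage_dbs() {  # usage: stage_dbs <cache-dir> [db-schema-version] [java-db-schema-version]
  trivy --cache-dir "$1" image --download-db-only
  trivy --cache-dir "$1" image --download-java-db-only
  check_db_metadata "$1/db/metadata.json" "${2:-2}"
  check_db_metadata "$1/java-db/metadata.json" "${3:-1}"
}

# Stream one file into the pod. tee runs as the container's own user, so the file ends up
# owned by the scanner without any chmod inside the pod.
push_file() {  # usage: push_file <namespace> <pod> <local-file> <remote-dir>
  kubectl -n "$1" exec "$2" -- mkdir -p "$4"
  kubectl -n "$1" exec -i "$2" -- tee "$4/$(basename "$3")" >/dev/null < "$3"
}

install_dbs() {  # usage: install_dbs <namespace> <cache-dir>
  pod=$(kubectl -n "$1" get pod -l component=trivy -o jsonpath='{.items[0].metadata.name}')
  for f in db/metadata.json db/trivy.db java-db/metadata.json java-db/trivy-java.db; do
    push_file "$1" "$pod" "$2/$f" "$SCANNER_CACHE/$(dirname "$f")"
  done
  # Confirm both databases are in place before triggering a scan from the Harbor UI.
  kubectl -n "$1" exec "$pod" -- ls -l "$SCANNER_CACHE/db" "$SCANNER_CACHE/java-db"
}

# Two phases: "stage" on the connected host, "install" from the host that can reach the
# Supervisor with kubectl after the cache directory has been carried across the air gap.
case "${1:-}" in
  stage)   stage_dbs "${2:?cache dir}" ;;
  install) install_dbs "${2:?namespace}" "${3:?cache dir}" ;;
esac
```

Run `sh trivy-airgap.sh stage ./trivy-cache` on the connected host, copy `./trivy-cache` across the gap, then `sh trivy-airgap.sh install <SVC-HARBOR-PKGI-NAMESPACE> ./trivy-cache` where kubectl works. The NextUpdate warning is the cue to repeat the whole cycle; an offline scanner with skipUpdate=true never refreshes the database on its own.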