#962: Added a GH workflow which uploads trivy databases (#963)

fixes #962

.github/workflows/update_trivy_cache.yaml

@@ -0,0 +1,54 @@
+name: Update trivy cache
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 0 * * *"
+
+jobs:
+  update_trivy_cache:
+    environment: AWS
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run install dependencies
+        run: |
+          sudo apt update && sudo apt install -y awscli curl wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+        env:
+          DEBIAN_FRONTEND: noninteractive
+
+      - name: Fetch trivy databases
+        run: |
+          trivy image --download-java-db-only
+          trivy image --download-db-only
+
+      - name: Create tar gz databases
+        run: |
+          pushd $HOME/.cache
+          tar -czf trivy_cache.tar.gz ./trivy
+          popd
+
+      - name: Copy trivy databases
+        run: aws s3 cp  "$HOME/.cache/trivy_cache.tar.gz" "$TRIVY_CACHE_LOCATION/trivy_cache.tar.gz"
+        env: # Set the secret as an env variable
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_SECRET }}
+          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
+          TRIVY_CACHE_LOCATION: ${{ secrets.TRIVY_CACHE_LOCATION }}
+
+      - name: Report failure Status to Slack channel
+        id: report-failure-status-slack
+        # Also run this step in case of failures
+        if: ${{ always() }}
+        uses: ravsamhq/notify-slack-action@v2
+        with:
+          status: ${{ job.status }}
+          token: ${{ github.token }}
+          notification_title: "Update trivy build in {repo} has {status_message}"
+          message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>"
+          notify_when: "failure,cancelled,warnings,skipped"
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}

doc/changes/changes_8.4.0.md

@@ -11,6 +11,10 @@ t.b.d.
 
 This release uses version 1.0.0 of the container tool. 
 
+## Features
+
+ - #962: Add a GH workflow which uploads trivy databases and updated Ubuntu packages
+
 ## Security Issues
 
  - #956: Updated dependencies

flavors/standard-EXASOL-all/flavor_base/language_deps/packages/apt_get_packages

@@ -1,4 +1,4 @@
-ca-certificates|20230311ubuntu0.22.04.1
+ca-certificates|20240203~22.04.1
 python3.10-dev|3.10.12-1~22.04.6
 python3-distutils|3.10.8-1~22.04
 curl|7.81.0-1ubuntu1.18

flavors/template-Exasol-all-java-17/flavor_base/language_deps/packages/apt_get_packages

@@ -1,3 +1,3 @@
-ca-certificates|20230311ubuntu0.22.04.1
+ca-certificates|20240203~22.04.1
 curl|7.81.0-1ubuntu1.18
 openjdk-17-jdk-headless|17.0.12+7-1ubuntu2~22.04

flavors/template-Exasol-all-r-4/flavor_base/language_deps/packages/apt_get_packages

@@ -1,2 +1,2 @@
-ca-certificates|20230311ubuntu0.22.04.1
+ca-certificates|20240203~22.04.1
 curl|7.81.0-1ubuntu1.18