Trivy Java DB as part of server mode #3560

Open
computeralex92 opened this issue Feb 6, 2023 · 7 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@computeralex92
Contributor

Currently the Trivy client itself downloads the Java DB if a Java package is detected, regardless of whether it's configured to use a central server (client / server mode).
It would be great if the server stored the Java DB itself and the client used it for detecting security issues in Java packages, without the need to download the DB on the client side.

@computeralex92 computeralex92 added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 6, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Feb 7, 2023
@knqyf263 knqyf263 added this to the v0.38.0 milestone Feb 7, 2023
@knqyf263 knqyf263 removed this from the v0.38.0 milestone Feb 21, 2023
@DaspawnW
Contributor

Is there any information / plan when this will be implemented?

Imagine you have a set of hosts where it's running, or containers used for Trivy vuln scanning: this is a huge amount of traffic.

@knqyf263
Collaborator

We were thinking about the design and realized that simply putting the DB on the server side would generate a lot of HTTP requests to the server since the DB is accessed sequentially. HTTP requests need to be reduced by aggregating DB access, but this will require significant modifications to the code. We'd say unfortunately it is not coming soon. It's still in our backlog, though.

Instead, you can host the database in your own registry and use --java-db-repository.
https://aquasecurity.github.io/trivy/v0.41/docs/scanner/vulnerability/#private-hosting_1

Or download the DB manually and copy it to your machine.
https://aquasecurity.github.io/trivy/v0.41/docs/advanced/air-gap/#download-the-java-index-database1

@gerbil

gerbil commented Dec 20, 2023

--skip-db-update --skip-java-db-update - is not working via Trivy operator in client-server mode

@sastorsl

Is this still the issue, that the client needs to download the java-db?

@andyerms

> Is this still the issue, that the client needs to download the java-db?

Yes, it is (

@sastorsl

sastorsl commented Sep 17, 2024

I think it would be good if this was highlighted in the docs on https://aquasecurity.github.io/trivy/v0.55/docs/references/modes/client-server/

One can have a redis cache as a backend, but what is then the use of the trivy server?
Should one do one or the other, or is there any benefit in doing both a trivy server and a redis cache, for instance.

@sastorsl

#7528

6 participants