Vulnerability DB
Skip update of vulnerability DB
If you want to skip downloading the vulnerability database, use the --skip-db-update option. Trivy then scans with whatever database is already in its cache, so the results are only as current as that cached copy; a database must already have been downloaded once for the scan to work.
$ trivy image --skip-db-update python:3.4-alpine3.9
Result
2019-05-16T12:48:08.703+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
Only download vulnerability database
You can also ask Trivy to only retrieve the vulnerability database, without scanning anything.
This is useful to initialize workers in Continuous Integration systems: one job primes the cache, and the scan jobs that follow can run with --skip-db-update so that each of them does not fetch the database again.
$ trivy image --download-db-only
DB Repository
Trivy can also download the vulnerability database from an external OCI registry, instead of the default one, by using the --db-repository option. This helps behind restrictive egress rules or when the default registry rate-limits you. Keep in mind that the registry you point at supplies the data that decides what Trivy reports, so use one you trust; the example below uses GitLab's mirror.
$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
Java Vulnerability DB
The same options are also available for the Java index DB, which Trivy uses when scanning Java applications.
Use --skip-java-db-update to skip the update, --download-java-db-only to only download the Java index DB, and --java-db-repository to download the Java index DB from an external OCI registry.
$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
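The following script is an added example and is not part of the Trivy documentation or the Trivy project. It ties the options above together the way a CI pipeline would use them: a "prime" job downloads both databases once with --download-db-only and --download-java-db-only from the mirrors given with --db-repository and --java-db-repository, and later "scan" jobs pass --skip-db-update and --skip-java-db-update only when a recent copy is already in the cache, falling back to the mirrors otherwise. The cache layout it inspects (db/trivy.db and db/metadata.json, java-db/trivy-java.db and java-db/metadata.json under --cache-dir) and the TRIVY_* environment variables are this script's own assumptions, not something the page states.

```shell
#!/bin/sh
# Added example, not part of the Trivy docs: a CI wrapper around the DB options.
# "prime" downloads both databases once (warm-up job); "scan" then skips the
# update only when a recent copy is cached, and otherwise pulls from the mirrors.
# Assumptions not stated on the page: the cache layout under --cache-dir
# (db/trivy.db, db/metadata.json, java-db/trivy-java.db, java-db/metadata.json)
# and the TRIVY_* environment variables, which belong to this script only.

TRIVY_BIN="${TRIVY_BIN:-trivy}"
CACHE_DIR="${TRIVY_CACHE_DIR:-$HOME/.cache/trivy}"
DB_REPO="${TRIVY_DB_REPO:-registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db}"
JAVA_DB_REPO="${TRIVY_JAVA_DB_REPO:-registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db}"
MAX_DB_AGE_MIN="${TRIVY_MAX_DB_AGE_MIN:-1440}"   # accept a cached DB up to 24h old

# db_present DIR KIND: succeeds when the database file for KIND ("db" or "java-db") exists.
db_present() {
    case "$2" in
        db)      [ -f "$1/db/trivy.db" ] ;;
        java-db) [ -f "$1/java-db/trivy-java.db" ] ;;
        *)       return 2 ;;
    esac
}

# db_fresh DIR KIND MINUTES: succeeds when the DB exists and its metadata.json was
# written within the last MINUTES. A file-mtime heuristic: --skip-db-update turns
# off Trivy's own freshness check, so the wrapper has to decide for itself.
db_fresh() {
    db_present "$1" "$2" || return 1
    [ -n "$(find "$1/$2/metadata.json" -mmin "-$3" 2>/dev/null)" ]
}

# prime_cmd: prints the two download-only commands (no image is scanned).
prime_cmd() {
    printf '%s image --cache-dir %s --db-repository %s --download-db-only\n' \
        "$TRIVY_BIN" "$CACHE_DIR" "$DB_REPO"
    printf '%s image --cache-dir %s --java-db-repository %s --download-java-db-only\n' \
        "$TRIVY_BIN" "$CACHE_DIR" "$JAVA_DB_REPO"
}

# scan_cmd IMAGE: prints the scan command. Skip flags are added only for a DB that
# is cached and fresh; a missing or stale DB is fetched from the mirror instead.
scan_cmd() {
    cmd="$TRIVY_BIN image --cache-dir $CACHE_DIR"
    if db_fresh "$CACHE_DIR" db "$MAX_DB_AGE_MIN"; then
        cmd="$cmd --skip-db-update"
    else
        cmd="$cmd --db-repository $DB_REPO"
    fi
    if db_fresh "$CACHE_DIR" java-db "$MAX_DB_AGE_MIN"; then
        cmd="$cmd --skip-java-db-update"
    else
        cmd="$cmd --java-db-repository $JAVA_DB_REPO"
    fi
    printf '%s %s\n' "$cmd" "$1"
}

# Usage: ./trivy-ci.sh prime          (warm-up job)
#        ./trivy-ci.sh scan IMAGE     (scan jobs, run after the warm-up job)
case "${1:-}" in
    prime) prime_cmd | sh -e ;;
    scan)  scan_cmd "$2" | sh -e ;;
esac
```

The age threshold matters for the security outcome: with --skip-db-update Trivy will happily scan against a week-old database and report nothing for vulnerabilities published since, so the wrapper refuses to add the skip flag once metadata.json is older than TRIVY_MAX_DB_AGE_MIN and re-fetches from the mirror instead. Point TRIVY_CACHE_DIR at a directory shared between the warm-up job and the scan jobs (a CI cache or a persistent volume), or every job starts cold.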