Replies: 3 comments
-
Digging into this a little bit more
Might be feeling a bit dumb. Do I just make up a token and replace yourAuthToken above and then use that in the Trivy configuration? I will try it anyway.
-
OK, seems that was it:
apiserver-1 | 2024-12-19 14:02:40,184 INFO [TrivyAnalysisTask] Starting Trivy vulnerability analysis task
So no error, but also no vulnerabilities that I know this package has.
-
Ignore that. It might have correctly analysed that. Sonatype is showing a vulnerability against this package which is incorrect and so Trivy seems to have got it correct. I imported an SBOM that had 268 vulnerabilities, a good number were wrong using NVD and Sonatype. This is only showing 216 vulnerabilities against this SBOM. So it is working, just needed the API Token putting in place. Appears it can be anything. I just used a 256 checksum I had around and put it in the docker-compose.yaml file and the Trivy set up.
-
Hi
I followed the instructions on here https://docs.dependencytrack.org/datasources/trivy/ to add Trivy into the Docker File and used port 8082. It started ok and I have disabled the internal and Sonatype analysers.
I created a project and added a component manually
Names: krb5
Version: 1.20.1
Purl: pkg:conda/krb5@1.20.1
On saving it and then looking in the logs I get the message:
[TrivyAnalysisTask] No API token provided; Skipping
So I added the Base URL and just left the token that was there as it was, guessing (probably incorrectly) that it was the default one.
Do I need to create a specific one or where can I get an API token from?
Many thanks, N