Description
We have encountered an issue where older Trivy versions (e.g., 0.58.2) are being removed and replaced with newer versions (e.g., 0.59.0) in the Trivy repository. This replacement breaks our DevContainer builds and CI/CD pipelines, which rely on a fixed version to maintain version consistency.
Issue Details
- Our Dockerfile installs Trivy using the recommended approach:
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /usr/share/keyrings/trivy.gpg > /dev/null \
&& echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends trivy=0.58.2
The build fails with the error:
E: Version '0.58.2' for 'trivy' was not found
Upon investigating the repository, we found that older versions are being directly replaced with newer ones, instead of being retained.
Example:

This means that specific versions cannot be pinned, leading to unexpected updates and potential compatibility issues.
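As an added example (not code from the original issue or from the Trivy project), a small POSIX shell check that parses an apt Packages index and fails the pipeline early, listing the versions that are actually present, when the pinned version has been dropped. The index text below is constructed inline for illustration; in a real build you would feed the fetched Packages file instead.

```shell
#!/bin/sh
# Added example: verify that a pinned package version is still listed in an
# apt Packages index before the build reaches `apt-get install trivy=<ver>`.

# list_versions PKG: print every Version field belonging to PKG from a
# Debian Packages index read on stdin (one stanza per package entry).
list_versions() {
    awk -v pkg="$1" '
        /^Package: / { current = $2 }
        /^Version: / { if (current == pkg) print $2 }
    '
}

# version_available PKG VER INDEX_FILE: succeed only if PKG at exactly VER
# is listed (fixed-string, whole-line match so "0.58.2" cannot match "0.58.20").
version_available() {
    list_versions "$1" < "$3" | grep -qxF -- "$2"
}

# Constructed sample index: 0.58.2 has been replaced, only 0.59.0 remains.
# A second package carrying 0.58.2 shows the match is per package name.
SAMPLE_INDEX="${TMPDIR:-/tmp}/trivy-packages-sample.$$"
cat > "$SAMPLE_INDEX" <<'EOF'
Package: trivy
Version: 0.59.0
Architecture: amd64

Package: other-tool
Version: 0.58.2
Architecture: amd64
EOF

# check_pin PKG VER INDEX_FILE: print a clear verdict and return non-zero so
# the pipeline stops here with an actionable message instead of apt's
# "Version ... was not found".
check_pin() {
    if version_available "$1" "$2" "$3"; then
        echo "OK: $1=$2 is available in the index"
        return 0
    fi
    echo "ERROR: pinned $1=$2 is not in the index; available: $(list_versions "$1" < "$3" | tr '\n' ' ')" >&2
    return 1
}

check_pin trivy 0.58.2 "$SAMPLE_INDEX" || echo "build would fail; update the pin or use a retained artifact"
```

Run it in the Dockerfile (or a CI step) against the repository's Packages file before the `apt-get install` line so the failure is reported as a dropped pin rather than an opaque apt error.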
Impact
- Builds fail when a specific version is specified, as the version no longer exists in the repository.
- Lack of reproducibility: teams relying on pinned versions cannot ensure a stable environment.
- Unexpected version upgrades: new versions might introduce breaking changes that teams are not prepared for.
Expected Behavior
- Older versions should remain available in the repository, allowing users to install specific versions as needed.
- If versions must be removed, there should be clear documentation or a deprecation policy so users can plan accordingly.
Request
- Could you clarify the reasoning behind replacing older versions instead of keeping them? Would it be possible to retain all past versions to allow users to pin specific versions in their pipelines?
This change significantly impacts teams relying on Trivy for security scanning in automated environments.
Thanks for your support! 🙏