feat(cli): Add available version checking (#8553)

Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Co-authored-by: Itay <itay@itaysk.com>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>

Author: 4 people

docs/docs/advanced/air-gap.md

@@ -75,3 +75,8 @@ Trivy might attempt to connect (over HTTPS) to the following URLs:
 ### Offline mode
 
 There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
+
+## Check updates service
+
+Trivy [checks for updates](../configuration/others.md#check-for-updates) and [collects usage telemetry](../advanced/telemetry.md) by connecting to the following domain: `https://check.trivy.dev`.
+Connectivity with this domain is entirely optional and is not necessary for the normal operation of Trivy.

docs/docs/advanced/telemetry.md

@@ -0,0 +1,33 @@
+# Usage Telemetry
+
+Trivy collect anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.
+
+## Data collected
+
+The following information could be collected:
+
+- Environmental information
+  - Installation identifier
+  - Trivy version
+  - Operating system
+- Scan
+  - Non-revealing scan options
+
+## Privacy
+
+No personal information, scan results, or sensitive data is specifically collected. We take the following measures to ensure that:
+
+- Installation identifier: one-way hash of machine fingerprint, resulting in opaque string.
+- Scaner: any option that is user controlled is omitted (never collected). For example, file paths, image names, etc are never collected.
+
+Trivy is an Aqua Security product and adheres to the company's privacy policy: <https://aquasec.com/privacy>.
+
+## Disabling telemetry
+
+You can disable telemetry altogether using the `--disable-telemetry` flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see [here](../configuration/index.md).
+
+For example:
+
+```bash
+trivy image --disable-metrics alpine
+```

docs/docs/configuration/others.md

@@ -160,3 +160,14 @@ When we want to get the image `alpine` with the settings above. The logic will b
 1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
 2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
 3. Get the image from `index.docker.io` (the original registry).
+
+## Check for updates
+
+Trivy periodically checks for updates and notices, and displays a message to the user with recommendations.  
+Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message.  
+You can disable updates checking by specifying the `--skip-version-check` flag.
+
+## Telemetry
+
+Trivy collected usage data for product improvement. More details in the [Telemetry document](../advanced/telemetry.md).
+You can disable telemetry collection using the `--disable-telemetry` flag.

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -35,6 +35,7 @@ trivy filesystem [flags] PATH
                                             - "precise": Prioritizes precise by minimizing false positives.
                                             - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                            (allowed values: precise,comprehensive) (default "precise")
+      --disable-telemetry                 disable sending anonymous usage data to Aqua
       --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -126,6 +127,7 @@ trivy filesystem [flags] PATH
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-version-check                suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
       --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
   -t, --template string                   output template

docs/docs/references/configuration/cli/trivy_image.md

@@ -49,6 +49,7 @@ trivy image [flags] IMAGE_NAME
                                             - "precise": Prioritizes precise by minimizing false positives.
                                             - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                            (allowed values: precise,comprehensive) (default "precise")
+      --disable-telemetry                 disable sending anonymous usage data to Aqua
       --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
       --docker-host string                unix domain socket path to use for docker scanning
       --download-db-only                  download/update vulnerability database but don't run a scan
@@ -148,6 +149,7 @@ trivy image [flags] IMAGE_NAME
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-version-check                suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
       --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
   -t, --template string                   output template

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -52,6 +52,7 @@ trivy kubernetes [flags] [CONTEXT]
                                             - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                            (allowed values: precise,comprehensive) (default "precise")
       --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
+      --disable-telemetry                 disable sending anonymous usage data to Aqua
       --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -138,6 +139,7 @@ trivy kubernetes [flags] [CONTEXT]
       --skip-files strings                specify the files or glob patterns to skip
       --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
       --skip-java-db-update               skip updating Java index database
+      --skip-version-check                suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules

docs/docs/references/configuration/cli/trivy_repository.md

@@ -35,6 +35,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
                                             - "precise": Prioritizes precise by minimizing false positives.
                                             - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                            (allowed values: precise,comprehensive) (default "precise")
+      --disable-telemetry                 disable sending anonymous usage data to Aqua
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
       --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -124,6 +125,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-version-check                suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
       --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
       --tag string                        pass the tag name to be scanned

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -37,6 +37,7 @@ trivy rootfs [flags] ROOTDIR
                                             - "precise": Prioritizes precise by minimizing false positives.
                                             - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                            (allowed values: precise,comprehensive) (default "precise")
+      --disable-telemetry                 disable sending anonymous usage data to Aqua
       --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -127,6 +128,7 @@ trivy rootfs [flags] ROOTDIR
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-version-check                suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
       --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
   -t, --template string                   output template

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -29,6 +29,7 @@ trivy sbom [flags] SBOM_PATH
                                          - "precise": Prioritizes precise by minimizing false positives.
                                          - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                         (allowed values: precise,comprehensive) (default "precise")
+      --disable-telemetry              disable sending anonymous usage data to Aqua
       --distro string                  [EXPERIMENTAL] specify a distribution, <family>/<version>
       --download-db-only               download/update vulnerability database but don't run a scan
       --download-java-db-only          download/update Java index database but don't run a scan
@@ -99,6 +100,7 @@ trivy sbom [flags] SBOM_PATH
       --show-suppressed                [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                 skip updating vulnerability database
       --skip-java-db-update            skip updating Java index database
+      --skip-version-check             suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update           [EXPERIMENTAL] Skip VEX Repository update
       --table-mode strings             [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
   -t, --template string                output template

docs/docs/references/configuration/cli/trivy_vm.md

@@ -33,6 +33,7 @@ trivy vm [flags] VM_IMAGE
                                             - "precise": Prioritizes precise by minimizing false positives.
                                             - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
                                            (allowed values: precise,comprehensive) (default "precise")
+      --disable-telemetry                 disable sending anonymous usage data to Aqua
       --distro string                     [EXPERIMENTAL] specify a distribution, <family>/<version>
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -115,6 +116,7 @@ trivy vm [flags] VM_IMAGE
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-version-check                suppress notices about version updates and Trivy announcements
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
       --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
   -t, --template string                   output template

docs/docs/references/configuration/config-file.md

@@ -586,6 +586,9 @@ scan:
   # Same as '--detection-priority'
   detection-priority: "precise"
 
+  # Same as '--disable-telemetry'
+  disable-telemetry: false
+
   # Same as '--distro'
   distro: ""
 
@@ -615,6 +618,9 @@ scan:
   # Same as '--skip-files'
   skip-files: []
 
+  # Same as '--skip-version-check'
+  skip-version-check: false
+
 ```
 ## Secret options
 

mkdocs.yml

@@ -158,6 +158,7 @@ nav:
                   - GCR (Google Container Registry): docs/advanced/private-registries/gcr.md
                   - ACR (Azure Container Registry): docs/advanced/private-registries/acr.md
                   - Self-Hosted: docs/advanced/private-registries/self.md
+          - Usage Telemetry: docs/advanced/telemetry.md
       - References:
           - Configuration:
               - CLI:

pkg/commands/artifact/run.go

@@ -26,6 +26,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 	"github.com/aquasecurity/trivy/pkg/module"
+	"github.com/aquasecurity/trivy/pkg/notification"
 	"github.com/aquasecurity/trivy/pkg/policy"
 	pkgReport "github.com/aquasecurity/trivy/pkg/report"
 	"github.com/aquasecurity/trivy/pkg/result"
@@ -92,6 +93,7 @@ type Runner interface {
 
 type runner struct {
 	initializeScanService InitializeScanService
+	versionChecker        *notification.VersionChecker
 	dbOpen                bool
 
 	// WASM modules
@@ -116,6 +118,13 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, opts ...RunnerOptio
 		opt(r)
 	}
 
+	// If the user has not disabled notices or is running in quiet mode
+	r.versionChecker = notification.NewVersionChecker(
+		notification.WithSkipVersionCheck(cliOptions.SkipVersionCheck),
+		notification.WithQuietMode(cliOptions.Quiet),
+		notification.WithTelemetryDisabled(cliOptions.DisableTelemetry),
+	)
+
 	// Update the vulnerability database if needed.
 	if err := r.initDB(ctx, cliOptions); err != nil {
 		return nil, xerrors.Errorf("DB error: %w", err)
@@ -137,6 +146,13 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, opts ...RunnerOptio
 	m.Register()
 	r.module = m
 
+	// Make a silent attempt to check for updates in the background
+	// only do this if the user has not disabled notices or is running
+	// in quiet mode
+	if r.versionChecker != nil {
+		r.versionChecker.RunUpdateCheck(ctx, os.Args[1:])
+	}
+
 	return r, nil
 }
 
@@ -152,6 +168,12 @@ func (r *runner) Close(ctx context.Context) error {
 	if err := r.module.Close(ctx); err != nil {
 		errs = multierror.Append(errs, err)
 	}
+
+	// silently check if there is notifications
+	if r.versionChecker != nil {
+		r.versionChecker.PrintNotices(os.Stderr)
+	}
+
 	return errs
 }
 

pkg/flag/scan_flags.go

@@ -118,6 +118,16 @@ var (
 		ConfigName: "scan.distro",
 		Usage:      "[EXPERIMENTAL] specify a distribution, <family>/<version>",
 	}
+	SkipVersionCheckFlag = Flag[bool]{
+		Name:       "skip-version-check",
+		ConfigName: "scan.skip-version-check",
+		Usage:      "suppress notices about version updates and Trivy announcements",
+	}
+	DisableTelemetryFlag = Flag[bool]{
+		Name:       "disable-telemetry",
+		ConfigName: "scan.disable-telemetry",
+		Usage:      "disable sending anonymous usage data to Aqua",
+	}
 )
 
 type ScanFlagGroup struct {
@@ -132,6 +142,8 @@ type ScanFlagGroup struct {
 	RekorURL          *Flag[string]
 	DetectionPriority *Flag[string]
 	DistroFlag        *Flag[string]
+	SkipVersionCheck  *Flag[bool]
+	DisableTelemetry  *Flag[bool]
 }
 
 type ScanOptions struct {
@@ -146,6 +158,8 @@ type ScanOptions struct {
 	RekorURL          string
 	DetectionPriority ftypes.DetectionPriority
 	Distro            ftypes.OS
+	SkipVersionCheck  bool
+	DisableTelemetry  bool
 }
 
 func NewScanFlagGroup() *ScanFlagGroup {
@@ -161,6 +175,8 @@ func NewScanFlagGroup() *ScanFlagGroup {
 		Slow:              SlowFlag.Clone(),
 		DetectionPriority: DetectionPriority.Clone(),
 		DistroFlag:        DistroFlag.Clone(),
+		SkipVersionCheck:  SkipVersionCheckFlag.Clone(),
+		DisableTelemetry:  DisableTelemetryFlag.Clone(),
 	}
 }
 
@@ -181,6 +197,8 @@ func (f *ScanFlagGroup) Flags() []Flagger {
 		f.RekorURL,
 		f.DetectionPriority,
 		f.DistroFlag,
+		f.SkipVersionCheck,
+		f.DisableTelemetry,
 	}
 }
 
@@ -220,6 +238,8 @@ func (f *ScanFlagGroup) ToOptions(opts *Options) error {
 		RekorURL:          f.RekorURL.Value(),
 		DetectionPriority: ftypes.DetectionPriority(f.DetectionPriority.Value()),
 		Distro:            distro,
+		SkipVersionCheck:  f.SkipVersionCheck.Value(),
+		DisableTelemetry:  f.DisableTelemetry.Value(),
 	}
 	return nil
 }

pkg/flag/scan_flags_test.go

@@ -14,11 +14,12 @@ import (
 
 func TestScanFlagGroup_ToOptions(t *testing.T) {
 	type fields struct {
-		skipDirs    []string
-		skipFiles   []string
-		offlineScan bool
-		scanners    string
-		distro      string
+		skipDirs         []string
+		skipFiles        []string
+		offlineScan      bool
+		scanners         string
+		distro           string
+		skipVersionCheck bool
 	}
 	tests := []struct {
 		name      string
@@ -127,6 +128,16 @@ func TestScanFlagGroup_ToOptions(t *testing.T) {
 			},
 			assertion: require.Error,
 		},
+		{
+			name: "skip version check flag",
+			fields: fields{
+				skipVersionCheck: true,
+			},
+			want: flag.ScanOptions{
+				SkipVersionCheck: true,
+			},
+			assertion: require.NoError,
+		},
 	}
 
 	for _, tt := range tests {
@@ -137,14 +148,16 @@ func TestScanFlagGroup_ToOptions(t *testing.T) {
 			setValue(flag.OfflineScanFlag.ConfigName, tt.fields.offlineScan)
 			setValue(flag.ScannersFlag.ConfigName, tt.fields.scanners)
 			setValue(flag.DistroFlag.ConfigName, tt.fields.distro)
+			setValue(flag.SkipVersionCheckFlag.ConfigName, tt.fields.skipVersionCheck)
 
 			// Assert options
 			f := &flag.ScanFlagGroup{
-				SkipDirs:    flag.SkipDirsFlag.Clone(),
-				SkipFiles:   flag.SkipFilesFlag.Clone(),
-				OfflineScan: flag.OfflineScanFlag.Clone(),
-				Scanners:    flag.ScannersFlag.Clone(),
-				DistroFlag:  flag.DistroFlag.Clone(),
+				SkipDirs:         flag.SkipDirsFlag.Clone(),
+				SkipFiles:        flag.SkipFilesFlag.Clone(),
+				OfflineScan:      flag.OfflineScanFlag.Clone(),
+				Scanners:         flag.ScannersFlag.Clone(),
+				DistroFlag:       flag.DistroFlag.Clone(),
+				SkipVersionCheck: flag.SkipVersionCheckFlag.Clone(),
 			}
 
 			flags := flag.Flags{f}