Scanning of Java App in Airgap Environment #1057
Comments
leopold2410
added
the
triage/support
|
Currently, Java scanning requires Internet access. And, we don't have an option to turn it off. |
|
Is there any workaround? Can I use a maven mirror? |
|
+1 . we are facing the same issue . we need to be able to scan java components in an airgap environment since our CI servers sit behind a corporate firewall and are blocked from the internet . we have some servers with limited internet access (https/443) only . and these also failed since in java scans it is reaching out to http/80 endpoints any suggestions of a workaround with a local maven mirror for an airgap run ? |
|
This issue is stale because it has been labeled with inactivity. |
github-actions
bot
added
the
lifecycle/stale
|
+1. We are facing same issue as below Any suggested workaround or option to use maven mirror ? |
|
Hi, Best regards, |
github-actions
bot
removed
the
lifecycle/stale
|
Hi @leopold2410 , jar scan is added from v0.17.0 and since we would like to scan jars, going back to v0.16.0 is not a feasible option for us. |
|
+1 Same problem. We decided to go back to 0.16 but it's a BAD solution. |
|
Thanks for your patience. v0.20.0 is finally out. You can use |
|
I'd rather us know it failed to reach out. Right now it just acts like a clear scan. That's mildly frustrating when you are trying to trust this tool. |
Hi,
I tried to use trivy image scan in standalone mode in a gitlab CI Runner. The environment is air-gapped.
The scan is executed on a OCI tarball produced with kaniko.
The scan starts as expected (the configured cached offline DB seems to work), but then issues a lot of HTTP requests to search.maven.org and finally I got:
2021-06-09T17:35:59.540Z DEBUG request failed {"error": "Get "http://search.maven.org/solrsearch/select?q=g%3A%22org.hibernate%22+AND+a%3A%22hibernate-commons-annotations%22&rows=1\": dial tcp: lookup search.maven.org on 10.43.0.10:53: no such host", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=g%3A%22org.hibernate%22+AND+a%3A%22hibernate-commons-annotations%22&rows=1"}
2021-06-09T17:35:59.540Z DEBUG retrying request {"request": "GET http://search.maven.org/solrsearch/select?q=g%3A%22org.hibernate%22+AND+a%3A%22hibernate-commons-annotations%22&rows=1", "timeout": "2m40s", "remaining": 2}
2021-06-09T17:38:38.241Z FATAL scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:67
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:163
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:98
github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/image/image.go:95
github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
/home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/image/image.go:158
The timeout parameter is not really an option (I already used 30m) because of the exponential back-off strategy on each of these search requests.
Is there any option to turn off network requests completely?
Best regards,
Leo
The text was updated successfully, but these errors were encountered: