trivy scan results are unstable even when air-gapped #1233

Closed
dmivankov opened this issue Sep 14, 2021 · 9 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed.

Comments

@dmivankov (Contributor)

Description

while true; do
  # drop the layer cache so every iteration re-runs the analyzers
  rm -rf ~/.cache/trivy/fanal/
  # stop looping as soon as a run exits 0, i.e. reports no findings
  trivy i --skip-update -i SOME_IMAGE.tar --ignorefile IGNORE_FILE --exit-code 1 && break;
done

This script can run for tens of iterations, reporting a finding in the image, until on one of the runs it says the image is CVE-free.
There are no concurrent trivy invocations running, DB updates are disabled and the image tar is fixed; each scan takes around 6 seconds, so it is not a timeout issue either.

What did you expect to happen?

scan results should be reproducible

What happened instead?

scan results are flaky

Output of run with -debug:

(pending)

Output of trivy -v:

Version: 0.19.1
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-09-14 12:05:26.334155039 +0000 UTC
  NextUpdate: 2021-09-14 18:05:26.334154639 +0000 UTC
  DownloadedAt: 2021-09-14 13:43:40.563573963 +0000 UTC

Additional details (base image name, container registry info...):

@dmivankov dmivankov added the kind/bug Categorizes issue or PR as related to a bug. label Sep 14, 2021
@dmivankov dmivankov changed the title trivy scan results are unstable trivy scan results are unstable even when air-gapped Sep 14, 2021
@dmivankov (Contributor, Author)

The issue seems to be that the scan isn't air-gapped and doesn't fail on network errors.
Lines like the following are present on abnormal scans:

Analysis error: jar/war/ear parse error: failed to search by SHA1: status 403 Forbidden from http://search.maven.org/solrsearch/select?q=1%3A%22fc219a023416a6fe6172f61d0d7bf64ed3645969%22&rows=1&wt=json
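As an added example (not the reporter's script and not Trivy's own code), a POSIX shell wrapper that refuses to accept a "clean" verdict when the analyzer logged an error, so the swallowed 403 quoted above cannot masquerade as a CVE-free image. It assumes only what this thread shows: that trivy writes "Analysis error:" lines to stderr and accepts the image/--skip-update/--input/--exit-code flags used elsewhere in the issue. The sample log at the bottom is constructed, not a captured run.

```shell
#!/bin/sh
# Added example, not Trivy's own code: wrap a scan so that a swallowed
# analyzer error can never be reported as a clean image.
# Assumptions: trivy prints "Analysis error:" lines to stderr (as quoted
# in the comment above) and accepts the flags used elsewhere in this issue.

# Exit 0 if the captured stderr contains no analyzer error, 1 otherwise.
scan_log_is_clean() {
    if grep -q 'Analysis error:' "$1"; then
        return 1
    fi
    return 0
}

# Print how many analyzer errors look like network failures (HTTP status,
# DNS or connect errors), so the caller can tell them from parse errors.
scan_log_network_errors() {
    grep -E 'Analysis error:.*(status [0-9]{3}|dial tcp|no such host|i/o timeout)' "$1" | grep -c . || true
}

# Run trivy on an image tarball. Exit codes: 0 clean, 1 findings (trivy's
# own --exit-code), 2 result untrustworthy because the analyzer logged errors.
strict_scan() {
    image_tar="$1"
    log="$(mktemp)"
    rc=0
    trivy image --skip-update --input "$image_tar" --exit-code 1 2>"$log" || rc=$?
    if ! scan_log_is_clean "$log"; then
        echo "scan of $image_tar is not trustworthy; analyzer errors:" >&2
        grep 'Analysis error:' "$log" >&2
        rm -f "$log"
        return 2
    fi
    rm -f "$log"
    return "$rc"
}

# Constructed sample of an abnormal run's stderr (not a real Trivy log),
# containing the 403 from search.maven.org quoted in this issue.
sample_log="$(mktemp)"
cat >"$sample_log" <<'EOF'
INFO Detected OS: debian
WARN Analysis error: jar/war/ear parse error: failed to search by SHA1: status 403 Forbidden from http://search.maven.org/solrsearch/select?q=1%3A%22fc219a023416a6fe6172f61d0d7bf64ed3645969%22&rows=1&wt=json
INFO Number of PL dependency files: 0
EOF
if scan_log_is_clean "$sample_log"; then
    echo "sample log: clean"
else
    echo "sample log: $(scan_log_network_errors "$sample_log") network error(s), verdict not trustworthy"
fi
rm -f "$sample_log"

# Real use, once trivy is on PATH:  strict_scan SOME_IMAGE.tar
```

In a CI job the distinct exit code 2 is the point: it lets the pipeline retry or fail the scan step instead of treating a partially analysed image as passing, which is exactly what the loop in the original report could not distinguish.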

@dmivankov (Contributor, Author)

similar reports
#1185
#1173
#1057

@dmivankov (Contributor, Author) commented Sep 14, 2021

This seems to be the line that says: something failed in the analyzer, great, let's report the scan target as clean
https://github.com/aquasecurity/fanal/blob/45c48ce8280d04572d4fabbaca4fddc030883a1b/analyzer/analyzer.go#L214
and the line that sometimes fails in the analyzer is around
https://github.com/aquasecurity/go-dep-parser/blob/main/pkg/java/jar/parse.go#L158

@dmivankov (Contributor, Author)

Another thing to consider is moving SHA1 -> artifactId resolution inside the trivy DB (how much data is that?)

  • helps with air-gapping
  • reduces load on maven hosting
  • makes scans more reproducible
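To make the proposal above concrete, here is an added example (not part of the issue, the reporter's patch, or the Trivy project) of what an offline SHA1-to-coordinates lookup looks like: hash the jar locally and resolve it against a local index file instead of calling search.maven.org. The index format "<sha1>,<groupId>:<artifactId>:<version>" is an assumption made for illustration; the two stand-in "jars" are constructed files, not real artifacts.

```shell
#!/bin/sh
# Added example, not Trivy code: resolve a jar's SHA1 against a local index
# instead of querying search.maven.org, so the lookup works air-gapped and
# gives the same answer on every run. The index format
# "<sha1>,<groupId>:<artifactId>:<version>" is an assumption for illustration.

# Lowercase hex SHA1 of a file.
jar_sha1() {
    sha1sum "$1" | cut -d' ' -f1
}

# Print the coordinates recorded for the jar's SHA1, or exit 1 if the index
# has no entry (the caller then knows the jar is unresolved rather than clean).
lookup_jar_offline() {
    jar="$1"; index="$2"
    digest="$(jar_sha1 "$jar")"
    hit="$(grep -i "^$digest," "$index" | head -n 1 | cut -d, -f2-)"
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# Constructed sample: two stand-in "jars" and an index covering one of them.
tmp="$(mktemp -d)"
printf 'constructed jar A\n' >"$tmp/a.jar"
printf 'constructed jar B\n' >"$tmp/b.jar"
printf '%s,org.example:lib-a:1.0.0\n' "$(jar_sha1 "$tmp/a.jar")" >"$tmp/index.csv"

for jar in "$tmp/a.jar" "$tmp/b.jar"; do
    if coords="$(lookup_jar_offline "$jar" "$tmp/index.csv")"; then
        echo "$jar -> $coords"
    else
        echo "$jar -> not in index (treat as unresolved, not as clean)" >&2
    fi
done
rm -rf "$tmp"
```

The important design choice is the non-zero return for a miss: an unresolved jar is surfaced as a distinct state, which is the opposite of the behaviour reported in this issue where a failed lookup collapsed into "no vulnerabilities".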

@dmivankov (Contributor, Author)

A workaround for Java would be to use some other tool (GitHub security scan, for example).

@dmivankov (Contributor, Author)

Sadly, env http_proxy=nothing https_proxy=nothing trivy image --skip-update -i SOME_IMAGE.tar doesn't help, as trivy tries and retries to connect to the proxy. Running inside a Linux network namespace (aka network sandbox) also makes trivy retry for a long time rather than give up quickly. Setting --timeout 1s makes it terminate fast, but with a scan failure rather than ignoring artifact resolution, which it does in the case of 403 responses.

@dmivankov (Contributor, Author)

also related #1191

dmivankov added a commit to dmivankov/trivy that referenced this issue Sep 15, 2021
Allows disabling analyzers from outside.

Mainly to disable jar analyzer which can go to network which may be
undesired and introduce scan flakiness. But sounds generic enough
to have other uses too.

related to aquasecurity#1191 and aquasecurity#1233
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Nov 15, 2021
@github-actions github-actions bot closed this as completed Dec 5, 2021
@dmivankov (Contributor, Author)

this is still an issue with trivy 0.34.0
