
Disable library analyzer for OS only scan type #1191

Merged
merged 6 commits into from
Sep 29, 2021

Conversation

fawind
Contributor

@fawind fawind commented Aug 20, 2021

We are running into the issue that with the addition of JAR scanning in v0.17.0, Trivy tries to reach out to "maven.org" in order to resolve maven artifacts. This breaks running the scanner in an air-gapped environment where these requests time out (#1185, #982).

The proper solution in my opinion would be to mark analyzers that don't require network access as offline capable and add a separate offline flag that only runs those analyzers (we could start with just excluding the jar analyzer). Happy to contribute this if you agree with this approach!

As a more workaround solution, we should also exclude programming language analyzers when only running with --vulnType os (and maybe vice-versa exclude OS analyzers when running with --vulnType library?) (list of all analyzers).

This is a draft PR to start the discussion for the latter one. If you're happy with this approach I would clean this up and add some tests.
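The selection logic this PR proposes, sketched as an added example (not code from this PR or from Trivy's code base): each analyzer carries the vulnerability type it serves and whether it may need network access, and a selector drops analyzers outside the requested --vulnType scope and, with an offline flag, those that need the network. The Analyzer type, the registry entries and the SelectAnalyzers/Names functions are hypothetical names constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// VulnType is the scan scope selected with --vulnType (os or library).
type VulnType string

const (
	VulnTypeOS      VulnType = "os"
	VulnTypeLibrary VulnType = "library"
)

// Analyzer is a hypothetical descriptor for one analyzer (not Trivy's own type).
// NeedsNetwork marks analyzers that may leave the host during a scan, so an
// offline flag can exclude them.
type Analyzer struct {
	Name         string
	Type         VulnType
	NeedsNetwork bool
}

// registry is constructed sample data loosely modelled on the analyzer kinds
// named in the discussion; the entries are illustrative, not Trivy's real list.
var registry = []Analyzer{
	{Name: "alpine", Type: VulnTypeOS},
	{Name: "debian", Type: VulnTypeOS},
	{Name: "jar", Type: VulnTypeLibrary, NeedsNetwork: true},
	{Name: "gobinary", Type: VulnTypeLibrary},
	{Name: "npm", Type: VulnTypeLibrary},
}

// SelectAnalyzers returns the analyzers that should run. An analyzer runs only
// if its vulnerability type was requested (an empty request means all types)
// and, when offline is set, it does not need network access.
func SelectAnalyzers(all []Analyzer, requested []VulnType, offline bool) []Analyzer {
	wanted := make(map[VulnType]bool, len(requested))
	for _, t := range requested {
		wanted[t] = true
	}
	var out []Analyzer
	for _, a := range all {
		if len(wanted) > 0 && !wanted[a.Type] {
			continue // outside the requested --vulnType scope
		}
		if offline && a.NeedsNetwork {
			continue // would try to reach a remote artifact repository
		}
		out = append(out, a)
	}
	return out
}

// Names joins analyzer names for easy comparison and logging.
func Names(as []Analyzer) string {
	names := make([]string, 0, len(as))
	for _, a := range as {
		names = append(names, a.Name)
	}
	return strings.Join(names, ",")
}

func main() {
	fmt.Println("--vulnType os:       ", Names(SelectAnalyzers(registry, []VulnType{VulnTypeOS}, false)))
	fmt.Println("--vulnType library:  ", Names(SelectAnalyzers(registry, []VulnType{VulnTypeLibrary}, false)))
	fmt.Println("all types, offline:  ", Names(SelectAnalyzers(registry, nil, true)))
}
```

With --vulnType os the jar analyzer is never instantiated, so an air-gapped scan no longer waits on timeouts to the artifact repository; the offline flag gives the same guarantee while still allowing library scanning by the analyzers that only read local files.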

@CLAassistant

CLAassistant commented Aug 20, 2021

CLA assistant check
All committers have signed the CLA.

@schdief

schdief commented Sep 9, 2021

@knqyf263 any chance that you can have a look at this soon? It seems like an easy fix, but it is quite troubling for us.

thanks a lot for providing trivy!

dmivankov added a commit to dmivankov/trivy that referenced this pull request Sep 15, 2021
Allows disabling analyzers from outside.

Mainly to disable jar analyzer which can go to network which may be
undesired and introduce scan flakiness. But sounds generic enough
to have other uses too.

related to aquasecurity#1191 and aquasecurity#1233
@schdief

schdief commented Sep 28, 2021

@fawind could you please sign the CLA to get this merged?

@fawind
Contributor Author

fawind commented Sep 28, 2021

I think the CLA expires after a while. Re-signed it.

@knqyf263
Collaborator

@fawind I'm sorry for the inconvenience. We recently updated our CLA. All contributors need to re-sign, and that's why you needed to sign it again.
https://blog.aquasec.com/open-source-contributor-license

@knqyf263 knqyf263 merged commit 9027dc3 into aquasecurity:main Sep 29, 2021
@knqyf263
Collaborator

Thanks!

@fawind
Contributor Author

fawind commented Sep 29, 2021

Thanks for taking the time and bringing this over the line @knqyf263!

Do you know if there is a timeline for the next release that will include this fix?

@knqyf263
Collaborator

We plan to release it by next week.
