Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

内网环境无法使用trivy扫描,发现 trivy_server 工作出现错误 #280

Closed
paddy235 opened this issue Feb 1, 2023 · 8 comments
Closed

内网环境无法使用trivy扫描,发现 trivy_server 工作出现错误 #280

paddy235 opened this issue Feb 1, 2023 · 8 comments
Assignees
@alvin5840
Labels
状态:已完成 类型:bug 类型:优化

Comments

@paddy235
Copy link

paddy235 commented Feb 1, 2023

HummerRisk 版本

0.9.0

运行方式(安装包运行 or 源码运行 ?)

下载离线包安装运行

浏览器版本

严重程度(高、中、低)

Bug 描述
内网环境无法使用trivy扫描,经过排查发现 trivy_server 工作出现错误日志如下:

2023-02-01T02:29:53.900Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:29:53.900Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:29:54.723Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:29:54.723Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:29:55.630Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:29:55.630Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:29:56.749Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:29:56.749Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:29:58.266Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:29:58.267Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:30:00.607Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:30:00.607Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:30:04.565Z	ERROR	The first run cannot skip downloading DB
2023-02-01T02:30:04.565Z	FATAL	database error: --skip-update cannot be specified on the first run
2023-02-01T02:30:11.713Z	INFO	Listening 0.0.0.0:4975...
2023-02-01T03:30:11.715Z	INFO	Updating DB...
2023-02-01T03:30:33.125Z	ERROR	failed DB hot update:
    github.com/aquasecurity/trivy/pkg/rpc/server.dbWorker.update
        /home/runner/work/trivy/trivy/pkg/rpc/server/listen.go:135
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/rpc/server.dbWorker.hotUpdate
        /home/runner/work/trivy/trivy/pkg/rpc/server/listen.go:148
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:154
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
        /home/runner/work/trivy/trivy/pkg/db/db.go:194
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io on 127.0.0.11:53: server misbehaving

Bug 重现步骤(有截图更好)
1.
2.
3.
@paddy235
Copy link
Author

paddy235 commented Feb 1, 2023
edited
Loading

单独下载官方二进制执行文件trivy,发现独立执行也报错

(base) [paddy@paddy trivy_0.36.1_Linux-64bit]$ ll /home/paddy/.cache/trivy
总用量 337544
drwx------ 2 paddy paddy        22  2月  1 16:42 fanal
-rw------- 1 paddy paddy       143  1月 18 08:12 metadata.json
-rw------- 1 paddy paddy 345640960  1月 18 08:12 trivy.db


./trivy image --skip-update --offline-scan node-sass:sgeg.14.20
2023-02-01T17:21:49.948+0800	ERROR	The first run cannot skip downloading DB
2023-02-01T17:21:49.948+0800	FATAL	init error: DB error: database error: --skip-update cannot be specified on the first run

@paddy235
Copy link
Author

paddy235 commented Feb 6, 2023
edited
Loading

人工手动更新漏洞库后,人工命令行方式可以正常扫描,但是通过hummerrisk界面一直在“正在处理”状态

人工手动更新操作:(IP地址做了脱敏处理)

##在外网环境下执行:

TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
## 复制到内网
scp -P30022 db.tar.gz xxx.xxx.xxx.xxx:~/tools/Linux/devops/security/tools/trivy/

## hummerrisk主机上更新漏洞库 trivy_server
curl https://download.xx.xx.xx/devops/security/tools/trivy/db.tar.gz | tar -C "/opt/hummerrisk/data/trivy/db" -x

## 远程另一台电脑上测试  trivy_server == 0.0.0.0:4975->4975/tcp, :::4975->4975/tcp   trivy_server

trivy repository --skip-db-update --offline-scan --branch master --server http://xxx.xxx.xxx.xxx:4975 https://auth2:glpat-jMMuXTfHpgwmuyQKxzy3@xxxx/xxx/xxx/xxx.git 

2023-02-06T10:31:22.147+0800	INFO	Vulnerability scanning is enabled
2023-02-06T10:31:22.147+0800	INFO	Secret scanning is enabled
2023-02-06T10:31:22.147+0800	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-02-06T10:31:22.147+0800	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
Enumerating objects: 73, done.
Counting objects: 100% (73/73), done.
Compressing objects: 100% (58/58), done.
Total 73 (delta 3), reused 72 (delta 3), pack-reused 0

pom.xml (pom)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 5, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2019-12402 │ HIGH     │ 1.18              │ 1.19          │ apache-commons-compress: Infinite loop in name encoding   │
│                                     │                │          │                   │               │ algorithm                                                 │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12402                │
│                                     ├────────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-35515 │          │                   │ 1.21          │ apache-commons-compress: infinite loop when reading a     │
│                                     │                │          │                   │               │ specially crafted 7Z archive                              │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35515                │
│                                     ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-35516 │          │                   │               │ apache-commons-compress: excessive memory allocation when │
│                                     │                │          │                   │               │ reading a specially crafted 7Z archive                    │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35516                │
│                                     ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-35517 │          │                   │               │ apache-commons-compress: excessive memory allocation when │
│                                     │                │          │                   │               │ reading a specially crafted TAR archive                   │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35517                │
│                                     ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-36090 │          │                   │               │ apache-commons-compress: excessive memory allocation when │
│                                     │                │          │                   │               │ reading a specially crafted ZIP archive                   │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36090                │
└─────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

命令行远程可以使用hummerrisk的trivy_server进行漏洞扫描,但是在hummerrisk界面上一直停留在 正在处理状态

@paddy235
Copy link
Author

paddy235 commented Feb 6, 2023

在docker容器内容的操作:
1.将自签名根证书加入系统
update-ca-certificates
2. 运行服务器参数可成功

root@08e8aefe48d9:~# trivy repository --skip-db-update --offline-scan --branch master --server http://trivy_server:4975 https://auth2:glpat-jMMuXTfHpgwmuyQKxzy3@xxx.xxx.xxx.xxx/xxx/projects/xxx.xxx/file-service.git
2023-02-06T03:20:05.000Z	INFO	Vulnerability scanning is enabled
2023-02-06T03:20:05.000Z	INFO	Secret scanning is enabled
2023-02-06T03:20:05.000Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-02-06T03:20:05.000Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
Enumerating objects: 73, done.
Counting objects: 100% (73/73), done.
Compressing objects: 100% (58/58), done.
Total 73 (delta 3), reused 72 (delta 3), pack-reused 0

pom.xml (pom)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 5, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2019-12402 │ HIGH     │ 1.18              │ 1.19          │ apache-commons-compress: Infinite loop in name encoding   │
│                                     │                │          │                   │               │ algorithm                                                 │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12402                │
│                                     ├────────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-35515 │          │                   │ 1.21          │ apache-commons-compress: infinite loop when reading a     │
│                                     │                │          │                   │               │ specially crafted 7Z archive                              │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35515                │
│                                     ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-35516 │          │                   │               │ apache-commons-compress: excessive memory allocation when │
│                                     │                │          │                   │               │ reading a specially crafted 7Z archive                    │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35516                │
│                                     ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-35517 │          │                   │               │ apache-commons-compress: excessive memory allocation when │
│                                     │                │          │                   │               │ reading a specially crafted TAR archive                   │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-35517                │
│                                     ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-36090 │          │                   │               │ apache-commons-compress: excessive memory allocation when │
│                                     │                │          │                   │               │ reading a specially crafted ZIP archive                   │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36090                │
└─────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
root@08e8aefe48d9:~#
  1. 使用本地客户端方式 均卡死不动
root@08e8aefe48d9:~# trivy repository -d --skip-db-update --offline-scan --branch master https://auth2:glpat-jMMuXTfHpgwmuyQKxzy3@xxx.xxx.xxx.xxxom/xxx/projects/xxx/file-service.git
2023-02-06T03:16:49.920Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]

@paddy235
Copy link
Author

paddy235 commented Feb 6, 2023
edited
Loading

代码中没有使用server参数

CodeService.java

            CommandUtils.commonExecCmdWithResult(TrivyConstants.TRIVY_RM + TrivyConstants.TRIVY_JSON, TrivyConstants.DEFAULT_BASE_DIR);
            String command = _proxy + token + TrivyConstants.TRIVY_REPO + str + branch + " " + codeCredential.getUrl() + TrivyConstants.TRIVY_TYPE + TrivyConstants.DEFAULT_BASE_DIR + TrivyConstants.TRIVY_JSON;
            LogUtil.info(code.getId() + " {code scan}[command]: " + code.getName() + "   " + command);
            String resultStr = CommandUtils.commonExecCmdWithResult(command, TrivyConstants.DEFAULT_BASE_DIR);

@harris1943
Copy link
Collaborator

The first run cannot skip downloading DB.
首次执行需要更新漏洞库,源码这个地方不需要使用server,漏洞库已经在HummerRisk安装的时候挂载了宿主机的/opt/hummerrisk/data/trivy/db/目录下。
您可以docker exec -it hummer_risk bash进入容器,手动执行命令 trivy image --download-db-only 来更新库(网络需要可以连通github,更新完,宿主机的/opt/hummerrisk/data/trivy/db/目录文件随之更新)
或者,手动下载我们打包的漏洞库,https://company.hummercloud.com/offline-package/trivy/trivy-db/trivy-offline-v2-2023020607.db.tar.gz,解压到/opt/hummerrisk/data/trivy/db/目录下。

@paddy235
Copy link
Author

paddy235 commented Feb 7, 2023

手动更新漏洞库,然后使用server就是验证漏洞库是可用的,而且两个容器共用的同一个漏洞库,核心问题是在容器内执行 日志报的命令会卡着不动,不能完整运行,这个是主要原因

@alvin5840
Copy link
Collaborator

@paddy235 目前对 tirvy Server 做了问题修复,关于离线环境检测应该是正常的,等待 HummerRisk v0.9.1 发布后,可以更新看看是否解决你的问题。

@paddy235
Copy link
Author

paddy235 commented Feb 7, 2023
edited
Loading

找到问题原因了,由于docker的hummerrisk/hummerrisk:v0.9.0启动了hummer_risktrivy_server共享的漏洞库${HR_BASE}/data/trivy/db 导致。

如何解决?

  1. docker守护服务增加MountFlags=shared,无效
systemctl show --property=MountFlags docker.service
MountFlags=shared
  1. docker-compse-app.yml增加指定绑定,无效

docker inspect -f "{{json .Mounts}}" hummer_risk | jq

[
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/logs/hummerrisk",
    "Destination": "/opt/hummerrisk/logs",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/data/trivy/cache",
    "Destination": "/opt/hummerrisk/trivy",
    "Mode": "rw,shared",
    "RW": true,
    "Propagation": "shared"
  },
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/conf/hummerrisk/aws-config",
    "Destination": "/root/.aws",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/data/trivy/db",
    "Destination": "/root/.cache/trivy/db",
    "Mode": "rw,shared",
    "RW": true,
    "Propagation": "shared"
  },
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/conf/hummerrisk/hummerrisk.properties",
    "Destination": "/opt/hummerrisk/conf/hummerrisk.properties",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "volume",
    "Name": "681f630bfef02e4cabfa2ec06c5f671f3f5e9339dc775e045651cefce6a5ba56",
    "Source": "/var/lib/docker/volumes/681f630bfef02e4cabfa2ec06c5f671f3f5e9339dc775e045651cefce6a5ba56/_data",
    "Destination": "/home/custodian",
    "Driver": "local",
    "Mode": "",
    "RW": true,
    "Propagation": ""
  },
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/data/hummerrisk/file",
    "Destination": "/opt/hummerrisk/file",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/opt/hummerrisk/data/hummerrisk/image",
    "Destination": "/opt/hummerrisk/image",
    "Mode": "rw",
    "RW": true,
    "Propagation": "rprivate"
  }
]
  1. 正确解决方式

使用安装包中的docker.service替换/usr/lib/systemd/system/docker.service ,重启动docker服务即可解决。

@paddy235 paddy235 closed this as completed Feb 8, 2023
@paddy235 paddy235 mentioned this issue Feb 8, 2023
Closed
@tcsecchen tcsecchen mentioned this issue Feb 14, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alvin5840 alvin5840

Labels
状态:已完成 类型:bug 类型:优化
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@paddy235 @harris1943 @alvin5840