trivy image scan not detecting jar files #2054

Closed
amirdamirov opened this issue Apr 26, 2022 · 16 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed.

Comments

@amirdamirov

Description

I configured Trivy in my pipeline. It had been working normally until yesterday.
I added the "--debug" option; please check below. Is it related to a bug?

What did you expect to happen?

Normal scan with vulnerability report

What happened instead?

Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/dnsns.jar"}
No such POM in the central ****sitories {"file": "cldrdata.jar"}

etc.

Output of run with --debug:

DEBUG	Parsing Java artifacts...	{"file": "opt/test/presentation-api/lib/presentation-api.jar"}
2022-04-26T13:15:31.828Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:31.903Z	DEBUG	Parsing Java artifacts...	{"file": "opt/psdl/presentation-api/lib/presentation-api.jar"}
2022-04-26T13:15:31.904Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:32.295Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/cldrdata.jar"}
2022-04-26T13:15:32.347Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/charsets.jar"}
2022-04-26T13:15:33.344Z	DEBUG	No such POM in the central ****sitories	{"file": "charsets.jar"}
2022-04-26T13:15:33.344Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/dnsns.jar"}
2022-04-26T13:15:33.345Z	DEBUG	No such POM in the central ****sitories	{"file": "cldrdata.jar"}
2022-04-26T13:15:33.347Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/jaccess.jar"}
2022-04-26T13:15:33.573Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/localedata.jar"}
2022-04-26T13:15:33.799Z	DEBUG	Analysis error: unable to decode JSON (opt/test/presentation-api/lib/phoenix-client/com/amazonaws/internal/config/awssdk_config_default.json): invalid character '/' looking for beginning of object key string
2022-04-26T13:15:33.860Z	DEBUG	No such POM in the central ****sitories	{"file": "jaccess.jar"}
2022-04-26T13:15:33.861Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/nashorn.jar"}
2022-04-26T13:15:33.968Z	DEBUG	No such POM in the central ****sitories	{"file": "dnsns.jar"}
2022-04-26T13:15:33.969Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunec.jar"}
2022-04-26T13:15:34.071Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunjce_provider.jar"}
2022-04-26T13:15:34.072Z	DEBUG	No such POM in the central ****sitories	{"file": "localedata.jar"}
2022-04-26T13:15:34.072Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunpkcs11.jar"}
2022-04-26T13:15:34.245Z	DEBUG	No such POM in the central ****sitories	{"file": "nashorn.jar"}
2022-04-26T13:15:34.246Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/zipfs.jar"}
2022-04-26T13:15:34.386Z	DEBUG	No such POM in the central ****sitories	{"file": "sunec.jar"}
2022-04-26T13:15:34.386Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jce.jar"}
2022-04-26T13:15:34.477Z	DEBUG	No such POM in the central ****sitories	{"file": "sunjce_provider.jar"}
2022-04-26T13:15:34.502Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jsse.jar"}
2022-04-26T13:15:34.509Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jfr.jar"}
2022-04-26T13:15:34.512Z	DEBUG	No such POM in the central ****sitories	{"file": "sunpkcs11.jar"}
2022-04-26T13:15:34.522Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/management-agent.jar"}
2022-04-26T13:15:34.537Z	DEBUG	No such POM in the central ****sitories	{"file": "zipfs.jar"}
2022-04-26T13:15:34.562Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/resources.jar"}
2022-04-26T13:15:34.726Z	DEBUG	No such POM in the central ****sitories	{"file": "jce.jar"}
2022-04-26T13:15:34.766Z	DEBUG	No such POM in the central ****sitories	{"file": "management-agent.jar"}
2022-04-26T13:15:34.807Z	DEBUG	No such POM in the central ****sitories	{"file": "resources.jar"}
2022-04-26T13:15:34.813Z	DEBUG	No such POM in the central ****sitories	{"file": "jsse.jar"}
2022-04-26T13:15:34.813Z	DEBUG	No such POM in the central ****sitories	{"file": "jfr.jar"}
2022-04-26T13:15:35.069Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/unlimited/local_policy.jar"}
2022-04-26T13:15:35.071Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/rt.jar"}
2022-04-26T13:15:35.086Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/limited/US_export_policy.jar"}
2022-04-26T13:15:35.086Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/limited/local_policy.jar"}
2022-04-26T13:15:35.086Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/unlimited/US_export_policy.jar"}
2022-04-26T13:15:35.314Z	DEBUG	No such POM in the central ****sitories	{"file": "US_export_policy.jar"}
2022-04-26T13:15:35.315Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.315Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.315Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas-1.8.0.jar"}
2022-04-26T13:15:35.316Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.316Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas.jar"}
2022-04-26T13:15:35.316Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.316Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.317Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.317Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce-1.8.0.jar"}
2022-04-26T13:15:35.317Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.317Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce.jar"}
2022-04-26T13:15:35.318Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.318Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.318Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.318Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-1.8.0.jar"}
2022-04-26T13:15:35.319Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.319Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-3.0.jar"}
2022-04-26T13:15:35.319Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext.jar"}
2022-04-26T13:15:35.320Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.320Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-1.8.0.jar"}
2022-04-26T13:15:35.321Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.321Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.321Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.321Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos-1.8.0.jar"}
2022-04-26T13:15:35.321Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos.jar"}
2022-04-26T13:15:35.322Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.322Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap-1.8.0.jar"}
2022-04-26T13:15:35.323Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.323Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap.jar"}
2022-04-26T13:15:35.323Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.323Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.323Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi-1.8.0.jar"}
2022-04-26T13:15:35.324Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi.jar"}
2022-04-26T13:15:35.324Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi.jar"}
2022-04-26T13:15:35.325Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.325Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.325Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.325Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse-1.8.0.jar"}
2022-04-26T13:15:35.326Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.326Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse.jar"}
2022-04-26T13:15:35.326Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.327Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl-1.8.0.jar"}
2022-04-26T13:15:35.327Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl.jar"}
2022-04-26T13:15:35.327Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.375Z	DEBUG	No such POM in the central ****sitories	{"file": "local_policy.jar"}
2022-04-26T13:15:35.464Z	DEBUG	No such POM in the central ****sitories	{"file": "local_policy.jar"}
2022-04-26T13:15:35.465Z	DEBUG	No such POM in the central ****sitories	{"file": "US_export_policy.jar"}
2022-04-26T13:15:35.815Z	DEBUG	No such POM in the central ****sitories	{"file": "rt.jar"}
2022-04-26T13:24:53.978Z	WARN	Increase --timeout value
2022-04-26T13:24:54.068Z	FATAL	scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:92
  - image scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:112
  - analyze error:
    github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:116
  - timeout:
    github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:196

Output of trivy -v:

Version: 0.27.0

Additional details (base image name, container registry info...):

base image: centos:7
container reg: Custom image for java app
artifacts: Jar files installed via rpm

@amirdamirov amirdamirov added the kind/bug Categorizes issue or PR as related to a bug. label Apr 26, 2022
@DmitriyLewen
Contributor

DmitriyLewen commented Apr 27, 2022

Hello @amirdamirov
Thanks for your report!

Can you try to scan your image with the --offline-scan flag?

Regards, Dmitriy

@amirdamirov
Author

amirdamirov commented Apr 27, 2022

@DmitriyLewen thanks.
I tried with --offline-scan; the result is:

2022-04-27T18:14:19.097+0400 DEBUG Parsing Java artifacts... {"file": "opt/test/presentation-api/lib/presentation-api.jar"}
2022-04-27T18:14:19.098+0400 DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-27T18:14:19.180+0400 DEBUG Parsing Java artifacts... {"file": "opt/test/presentation-api/lib/presentation-api.jar"}
2022-04-27T18:14:19.181+0400 DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-27T18:18:58.709+0400 WARN Increase --timeout value
2022-04-27T18:18:58.709+0400 FATAL scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:92

  • image scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  • failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
    /home/runner/work/trivy/trivy/pkg/scanner/scan.go:112
  • analyze error:
    github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
    /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:116
  • timeout:
    github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
    /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:196
  • context deadline exceeded

@DmitriyLewen
Contributor

@amirdamirov Thanks for your answer!

Can I get your image or dockerfile (or part of it with a reproduction of your issue)?

And one more question: have you tried using a timeout with a larger value?

@amirdamirov
Author

Unfortunately I can't share the image, because it is a custom image.
But what is the reason that Trivy behaves like this? Is there any other method to troubleshoot it?

@DmitriyLewen
Contributor

DmitriyLewen commented Apr 29, 2022

Okay, I understand you.

Trivy doesn't stop scanning if it has errors with Java files.
If a jar file doesn't contain a pom file (No such POM in the central repositories...), Trivy tries to find dependencies in the MANIFEST file.

Can you try using the --timeout 60m and --security-checks vuln flags and scan your image again? Your image may be so large that Trivy can't finish the scan in 5 minutes. Send me the result of the scan after that, please.
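As an added illustration (not Trivy's or go-dep-parser's code), the following Go program models the fallback described above: open each jar as a zip, take the GAV from META-INF/maven/.../pom.properties, fall back to MANIFEST.MF Implementation-Title/Version, and treat a "jar" that is not a valid zip as a per-file analysis error rather than a fatal one. The jar contents, file names and output format are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"fmt"
	"strings"
)

// props parses "key=value" (pom.properties) or "Key: value" (MANIFEST.MF) lines.
func props(f *zip.File) map[string]string {
	m := map[string]string{}
	if rc, err := f.Open(); err == nil {
		defer rc.Close()
		for sc := bufio.NewScanner(rc); sc.Scan(); {
			if i := strings.IndexAny(sc.Text(), "=:"); i > 0 {
				m[strings.TrimSpace(sc.Text()[:i])] = strings.TrimSpace(sc.Text()[i+1:])
			}
		}
	}
	return m
}

// parseJar mirrors the fallback above: a pom.properties GAV wins, then MANIFEST.MF, else an error.
func parseJar(data []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil { // "zip: not a valid zip file" for the broken jars in the log above
		return "", fmt.Errorf("jar parse error: zip error: %w", err)
	}
	var manifest map[string]string
	for _, f := range zr.File {
		if strings.HasPrefix(f.Name, "META-INF/maven/") && strings.HasSuffix(f.Name, "/pom.properties") {
			if p := props(f); p["groupId"] != "" && p["artifactId"] != "" && p["version"] != "" {
				return p["groupId"] + ":" + p["artifactId"] + ":" + p["version"] + " (pom.properties)", nil
			}
		} else if f.Name == "META-INF/MANIFEST.MF" {
			manifest = props(f)
		}
	}
	if t, v := manifest["Implementation-Title"], manifest["Implementation-Version"]; t != "" && v != "" {
		return t + ":" + v + " (MANIFEST.MF)", nil
	}
	return "", fmt.Errorf("no GAV in pom.properties or MANIFEST.MF")
}

// makeJar builds a one-entry in-memory jar; used only to construct the sample inputs.
func makeJar(name, body string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(name)
	w.Write([]byte(body))
	zw.Close()
	return buf.Bytes()
}

// scanSamples parses three constructed jars and, like Trivy, records per-file errors and keeps going.
func scanSamples() map[string]string {
	jars := map[string][]byte{
		"lib/with-pom.jar":      makeJar("META-INF/maven/com.example/demo/pom.properties", "groupId=com.example\nartifactId=demo\nversion=1.2.3\n"),
		"lib/manifest-only.jar": makeJar("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Title: legacy-lib\nImplementation-Version: 0.9\n"),
		"lib/broken.jar":        []byte("not a zip archive at all"),
	}
	out := map[string]string{}
	for name, data := range jars {
		res, err := parseJar(data)
		if err != nil {
			res = "Analysis error: " + err.Error() // logged, scan continues
		}
		out[name] = res
	}
	return out
}

func main() { fmt.Println(scanSamples()) }
```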

@amirdamirov
Author

With this key, --security-checks vuln, it worked.
But doesn't Trivy do it by default?

@DmitriyLewen
Contributor

In version 0.27.0 we added a secret scan. Secret scanning is currently enabled by default.
With it, Trivy can scan slowly. That is why you're getting the WARNING about increasing the --timeout value: Trivy doesn't have enough time for the scan to complete.

@amirdamirov
Author

When I removed --security-checks vuln it was failing again. Only with this key do Trivy scans succeed.

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 29, 2022
@josephkishan

josephkishan commented Mar 4, 2023

@DmitriyLewen I am facing the same issue, "no pom file in the central repository". It works fine with Trivy 0.37.3, but after upgrading further it displays the error message. Please help with this. I have also tried using the --timeout 60m and --security-checks vuln flags. @amirdamirov Can you please reopen this issue, as we started facing it after upgrading from 0.37.3?

@DmitriyLewen
Contributor

Hello @josephkishan
We added new logic to detect jar files without a GAV inside the jar.
Can you update Trivy to v0.38.1 and try again?

If it doesn't help, can you send me your jar file? I will try to understand why Trivy can't parse this file.

Regards, Dmitriy

@josephkishan

josephkishan commented Mar 6, 2023

Sorry @DmitriyLewen, I cannot share the details. But if I try 0.37.3 now it works fine. It is not working with the latest Trivy (0.38.1). This is the --debug output:
2023-03-06T03:55:39.070Z FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:427

  • scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  • scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:660
  • failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
    /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  • analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:139
  • failed to analyze layer (sha256:9796535d8ed3a7fb1a2fb6fe5ea110f5ca40e4ce7b5f90ffe75a440752f52d45):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:242
  • post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:320
  • post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:483
  • walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:91
  • on file:
    github.com/aquasecurity/trivy/pkg/parallel.walk[...]
    /home/runner/work/trivy/trivy/pkg/parallel/walk.go:97
  • jar/war/ear/par parse error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze.func2
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:75
  • zip error:
    github.com/aquasecurity/go-dep-parser/pkg/java/jar.(*Parser).parseArtifact
    /home/runner/go/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230302111817-e4068021315b/pkg/java/jar/parse.go:82
  • zip: not a valid zip file

@DmitriyLewen
Contributor

Hm... it is strange...
Looks like a problem with one jar file (not a valid zip file).
But we have not changed the logic of opening jars.

Can you scan your image again with the --slow flag, please?
Then we can find the wrong file.

@josephkishan

josephkishan commented Mar 6, 2023

@DmitriyLewen Below is the --slow output:
2023-03-06T07:08:21.794Z FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:427

  • scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  • scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:660
  • failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
    /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  • analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:139
  • failed to analyze layer (sha256:e7235ba5bcea7d52e97a38f6f98e2f8677483ef485278820c583f1e8c76631c7):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:242
  • post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:320
  • post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:483
  • walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:91
  • on file:
    github.com/aquasecurity/trivy/pkg/parallel.walk[...]
    /home/runner/work/trivy/trivy/pkg/parallel/walk.go:97
  • jar/war/ear/par parse error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze.func2
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:75
  • zip error:
    github.com/aquasecurity/go-dep-parser/pkg/java/jar.(*Parser).parseArtifact
    /home/runner/go/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230302111817-e4068021315b/pkg/java/jar/parse.go:82
  • zip: not a valid zip file

@DmitriyLewen
Contributor

@josephkishan looks like it is the same issue: #3760

@josephkishan

Yes @DmitriyLewen, same issue. Can you please help with this?
