
trivy image scan suddenly timing out #3421

Closed
stealthrabbi opened this issue Jan 12, 2023 · 111 comments · Fixed by #3484
Labels
triage/support Indicates an issue that is a support question.

Comments

@stealthrabbi

stealthrabbi commented Jan 12, 2023

Trivy image scan was taking less than 1 minute as of yesterday. Now suddenly it is timing out.

Setting `--security-checks vuln` has no effect, as was suggested from output.

Tried this with v0.24.2 and current latest

2023-01-12T12:46:56.932Z	INFO	Need to update DB
2023-01-12T12:46:56.932Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-12T12:46:56.932Z	INFO	Downloading DB...
10.64 MiB / 36.04 MiB [------------------>__________________________________________] 29.53% ? p/s ?
23.69 MiB / 36.04 MiB [---------------------------------------->____________________] 65.75% ? p/s ?
36.04 MiB / 36.04 MiB [----------------------------------------------------------->] 100.00% ? p/s ?
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 42.35 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 42.35 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 42.35 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 39.62 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 39.62 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 39.62 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 37.07 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 37.07 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 37.07 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [---------------------------------------------->] 100.00% 34.67 MiB p/s ETA 0s
36.04 MiB / 36.04 MiB [-------------------------------------------------] 100.00% 14.56 MiB p/s 2.7s
2023-01-12T12:47:00.337Z	INFO	Vulnerability scanning is enabled
2023-01-12T12:56:56.932Z	WARN	Increase --timeout value
2023-01-12T12:56:56.932Z	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded
@stealthrabbi stealthrabbi added the kind/bug Categorizes issue or PR as related to a bug. label Jan 12, 2023
@Hugo-D

Hugo-D commented Jan 12, 2023

Hello, I am having the same issue there.
Worked perfectly fine this morning until the Vulnerability DB updates:

trivy -v
Version: 0.33.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-12 06:07:03.840852771 +0000 UTC
  NextUpdate: 2023-01-12 12:07:03.840852271 +0000 UTC
  DownloadedAt: 2023-01-12 06:41:12.347924267 +0000 UTC

@knqyf263 knqyf263 added triage/support Indicates an issue that is a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jan 12, 2023
@dusik66

dusik66 commented Jan 12, 2023

Hello,

maybe it is related to search.maven.org:
2023-01-12T12:55:15.461Z DEBUG request failed {"error": "Get \"https://search.maven.org/solrsearch/select?q=1%3A%22185ae7422deb18aa14464b18cf9ce997d4710a57%22&rows=1&wt=json\": net/http: TLS handshake timeout", "method": "GET", "url": "https://search.maven.org/solrsearch/select?q=1%3A%22185ae7422deb18aa14464b18cf9ce997d4710a57%22&rows=1&wt=json"}

@knqyf263
Collaborator

Looks like GitHub Container Registry distributing Trivy DB is something wrong now. Please try it again later.

@aaron-hastings-travelport

Seeing the same issue with Trivy 0.32.1.

@knqyf263
Collaborator

Is everyone scanning images with JAR files? If so, maven might be relevant like @dusik66 pointed out. --offline-scan may help until the server is back.

@stealthrabbi
Author

In my case, yes, I am scanning an image for a java proj.

@knqyf263
Collaborator

Can you try --offline-scan then? It doesn't try to connect to search.maven.org.

@pioneer2k

I reported the same issue here: aquasecurity/trivy-action#190

@DaspawnW
Contributor

If you run with --offline-scan then you even get additional features ;-)

In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify --offline-scan since Trivy tries to issue API requests for scanning Java applications by default.

https://aquasecurity.github.io/trivy/v0.36/docs/advanced/air-gap/

@stealthrabbi
Author

so --offline-scan won't prevent the main trivy DB from being downloaded, it just will not reach out to internet for the actual scanning portion?

@knqyf263
Collaborator

so --offline-scan won't prevent the main trivy DB from being downloaded, it just will not reach out to internet for the actual scanning portion?

Right.

@knqyf263
Collaborator

To skip downloading DB, you can pass --skip-db-update, but you need to have the old database locally. Otherwise, the scanning will fail.
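The advice in the last few comments (`--offline-scan` to avoid search.maven.org, `--skip-db-update` only when a DB is already cached) amounts to a small CI wrapper. The script below is an added example, not code from the Trivy project or from anyone in this thread: it fetches the vulnerability DB in one scheduled step and then scans with no outbound requests at all. It assumes `trivy` is on `PATH`, the cache layout seen in the DEBUG output further down (`<cache-dir>/db/metadata.json`), the `--download-db-only` flag described in the air-gap documentation linked above, and the `CACHE_DIR`, `DB_MAX_AGE_MIN` and report path values, which are all constructed.

```shell
#!/bin/sh
# Added example (not Trivy project code): warm the DB once, then scan offline.
set -eu

TRIVY=${TRIVY:-trivy}                 # assumed: trivy binary on PATH
CACHE_DIR=${CACHE_DIR:-.trivycache}   # same --cache-dir layout as the pipeline command in this thread
DB_MAX_AGE_MIN=${DB_MAX_AGE_MIN:-360} # 6 h, the UpdatedAt -> NextUpdate window shown by `trivy -v`

# --skip-db-update only works when a DB is already cached; Trivy keeps its
# metadata in <cache>/db/metadata.json (the path named in the DEBUG output).
db_ready() {
    [ -s "$1/db/metadata.json" ]
}

# True when the cached metadata file is younger than DB_MAX_AGE_MIN minutes.
# A stale DB still scans, but misses advisories published since it was built.
db_fresh() {
    [ -s "$1/db/metadata.json" ] &&
        [ -n "$(find "$1/db/metadata.json" -mmin "-$DB_MAX_AGE_MIN" 2>/dev/null)" ]
}

# The only step that needs the network. Run it on a timer (or on the Trivy
# server), not from every pipeline job, so a registry outage cannot stall scans.
warm_db() {
    "$TRIVY" --cache-dir "$CACHE_DIR" image --download-db-only
}

# Scan with no outbound requests: --skip-db-update avoids ghcr.io and
# --offline-scan avoids the search.maven.org JAR lookups that timed out here.
scan_offline() {
    image=$1
    if ! db_ready "$CACHE_DIR"; then
        echo "no cached DB under $CACHE_DIR; run '$0 warm' first" >&2
        return 2
    fi
    if ! db_fresh "$CACHE_DIR"; then
        echo "warning: cached DB is older than $DB_MAX_AGE_MIN minutes" >&2
    fi
    "$TRIVY" --cache-dir "$CACHE_DIR" image \
        --skip-db-update --offline-scan \
        --security-checks vuln \
        --timeout 10m \
        --exit-code 1 --no-progress \
        --format json --output trivy-report.json \
        "$image"
}

case "${1:-}" in
    warm) warm_db ;;
    scan) scan_offline "${2:?image reference required}" ;;
    *)    ;;   # no arguments: only define the functions
esac
```

Usage is `./scan.sh warm` from a scheduled job and `./scan.sh scan registry/app:tag` from each pipeline; the scan step fails fast with exit code 2 if nobody has warmed the cache, which is the failure mode knqyf263 describes for `--skip-db-update` without a local database.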

mpanne added a commit to digitalservicebund/useid-backend-service that referenced this issue Jan 12, 2023
Until current timeout issues are resolved.

See: aquasecurity/trivy#3421
See also: aquasecurity/trivy-action#190
@dmitry-weirdo

dmitry-weirdo commented Jan 12, 2023

We are probably facing a similar issue — starting from today (the first fail was at Jan 12, 2023, 11:30 AM GMT), the GitLab pipelines started to fail.

  • Trivy version was not changed, remains 0.36.1.
  • Same configuration was successfully working in around 2-3.5 minutes.
  • First it was a timeout issue.
  • I increased the timeout to 10m and then to 30m.
  • Now it's failing on log4j or other artifacts like this, after 7-25 minutes of execution:
$ trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@/contrib/junit.tpl" --output "$CI_PROJECT_DIR/container-scan-junit.xml" "$FULL_IMAGE_NAME" --timeout 30m0s
2023-01-12T18:01:31.130Z	INFO	Need to update DB
2023-01-12T18:01:31.130Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-12T18:01:31.130Z	INFO	Downloading DB...
2023-01-12T18:01:33.467Z	INFO	Vulnerability scanning is enabled
2023-01-12T18:01:33.467Z	INFO	Secret scanning is enabled
2023-01-12T18:01:33.467Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T18:01:33.467Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T18:06:55.053Z	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer:  : walk error: failed to process the file: failed to analyze file: failed to analyze app/BOOT-INF/lib/log4j-core-2.19.0.jar: unable to open app/BOOT-INF/lib/log4j-core-2.19.0.jar: failed to open: unable to read the file: read tcp 172.17.0.2:47734->3.5.139.107:443: read: connection reset by peer
Uploading artifacts for failed job

Setting --offline-scan option is helping, but I am not sure whether it's a good long-term solution.

@dmitry-weirdo

What happens if we set --offline-scan? The documentation is not very clear about it.
If it stops refreshing the CVE database, this isn't the best constant solution.


@knqyf263
Collaborator

knqyf263 commented Jan 12, 2023

@dmitry-weirdo Please see my comment above.
#3421 (comment)

Ref. https://aquasecurity.github.io/trivy/v0.36/docs/references/troubleshooting/#maven-rate-limiting-inconsistent-jar-vulnerability-reporting

@knqyf263 knqyf263 pinned this issue Jan 12, 2023

@paultung

Still happening in my case and works after retrying 3 times:

...
2023-01-13T02:20:42.699Z	INFO	Need to update DB
2023-01-13T02:20:42.699Z	INFO	Downloading DB...
16.89 MiB / 36.05 MiB [---------------------------->________________________________] 46.86% ? p/s ?
32.95 MiB / 36.05 MiB [------------------------------------------------------->_____] 91.42% ? p/s ?
36.05 MiB / 36.05 MiB [----------------------------------------------------------->] 100.00% ? p/s ?
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 32.10 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 32.10 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 32.10 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 30.03 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 30.03 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 30.03 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [---------------------------------------------->] 100.00% 28.10 MiB p/s ETA 0s
36.05 MiB / 36.05 MiB [-------------------------------------------------] 100.00% 19.06 MiB p/s 2.1s
2023-01-13T02:25:42.822Z	FATAL	scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
...

@DmitriyLewen
Contributor

DmitriyLewen commented Jan 13, 2023

Hello guys!!

I checked this problem now. Looks like it was temporarily down and it works now.
I tried to reproduce this problem, but got a correct response from maven 1000 times in a row.
Can you check it and write if there are still errors?

@paultung maybe your problem has a different reason. Can you send your jar file for more investigation?

@Dmitry-Dymnov

Hello, the problem still exists.

2023-01-13T06:34:39Z [INFO] [/pkg/scan/job.go:385]: {
  "uuid": "bf9b6744-ebbc-11eb-bcb0-fef69661a874",
  "name": "Trivy",
  "description": "The Trivy scanner adapter",
  "url": "http://registry-harbor-trivy:8080",
  "disabled": false,
  "is_default": true,
  "health": "healthy",
  "auth": "",
  "access_credential": "[HIDDEN]",
  "skip_certVerify": false,
  "use_internal_addr": true,
  "adapter": "Trivy",
  "vendor": "Aqua Security",
  "version": "v0.32.1",
  "create_time": "2021-07-23T13:49:06.678883Z",
  "update_time": "2021-07-27T11:34:11.007996Z"
}
2023-01-13T06:34:39Z [INFO] [/pkg/scan/job.go:385]: {
  "registry": {
    "url": "http://registry-harbor-core:80",
    "authorization": "[HIDDEN]"
  },
  "artifact": {
    "namespace_id": 135,
    "repository": "*******",
    "tag": "latest",
    "digest": "sha256:3cd2b01db4c4299f6bddcf1b93d6bf51f0953dd1998f295cccc56f34c4ff486c",
    "mime_type": "application/vnd.docker.distribution.manifest.v2+json"
  }
}
2023-01-13T06:34:39Z [INFO] [/pkg/scan/job.go:167]: Report mime types: [application/vnd.security.vulnerability.report; version=1.1]
2023-01-13T06:34:39Z [INFO] [/pkg/scan/job.go:222]: Get report for mime type: application/vnd.security.vulnerability.report; version=1.1
2023-01-13T06:34:41Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:34:46Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:34:51Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:34:56Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:01Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:06Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:11Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:16Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:21Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:26Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:31Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:36Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:41Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:46Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:51Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:35:56Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:36:01Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:36:06Z [INFO] [/pkg/scan/job.go:243]: Report with mime type application/vnd.security.vulnerability.report; version=1.1 is not ready yet, retry after 5 seconds
2023-01-13T06:36:11Z [ERROR] [/pkg/scan/job.go:292]: check scan report with mime type application/vnd.security.vulnerability.report; version=1.1: running trivy wrapper: running trivy: exit status 1: 2023-01-13T06:34:40.074Z	INFO	Vulnerability scanning is enabled
2023-01-13T06:36:06.461Z	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer:  : walk error: failed to process the file: failed to analyze file: failed to analyze liquibase/internal/lib/ojdbc8.jar: unable to open liquibase/internal/lib/ojdbc8.jar: failed to open: unable to read the file: unexpected EOF
: general response handler: unexpected status code: 500, expected: 200

@DmitriyLewen
Contributor

DmitriyLewen commented Jan 13, 2023

Hello @Dmitry-Dymnov
Looks like the problem is not with the maven repository.
Trivy can't read the liquibase/internal/lib/ojdbc8.jar file in your liquibase***.jar (I am not sure of the file name).
Can you submit this file for investigation?

Also, can you say the version of Trivy? We fixed a case where Trivy would stop scanning after receiving an error for internal jars (#2989).

Regards, Dmitriy

@Dmitry-Dymnov

Dmitry-Dymnov commented Jan 13, 2023

@DmitriyLewen, until yesterday, these images were scanned without problems. I'm sorry, but I can't give you the file (((
Trivy is used as part of Harbor ("version": "v0.32.1").

@monwolf

monwolf commented Jan 13, 2023

Hello guys!!

I checked this problem now. Looks like it was temporarily down and it works now. I tried to reproduce this problem, but got a correct response from maven 1000 times in a row. Can you check it and write if there are still errors?

@paultung maybe your problem has a different reason. Can you send your jar file for more investigation?

I've just run a trivy execution and it's failing again

+ /opt/trivy-scan/trivy -d --cache-dir /opt/trivy-scan/.trivycache/ image --no-progress --format json -o /tmp/reports/aea-chapi-omnichannel-trivy-report-1673595621.json aea-tp/channel:alpha-91d20501-91340-241 --ignorefile /tmp/.trivyignore
2023-01-13T07:40:21.965Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-13T07:40:21.970Z	DEBUG	cache dir:  /opt/trivy-scan/.trivycache/
2023-01-13T07:40:21.970Z	DEBUG	There is no valid metadata file: unable to open a file: open /opt/trivy-scan/.trivycache/db/metadata.json: no such file or directory
2023-01-13T07:40:21.970Z	INFO	Need to update DB
2023-01-13T07:40:21.970Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-13T07:40:21.970Z	INFO	Downloading DB...
2023-01-13T07:40:21.970Z	DEBUG	no metadata file
2023-01-13T07:40:24.300Z	DEBUG	Updating database metadata...
2023-01-13T07:40:24.301Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-01-13 06:07:02.14805908 +0000 UTC, NextUpdate: 2023-01-13 12:07:02.14805848 +0000 UTC, DownloadedAt: 2023-01-13 07:40:24.301082232 +0000 UTC
2023-01-13T07:40:24.301Z	INFO	Vulnerability scanning is enabled
2023-01-13T07:40:24.302Z	DEBUG	Vulnerability type:  [os library]
2023-01-13T07:40:24.302Z	INFO	Secret scanning is enabled
2023-01-13T07:40:24.302Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-13T07:40:24.302Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-13T07:40:24.319Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-01-13T07:40:24.320Z	DEBUG	Image ID: sha256:e0ea4be578c1e55dfc047dc4621a3c8e460cf2cc080dc2c56c36d08858ca80ba
2023-01-13T07:40:24.320Z	DEBUG	Diff IDs: [sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3 sha256:9dc38e038a4b30a44a39340027b138e3d52f5256e5449ce32b74f7f21475a796 sha256:0c6a8c08d9664f51203017fe0dd63a0ad69a0da2fc6cb01bd021314ae5bdecd3 sha256:29e51557cb02f590cef20e0a9ba769e030c27e8bd42076d42f2acaa49cfd5f38 sha256:13a14e21710e57c5e06cfa617638216e95b066f0b3f38663fed6a85563e89dce sha256:916158f15540724646ab7f924d27542c47aa1ca392333c03b1d19386793f9a3f sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:df59f20536381fbafd8002f10f4d38a62516da52d6f0e610341a7426ebe99f4f sha256:c9ec7b8d4aea08c7884108ce8ab2dd96883998b57f1ebb33af014149956c396d sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2023-01-13T07:40:24.320Z	DEBUG	Base Layers: [sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3]
2023-01-13T07:40:24.320Z	DEBUG	Missing image ID in cache: sha256:e0ea4be578c1e55dfc047dc4621a3c8e460cf2cc080dc2c56c36d08858ca80ba
2023-01-13T07:40:24.320Z	DEBUG	Missing diff ID in cache: sha256:13a14e21710e57c5e06cfa617638216e95b066f0b3f38663fed6a85563e89dce
2023-01-13T07:40:24.320Z	DEBUG	Missing diff ID in cache: sha256:9dc38e038a4b30a44a39340027b138e3d52f5256e5449ce32b74f7f21475a796
2023-01-13T07:40:24.320Z	DEBUG	Missing diff ID in cache: sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3
2023-01-13T07:40:24.320Z	DEBUG	Missing diff ID in cache: sha256:29e51557cb02f590cef20e0a9ba769e030c27e8bd42076d42f2acaa49cfd5f38
2023-01-13T07:40:24.320Z	DEBUG	Missing diff ID in cache: sha256:0c6a8c08d9664f51203017fe0dd63a0ad69a0da2fc6cb01bd021314ae5bdecd3
2023-01-13T07:40:26.786Z	DEBUG	Missing diff ID in cache: sha256:916158f15540724646ab7f924d27542c47aa1ca392333c03b1d19386793f9a3f
2023-01-13T07:40:26.855Z	DEBUG	Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
2023-01-13T07:40:26.859Z	DEBUG	Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
2023-01-13T07:40:26.862Z	DEBUG	Missing diff ID in cache: sha256:df59f20536381fbafd8002f10f4d38a62516da52d6f0e610341a7426ebe99f4f
2023-01-13T07:40:27.125Z	DEBUG	Parsing Java artifacts...	{"file": "home/docker/app/app.jar"}
2023-01-13T07:40:27.127Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/logback-access-spring-boot-starter-2.7.1.jar"}
2023-01-13T07:40:27.127Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/tomcat-embed-websocket-9.0.65.jar"}
2023-01-13T07:40:27.241Z	DEBUG	Missing diff ID in cache: sha256:c9ec7b8d4aea08c7884108ce8ab2dd96883998b57f1ebb33af014149956c396d
2023-01-13T07:40:27.305Z	DEBUG	Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
2023-01-13T07:40:29.355Z	DEBUG	Parsing Java artifacts...	{"file": "opt/java/openjdk/lib/jrt-fs.jar"}
2023-01-13T07:40:29.792Z	DEBUG	No such POM in the central repositories	{"file": "jrt-fs.jar"}
2023-01-13T07:41:27.790Z	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=g%3A%22org.apache%22+AND+a%3A%22javax.websocket%22&rows=1 (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-13T07:42:47.932Z	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%22bd70dfeb39cc83c6934be24fa377b21e541dbe76%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-13T07:43:08.005Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/tomcat-embed-core-9.0.31.jar"}
2023-01-13T07:43:08.152Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/logback-access-1.2.11.jar"}
2023-01-13T07:43:08.152Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/logstash-logback-encoder-4.11.jar"}
2023-01-13T07:43:08.153Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/logback-core-1.2.11.jar"}
2023-01-13T07:43:08.153Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/spring-security-oauth2-autoconfigure-2.6.8.jar"}
2023-01-13T07:44:08.220Z	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%22d9ce52f45c4689c1f445d08550ed7c4adcb920e3%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-13T07:44:28.292Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/spring-security-oauth2-2.5.2.RELEASE.jar"}
2023-01-13T07:44:28.292Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/springdoc-openapi-ui-1.6.6.jar"}
2023-01-13T07:44:28.292Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/springdoc-openapi-webmvc-core-1.6.6.jar"}
2023-01-13T07:44:28.293Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/spring-webmvc-5.3.22.jar"}
2023-01-13T07:44:28.366Z	DEBUG	Parsing Java artifacts...	{"file": "BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.7.3.jar"}
2023-01-13T07:45:21.991Z	WARN	Increase --timeout value
2023-01-13T07:45:21.991Z	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:397
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:257
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:588
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:127
  - timeout:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:248
  - context deadline exceeded

@michael-mader

Seems like search.maven.org is still unstable or has more aggressive rate limiting.
After some requests (where the response is really fast) I get "504 Gateway Timeout".

What is search.maven.org used for? Only for checking whether an update fixing a vulnerability of maven dependency is available?

@exiett

exiett commented Jan 27, 2023

Can someone explain how Trivy checks if a given image is a Java image and takes the decision to invoke the Maven endpoint which seems to be going down this last week? Also...

Agreed on this. The true solution would be for search maven to be stable or dependency on it removed(not recommended).

Why is it not recommended to remove the Maven dependency? (Truly out of curiosity, does it play a great part in Java vulnerabilities?)

@13CSherman

13CSherman commented Jan 27, 2023

Can someone explain how Trivy checks if a given image is a Java image and takes the decision to invoke the Maven endpoint which seems to be going down this last week? Also...

Agreed on this. The true solution would be for search maven to be stable or dependency on it removed(not recommended).

Why is it not recommended to remove the Maven dependency? (Truly out of curiosity, does it play a great part in Java vulnerabilities?)

Correct me if I am wrong. I think we want to keep the maven search functionality as needed as mentioned above for jar identification method sake. Removing the maven search dependency doesn't really help unless there is a better way for jar identification as durcon mentioned above.


@exiett

exiett commented Feb 1, 2023

Hey guys, just letting you know I'm still observing the timeout error in my pipeline flow. When running Trivy with --debug option enabled, I can observe that Trivy struggles while trying to call search.maven.org still:

2023-02-01T00:04:35.742Z	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%22053aae0415da5e4be7a7dfbae6d63880d0765b97%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
2023-02-01T00:04:36.282Z	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%228eed85a5337c7b4e84156cc0f3921930fb0d780b%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
.
.
.
2023-02-01T00:07:12.147Z	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:397
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:257
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:588
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:127
  - timeout:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:248
  - context deadline exceeded
[INFO] - Generating JSON report...
2023-02-01T00:12:12.456Z	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded

Maven status page reported a downtime of 23 minutes earlier today. Despite the timeout, I can still make the request locally from my machine using an HTTP client just fine, with the request being answered in 1.5s:
[screenshot]


@knqyf263
Collaborator

knqyf263 commented Feb 1, 2023

@cpach Thanks for the heads-up.
@StevDa86 I created another issue. We're looking into it.
#3514

I've hidden your comments so that people who came to this issue can see relevant discussion. We can keep discussing this issue in #3514.

@knqyf263
Collaborator

knqyf263 commented Feb 1, 2023

Thanks all for your patience. We managed to include the improvement in v0.37.0 🎉🎉 We're grateful for everyone who helped make it happen.

Trivy no longer relies on the third-party API and instead uses the pre-built database for Java scanning. The Java index database will be downloaded when JAR files are found. The scan results should be almost the same as before. You don't have to use --offline-scan anymore. You can see more detail below.
#3518

It can be used even in air-gapped environments💯
https://aquasecurity.github.io/trivy/v0.37/docs/advanced/air-gap/#download-the-java-index-database1

@knqyf263
Collaborator

knqyf263 commented Feb 1, 2023

It may have a critical issue. We're on it.
#3520

@canthony

canthony commented Feb 1, 2023

It may have a critical issue. We're on it. #3520

Oh no - I was just about to test it in our pipeline!

Thank you for the quick notification though.

@markbaird

It may have a critical issue. We're on it. #3520

It's working fine for me this morning. Both locally, and in AWS CodePipeline.

@knqyf263
Collaborator

knqyf263 commented Feb 1, 2023

v0.37.0 has a critical issue. Please try v0.37.1 instead.
https://github.com/aquasecurity/trivy/releases/tag/v0.37.1

@canthony

canthony commented Feb 1, 2023

v0.37.1 works for us

Thank you.

@pgpx

pgpx commented Feb 1, 2023

Hi, looks good, but I'm running a central Trivy server to support CI pipelines, but the Java DB seems to get downloaded by each client (taking about 10s) instead of being downloaded and cached by the server. Is that intended (or have I misconfigured something)? I guess ideally only the server would directly download the Java DB every few days, potentially transferring it to the clients if necessary.

@knqyf263
Collaborator

knqyf263 commented Feb 1, 2023

Is that intended (or have I misconfigured something)?

Good question. Yes, we're aware of that and it is intended for now as most users are running Trivy in standalone mode. We needed to get the Java scan working as soon as possible, so we put client/server aside. Improving client/server will be the next task.

@knqyf263
Collaborator

knqyf263 commented Feb 2, 2023

FYI: there are two known issues.

@sll552

sll552 commented Feb 3, 2023

Just a quick question as we updated today to 0.37.1:

We run a central trivy server for trivy clients that run in our build pipelines to minimize download traffic. This works perfectly fine for the existing vuln-db(s?) but not for the java-db, it seems that the clients try to download the java-db individually and do not use the server for that.
Is it possible to have this provided by the server?

@eva-mueller-coremedia

Just a quick question as we updated today to 0.37.1:

We run a central trivy server for trivy clients that run in our build pipelines to minimize download traffic. This works perfectly fine for the existing vuln-db(s?) but not for the java-db, it seems that the clients try to download the java-db individually and do not use the server for that. Is it possible to have this provided by the server?

Do you use the flags --skip-java-db-update and --download-java-db-only?
Mentioned here aquasecurity/trivy-java-db#8

@cpach
Contributor

cpach commented Feb 3, 2023

Is it possible to have this provided by the server?

Please scroll up and see the question from @pgpx and the answer to that question by @knqyf263.

@sll552

sll552 commented Feb 3, 2023

Is it possible to have this provided by the server?

Please scroll up and see the question from @pgpx and the answer to that question by @knqyf263.

😳 I am sorry, I totally missed that, consider this a +1 for the feature then. Thanks for pointing it out

@knqyf263
Collaborator

knqyf263 commented Feb 10, 2023

We cut v0.37.2 and it should improve the performance. Please let us know if you still see the same issue with v0.37.2.
https://github.com/aquasecurity/trivy/releases/tag/v0.37.2

Those who are using v0.37.0 and v0.37.1 need to update Trivy to v0.37.2 as it has a breaking change. You may see the following error message. Please clear the cached database with trivy image --reset and try scanning again.

2023-02-09T23:59:38.633+0900 ERROR Unable to initialize the Java DB: Java DB open error: can't run auto migration for db: failed to look up field artifact_id from DDL CREATE TABLE indices(artifact_id INTEGER, version TEXT, sha1 BLOB, archive_type TEXT, group_id text, foreign key (artifact_id) references artifacts(id))

Also, we added mitigation for #3514. We think it will not happen in most cases, but we will try to fix the root cause in v0.38.0.

You can track the topic of the Java DB in client/server mode here.
#3560

Thanks for your patience.
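The thread shows three distinct failure signatures that all end a `trivy image` run: the search.maven.org 504/TLS-handshake retries (dusik66, monwolf, exiett), a plain `--timeout` expiry with no upstream cause in the log, and the v0.37.2 `Unable to initialize the Java DB` migration error that knqyf263 says to clear with `trivy image --reset`. A pipeline that only sees "exit status 1" cannot tell these apart, so here is an added log-triage script, not code from the Trivy project or anyone in the thread: it classifies a saved Trivy log and prints the remediation each class calls for. The sample logs are constructed from lines quoted in this issue; the class names and the `write_samples` helper are assumptions.

```shell
#!/bin/sh
# Added example (not Trivy project code): triage a failed `trivy image` log.
set -eu

# Classify a log file. Order matters: a scan that stalled on search.maven.org
# usually ends with "context deadline exceeded" as well, so the upstream cause
# is checked before the generic timeout.
classify_failure() {
    log=$1
    if grep -q 'Unable to initialize the Java DB' "$log"; then
        echo java-db-schema      # v0.37.2 schema change; cached Java DB must be reset
    elif grep -q 'search\.maven\.org' "$log"; then
        echo upstream-maven      # 504s / TLS timeouts from the JAR identification API
    elif grep -q 'context deadline exceeded' "$log"; then
        echo timeout             # --timeout expired; cause not visible in the log
    elif grep -q 'FATAL' "$log"; then
        echo other
    else
        echo ok
    fi
}

# Map a class to the action the thread settled on. Printed rather than
# executed, so the pipeline decides whether a retry is automatic.
remediation() {
    case $1 in
        java-db-schema) echo "run 'trivy image --reset', then rescan (v0.37.2 breaking change)" ;;
        upstream-maven) echo "rerun with --offline-scan, or upgrade to v0.37.2 or later (Java index DB, no search.maven.org calls)" ;;
        timeout)        echo "rerun with a larger --timeout, or --security-checks vuln to skip secret scanning" ;;
        other)          echo "inspect the FATAL line; not a known transient failure" ;;
        ok)             echo "no action" ;;
        *)              echo "unknown class: $1" >&2; return 1 ;;
    esac
}

# Constructed sample logs, one per class, built from lines quoted in this issue.
write_samples() {
    dir=$1
    cat > "$dir/maven.log" <<'EOF'
2023-01-13T07:41:27.790Z DEBUG retrying request {"request": "GET https://search.maven.org/solrsearch/select?q=g%3A%22org.apache%22+AND+a%3A%22javax.websocket%22&rows=1 (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-13T07:45:21.991Z WARN Increase --timeout value
2023-01-13T07:45:21.991Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded
EOF
    cat > "$dir/javadb.log" <<'EOF'
2023-02-09T23:59:38.633+0900 ERROR Unable to initialize the Java DB: Java DB open error: can't run auto migration for db
EOF
    cat > "$dir/timeout.log" <<'EOF'
2023-01-12T12:56:56.932Z WARN Increase --timeout value
2023-01-12T12:56:56.932Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded
EOF
    cat > "$dir/ok.log" <<'EOF'
2023-01-12T12:47:00.337Z INFO Vulnerability scanning is enabled
EOF
}

# Usage: ./triage.sh path/to/trivy.log   (no argument: only define the functions)
if [ "${1:-}" != "" ]; then
    class=$(classify_failure "$1")
    echo "$class: $(remediation "$class")"
fi
```

Running it on the maven sample prints `upstream-maven: rerun with --offline-scan, ...`, which is the distinction that matters for a retry policy: a `timeout` class may simply need more time, whereas `upstream-maven` will keep failing until the scan stops depending on the external API.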

@VictorDelCampo

@knqyf263 please urgently update the trivy-action as well with this new version. This is a big breaking change in our pipeline since you released trivy v0.37.2

@flaxel

flaxel commented Feb 10, 2023

@knqyf263 please urgently update the trivy-action as well with this new version. This is a big breaking change in our pipeline since you released trivy v0.37.2

I already created a PR for it and am waiting for approval so that the pipeline is running. 😆

@maltewhiite

maltewhiite commented Mar 1, 2023

What about people using "skip-update" in an off-line environment?

db:
  # We are air-gapped
  skip-update: true 

Edit: Oh.. Apparently we now also need to download a separate "Java index database"....

https://aquasecurity.github.io/trivy/v0.37/docs/advanced/air-gap/#download-the-java-index-database1
