
Scans failed & giving "not a valid zip file" error #3760

Closed
angularprojects4all opened this issue Mar 3, 2023 · 11 comments · Fixed by #3773

@angularprojects4all

I think we are losing the basic scan feature here; as of 0.38.0 / 0.38.1 we are
facing an issue with Python (and/or Java) based Docker images.

The issue remains the same irrespective of the options --offline-scan (and/or) --scanners vuln

2023-03-03T08:44:43.816Z INFO Vulnerability scanning is enabled
2023-03-03T08:44:43.816Z INFO Secret scanning is enabled
2023-03-03T08:44:43.816Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-03T08:44:43.816Z INFO Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection

2023-03-03T08:44:49.420Z        INFO    JAR files found
2023-03-03T08:44:49.422Z        INFO    Analyzing JAR files takes a while...
2023-03-03T08:44:49.601Z        FATAL   image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer (sha256:125335cc58b0044b35fab83684d58e6ce76dd9f466af964e859fbe7bad8e5eea): post analysis error: post analysis error: walk dir error: on file: jar/war/ear/par parse error: zip error: zip: not a valid zip file

Can you help with this?

@angularprojects4all angularprojects4all added the kind/bug Categorizes issue or PR as related to a bug. label Mar 3, 2023
@angularprojects4all (Author) commented Mar 3, 2023

The --debug option produced the output below:

2023-03-03T09:46:28.450Z        FATAL   image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:427
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:660
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:139
  - failed to analyze layer (sha256:e7094ea78db515d46b1340130d00c19c182a675aef4a993cf8917f4170e2e2d2):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:242
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:320
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:483
  - walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:91
  - on file:
    github.com/aquasecurity/trivy/pkg/parallel.walk[...]
        /home/runner/work/trivy/trivy/pkg/parallel/walk.go:97
  - jar/war/ear/par parse error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze.func2
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:75
  - zip error:
    github.com/aquasecurity/go-dep-parser/pkg/java/jar.(*Parser).parseArtifact
        /home/runner/go/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230228091112-63a15cdc6bc3/pkg/java/jar/parse.go:82
  - zip: not a valid zip file

@lucassaldanha

We started to see the same issue in our CI setup. It started happening on v0.38.0 (it was working fine with v0.37.3).

Example: https://app.circleci.com/pipelines/github/ConsenSys/teku/24065/workflows/2e729ece-47fa-4a51-98da-81b64a72f5fc/jobs/174786

@knqyf263 (Collaborator) commented Mar 6, 2023

@DmitriyLewen Can we prioritize this issue?

@DmitriyLewen (Contributor)

Hello @angularprojects4all, @lucassaldanha

Thanks a lot @lucassaldanha for your example!

I investigated your image and found a strange case - the image contains directories with *.jar names.
I created #3773 to skip those directories.

@angularprojects4all, @josephkishan can you check this case on your image?

Regards, Dmitriy!
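To make the failure mode concrete, here is an added illustration (not Trivy's or go-dep-parser's own code) of the check described above: a walker that only hands archive-named regular files to archive/zip and records, rather than parses, directories that merely carry a .jar/.war/.ear/.par name. The function and type names are hypothetical.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Extensions the analyzer treats as Java archives (those named in the error text).
var javaArchiveExts = map[string]bool{".jar": true, ".war": true, ".ear": true, ".par": true}

// WalkResult separates real archives from directories that merely carry an archive name.
type WalkResult struct {
	Archives    []string // regular files that opened as valid zip archives
	SkippedDirs []string // directories named *.jar/*.war/... that were not parsed
}

// WalkJavaArchives validates every archive-named regular file under root with archive/zip.
// Directory entries with archive-like names are recorded and skipped, not parsed as zip.
func WalkJavaArchives(root string) (WalkResult, error) {
	var res WalkResult
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !javaArchiveExts[filepath.Ext(d.Name())] {
			return walkErr
		}
		if d.IsDir() {
			res.SkippedDirs = append(res.SkippedDirs, path)
			return nil // keep descending: a real jar may live inside the directory
		}
		r, err := zip.OpenReader(path) // yields zip.ErrFormat ("not a valid zip file") on junk
		if err != nil {
			return fmt.Errorf("on file %s: jar/war/ear/par parse error: %w", path, err)
		}
		r.Close()
		res.Archives = append(res.Archives, path)
		return nil
	})
	return res, err
}

func main() {
	root := "." // pass an unpacked image rootfs as the first argument
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	res, err := WalkJavaArchives(root)
	fmt.Printf("archives=%v skipped=%v err=%v\n", res.Archives, res.SkippedDirs, err)
}
```

A regular file with an archive name but non-zip content still fails with zip.ErrFormat, so only the directory case is silenced.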

@josephkishan

Yes @DmitriyLewen, the same is happening in our case.

@DmitriyLewen (Contributor)

@josephkishan thanks for your answer!

After the PR is merged, you will be able to use the canary build (image or binary) before a new release.

@josephkishan

Thanks a lot, @DmitriyLewen, for your fast response; we will check once the PR is merged.

@josephkishan

@knqyf263 @DmitriyLewen, can we see this in the next release? If yes, can I know how much time the release may take?

@DmitriyLewen (Contributor) commented Mar 7, 2023

Hello @josephkishan

We will include these changes in the next release.
Information about the release of v0.39.0 is here.

This is the canary build (image or binary). You can use it until the next release.

@knqyf263 (Collaborator) commented Mar 7, 2023

We may cut v0.38.2 this week, but can't promise.

@josephkishan

👍 Thank you @knqyf263
