Trivy 0.42.0 crashes with "unsupported type bitnami" message #4566

Closed
afdesk opened this issue Jun 6, 2023 Discussed in #4562 · 4 comments · Fixed by #4577
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/sbom (Issues relating to SBOM)

Comments

@afdesk
Contributor

afdesk commented Jun 6, 2023

Discussed in #4562

Originally posted by elchenberg June 5, 2023

### Description

Trivy 0.42.0 crashes with "unsupported type bitnami" message when scanning the image `docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2`.

### Desired Behavior

No crash.

### Actual Behavior

Crash.

### Reproduction Steps

```bash
$ trivy version | head -n1
Version: 0.42.0

$ trivy image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2
2023-06-05T12:16:17.383+0200	INFO	Vulnerability scanning is enabled
2023-06-05T12:16:17.383+0200	INFO	Secret scanning is enabled
2023-06-05T12:16:17.383+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-05T12:16:17.383+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-05T12:16:18.775+0200	INFO	Detected OS: debian
2023-06-05T12:16:18.775+0200	INFO	Detecting Debian vulnerabilities...
2023-06-05T12:16:18.800+0200	INFO	Number of language-specific files: 1
2023-06-05T12:16:18.800+0200	INFO	Detecting bitnami vulnerabilities...
2023-06-05T12:16:18.800+0200	FATAL	image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to initialize a driver: unsupported type bitnami
```


### Target

Container Image

### Scanner

None

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
$ trivy image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2 --debug
2023-06-05T12:28:39.197+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-05T12:28:39.208+0200	DEBUG	cache dir:  /home/$USERNAME/.cache/trivy
2023-06-05T12:28:39.208+0200	DEBUG	There is no valid metadata file: unable to open a file: open /home/helgeeichelberg/.cache/trivy/db/metadata.json: no such file or directory
2023-06-05T12:28:39.208+0200	INFO	Need to update DB
2023-06-05T12:28:39.208+0200	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-05T12:28:39.208+0200	INFO	Downloading DB...
2023-06-05T12:28:39.208+0200	DEBUG	no metadata file
37.36 MiB / 37.36 MiB [-------------------------------------------------------------------------------------] 100.00% 5.65 MiB p/s 6.8s
2023-06-05T12:28:46.907+0200	DEBUG	Updating database metadata...
2023-06-05T12:28:46.907+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-06-05 06:08:14.618801312 +0000 UTC, NextUpdate: 2023-06-05 12:08:14.618800712 +0000 UTC, DownloadedAt: 2023-06-05 10:28:46.907497592 +0000 UTC
2023-06-05T12:28:46.907+0200	INFO	Vulnerability scanning is enabled
2023-06-05T12:28:46.907+0200	DEBUG	Vulnerability type:  [os library]
2023-06-05T12:28:46.907+0200	INFO	Secret scanning is enabled
2023-06-05T12:28:46.907+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-05T12:28:46.907+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-05T12:28:48.036+0200	DEBUG	No secret config detected: trivy-secret.yaml
2023-06-05T12:28:48.333+0200	DEBUG	Image ID: sha256:11bd5852655ef13a59af279e1574e5a57f9d76b72eab270581f755a55d095fd5
2023-06-05T12:28:48.333+0200	DEBUG	Diff IDs: [sha256:c38d7c6f14f7ac58167166952d65facfa188098f77173c54febef4c4aae32e36]
2023-06-05T12:28:48.333+0200	DEBUG	Base Layers: []
2023-06-05T12:28:48.333+0200	DEBUG	Missing image ID in cache: sha256:11bd5852655ef13a59af279e1574e5a57f9d76b72eab270581f755a55d095fd5
2023-06-05T12:28:48.333+0200	DEBUG	Missing diff ID in cache: sha256:c38d7c6f14f7ac58167166952d65facfa188098f77173c54febef4c4aae32e36
2023-06-05T12:28:50.177+0200	DEBUG	Analysis error: SBOM decode error: failed to decode: failed to unmarshal spdx: failed to parse package: external references error: failed to parse purl from string: failed to parse purl(purl:bitnami/erlang@25.3.2): scheme is missing
2023-06-05T12:28:59.915+0200	DEBUG	Skipping directory: sys
2023-06-05T12:28:59.915+0200	DEBUG	Skipping directory: dev
2023-06-05T12:29:02.987+0200	DEBUG	Skipping directory: proc
2023-06-05T12:29:03.161+0200	DEBUG	No secrets found in container image config
2023-06-05T12:29:03.167+0200	INFO	Detected OS: debian
2023-06-05T12:29:03.167+0200	INFO	Detecting Debian vulnerabilities...
2023-06-05T12:29:03.167+0200	DEBUG	debian: os version: 11
2023-06-05T12:29:03.167+0200	DEBUG	debian: the number of packages: 111
2023-06-05T12:29:03.193+0200	INFO	Number of language-specific files: 1
2023-06-05T12:29:03.193+0200	INFO	Detecting bitnami vulnerabilities...
2023-06-05T12:29:03.193+0200	DEBUG	Detecting library vulnerabilities, type: bitnami, path: opt/bitnami/rabbitmq/bin/rabbitmq
2023-06-05T12:29:03.194+0200	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:426
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:268
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:683
  - scan failed:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:154
  - failed to detect vulnerabilities:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:102
  - failed to scan application libraries:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:189
  - failed vulnerability detection of libraries:
    github.com/aquasecurity/trivy/pkg/scanner/langpkg.(*scanner).Scan
        /home/runner/work/trivy/trivy/pkg/scanner/langpkg/scan.go:80
  - failed to initialize a driver:
    github.com/aquasecurity/trivy/pkg/detector/library.Detect
        /home/runner/work/trivy/trivy/pkg/detector/library/detect.go:19
  - unsupported type bitnami:
    github.com/aquasecurity/trivy/pkg/detector/library.NewDriver
        /home/runner/work/trivy/trivy/pkg/detector/library/driver.go:72
```

### Operating System

Ubuntu 20

### Version

```bash
Version: 0.42.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-05 06:08:14.618801312 +0000 UTC
  NextUpdate: 2023-06-05 12:08:14.618800712 +0000 UTC
  DownloadedAt: 2023-06-05 08:48:12.274325097 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-06-05 00:55:01.046797024 +0000 UTC
  NextUpdate: 2023-06-08 00:55:01.046796423 +0000 UTC
  DownloadedAt: 2023-06-05 08:58:54.678190662 +0000 UTC
Policy Bundle:
  Digest: sha256:2f95caeff50df1f00efdf5cb619c3b5488bbbb9bb08ef0890f52352464d35c79
  DownloadedAt: 2023-04-03 06:43:06.135944368 +0000 UTC
```

### Checklist

- [X] Run `trivy --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)

afdesk added the kind/bug label Jun 6, 2023
knqyf263 added the scan/sbom label Jun 6, 2023
afdesk self-assigned this Jun 7, 2023

@carrodher

Thanks for the quick fix! Just curious, why does this happen with some images but not with others? I was able to reproduce the issue using `trivy image bitnami/rabbitmq` and `trivy image bitnami/postgresql`, but not using `trivy image bitnami/aws-cli` or `trivy image bitnami/wordpress`.

In the same way, what would be needed so that the "bitnami library type" is supported instead of showing the warning and ignoring it?

```bash
2023-06-07T12:23:37.587+0600	WARN	The bitnami library type is not supported. Skipping vulnerability detection
```

@afdesk
Contributor Author

afdesk commented Jun 7, 2023

@carrodher some Bitnami images contain SBOM files with the type bitnami, which isn't accepted in purl-spec yet:
https://github.com/package-url/purl-spec/pull/231/files

@afdesk
Contributor Author

afdesk commented Jun 7, 2023

@carrodher The bitnami type will be added when we add support for the Bitnami vulndb.
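
An added Go example, not Trivy's code and not part of this thread, of the failure mode discussed in the two replies above: an SBOM package URL whose type has no vulnerability driver either aborts the whole scan or is skipped with a visible warning. `supported`, `purlType` and `Scan` are hypothetical names, the purl list is constructed, and the messages are modelled on the log lines quoted in this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// supported is a constructed stand-in for ecosystems that have advisory data.
var supported = map[string]bool{"npm": true, "pypi": true, "golang": true}

// purlType returns the type of a package URL "pkg:<type>/<name>@<version>".
func purlType(purl string) (string, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", fmt.Errorf("failed to parse purl(%s): scheme is missing", purl)
	}
	parts := strings.SplitN(strings.TrimLeft(purl[len("pkg:"):], "/"), "/", 2)
	if len(parts) != 2 || parts[0] == "" {
		return "", fmt.Errorf("failed to parse purl(%s): type is missing", purl)
	}
	return strings.ToLower(parts[0]), nil
}

// Scan returns the purls handed to a driver and the warnings for skipped ones.
// strict=true aborts on the first unsupported type; strict=false warns and continues.
func Scan(purls []string, strict bool) (scanned, warnings []string, err error) {
	for _, p := range purls {
		typ, perr := purlType(p)
		switch {
		case perr != nil: // malformed reference: skip it, keep the reason
			warnings = append(warnings, perr.Error())
		case !supported[typ] && strict: // one unknown ecosystem ends the scan
			return nil, nil, fmt.Errorf("failed to initialize a driver: unsupported type %s", typ)
		case !supported[typ]: // coverage gap stays visible to the operator
			warnings = append(warnings, "The "+typ+" library type is not supported. Skipping vulnerability detection")
		default:
			scanned = append(scanned, p)
		}
	}
	return scanned, warnings, nil
}

func main() {
	// Constructed sample input, modelled on the purls quoted in this thread.
	purls := []string{"purl:bitnami/erlang@25.3.2", "pkg:bitnami/erlang@25.3.2", "pkg:npm/lodash@4.17.21"}
	_, _, err := Scan(purls, true)
	fmt.Println("strict:", err)
	scanned, warnings, _ := Scan(purls, false)
	fmt.Println("lenient:", scanned, warnings)
}
```

In a pipeline that gates on scan results, the warnings returned in lenient mode should be reported alongside the findings, since a skipped ecosystem means those packages were not checked at all.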

@carrodher

Nice, thanks for the info, happy to help if there is something we can do on our side. Thanks again!
