You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Trivy 0.42.0 crashes with "unsupported type bitnami" message when scanning the image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2.
Desired Behavior
No crash.
Actual Behavior
Crash.
Reproduction Steps
$ trivy version | head -n1
Version: 0.42.0
$ trivy image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2
2023-06-05T12:16:17.383+0200 INFO Vulnerability scanning is enabled
2023-06-05T12:16:17.383+0200 INFO Secret scanning is enabled
2023-06-05T12:16:17.383+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-05T12:16:17.383+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-05T12:16:18.775+0200 INFO Detected OS: debian
2023-06-05T12:16:18.775+0200 INFO Detecting Debian vulnerabilities...
2023-06-05T12:16:18.800+0200 INFO Number of language-specific files: 1
2023-06-05T12:16:18.800+0200 INFO Detecting bitnami vulnerabilities...
2023-06-05T12:16:18.800+0200 FATAL image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to initialize a driver: unsupported type bitnami
### Target
Container Image
### Scanner
None
### Output Format
None
### Mode
Standalone
### Debug Output
```bash
$ trivy image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2 --debug
2023-06-05T12:28:39.197+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-05T12:28:39.208+0200 DEBUG cache dir: /home/$USERNAME/.cache/trivy
2023-06-05T12:28:39.208+0200 DEBUG There is no valid metadata file: unable to open a file: open /home/helgeeichelberg/.cache/trivy/db/metadata.json: no such file or directory
2023-06-05T12:28:39.208+0200 INFO Need to update DB
2023-06-05T12:28:39.208+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-05T12:28:39.208+0200 INFO Downloading DB...
2023-06-05T12:28:39.208+0200 DEBUG no metadata file
37.36 MiB / 37.36 MiB [-------------------------------------------------------------------------------------] 100.00% 5.65 MiB p/s 6.8s
2023-06-05T12:28:46.907+0200 DEBUG Updating database metadata...
2023-06-05T12:28:46.907+0200 DEBUG DB Schema: 2, UpdatedAt: 2023-06-05 06:08:14.618801312 +0000 UTC, NextUpdate: 2023-06-05 12:08:14.618800712 +0000 UTC, DownloadedAt: 2023-06-05 10:28:46.907497592 +0000 UTC
2023-06-05T12:28:46.907+0200 INFO Vulnerability scanning is enabled
2023-06-05T12:28:46.907+0200 DEBUG Vulnerability type: [os library]
2023-06-05T12:28:46.907+0200 INFO Secret scanning is enabled
2023-06-05T12:28:46.907+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-05T12:28:46.907+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-05T12:28:48.036+0200 DEBUG No secret config detected: trivy-secret.yaml
2023-06-05T12:28:48.333+0200 DEBUG Image ID: sha256:11bd5852655ef13a59af279e1574e5a57f9d76b72eab270581f755a55d095fd5
2023-06-05T12:28:48.333+0200 DEBUG Diff IDs: [sha256:c38d7c6f14f7ac58167166952d65facfa188098f77173c54febef4c4aae32e36]
2023-06-05T12:28:48.333+0200 DEBUG Base Layers: []
2023-06-05T12:28:48.333+0200 DEBUG Missing image ID in cache: sha256:11bd5852655ef13a59af279e1574e5a57f9d76b72eab270581f755a55d095fd5
2023-06-05T12:28:48.333+0200 DEBUG Missing diff ID in cache: sha256:c38d7c6f14f7ac58167166952d65facfa188098f77173c54febef4c4aae32e36
2023-06-05T12:28:50.177+0200 DEBUG Analysis error: SBOM decode error: failed to decode: failed to unmarshal spdx: failed to parse package: external references error: failed to parse purl from string: failed to parse purl(purl:bitnami/erlang@25.3.2): scheme is missing
2023-06-05T12:28:59.915+0200 DEBUG Skipping directory: sys
2023-06-05T12:28:59.915+0200 DEBUG Skipping directory: dev
2023-06-05T12:29:02.987+0200 DEBUG Skipping directory: proc
2023-06-05T12:29:03.161+0200 DEBUG No secrets found in container image config
2023-06-05T12:29:03.167+0200 INFO Detected OS: debian
2023-06-05T12:29:03.167+0200 INFO Detecting Debian vulnerabilities...
2023-06-05T12:29:03.167+0200 DEBUG debian: os version: 11
2023-06-05T12:29:03.167+0200 DEBUG debian: the number of packages: 111
2023-06-05T12:29:03.193+0200 INFO Number of language-specific files: 1
2023-06-05T12:29:03.193+0200 INFO Detecting bitnami vulnerabilities...
2023-06-05T12:29:03.193+0200 DEBUG Detecting library vulnerabilities, type: bitnami, path: opt/bitnami/rabbitmq/bin/rabbitmq
2023-06-05T12:29:03.194+0200 FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:426
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:268
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:683
- scan failed:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:154
- failed to detect vulnerabilities:
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan
/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:102
- failed to scan application libraries:
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities
/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:189
- failed vulnerability detection of libraries:
github.com/aquasecurity/trivy/pkg/scanner/langpkg.(*scanner).Scan
/home/runner/work/trivy/trivy/pkg/scanner/langpkg/scan.go:80
- failed to initialize a driver:
github.com/aquasecurity/trivy/pkg/detector/library.Detect
/home/runner/work/trivy/trivy/pkg/detector/library/detect.go:19
- unsupported type bitnami:
github.com/aquasecurity/trivy/pkg/detector/library.NewDriver
/home/runner/work/trivy/trivy/pkg/detector/library/driver.go:72
### Operating System
Ubuntu 20
### Version
```bash
Version: 0.42.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-06-05 06:08:14.618801312 +0000 UTC
NextUpdate: 2023-06-05 12:08:14.618800712 +0000 UTC
DownloadedAt: 2023-06-05 08:48:12.274325097 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-06-05 00:55:01.046797024 +0000 UTC
NextUpdate: 2023-06-08 00:55:01.046796423 +0000 UTC
DownloadedAt: 2023-06-05 08:58:54.678190662 +0000 UTC
Policy Bundle:
Digest: sha256:2f95caeff50df1f00efdf5cb619c3b5488bbbb9bb08ef0890f52352464d35c79
DownloadedAt: 2023-04-03 06:43:06.135944368 +0000 UTC
Thanks for the quick fix! Just curious, why this happens just with some images but not in others? I was able to reproduce the issue using trivy image bitnami/rabbitmq and trivy image bitnami/postgresql but not using trivy image bitnami/aws-cli or trivy image bitnami/wordpress.
In the same way, what should be needed so the "bitnami library type" is supported instead of showing the warning and ignoring it?
2023-06-07T12:23:37.587+0600 WARN The bitnami library type is not supported. Skipping vulnerability detection
Discussed in #4562
Originally posted by elchenberg June 5, 2023
Description
Trivy 0.42.0 crashes with "unsupported type bitnami" message when scanning the image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2.
Desired Behavior
No crash.
Actual Behavior
Crash.
Reproduction Steps
The text was updated successfully, but these errors were encountered: