Description
Discussed in #8541
Originally posted by Nameisjohn247 March 12, 2025
Description
While scanning for k8s (EKS cluster) with --disable-node-collector, trivy fails with the below error:
trivy k8s --cache-dir /Users/test/Library/Caches/trivy --timeout 2h --disable-node-collector --scanners=misconfig --severity=HIGH --report=all --debug --format json --output test-cluster-result.json
panic: runtime error: slice bounds out of range [::631757198] with length 268435455
goroutine 1 [running]:
go.etcd.io/bbolt/internal/common.UnsafeByteSlice(...)
go.etcd.io/bbolt@v1.4.0/internal/common/unsafe.go:26
go.etcd.io/bbolt/internal/common.WriteInodeToPage({0x1400d744340?, 0x1, 0x6?}, 0x14125538000)
go.etcd.io/bbolt@v1.4.0/internal/common/inode.go:81 +0x288
go.etcd.io/bbolt.(*node).write(0x1400748c000?, 0x96a0?)
go.etcd.io/bbolt@v1.4.0/node.go:199 +0xa0
go.etcd.io/bbolt.(*node).spill(0x1406236c0e0)
go.etcd.io/bbolt@v1.4.0/node.go:334 +0x1dc
go.etcd.io/bbolt.(*Bucket).spill(0x1400d744000)
go.etcd.io/bbolt@v1.4.0/bucket.go:786 +0x278
go.etcd.io/bbolt.(*Bucket).spill(0x1400748c018)
go.etcd.io/bbolt@v1.4.0/bucket.go:753 +0xc0
go.etcd.io/bbolt.(*Tx).Commit(0x1400748c000)
go.etcd.io/bbolt@v1.4.0/tx.go:204 +0x260
go.etcd.io/bbolt.(*DB).Update(0x109109be0?, 0x1406efc0ff0)
go.etcd.io/bbolt@v1.4.0/db.go:915 +0xc4
github.com/aquasecurity/trivy/pkg/cache.FSCache.PutBlob({_, {_, _}}, {_, _}, {0x2, {0x0, 0x0}, {0x0, 0x0}, ...})
github.com/aquasecurity/trivy/pkg/cache/fs.go:88 +0x10c
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x1401e368e10, 0x43}, 0x1400267cb70, {0x1333e6908, 0x140252ebe18}, {0x109248b60, 0x10cc26da8}, {0x14010d8e620, {0x14003e0ce00, 0x1e, ...}, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:227 +0x80c
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x1400017c0c0, 0x2, 0x2}, {0x140013d3c80, ...}, ...})
github.com/aquasecurity/trivy/pkg/scanner/scan.go:156 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:627 +0x2ec
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:259 +0x9c
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:204 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:184 +0x1b8
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).scanMisconfigs(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a98c000?, 0x1fc4, 0x0?})
github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:178 +0x174
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).Scan(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:88 +0x4b4
github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run(0x1406efcb8f0, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:90 +0x450
github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun({_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, {0x16dd6b926, ...}, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:59 +0x434
github.com/aquasecurity/trivy/pkg/k8s/commands.Run({_, _}, {_, _, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, ...}, ...})
github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:49 +0x30c
github.com/aquasecurity/trivy/pkg/commands.NewKubernetesCommand.func2(0x14001398008, {0x14001486a90, 0x0, 0xd})
github.com/aquasecurity/trivy/pkg/commands/app.go:1050 +0x188
github.com/spf13/cobra.(*Command).execute(0x14001398008, {0x140014869c0, 0xd, 0xd})
github.com/spf13/cobra@v1.9.1/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x140010ecc08)
github.com/spf13/cobra@v1.9.1/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x106c8fb76?)
github.com/spf13/cobra@v1.9.1/command.go:1071 +0x1c
main.run()
github.com/aquasecurity/trivy/cmd/trivy/main.go:45 +0x124
main.main()
github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20
Desired Behavior
Perform scan successfully
Actual Behavior
panic: runtime error: slice bounds out of range
Reproduction Steps
1. Have the AWS creds and EKS cluster context set
2. Run trivy using trivy k8s --cache-dir /Users/test/Library/Caches/trivy --timeout 2h --disable-node-collector --scanners=misconfig --severity=HIGH --report=all --debug --format json --output test-cluster-result.json
3. The scan starts but throws an error after some time
...
Target
Kubernetes
Scanner
Misconfiguration
Output Format
JSON
Mode
Standalone
Debug Output
trivy k8s --cache-dir /Users/test/Library/Caches/trivy --timeout 2h --disable-node-collector --scanners=misconfig --severity=HIGH --report=all --debug --format json --output test-cluster-result.json
2025-03-13T06:16:15+05:30 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-03-13T06:16:15+05:30 DEBUG Cache dir dir="/Users/test/Library/Caches/trivy"
2025-03-13T06:16:15+05:30 DEBUG Cache dir dir="/Users/test/Library/Caches/trivy"
2025-03-13T06:16:15+05:30 DEBUG Parsed severities severities=[HIGH]
2025-03-13T06:16:15+05:30 DEBUG Ignore statuses statuses=[]
2025-03-13T06:22:36+05:30 INFO Scanning K8s... K8s="test@test-cluster"
163.77 KiB / 163.77 KiB [--------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.10 MiB p/s 300ms
panic: runtime error: slice bounds out of range [::631757198] with length 268435455
goroutine 1 [running]:
go.etcd.io/bbolt/internal/common.UnsafeByteSlice(...)
go.etcd.io/bbolt@v1.4.0/internal/common/unsafe.go:26
go.etcd.io/bbolt/internal/common.WriteInodeToPage({0x1400d744340?, 0x1, 0x6?}, 0x14125538000)
go.etcd.io/bbolt@v1.4.0/internal/common/inode.go:81 +0x288
go.etcd.io/bbolt.(*node).write(0x1400748c000?, 0x96a0?)
go.etcd.io/bbolt@v1.4.0/node.go:199 +0xa0
go.etcd.io/bbolt.(*node).spill(0x1406236c0e0)
go.etcd.io/bbolt@v1.4.0/node.go:334 +0x1dc
go.etcd.io/bbolt.(*Bucket).spill(0x1400d744000)
go.etcd.io/bbolt@v1.4.0/bucket.go:786 +0x278
go.etcd.io/bbolt.(*Bucket).spill(0x1400748c018)
go.etcd.io/bbolt@v1.4.0/bucket.go:753 +0xc0
go.etcd.io/bbolt.(*Tx).Commit(0x1400748c000)
go.etcd.io/bbolt@v1.4.0/tx.go:204 +0x260
go.etcd.io/bbolt.(*DB).Update(0x109109be0?, 0x1406efc0ff0)
go.etcd.io/bbolt@v1.4.0/db.go:915 +0xc4
github.com/aquasecurity/trivy/pkg/cache.FSCache.PutBlob({_, {_, _}}, {_, _}, {0x2, {0x0, 0x0}, {0x0, 0x0}, ...})
github.com/aquasecurity/trivy/pkg/cache/fs.go:88 +0x10c
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x1401e368e10, 0x43}, 0x1400267cb70, {0x1333e6908, 0x140252ebe18}, {0x109248b60, 0x10cc26da8}, {0x14010d8e620, {0x14003e0ce00, 0x1e, ...}, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:227 +0x80c
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x1400017c0c0, 0x2, 0x2}, {0x140013d3c80, ...}, ...})
github.com/aquasecurity/trivy/pkg/scanner/scan.go:156 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:627 +0x2ec
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:259 +0x9c
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:204 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:184 +0x1b8
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).scanMisconfigs(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a98c000?, 0x1fc4, 0x0?})
github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:178 +0x174
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).Scan(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:88 +0x4b4
github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run(0x1406efcb8f0, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:90 +0x450
github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun({_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, {0x16dd6b926, ...}, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:59 +0x434
github.com/aquasecurity/trivy/pkg/k8s/commands.Run({_, _}, {_, _, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, ...}, ...})
github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:49 +0x30c
github.com/aquasecurity/trivy/pkg/commands.NewKubernetesCommand.func2(0x14001398008, {0x14001486a90, 0x0, 0xd})
github.com/aquasecurity/trivy/pkg/commands/app.go:1050 +0x188
github.com/spf13/cobra.(*Command).execute(0x14001398008, {0x140014869c0, 0xd, 0xd})
github.com/spf13/cobra@v1.9.1/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x140010ecc08)
github.com/spf13/cobra@v1.9.1/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x106c8fb76?)
github.com/spf13/cobra@v1.9.1/command.go:1071 +0x1c
main.run()
github.com/aquasecurity/trivy/cmd/trivy/main.go:45 +0x124
main.main()
github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20
Operating System
macOS Sonoma
Version
trivy --version
Version: 0.60.0
Check Bundle:
Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
DownloadedAt: 2025-03-13 00:52:48.612847 +0000 UTC
Checklist
- Run trivy clean --all
- Read the troubleshooting