
Trivy vulnerability DB does not download #15761

robert-hermanson opened this issue Oct 12, 2021 · 2 comments (Closed)

Steps to reproduce the problem:
I installed Harbor 2.3.3, uploaded a nice image and triggered a scan through the user interface.

Later, I saw this in the log:

2021-10-12T00:00:07.380Z	INFO	Need to update DB
2021-10-12T00:00:07.380Z	INFO	Downloading DB...
2021-10-12T00:00:17.387Z	FATAL	DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:39070->127.0.0.11:53: i/o timeout
: general response handler: unexpected status code: 500, expected: 200: check scan report with mime type application/vnd.security.vulnerability.report; version=1.1: running trivy wrapper: running trivy: exit status 1: 2021-10-12T00:00:07.380Z	INFO	Need to update DB
2021-10-12T00:00:07.380Z	INFO	Downloading DB...
2021-10-12T00:00:17.387Z	FATAL	DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:39070->127.0.0.11:53: i/o timeout
: general response handler: unexpected status code: 500, expected: 200

I exec'ed into the container and tried to curl:

$ docker exec -it trivy-adapter bash
scanner [ / ]$ curl https://api.github.com/repos/aquasecurity/trivy-db/releases
curl: (6) Could not resolve host: api.github.com

Then I tried updating /etc/resolv.conf in the container as root.

$ docker exec -u 0 -it trivy-adapter bash
root [ / ]# echo "nameserver 127.0.0.11
> nameserver 78.129.140.65
> options edns0 ndots:0" > /etc/resolv.conf

I triggered the scan again through the UI and it succeeded.

So I conclude that trivy-adapter-photon:v2.3.3 maybe has some dns configuration issue. How is this supposed to work normally? What did I do wrong?

Versions:

  • harbor version: 2.3.3
  • docker engine version: 20.10.8
  • docker-compose version: 1.25.5
danielpacak (Contributor) commented Oct 12, 2021

It's a Docker DNS config or firewall issue. Trivy scanner requires an internet connection to periodically download the vulnerability database from GitHub to show up-to-date risks.

Instead of exec-ing into the trivy-adapter container as root or trying other undocumented hacks, just add DNS in the docker-compose.yml created by the Harbor installer.

NOTE This is just an example configuration. Adjust IP addresses accordingly.

version: '2'
services:
  trivy-adapter:
    dns:
      - 8.8.8.8
      - 192.168.1.1

Alternatively, configure Docker daemon to use the same DNS server as host operating system. How to do that is version / OS specific, but is also well documented on https://docs.docker.com/config/containers/container-networking/#dns-services
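The two fixes above (a per-service `dns:` list in the compose file, or a `dns` list in the daemon's `/etc/docker/daemon.json`) and the log pattern that identifies the problem, as an added Python example for this thread. It is not Harbor, Trivy or Docker code. It recognises the Go resolver error from the issue's log (`lookup <host> on 127.0.0.11:53 ... i/o timeout`, where 127.0.0.11 is Docker's embedded DNS forwarding to the daemon's upstream servers), and patches either configuration file without needing a YAML library. The compose fragment is constructed for the demo; the function and file names are the example's own.

```python
"""Diagnose and fix the Docker DNS failure behind Harbor's
"failed to download vulnerability DB" error.

Added example for this thread; not Harbor, Trivy or Docker code. The sample
compose file is constructed; the sample log line is the one quoted in the issue.
"""
import json
import re

# Trivy colours the log level with ANSI escapes; strip them before matching.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

# Go's net package reports resolver failures as
#   lookup <host> on <server>:53: ... i/o timeout   (or "no such host")
# 127.0.0.11 as <server> is Docker's embedded DNS, which forwards to the
# daemon's configured upstreams; a timeout there means no usable upstream.
LOOKUP_RE = re.compile(r"lookup (?P<host>[\w.-]+) on (?P<server>\S+?):53:")
DNS_ERRORS = ("i/o timeout", "no such host", "server misbehaving")


def dns_failure(log_text):
    """Return (host, resolver) when the log shows a DNS lookup failure, else None."""
    clean = ANSI_RE.sub("", log_text)
    m = LOOKUP_RE.search(clean)
    if m is None:
        return None
    rest = clean[m.end():].split("\n", 1)[0]  # remainder of that log line
    if any(err in rest for err in DNS_ERRORS):
        return m.group("host"), m.group("server")
    return None


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def add_dns_to_compose(compose_text, service, servers):
    """Insert (or replace) a `dns:` list under `service` in a compose file.

    Line-based, so no YAML library is needed. Assumes consistent space
    indentation and the service written as `<service>:` on its own line under
    `services:`, as in Harbor's generated docker-compose.yml.
    """
    lines = compose_text.splitlines()
    out, i, n = [], 0, len(lines)
    in_services = found = False
    while i < n:
        line = lines[i]
        key, ind = line.strip(), _indent(line)
        if ind == 0 and key.endswith(":"):
            in_services = key == "services:"
        if not (in_services and ind > 0 and key == f"{service}:"):
            out.append(line)
            i += 1
            continue
        found = True
        out.append(line)
        i += 1
        # Child keys sit at the indentation of the first non-blank line below.
        j = i
        while j < n and not lines[j].strip():
            j += 1
        child = _indent(lines[j]) if j < n and _indent(lines[j]) > ind else ind + 2
        pad = " " * child
        out.append(pad + "dns:")
        out.extend(pad + "  - " + s for s in servers)
        # Copy the rest of this service, dropping any dns: it already had.
        while i < n:
            cur = lines[i]
            ck, ci = cur.strip(), _indent(cur)
            if ck and ci <= ind:
                break                       # next service or top-level key
            if ci == child and ck.startswith("dns:"):
                i += 1                      # skip old dns: (inline or block form)
                while i < n and (not lines[i].strip() or _indent(lines[i]) > child):
                    i += 1
                continue
            out.append(cur)
            i += 1
    if not found:
        raise ValueError(f"service {service!r} not found under services:")
    return "\n".join(out) + "\n"


def add_dns_to_daemon_json(text, servers):
    """Merge a top-level "dns" list into /etc/docker/daemon.json content."""
    cfg = json.loads(text) if text.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must hold a JSON object")
    cfg["dns"] = list(servers)
    return json.dumps(cfg, indent=2) + "\n"


# Log line quoted in the issue (escapes restored) and a constructed compose file.
SAMPLE_LOG = (
    "2021-10-12T00:00:17.387Z\t\x1b[31mFATAL\x1b[0m\tDB error: failed to download "
    'vulnerability DB: failed to list releases: Get "https://api.github.com/repos/'
    'aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on '
    "127.0.0.11:53: read udp 127.0.0.1:39070->127.0.0.11:53: i/o timeout\n"
)
SAMPLE_COMPOSE = """\
version: '2.3'
services:
  trivy-adapter:
    container_name: trivy-adapter
    image: goharbor/trivy-adapter-photon:v2.3.3
    networks:
      - harbor-trivy
networks:
  harbor-trivy:
    external: false
"""

if __name__ == "__main__":
    print(dns_failure(SAMPLE_LOG))
    print(add_dns_to_compose(SAMPLE_COMPOSE, "trivy-adapter", ["8.8.8.8", "192.168.1.1"]))
    print(add_dns_to_daemon_json('{"log-driver": "json-file"}', ["8.8.8.8", "192.168.1.1"]))
```

Either fix needs a restart to take effect: `docker-compose up -d` after editing the compose file, or a Docker daemon restart after editing daemon.json. The compose route only changes the trivy-adapter container, which is the only Harbor service that needs outbound DNS for the DB download; the daemon.json route changes the default for every container on the host. Running the compose patch twice is safe, since an existing `dns:` block is replaced rather than duplicated.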

robert-hermanson (Author) commented

Thanks @danielpacak . That worked for me.
