Trivy Syntax change Incorrect Usage. flag provided but not defined after upgrade to 2.4.2 #16554

Closed
Krumbelfix opened this issue Mar 18, 2022 · 5 comments · Fixed by #16729
@Krumbelfix
If you are reporting a problem, please make sure the following information is provided:

Expected behavior and actual behavior:
After upgrading Harbor from v2.2.2 to 2.4.2 the Trivy scanner shows the following in the log:

Mar 17 15:37:48 172.18.0.1 trivy-adapter[2107]: {"error":"running trivy: exit status 1: Incorrect Usage. flag provided but not defined: -format\n\n NAME:\n
   trivy - A simple and comprehensive vulnerability scanner for containers\n\n USAGE:\n
   trivy [global options] command [command options] target\n\n
VERSION:\n   0.24.2\n\n

COMMANDS:\n
   image, i          scan an image\n
   filesystem, fs    scan local filesystem for language-specific dependencies and config files\n
   rootfs            scan rootfs\n
   repository, repo  scan remote repository\n
   client, c         client mode\n
   server, s         server mode\n
   config, conf      scan config files\n
   plugin, p         manage plugins\n
   help, h           Shows a list of commands or help for one command\n\n

GLOBAL OPTIONS:\n
   --quiet, -q        suppress progress bar and log output (default: false) [$TRIVY_QUIET]\n
   --debug, -d        debug mode (default: false) [$TRIVY_DEBUG]\n
   --cache-dir value  cache directory (default: \"/home/scanner/.cache/trivy\") [$TRIVY_CACHE_DIR]\n
   --help, -h         show help (default: false)\n
   --version, -v      print the version (default: false)\n

I found the following issue, maybe it's related:
aquasecurity/trivy#1656

Steps to reproduce the problem:
Update harbor (trivy) from 2.2.2 to 2.4.2

Versions:
Please specify the versions of following systems.

  • harbor version: 2.4.2
  • docker engine version: Docker version 20.10.9-ce, build 79ea9d308018
  • docker-compose version: docker-compose version 1.24.1, build 4667896b

Additional context:

  • Harbor config files:
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: <snipped fqdn>

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/harbor/certs/<snipped fqdn>.crt
  private_key: /etc/harbor/certs/<snipped fqdn>.key

# Uncomment following will enable tls communication between all harbor components
internal_tls:
  # set enabled to true means internal tls is enabled
  enabled: true
  # put your cert and key files on dir
  dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: <snipped>

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: <snipped>
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # timeout The duration to wait for scan completion
  timeout: 5m0s
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: enabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor
    # Uncomment following lines to enable external syslog endpoint.
    # external_endpoint:
    #   # protocol used to transmit log to external endpoint, options is tcp or udp
    #   protocol: tcp
    #   # The host of external endpoint
    #   host: localhost
    #   # Port of external endpoint
    #   port: 5140


#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.4.0
# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca


# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy: http://<snipped>:80
  https_proxy: http://<snipped>:80
  no_proxy: 127.0.0.1,localhost,core,registry,<snipped>,<snipped>,10.0.0.0/8
  components:
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metric

# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agent mode uncomment agent_host and agent_port
# trace:
#   enabled: true
#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
#   sample_rate: 1
#   # # namespace used to differenciate different harbor services
#   # namespace:
#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
#   # attributes:
#   #   application: harbor
#   # jaeger:
#   #   endpoint: http://hostname:14268/api/traces
#   #   username:
#   #   password:
#   #   agent_host: hostname
#   #   agent_port: 6832
#   # otel:
#   #   endpoint: hostname:4318
#   #   url_path: /v1/traces
#   #   compression: false
#   #   insecure: true
#   #   timeout: 10s

  • Log files: You can get them by packaging the /var/log/harbor/ directory.
@Krumbelfix Krumbelfix changed the title Trivy Syntax change - : Incorrect Usage. flag provided but not defined Trivy Syntax change Incorrect Usage. flag provided but not defined after upgrade to 2.4.2 Mar 18, 2022
@danielpacak
Contributor

Related to aquasecurity/harbor-scanner-trivy#222

@danielpacak
Contributor

Note that this functionality should not have impact on scan results. However, it has impact on parsing vulnerability DB metadata, e.g. last update timestamp that's not shown in scanner metadata in Harbor UI.
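
A triage check for the failure discussed in this thread, as an added example that is not part of the issue or of Harbor's code: it scans syslog lines in the shape shown in the report for trivy-adapter errors where Trivy rejected a flag, and extracts the rejected flag and the Trivy version from the embedded usage text. The sample lines and the function name `find_cli_mismatches` are constructed for illustration.

```python
import json
import re

# Constructed sample lines in the syslog shape shown in the report
# (the second and third lines are made up to exercise the skip paths).
SAMPLE_LOG = [
    'Mar 17 15:37:48 172.18.0.1 trivy-adapter[2107]: {"error":"running trivy: exit status 1: '
    'Incorrect Usage. flag provided but not defined: -format\\n\\n NAME:\\n   trivy - A simple '
    'and comprehensive vulnerability scanner for containers\\n\\n VERSION:\\n   0.24.2\\n\\n"}',
    'Mar 17 15:38:02 172.18.0.1 trivy-adapter[2107]: {"msg":"constructed unrelated line"}',
    'Mar 17 15:38:05 172.18.0.1 core[1811]: not json at all',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[\w.-]+)\[\d+\]: (?P<body>.*)$"
)
FLAG_RE = re.compile(r"flag provided but not defined: (-{1,2}[\w-]+)")
VERSION_RE = re.compile(r"VERSION:\s+(\d+\.\d+\.\d+)")


def find_cli_mismatches(lines):
    """Return one finding per trivy-adapter line where Trivy rejected a flag."""
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("proc") != "trivy-adapter":
            continue
        try:
            event = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # tolerate bodies that are not JSON
        error = event.get("error", "") if isinstance(event, dict) else ""
        flag = FLAG_RE.search(error)
        if not flag:
            continue
        version = VERSION_RE.search(error)  # taken from the usage dump Trivy prints
        findings.append({
            "time": m.group("ts"),
            "rejected_flag": flag.group(1),
            "trivy_version": version.group(1) if version else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_cli_mismatches(SAMPLE_LOG):
        print(finding)
```
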

@rofafor rofafor mentioned this issue Apr 4, 2022
@Sudershan17

We're facing the same issue after upgrading from Harbor v2.2.0 to v2.5.0. Trivy version upgraded from 0.16.0 to 0.24.2.

@bcp2021

bcp2021 commented Apr 21, 2022

We're facing the same issue after upgrading from Harbor v2.2.0 to v2.4.2/2.5.0.
Is there a way to upgrade trivy from v0.24.2 to v0.28.0 offline (airgap environment)?

@danielpacak
Contributor

You can always take the latest aquasec/harbor-scanner-trivy:0.28.0 image and update your docker-compose.yml or K8s pod spec to use the latest version of the Trivy adapter until we release a new version of Harbor with bumped-up dependencies.

danielpacak added a commit that referenced this issue Apr 25, 2022
Trivy replaced the --version flag with version subcommand.

Resolves: #16554
Resolves: #16555

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
zyyw pushed a commit to zyyw/harbor that referenced this issue May 9, 2022
Trivy replaced the --version flag with version subcommand.

Resolves: goharbor#16554
Resolves: goharbor#16555

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
zyyw pushed a commit to zyyw/harbor that referenced this issue May 10, 2022
Trivy replaced the --version flag with version subcommand.

Resolves: goharbor#16554
Resolves: goharbor#16555

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
wy65701436 pushed a commit that referenced this issue May 11, 2022
Trivy replaced the --version flag with version subcommand.

Resolves: #16554
Resolves: #16555

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
sluetze pushed a commit to sluetze/harbor that referenced this issue Oct 29, 2022
Trivy replaced the --version flag with version subcommand.

Resolves: goharbor#16554
Resolves: goharbor#16555

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>