A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI


A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

Abstract

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an operating system. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use: just install the binary and you're ready to scan. All you need to do is specify a target, such as a container image name.

Trivy can be run in two different modes:

  • Standalone
  • Client/Server

Trivy can scan three different artifacts:

  • Container Images
  • Filesystem
  • Git Repositories

Trivy is designed to be used in CI: before pushing to a container registry or deploying your application, you can easily scan your local container image and other artifacts. See here for details.

Features

  • Detect comprehensive vulnerabilities
    • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
  • Simple
  • Fast
    • The first scan will finish within 10 seconds (depending on your network). Subsequent scans will finish in single seconds.
    • Unlike other scanners that take a long time (~10 minutes) to fetch vulnerability information on the first run, and that encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
  • Easy installation
    • apt-get install, yum install and brew install are possible (See Installation)
    • No pre-requisites such as installation of DB, libraries, etc.
  • High accuracy
    • Especially for Alpine Linux and RHEL/CentOS
    • Accuracy for other OSes is also high
  • DevSecOps
    • Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
    • See CI Example
  • Support multiple formats
    • container image
      • A local image in Docker Engine which is running as a daemon
      • A local image in Podman (>=2.0) which is exposing a socket
      • A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
      • A tar archive stored in the docker save / podman save formatted file
      • An image directory compliant with OCI Image Format
    • local filesystem
    • remote git repository

Please see LICENSE for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.

Documentation

The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

Installation

See here

Quick Start

Simply specify an image name (and a tag).

$ trivy image [YOUR_IMAGE_NAME]

For example:

$ trivy image python:3.4-alpine
Result
2019-05-16T01:20:43.180+0900    INFO    Updating vulnerability database...
2019-05-16T01:20:53.029+0900    INFO    Detecting Alpine vulnerabilities...

python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
|         |                  |          |                   |               | with long nonces               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Examples

See here

Continuous Integration (CI)

See here

Vulnerability Detection

See here

Usage

See here

Author

Teppei Fukuda (knqyf263)

Owner

Aqua Security

Comments
  • How to scan locally downloaded docker image?

    I have some enterprise docker images downloaded locally on my mac and I want to scan them using trivy. I tried without setting any config and I get this:

    trivy docker.artifactory.aws.*****com/****-base-centos7:0.0.7
    2020-04-29T00:34:09.890+0530	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to extract files: failed to extract the archive: unexpected EOF
    

    please suggest.

  • Trivy in docker not able to scan local image since version v0.10.0

    Description

    We use Trivy in our CI builds to scan local images. Since v0.10.0, trivy is not able to find the local images and expecting the image to exist in docker hub.

    What did you expect to happen? Expected trivy to scan local images.

    What happened instead? Trivy failed with the following error.

    Command ran:

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/tmp/.cache/ aquasec/trivy myimage:local

    where myimage:local was generated locally before running trivy. Trivy failed with this error:

     FATAL   unable to initialize a scanner: unable to initialize a docker scanner: 2 errors occurred:
            * unable to inspect the image (index.docker.io/library/myimage:local): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/index.docker.io/library/myimage:local/json: dial unix /var/run/docker.sock: connect: permission denied
            * GET https://index.docker.io/v2/library/myimage/manifests/local: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/myimage Type:repository]]
    

    Output of run with -debug:

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/tmp/.cache/ aquasec/trivy --debug myimage:local
    2020-07-30T14:40:12.246Z        DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    2020-07-30T14:40:12.257Z        DEBUG   cache dir:  /home/appuser/.cache/trivy
    2020-07-30T14:40:12.257Z        DEBUG   There is no valid metadata file: unable to open a file: open /home/appuser/.cache/trivy/db/metadata.json: no such file or directory
    2020-07-30T14:40:12.257Z        INFO    Need to update DB
    2020-07-30T14:40:12.257Z        INFO    Downloading DB...
    2020-07-30T14:40:12.257Z        DEBUG   no metadata file
    2020-07-30T14:40:12.788Z        DEBUG   release name: v1-2020073012
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-light-offline.db.tgz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-light.db.gz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy-offline.db.tgz
    2020-07-30T14:40:12.788Z        DEBUG   file name doesn't match
    2020-07-30T14:40:12.788Z        DEBUG   asset name: trivy.db.gz
    2020-07-30T14:40:12.889Z        DEBUG   asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/41262880-d25e-11ea-9f0d-69c6ece1083c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200730T143846Z&X-Amz-Expires=300&X-Amz-Signature=8962d7139933af30f139c0238307e1cefb4f262c886ef8dd8fbcb5f0301a5b97&X-Amz-SignedHeaders=host&actor_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
    17.57 MiB / 17.57 MiB [----------------------------------------------------] 100.00% 2.12 MiB p/s 9s
    2020-07-30T14:40:22.179Z        DEBUG   Updating database metadata...
    2020-07-30T14:40:22.179Z        DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2020-07-30 12:13:03.860403389 +0000 UTC, NextUpdate: 2020-07-31 00:13:03.860403189 +0000 UTC
    2020-07-30T14:40:24.452Z        FATAL   unable to initialize a scanner:
        github.com/aquasecurity/trivy/internal/artifact.run
            /home/circleci/project/internal/artifact/run.go:72
      - unable to initialize a docker scanner:
        github.com/aquasecurity/trivy/internal/artifact.dockerScanner
            /home/circleci/project/internal/artifact/image.go:28
      - 2 errors occurred:
            * unable to inspect the image (index.docker.io/library/myimage:local): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/index.docker.io/library/myimage:local/json: dial unix /var/run/docker.sock: connect: permission denied
            * GET https://index.docker.io/v2/library/myimage/manifests/local: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/myimage Type:repository]]
    

    Output of trivy -v:

    Version: 0.10.0
    

    Additional details (base image name, container registry info...): If we revert to trivy v0.9.0, the scan works successfully, so something is broken in v0.10.0.

    Has there been any change that affects detecting local images over the docker socket?

    I would really appreciate it if this could be paid attention to, as our builds are currently broken and as a workaround we have reverted to v0.9.0.

    Regards,

    Nas

  • InstalledVersion comparison doesn't process "epoch" value in debian package version numbers

    Description

    trivy rootfs -s HIGH -f json / shows several packages are vulnerable due to incorrect version comparison.

    For example, the debian package named zabbix-get with version 1:5.0.20-1+bionic is flagged as a "HIGH" severity vulnerability, but the details indicate that only versions before 2.2.x, 3.0.31 and 3.2 are vulnerable.

    What did you expect to happen?

    I expected that the epoch 1: value would be handled correctly (see http://manpages.ubuntu.com/manpages/trusty/man5/deb-version.5.html ), and Trivy would see that version 5.0.20 is more recent than the vulnerable versions.

    What happened instead?

    It incorrectly declares multiple packages to be vulnerable:

    {
      "VulnerabilityID": "CVE-2020-11800",
      "PkgName": "zabbix-get",
      "InstalledVersion": "1:5.0.20-1+bionic",
      "Layer": {},
      "SeveritySource": "ubuntu",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-11800",
      "DataSource": {
        "ID": "ubuntu",
        "Name": "Ubuntu CVE Tracker",
        "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
      },
      "Title": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote att ...",
      "Description": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.",
      "Severity": "HIGH",
      "CVSS": {
        "nvd": {
          "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "V2Score": 7.5,
          "V3Score": 9.8
        }
      },
      "References": [
        "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11800",
        "https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/85453e04656fc7bd8a6790f5295d79410101745c",
        "https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html",
        "https://support.zabbix.com/browse/DEV-1538",
        "https://support.zabbix.com/browse/ZBX-17600",
        "https://support.zabbix.com/browse/ZBXSEC-30",
        "https://support.zabbix.com/browse/ZBXSEC-30 (not public)"
      ],
      "PublishedDate": "2020-10-07T16:15:00Z",
      "LastModifiedDate": "2022-01-01T18:16:00Z"
    }
    

    Output of run with -debug:

    (2237 lines of files scanned, not very useful for this report.)
    

    Output of trivy -v:

    Version: 0.24.4
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2022-03-29 06:06:20.605614808 +0000 UTC
      NextUpdate: 2022-03-29 12:06:20.605614408 +0000 UTC
      DownloadedAt: 2022-03-29 06:17:15.692256189 +0000 UTC
    

    Additional details (base image name, container registry info...):

    OS: Ubuntu 18.04

    We're evaluating Trivy for use in our organization.
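
The epoch handling this report asks for, as an added example in Go that is not Trivy's own comparator: ParseDebVersion splits [epoch:]upstream_version[-debian_revision] per deb-version(5), Compare orders two versions the way dpkg --compare-versions does (epoch, then upstream, then revision, with dpkg's '~' and digit-run rules), and NaiveLess is a deliberately epoch-blind comparison constructed only to reproduce the false positive on 1:5.0.20-1+bionic versus 3.0.31.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseDebVersion splits a Debian version per deb-version(5),
// [epoch:]upstream_version[-debian_revision], into its three parts.
func ParseDebVersion(s string) (epoch int, upstream, revision string, err error) {
	if i := strings.Index(s, ":"); i >= 0 {
		if epoch, err = strconv.Atoi(s[:i]); err != nil || epoch < 0 {
			return 0, "", "", fmt.Errorf("invalid epoch in %q", s)
		}
		s = s[i+1:]
	}
	if i := strings.LastIndex(s, "-"); i >= 0 {
		revision, s = s[i+1:], s[:i]
	}
	return epoch, s, revision, nil
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// order is dpkg's sort weight for the non-digit at s[i]: '~' sorts before anything,
// even the end of the string (so 1.0~rc1 < 1.0); letters sort before other symbols.
func order(s string, i int) int {
	switch {
	case i >= len(s) || isDigit(s[i]):
		return 0
	case (s[i] >= 'a' && s[i] <= 'z') || (s[i] >= 'A' && s[i] <= 'Z'):
		return int(s[i])
	case s[i] == '~':
		return -1
	}
	return int(s[i]) + 256
}

// compareFragment is dpkg's verrevcmp: it alternates between comparing runs of
// non-digits (by order) and runs of digits (numerically, ignoring leading zeros).
func compareFragment(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(a, i) - order(b, j); d != 0 {
				return d
			}
			i, j = i+1, j+1
		}
		for i < len(a) && a[i] == '0' {
			i++
		}
		for j < len(b) && b[j] == '0' {
			j++
		}
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 {
				firstDiff = int(a[i]) - int(b[j])
			}
			i, j = i+1, j+1
		}
		if i < len(a) && isDigit(a[i]) {
			return 1 // a has more significant digits left, so it is larger
		}
		if j < len(b) && isDigit(b[j]) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// Compare orders two version strings the way dpkg --compare-versions does:
// epoch first, then upstream version, then Debian revision (negative, 0, positive).
func Compare(a, b string) (int, error) {
	ea, ua, ra, err := ParseDebVersion(a)
	if err != nil {
		return 0, err
	}
	eb, ub, rb, err := ParseDebVersion(b)
	if err != nil {
		return 0, err
	}
	if ea != eb {
		return ea - eb, nil
	}
	if r := compareFragment(ua, ub); r != 0 {
		return r, nil
	}
	return compareFragment(ra, rb), nil
}

// NaiveLess compares the raw strings without splitting off the epoch; constructed
// here to reproduce the report's false positive, not Trivy's code.
func NaiveLess(a, b string) bool { return compareFragment(a, b) < 0 }
```

With the epoch split off, 1:5.0.20-1+bionic sorts after 3.0.31, so the package is not flagged; the epoch-blind comparison reads the leading "1" as the major version and sorts it before "3".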

  • Use a stable SARIF identifier

    :wave: Hello - I am from the GitHub code scanning team! :bow:

    We have noticed that your tool is currently generating unstable sarif identifiers. 🕵️ This is against the SARIF specification 😱.

    Unstable identifiers result in a suboptimal experience for users of GitHub Code Scanning:

    • Users are not able to easily group similar results (for example results for the same CVE in different images)
    • Users find results that have been dismissed reappear if the image name or tag changes
    • We have a hard limit of 500k identifiers per tool, beyond this point it is not possible to enumerate them all

    I've proposed a possible fix that would make your sarif identifier stable. Once you have found something that works for you I can migrate your existing rules. :+1:

  • feat(template) Add misconfigurations to gitlab codequality report

    Gitlab codequality report for misconfigurations was missing

    Usage example: trivy fs --security-checks config,vuln --format template --template "@contrib/gitlab-codequality.tpl" -o report.json {folder}

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [x] I've added tests that prove my fix is effective or that my feature works.
    • [x] I've updated the documentation with the relevant information (if needed).
    • [x] I've added usage information (if the PR introduces new options)
    • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).
  • Support for Rocky Linux

    Rocky Linux should be detected as RHEL/CentOS. See https://rockylinux.org/ for details. Similar to classic CentOS, Rocky Linux is a RHEL clone so Red Hat Security advisories apply to it. This is the same exact situation as AlmaLinux https://github.com/aquasecurity/trivy/issues/1021

  • FATAL error in image scan: failed to analyze image: failed to extract files: missing signature key

    BUG REPORT INFORMATION

    I am running trivy installed from the debian package (currently 0.1.1) inside a Gitlab CI worker. The worker is a docker container which can build images (docker socket is mounted).

    Description

    In my pipeline I would like to scan the images before pushing them to the repository. But trivy fails with the error above although the image has just been built.

    $ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
    Sending build context to Docker daemon  84.48kB
    Step 1/2 : FROM postgres:11-alpine
    11-alpine: Pulling from library/postgres
    e7c96db7181b: Already exists
    ddab92d60ba9: Pulling fs layer
    ... snipped ...
    79d684a466de: Pull complete
    1929cdd74131: Pull complete
    Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
    Status: Downloaded newer image for postgres:11-alpine
     ---> 0223e4d872f4
    Step 2/2 : LABEL MAINTAINER Oz123 <[email protected]>
     ---> Running in 86c97c84674b
    Removing intermediate container 86c97c84674b
     ---> a4b10056be0e
    Successfully built a4b10056be0e
    Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:0.0.1
    Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:latest
    $ trivy -q --auto-refresh ${IMAGE}:${VERSION}
    2019-05-27T15:06:46.237Z	INFO	Updating vulnerability database...
    2019-05-27T15:07:34.298Z	INFO	Updating NVD data...
    2019-05-27T15:08:04.259Z	INFO	Updating Alpine data...
    2019-05-27T15:08:05.058Z	INFO	Updating RedHat data...
    2019-05-27T15:08:08.466Z	INFO	Updating Debian data...
    2019-05-27T15:08:10.155Z	INFO	Updating Debian OVAL data...
    2019-05-27T15:08:15.279Z	INFO	Updating Ubuntu data...
    2019-05-27T15:08:20.303Z	FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key
    ERROR: Job failed: exit code 1
    

    Output of trivy -v: 0.1.1

    I suspect the docker image should also mount the directory where the image built files are stored, but I can't confirm this.

  • Is it correct that the Trivy Server Mode Vulnerability DB update is normal?

    Is it correct that the current Trivy Server Mode Vulnerability DB update is normal?

    The UpdatedAt/NextUpdate dates do not change after the time you ran it. I would appreciate it if you could check whether it is being updated normally.

    $ trivy -v
    Version: 0.27.1
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2022-05-12 06:06:17.231057123 +0000 UTC
      NextUpdate: 2022-05-12 12:06:17.231056623 +0000 UTC
      DownloadedAt: 2022-05-26 23:35:53.026928539 +0000 UTC
    
    
    $ ls -alth
    -rw-r--r-- 1 test test  153  5 27 08:35 metadata.json
    -rw------- 1 test test 298M  5 27 08:35 trivy.db
    
  • Integration with GitLab will stop working in GitLab 15.0

  • GitHub Action - analysis fails after sarif upload

    Description

    I'm scanning a docker image and want to upload the result via the github/codeql-action/upload-sarif@v1 action.

    name: Trivy Analysis
    
    on:
      push:
    
    jobs:
      trivy_analysis:
        name: Trivy Analysis
        runs-on: "ubuntu-18.04"
        steps:
          - name: Run Trivy on python:3.6-slim-buster
            uses: aquasecurity/trivy-action@master
            with:
              image-ref: 'python:3.6-slim-buster'
              format: 'template'
              template: '@/contrib/sarif.tpl'
              output: 'trivy-slim-buster.sarif'
              severity: 'CRITICAL,HIGH'
    
          # Upload works fine, but analysis fails
          - name: Upload Trivy slim-buster scan results to GitHub Security tab
            uses: github/codeql-action/upload-sarif@v1
            with:
              sarif_file: 'trivy-slim-buster.sarif'
    

    What did you expect to happen?

    sarif file gets analyzed correctly.

    What happened instead?

    The error 'Analysis failed for trivy-workflow' is shown on the Code scanning alerts tab.

    Output of run with -debug:

    not available
    

    Output of trivy -v:

    Run aquasecurity/trivy-action@master
      with:
        image-ref: python:3.6-slim-buster
        format: template
        template: @/contrib/sarif.tpl
        output: trivy-slim-buster.sarif
        severity: CRITICAL,HIGH
        scan-type: image
        scan-ref: .
        exit-code: 0
        ignore-unfixed: false
        vuln-type: os,library
    /usr/bin/docker run --name a33c1b243f0bb5ad54f939442448bb6a70f7e_e14d32 --label 8a33c1 --workdir /github/workspace --rm -e INPUT_IMAGE-REF -e INPUT_FORMAT -e INPUT_TEMPLATE -e INPUT_OUTPUT -e INPUT_SEVERITY -e INPUT_SCAN-TYPE -e INPUT_INPUT -e INPUT_SCAN-REF -e INPUT_EXIT-CODE -e INPUT_IGNORE-UNFIXED -e INPUT_VULN-TYPE -e INPUT_SKIP-DIRS -e INPUT_CACHE-DIR -e INPUT_TIMEOUT -e INPUT_IGNORE-POLICY -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/indy-node-container/indy-node-container":"/github/workspace" 8a33c1:b243f0bb5ad54f939442448bb6a70f7e  "-a image" "-b template" "-c @/contrib/sarif.tpl" "-d 0" "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-slim-buster.sarif" "-i python:3.6-slim-buster" "-j ." "-k " "-l " "-m " "-n " "-o "
    Running trivy with options:  --no-progress  --format  template --template  @/contrib/sarif.tpl --exit-code  0 --vuln-type  os,library --severity  CRITICAL,HIGH --output  trivy-slim-buster.sarif  python:3.6-slim-buster
    Global options:  
    2021-06-02T06:51:17.428Z	INFO	Need to update DB
    2021-06-02T06:51:17.429Z	INFO	Downloading DB...
    2021-06-02T06:51:20.595Z	INFO	Detecting Debian vulnerabilities...
    2021-06-02T06:51:20.605Z	INFO	Trivy skips scanning programming language libraries because no supported file was detected
    

    Additional details (base image name, container registry info...):

    Uploading the result file to the Microsoft SARIF validator shows these problems:

    • GH1003: runs[0].results[0].locations[0].physicalLocation: The 'region' property is absent. GitHub Advanced Security code scanning can display the correct location only for results that provide a 'region' object with line and optional column information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults.
    • GH1005: runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: 'python:3.6-slim-buster' is not a file path. GitHub Advanced Security code scanning only displays results whose locations are specified by file paths, either as relative URIs or as absolute URIs that use the 'file' scheme.
    • SARIF1004: runs[0].results[0].locations[0].physicalLocation.artifactLocation: This 'artifactLocation' object has a 'uriBaseId' property 'ROOTPATH', but its 'uri' property 'python:3.6-slim-buster' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI.
    • SARIF2012: runs[0].tool.driver.rules[0].name: 'OS Package Vulnerability (Debian)' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.

    I don't know whether these problems are the cause of the error, but maybe they can be fixed by adjusting this block

    https://github.com/aquasecurity/trivy/blob/fb19abd09acc39c06a132fab8d0b9181f1556dcb/contrib/sarif.tpl#L76-L80

    if a Docker image is scanned.
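
One way to address both the stable-identifier request from the GitHub code scanning team above and the validator findings in this issue, as an added example in Go that is not Trivy's sarif.tpl: rules are keyed on the vulnerability ID alone (never the image name or tag), every result carries a relative file path and a region, and Lint reproduces the GH1003 and GH1005 checks so a pipeline can fail before the upload does. The file path results are attributed to (a Dockerfile is assumed) and the fixed Pascal-case rule name are choices of this example, not of Trivy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal SARIF 2.1.0 model with only the fields this example needs.
type sarifLog struct {
	Version string     `json:"version"`
	Schema  string     `json:"$schema"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct{ Driver sarifDriver `json:"driver"` }
type sarifDriver struct {
	Name  string      `json:"name"`
	Rules []sarifRule `json:"rules"`
}
type sarifText struct{ Text string `json:"text"` }
type sarifRule struct {
	ID               string    `json:"id"`
	Name             string    `json:"name"` // single Pascal-case identifier (SARIF2012)
	ShortDescription sarifText `json:"shortDescription"`
}
type sarifArtifact struct{ URI string `json:"uri"` }
type sarifRegion struct{ StartLine int `json:"startLine"` }
type sarifPhysical struct {
	ArtifactLocation sarifArtifact `json:"artifactLocation"`
	Region           sarifRegion   `json:"region"`
}
type sarifLocation struct{ PhysicalLocation sarifPhysical `json:"physicalLocation"` }
type sarifResult struct {
	RuleID    string          `json:"ruleId"`
	Message   sarifText       `json:"message"`
	Locations []sarifLocation `json:"locations"`
}

// Finding is the subset of a Trivy JSON vulnerability record used here.
type Finding struct{ VulnerabilityID, PkgName, InstalledVersion, Title string }

// hasScheme matches URIs that carry a scheme, e.g. "python:3.6-slim-buster".
var hasScheme = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9+.-]*:`)

// BuildSarif keys each rule on the vulnerability ID alone, never on the image
// name or tag, so one CVE stays one rule across builds and dismissals survive a
// retag. Every result is anchored to a relative file path with a startLine.
func BuildSarif(findings []Finding, artifactPath string) sarifLog {
	run := sarifRun{Tool: sarifTool{Driver: sarifDriver{Name: "Trivy"}}}
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.VulnerabilityID] {
			seen[f.VulnerabilityID] = true
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, sarifRule{
				ID: f.VulnerabilityID, Name: "OsPackageVulnerability",
				ShortDescription: sarifText{Text: f.Title}})
		}
		run.Results = append(run.Results, sarifResult{
			RuleID:  f.VulnerabilityID,
			Message: sarifText{Text: fmt.Sprintf("%s %s is affected by %s", f.PkgName, f.InstalledVersion, f.VulnerabilityID)},
			Locations: []sarifLocation{{PhysicalLocation: sarifPhysical{
				ArtifactLocation: sarifArtifact{URI: artifactPath}, Region: sarifRegion{StartLine: 1}}}},
		})
	}
	return sarifLog{Version: "2.1.0", Runs: []sarifRun{run},
		Schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"}
}

// Lint reproduces the two validator checks quoted in the issue (GH1003 missing
// region, GH1005 non-file-path uri) so a CI step can fail before the upload does.
func Lint(log sarifLog) []string {
	var problems []string
	for _, run := range log.Runs {
		for i, r := range run.Results {
			for _, loc := range r.Locations {
				pl := loc.PhysicalLocation
				if pl.Region.StartLine < 1 {
					problems = append(problems, fmt.Sprintf("GH1003: results[%d] has no region.startLine", i))
				}
				if uri := pl.ArtifactLocation.URI; hasScheme.MatchString(uri) && !strings.HasPrefix(uri, "file:") {
					problems = append(problems, fmt.Sprintf("GH1005: results[%d] uri %q is not a file path", i, uri))
				}
			}
		}
	}
	return problems
}

// Render serialises the log as the JSON document that upload-sarif consumes.
func Render(log sarifLog) (string, error) {
	out, err := json.MarshalIndent(log, "", "  ")
	return string(out), err
}
```

Passing the image reference as the artifact path reproduces GH1005 exactly as the validator reports it; passing a repository-relative file such as Dockerfile yields a log with no findings from Lint.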

  • Trivy 0.2.0, run under docker-dind - gitlabCI - scan always ends with 'null' result

    What did you expect to happen? Conduct a scan

    What happened instead? Trivy does something, reports success and exits after 1 second

    Output of run with -debug:

    2019-11-14T18:51:04.070Z	DEBUG	cache dir:  /root/.cache/trivy
    2019-11-14T18:51:04.074Z	DEBUG	This is the first run
    Downloading Lightweight DB file...
    2019-11-14T18:51:04.362Z	DEBUG	release name: v1-2019111418
    2019-11-14T18:51:04.362Z	DEBUG	asset name: trivy-light.db.gz
    2019-11-14T18:51:04.534Z	DEBUG	asset URL: https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/fa14f900-0709-11ea-9b7f-1f882f72ad9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191114%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191114T185104Z&X-Amz-Expires=300&X-Amz-Signature=4ae948a4ce0501f0edb9eb5585d397ef276d725f95f8ea2af8ade4659264494d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dtrivy-light.db.gz&response-content-type=application%2Foctet-stream
    2019-11-14T18:51:05.858Z	INFO	Reopening vulnerability DB
    2019-11-14T18:51:05.858Z	DEBUG	Vulnerability type:  [os library]
    2019-11-14T18:51:08.814Z	DEBUG	OS family: alpine, OS version: 3.8.4
    2019-11-14T18:51:08.814Z	DEBUG	the number of packages: 36
    2019-11-14T18:51:09.612Z	DEBUG	the number of packages from commands: 26
    2019-11-14T18:51:09.612Z	DEBUG	the number of packages: 36
    2019-11-14T18:51:09.612Z	INFO	Detecting Alpine vulnerabilities...
    2019-11-14T18:51:09.612Z	DEBUG	alpine: os version: 3.8
    2019-11-14T18:51:09.612Z	DEBUG	alpine: the number of packages: 36
    

    Output of trivy -v:

    trivy version 0.2.0
    

    Additional details (base image name, container registry info...): checked image: trivy --light alpine:3.8.4 -debug; dind image: docker:19.03-dind

    result:

    [
      {
        "Target": "myimage(alpine 3.8.4)",
        "Vulnerabilities": null
      }
    ]
    

    scan outside gitlabci

    alpine:3.8.4 (alpine 3.8.4)
    ===========================
    Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    
    +---------+------------------+----------+-------------------+---------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
    +---------+------------------+----------+-------------------+---------------+
    | musl    | CVE-2019-14697   | HIGH     | 1.1.19-r10        | 1.1.19-r11    |
    +---------+------------------+----------+-------------------+---------------+
    
  • chore: update code owners

    Description

    Update code owners so that @knqyf263 @AnaisUrlichs @itaysk own all docs. The previous dir-by-dir approach skipped some folders.

    Related issues

    Related PRs

    Remove this section if you don't have related PRs.

    Checklist

    • [ ] I've read the guidelines for contributing to this repository.
    • [ ] I've followed the conventions in the PR title.
    • [ ] I've added tests that prove my fix is effective or that my feature works.
    • [ ] I've updated the documentation with the relevant information (if needed).
    • [ ] I've added usage information (if the PR introduces new options)
    • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
  • chore: test docs separately from code

    Description

    we don't need all the tests to run on every docs PR

    Related issues

    Related PRs

    Remove this section if you don't have related PRs.

    Checklist

    • [ ] I've read the guidelines for contributing to this repository.
    • [ ] I've followed the conventions in the PR title.
    • [ ] I've added tests that prove my fix is effective or that my feature works.
    • [ ] I've updated the documentation with the relevant information (if needed).
    • [ ] I've added usage information (if the PR introduces new options)
    • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
  • Troubleshooting Guide Maven API and nginx proxy

    Description

    We have implemented a nginx proxy for search.maven.org according to the documentation from https://aquasecurity.github.io/trivy/v0.36/docs/references/troubleshooting/

    What did you expect to happen?

    The proxy should cache and deliver requests to search.maven.org/solrseach/select which works fine, when search.maven.org is accessible

    What happened instead?

    The API request returned HTTP 405, 502 or 504 instead of the real result. These errors were cached by nginx, so trivy didn't get any valid result as long as the cache entry existed (e.g. 1h).

    Output of run with -debug:

    Does not apply to trivy, problem is nginx-specific

    Additional details (base image name, container registry info...):

    As described in https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid "any" means "Sets caching time for different response codes." You should never cache "any" result to avoid caching http failure responses.

    Suggestion

    Fix the troubleshooting maven nginx example from: .. proxy_cache_valid any 1h; to .. proxy_cache_valid 200 1h;

    Thanks

    Trivy is great, we love it.

    Regards Frank
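
    The weak and corrected cache settings side by side, as an added nginx example that is not part of the issue or of the Trivy troubleshooting page; the cache path, listen port and internal hostname are assumptions:

    ```nginx
    # Added example (not the Trivy docs' own snippet): a caching reverse proxy
    # in front of search.maven.org for Trivy's Maven lookups.
    # Cache path, port and hostname are assumptions.
    proxy_cache_path /var/cache/nginx/maven levels=1:2 keys_zone=maven:10m
                     max_size=1g inactive=1h;

    server {
        listen 8080;
        server_name maven-proxy.internal;   # assumed internal hostname

        location /solrsearch/select {
            proxy_pass https://search.maven.org;
            proxy_set_header Host search.maven.org;
            proxy_ssl_server_name on;

            proxy_cache maven;

            # Weak setting from the troubleshooting example: "any" also caches
            # 405/502/504 responses, so one transient upstream failure is handed
            # to every Trivy run until the entry expires (1h here).
            # proxy_cache_valid any 1h;

            # Corrected: only successful lookups are cached.
            proxy_cache_valid 200 1h;

            # Defensive extra: when the upstream fails, serve a previously cached
            # good answer rather than the error response.
            proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
        }
    }
    ```

    With this configuration Trivy can be pointed at the proxy and a failed upstream request is retried on the next scan instead of being replayed from the cache for an hour.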

  • compile error

    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx

    /root/GOPATH/pkg/mod/github.com/aquasecurity/[email protected]/pkg/sbom/cyclonedx/marshal.go:286:63: cannot use &componentDependencies (value of type *[]"github.com/CycloneDX/cyclonedx-go".Dependency) as type *[]string in struct literal
    /root/GOPATH/pkg/mod/github.com/aquasecurity/[email protected]/pkg/sbom/cyclonedx/marshal.go:299:45: cannot use &metadataDependencies (value of type *[]"github.com/CycloneDX/cyclonedx-go".Dependency) as type *[]string in struct literal
    /root/GOPATH/pkg/mod/github.com/aquasecurity/[email protected]/pkg/sbom/cyclonedx/unmarshal.go:106:17: cannot use bom.SpecVersion (variable of type "github.com/CycloneDX/cyclonedx-go".SpecVersion) as type string in struct literal
    /root/GOPATH/pkg/mod/github.com/aquasecurity/[email protected]/pkg/sbom/cyclonedx/unmarshal.go:206:26: d.Ref undefined (type string has no field or method Ref)

    github.com/aquasecurity/trivy/pkg/module

    /root/GOPATH/pkg/mod/github.com/aquasecurity/[email protected]/pkg/module/module.go:246:3: r.NewHostModuleBuilder("env").ExportFunctions undefined (type wazero.HostModuleBuilder has no field or method ExportFunctions)

  • feat(python): Include Conda packages in SBOMs

    Description

    Discover conda (aka Anaconda) packages to include them in SBOMs.

    Related issues

    • Close #3321

    Related PRs

    • https://github.com/aquasecurity/go-dep-parser/pull/151

    Checklist

    • [x] I've read the guidelines for contributing to this repository.
    • [x] I've followed the conventions in the PR title.
    • [x] I've added tests that prove my fix is effective or that my feature works.
    • [x] I've updated the documentation with the relevant information (if needed).
    • [ ] I've added usage information (if the PR introduces new options)
    • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).