--skip-files and --skip-dirs seem to have no effect for .jar files #1218

Closed
maxschlosser opened this issue Sep 6, 2021 · 0 comments · Fixed by #1249
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@maxschlosser
Contributor

Description

I tried to find a workaround for #1185, so I tried to use --skip-files and --skip-dirs in an air-gapped environment.

This didn't work for the openjdk image and an image I made from scratch that only contains a HelloWorld one-liner.

FROM scratch
WORKDIR /opt/java
COPY java/HelloWorld.jar HelloWorld.jar
CMD "java -jar '/opt/java/HelloWorld.jar'"

docker run -u 0 -v ${PWD}:"/root/.cache" -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy \
    --skip-update --skip-files "opt/java/HelloWorld.jar" --vuln-type os myjava:test

What did you expect to happen?

The scan ignores the files and directories that were passed to --skip-files/--skip-directories. Since the files are now not relevant anymore, trivy doesn't contact maven.

What happened instead?

Trivy finds the files and attempts to gather information from maven.org, which is impossible. The run fails due to a timeout.

Output of run with -debug:

2021-09-06T13:16:25.493Z        DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-09-06T13:16:25.508Z        DEBUG   cache dir:  /root/.cache/trivy
2021-09-06T13:16:25.515Z        DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-09-06 06:04:42.835689531 +0000 UTC, NextUpdate: 2021-09-06 12:04:42.835689131 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2021-09-06T13:16:25.524Z        DEBUG   Vulnerability type:  [os]
2021-09-06T13:16:25.536Z        DEBUG   Image ID: sha256:7fea0c8b32c6e3035ee17b537028577bc8dff6b5e299b2eab92183595ce50c1d
2021-09-06T13:16:25.536Z        DEBUG   Diff IDs: [sha256:dff96daf73bb2b28db9109cb128f26f1e9813722f9d2cf6644b07783961ac77c sha256:c0b1de65de956cd308be77862d6ec8f24dd754e3eee21eb79320d108c91dde8a]
2021-09-06T13:16:25.538Z        DEBUG   Missing image ID: sha256:7fea0c8b32c6e3035ee17b537028577bc8dff6b5e299b2eab92183595ce50c1d
2021-09-06T13:16:25.538Z        DEBUG   Missing diff ID: sha256:c0b1de65de956cd308be77862d6ec8f24dd754e3eee21eb79320d108c91dde8a
2021-09-06T13:16:25.555Z        DEBUG   Analysis error: unable to parse opt/java/HelloWorld.jar: failed to parse opt/java/HelloWorld.jar: unrecognized executable format
2021-09-06T13:16:25.555Z        DEBUG   Parsing Java artifacts...       {"file": "opt/java/HelloWorld.jar"}
2021-09-06T13:16:25.896Z        DEBUG   request failed  {"error": "Get \"http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json\": EOF", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json"}
2021-09-06T13:16:25.896Z        DEBUG   retrying request        {"request": "GET http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json", "timeout": "20s", "remaining": 5}
2021-09-06T13:16:46.209Z        DEBUG   request failed  {"error": "Get \"http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json\": EOF", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json"}
2021-09-06T13:16:46.210Z        DEBUG   retrying request        {"request": "GET http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json", "timeout": "40s", "remaining": 4}
2021-09-06T13:17:26.540Z        DEBUG   request failed  {"error": "Get \"http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json\": EOF", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json"}
2021-09-06T13:17:26.540Z        DEBUG   retrying request        {"request": "GET http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json", "timeout": "1m20s", "remaining": 3}
2021-09-06T13:18:46.871Z        DEBUG   request failed  {"error": "Get \"http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json\": EOF", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json"}
2021-09-06T13:18:46.872Z        DEBUG   retrying request        {"request": "GET http://search.maven.org/solrsearch/select?q=1%3A%2205e10c613b6ed45140bd4da12260c888d7e8c83a%22&rows=1&wt=json", "timeout": "2m40s", "remaining": 2}
2021-09-06T13:21:25.497Z        FATAL   scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:69
  - image scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:185
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:98
  - analyze error:
    github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/image/image.go:95
  - timeout:
    github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/image/image.go:159
  - context deadline exceeded

Output of trivy -v:

Version: 0.19.2
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-09-06 06:04:42.835689531 +0000 UTC
  NextUpdate: 2021-09-06 12:04:42.835689131 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Additional details (base image name, container registry info...):

@maxschlosser maxschlosser added the kind/bug Categorizes issue or PR as related to a bug. label Sep 6, 2021
@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed kind/bug Categorizes issue or PR as related to a bug. labels Sep 22, 2021
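
Added example (not part of the original issue and not Trivy's code): a Go helper that audits a saved debug log like the one above and reports which files reached the Java analyzer, which external hosts the scanner tried to contact, and how much retry backoff was announced. It assumes the message texts shown in the log above; `Audit`, `Report` and the abridged sample lines are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed sample, abridged from the issue's debug output; SHA1 stands in for the digest.
const sampleLog = `2021-09-06T13:16:25.555Z DEBUG Parsing Java artifacts... {"file": "opt/java/HelloWorld.jar"}
2021-09-06T13:16:25.896Z DEBUG request failed {"error": "EOF", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=1%3A%22SHA1%22&rows=1&wt=json"}
2021-09-06T13:16:25.896Z DEBUG retrying request {"request": "GET http://search.maven.org/solrsearch/select?q=1%3A%22SHA1%22", "timeout": "20s", "remaining": 5}
2021-09-06T13:16:46.209Z DEBUG request failed {"error": "EOF", "method": "GET", "url": "http://search.maven.org/solrsearch/select?q=1%3A%22SHA1%22&rows=1&wt=json"}
2021-09-06T13:16:46.210Z DEBUG retrying request {"request": "GET http://search.maven.org/solrsearch/select?q=1%3A%22SHA1%22", "timeout": "40s", "remaining": 4}`

type Report struct {
	Files   []string       // files handed to the Java analyzer
	Hosts   map[string]int // failed outbound requests per host
	Backoff time.Duration  // sum of announced retry timeouts
}

// Audit scans debug output for Java analysis and outbound requests (hypothetical helper).
func Audit(log string) Report {
	r := Report{Hosts: map[string]int{}}
	for _, line := range strings.Split(log, "\n") {
		i := strings.Index(line, "{")
		var f struct{ File, URL, Timeout string }
		if i < 0 || json.Unmarshal([]byte(line[i:]), &f) != nil {
			continue // no structured fields on this line
		}
		switch {
		case strings.Contains(line, "Parsing Java artifacts") && f.File != "":
			r.Files = append(r.Files, f.File)
		case strings.Contains(line, "request failed"):
			if u, err := url.Parse(f.URL); err == nil && u.Hostname() != "" {
				r.Hosts[u.Hostname()]++
			}
		case strings.Contains(line, "retrying request"):
			d, _ := time.ParseDuration(f.Timeout) // zero if missing or malformed
			r.Backoff += d
		}
	}
	return r
}

func main() {
	fmt.Printf("%+v\n", Audit(sampleLog))
}
```

In an air-gapped pipeline, a non-empty `Hosts` map or a skipped path appearing in `Files` is the signal that the skip options were not honored for that scan.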