
FATAL DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: #1877

Closed
eoraita opened this issue Mar 24, 2022 · 18 comments
Assignees
Labels
triage/support Indicates an issue that is a support question.

Comments

@eoraita

eoraita commented Mar 24, 2022

We upgraded to trivy version 0.24.4 and when running the trivy scan we are getting the following error:

FATAL DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get "https://ghcr.io/v2/": x509: certificate signed by unknown authority

We were using release 0.21.3 prior and had no issues, and then yesterday afternoon we started getting 👍

FATAL DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": x509: certificate signed by unknown authority

@DmitriyLewen
Contributor

Hello @eoraita
Thank you for your report!

If trivy is running behind a corporate firewall, you have to add the following URLs to your allowlist:

  • ghcr.io
  • pkg-containers.githubusercontent.com

Read more about some of the issues here

Regards, Dmitriy

@eoraita
Author

eoraita commented Mar 25, 2022 via email

@github-actions

github-actions bot commented Jun 4, 2022

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 4, 2022
@ghost

ghost commented Jun 23, 2022

I have the same error, but in my case I'm using a private oci registry for the trivy-db. The solution offered here to open firewalls to allow ghcr.io doesn't apply. Also worth noting that if I use a custom trivy image that includes my internal CA, everything works fine; however I would prefer to use the public aquasec/trivy: images. I should be able to pass something like the --insecure option when downloading the DB as well as images.

@afdesk
Contributor

afdesk commented Jun 23, 2022

@flngen could you take a look at #2373?

@ghost

ghost commented Jun 23, 2022

@flngen could you take a look at #2373?

I have seen that discussion. My local registry does not require authentication. As I mentioned above, there probably isn't an option to bypass ssl verification when downloading the DB. Granted I haven't taken the time to read the code. Pure guess.

@afdesk
Contributor

afdesk commented Jun 23, 2022

@flngen do you use the latest trivy with --insecure?

@ghost

ghost commented Jun 23, 2022

yes

@ghost

ghost commented Jun 23, 2022

I tried using the public trivy docker image and mounted the node certs path to the docker container on /etc/ssl/certs, and was able to download the db from my private repo. So that's probably an acceptable workaround, provided your docker nodes contain your local CA certs/chain.

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 24, 2022
@DmitriyLewen
Contributor

DmitriyLewen commented Jun 24, 2022

Hello @flngen

We added an insecure-skip option for downloading Trivy-db earlier: #2140

To investigate your problem, can you send me:

  1. Trivy installed version (command trivy -v );
  2. Trivy result using the --debug and --insecure flags (when you have the error);

Regards, Dmitriy

@cathex-matt

cathex-matt commented Aug 17, 2022

@DmitriyLewen
Hi,
For what it's worth, I ran trivy --debug --insecure image --severity HIGH,CRITICAL,MEDIUM --exit-code 1 and got the logs below:

trivy 0.31.2 is already installed
2022-08-18T00:33:59.929+0100    DEBUG   Severities: ["HIGH" "CRITICAL" "MEDIUM"]
2022-08-18T00:33:59.970+0100    DEBUG   cache dir:  /Users/cathex-matt/Library/Caches/trivy
2022-08-18T00:33:59.970+0100    DEBUG   There is no valid metadata file: unable to open a file: open /Users/cathex-matt/Library/Caches/trivy/db/metadata.json: no such file or directory
2022-08-18T00:33:59.970+0100    INFO    Need to update DB
2022-08-18T00:33:59.970+0100    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-08-18T00:33:59.970+0100    INFO    Downloading DB...
2022-08-18T00:33:59.970+0100    DEBUG   no metadata file
2022-08-18T00:34:00.330+0100    FATAL   init error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:362
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:154
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
        /home/runner/work/trivy/trivy/pkg/db/db.go:194
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
task: Failed to run task "docker:security:trivy": exit status 1

@DmitriyLewen
Contributor

hm... it looks like a problem with authorization.
Can you try logging into docker as written here?

@cathex-matt

cathex-matt commented Aug 18, 2022

hm... it looks like a problem with authorization. Can you try logging into docker as written here?

Thanks! It worked simply by authenticating to ghcr. I wasn't aware it was a requirement; I was wrongly assuming it was all public. The problem occurred when bumping from trivy 0.22.0 to 0.31.2.

@knqyf263
Collaborator

I think you had an expired token locally. You re-logged in to ghcr.io and the expired token was overwritten. I suppose docker logout ghcr.io would also have addressed your issue.
#2689 (reply in thread)

@iSeiryu

iSeiryu commented Nov 24, 2022

I just installed trivy on a pretty empty Ubuntu without any firewalls, ran this command

trivy k8s --report summary cluster --debug

and got this error

2022-11-23T22:52:05.060-0500    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-23T22:52:17.322-0500    DEBUG   cache dir:  /home/iseiryu/.cache/trivy
2022-11-23T22:52:17.323-0500    DEBUG   There is no valid metadata file: unable to open a file: open /home/iseiryu/.cache/trivy/db/metadata.json: no such file or directory
2022-11-23T22:52:17.323-0500    INFO    Need to update DB
2022-11-23T22:52:17.323-0500    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-23T22:52:17.323-0500    INFO    Downloading DB...
2022-11-23T22:52:17.323-0500    DEBUG   no metadata file
2022-11-23T22:52:49.935-0500    FATAL   init error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:74
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:154
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
        /home/runner/work/trivy/trivy/pkg/db/db.go:194
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout

@afdesk
Contributor

afdesk commented Nov 24, 2022

@iSeiryu thanks for your report!
It looks like a duplicate of the known issue #3146.
We're working to fix it.
As a workaround you can try to use the --insecure flag. Is it ok for you?

@iSeiryu

iSeiryu commented Nov 28, 2022

Not like this

trivy k8s --report summary cluster --debug --insecure

2022-11-28T16:39:57.865-0500    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-28T16:40:09.890-0500    DEBUG   cache dir:  /home/iseiryu/.cache/trivy
2022-11-28T16:40:09.892-0500    DEBUG   There is no valid metadata file: unable to open a file: open /home/iseiryu/.cache/trivy/db/metadata.json: no such file or directory
2022-11-28T16:40:09.892-0500    INFO    Need to update DB
2022-11-28T16:40:09.892-0500    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-28T16:40:09.892-0500    INFO    Downloading DB...
2022-11-28T16:40:09.892-0500    DEBUG   no metadata file
35.34 MiB / 35.34 MiB [------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 4.34 MiB p/s 8.3s
2022-11-28T16:40:33.917-0500    DEBUG   Updating database metadata...
2022-11-28T16:40:33.917-0500    DEBUG   DB Schema: 2, UpdatedAt: 2022-11-28 18:07:09.629105676 +0000 UTC, NextUpdate: 2022-11-29 00:07:09.629105376 +0000 UTC, DownloadedAt: 2022-11-28 21:40:33.9176202 +0000 UTC
16 / 198 [------------->_______________________________________________________________________________________________________________________________________________________] 8.08% 0 p/s
2022-11-28T16:45:11.955-0500    WARN    Increase --timeout value
2022-11-28T16:45:11.958-0500    FATAL   k8s scan error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:101
  - scanning misconfigurations error:
    github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).Scan
        /home/runner/work/trivy/trivy/pkg/k8s/scanner/scanner.go:73
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:230
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:555
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:127
  - failed to call hooks:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:126
  - post handler error:
    github.com/aquasecurity/trivy/pkg/fanal/handler.Manager.PostHandle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/handler.go:75
  - scan config error:
    github.com/aquasecurity/trivy/pkg/fanal/handler/misconf.misconfPostHandler.Handle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/misconf/misconf.go:293
  - context deadline exceeded

But it worked like this

trivy k8s --report summary cluster --debug --insecure --timeout 60m0s

2022-11-28T16:46:45.011-0500    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-28T16:46:57.666-0500    DEBUG   cache dir:  /home/iseiryu/.cache/trivy
2022-11-28T16:46:57.667-0500    DEBUG   DB update was skipped because the local DB is the latest
2022-11-28T16:46:57.667-0500    DEBUG   DB Schema: 2, UpdatedAt: 2022-11-28 18:07:09.629105676 +0000 UTC, NextUpdate: 2022-11-29 00:07:09.629105376 +0000 UTC, DownloadedAt: 2022-11-28 21:40:33.9176202 +0000 UTC
198 / 198 [------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s
2022-11-28T16:52:10.072-0500    ERROR   Error during vulnerabilities scan: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
        * <redacted>
        * unable to initialize Podman client: no podman socket found: stat /mnt/wslg/runtime-dir/podman/podman.sock: no such file or directory
        * containerd socket not found: /run/containerd/containerd.sock
        * <redacted>

What is that DB for? Cannot the process be simplified?
Do I need to install Podman as well?
I'm using AKS which should use containerd underneath. Why would it complain about it?
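The thread above shows four distinct failure shapes behind the same "failed to download vulnerability DB" prefix: an x509 "unknown authority" error (a TLS-inspecting proxy or private registry CA that the scanner does not trust), a "DENIED: denied" from the ghcr.io token endpoint (a stale stored credential, fixed by docker logout ghcr.io or re-authenticating), a DNS lookup timeout for ghcr.io (egress or resolution blocked), and "context deadline exceeded" (the scan outran --timeout). The following script is an added example, not code from this issue or from the trivy project: it classifies an error line into one of those classes, pairs it with the least-privileged fix discussed in the thread (mounting the host CA bundle into the public image instead of reaching for --insecure, which turns certificate verification off), and builds the docker command for that CA-mount workaround. The sample error lines are constructed from the messages quoted in the comments; the image name, the /etc/ssl/certs path and the docker invocation are assumptions.

```shell
#!/bin/sh
# Added example (not part of the issue thread or the trivy project): a triage
# helper for the DB-download errors seen in this thread.

# classify_trivy_error MESSAGE -> prints a keyword for the failure class.
classify_trivy_error() {
    case "$1" in
        *"x509: certificate signed by unknown authority"*)
            echo "untrusted-ca" ;;      # proxy or private-registry CA not in the trust store
        *"DENIED: denied"*)
            echo "registry-auth" ;;     # ghcr.io token endpoint rejected a stored (stale) credential
        *"lookup ghcr.io"*"i/o timeout"*)
            echo "dns-or-egress" ;;     # ghcr.io cannot be resolved: DNS or outbound filtering
        *"context deadline exceeded"*)
            echo "timeout" ;;           # scan ran longer than --timeout
        *)
            echo "unknown" ;;
    esac
}

# remediation CLASS -> prints the fix for that class. --insecure is left out on
# purpose: it disables certificate verification rather than fixing trust.
remediation() {
    case "$1" in
        untrusted-ca)  echo "Install the proxy/registry CA in the trust store, or mount /etc/ssl/certs into the trivy container; allowlist ghcr.io and pkg-containers.githubusercontent.com" ;;
        registry-auth) echo "Run 'docker logout ghcr.io' to drop a stale token, then re-authenticate if needed" ;;
        dns-or-egress) echo "Check DNS resolution and outbound HTTPS access to ghcr.io" ;;
        timeout)       echo "Raise --timeout (e.g. --timeout 60m0s)" ;;
        *)             echo "Re-run with --debug and read the full error chain" ;;
    esac
}

# trivy_with_host_ca_cmd IMAGE -> prints the docker command that runs the public
# trivy image with the host CA bundle mounted read-only (the CA-mount workaround
# from the thread). Assumed: the host bundle lives at /etc/ssl/certs and
# aquasec/trivy is the image used.
trivy_with_host_ca_cmd() {
    echo "docker run --rm -v /etc/ssl/certs:/etc/ssl/certs:ro aquasec/trivy image $1"
}

# Constructed sample lines, modelled on the error messages quoted in the thread.
SAMPLE_X509='FATAL DB error: failed to download vulnerability DB: OCI repository error: Get "https://ghcr.io/v2/": x509: certificate signed by unknown authority'
SAMPLE_DENIED='GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied'
SAMPLE_DNS='Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout'
SAMPLE_TIMEOUT='scan config error: misconfPostHandler.Handle: context deadline exceeded'

# triage_all -> one "class<TAB>remediation" line per sample.
triage_all() {
    for msg in "$SAMPLE_X509" "$SAMPLE_DENIED" "$SAMPLE_DNS" "$SAMPLE_TIMEOUT"; do
        cls=$(classify_trivy_error "$msg")
        printf '%s\t%s\n' "$cls" "$(remediation "$cls")"
    done
}

triage_all
echo "CA-mount workaround: $(trivy_with_host_ca_cmd alpine:3.16)"
```

Pipe a real trivy --debug run into classify_trivy_error (for example, `classify_trivy_error "$(trivy --debug image alpine:3.16 2>&1 | tail -n 1)"`) to get the class for your own failure. Note that the "untrusted-ca" case is the only one --insecure would paper over, and it does so by trusting any certificate; mounting the CA bundle keeps verification on while still letting the public image reach a private registry.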

@iSeiryu

iSeiryu commented Nov 28, 2022

A subsequent run causes it to download the DB again...why?
