Image scan error: open analyzer-fs permission denied #6373

Closed
2 tasks done
DmitriyLewen opened this issue Mar 22, 2024 Discussed in #6076 · 0 comments · Fixed by #6386
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Contributor

Discussed in #6076

Originally posted by d-t-w February 7, 2024

Description

Container scan fails with a permissions issue related to internal trivy directories:

> trivy --debug image factorhouse/kpow-ee:92.3
..
open /var/folders/sy/5ps2fmdj7t9bg8zbwvc3k27w0000gn/T/analyzer-fs-1955605263/file-2599813741: permission denied

Background

We push containers to ArtifactHub who scan them with trivy.

On 19/05/23 our containers (including historic ones that had previously scanned just fine) started to fail with this 'permission denied' error. See: artifacthub/hub#3152

Our container is fairly simple, it just contains a Java JAR file and little else.

Further, I find that if I scan very old versions of our container they work, up to version 73.

trivy --debug image operatr/kpow:73

operatr/kpow:73 (amazon 2 (Karoo))
==================================
Total: 507 (UNKNOWN: 0, LOW: 18, MEDIUM: 270, HIGH: 196, CRITICAL: 23)

From version 74 they fail.

trivy --debug image operatr/kpow:74
...
open /var/folders/sy/5ps2fmdj7t9bg8zbwvc3k27w0000gn/T/analyzer-fs-3664091650/file-4117161213: permission denied

There is no significant difference in the Dockerfile between v73 and v74.

Note: ArtifactHub very happily scanned version 74+ until they presumably updated their trivy dependency.

Related issues:

These are not my project, but appear to be the same root cause.

goharbor/harbor#18824
goharbor/harbor#19405

Desired Behavior

I expect trivy to scan the container successfully (as it has previously done).

Actual Behavior

Trivy no longer scans the container correctly.

Reproduction Steps

1. Scan any Kpow container from v74+
2. Observe output

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

❯ trivy --debug image factorhouse/kpow-ee:92.3
2024-02-07T16:35:56.844+1100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-07T16:35:56.844+1100	DEBUG	Ignore statuses	{"statuses": null}
2024-02-07T16:35:56.884+1100	DEBUG	cache dir:  /Users/derek/Library/Caches/trivy
2024-02-07T16:35:56.884+1100	DEBUG	DB update was skipped because the local DB is the latest
2024-02-07T16:35:56.884+1100	DEBUG	DB Schema: 2, UpdatedAt: 2024-02-07 00:17:20.624621944 +0000 UTC, NextUpdate: 2024-02-07 06:17:20.624621574 +0000 UTC, DownloadedAt: 2024-02-07 04:58:07.290152 +0000 UTC
2024-02-07T16:35:56.884+1100	INFO	Vulnerability scanning is enabled
2024-02-07T16:35:56.884+1100	DEBUG	Vulnerability type:  [os library]
2024-02-07T16:35:56.884+1100	INFO	Secret scanning is enabled
2024-02-07T16:35:56.884+1100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-07T16:35:56.884+1100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-07T16:35:56.884+1100	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-07T16:35:56.895+1100	DEBUG	No secret config detected: trivy-secret.yaml
2024-02-07T16:35:56.895+1100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-07T16:35:56.895+1100	DEBUG	No secret config detected: trivy-secret.yaml
2024-02-07T16:35:56.895+1100	DEBUG	Image ID: sha256:678e4e9055aac7e38a84f1382e1f731ffaec1dc395dbc502690d4ac46ca97ff9
2024-02-07T16:35:56.895+1100	DEBUG	Diff IDs: [sha256:7b4c2da934115ede0bc3410d05bb16a7244cc87af9f25be60dc246970174358a sha256:a85839ad5057e51ecd43240ba701a3411229a5a2c2a0b3ea5ced562518274d09 sha256:f62c311f29be7f58a8fa2f46364a4ca117a3e77d60a13f4031a7206bf95a17ac sha256:33bb96d2184bdac8c797036966ca47543a37bb606fd1f7ecbae6f550f5a784fc]
2024-02-07T16:35:56.895+1100	DEBUG	Base Layers: [sha256:7b4c2da934115ede0bc3410d05bb16a7244cc87af9f25be60dc246970174358a]
2024-02-07T16:35:56.907+1100	DEBUG	Missing image ID in cache: sha256:678e4e9055aac7e38a84f1382e1f731ffaec1dc395dbc502690d4ac46ca97ff9
2024-02-07T16:35:56.907+1100	DEBUG	Missing diff ID in cache: sha256:33bb96d2184bdac8c797036966ca47543a37bb606fd1f7ecbae6f550f5a784fc
2024-02-07T16:36:00.661+1100	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:425
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:706
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:126
  - pipeline error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:229
  - failed to analyze layer (sha256:33bb96d2184bdac8c797036966ca47543a37bb606fd1f7ecbae6f550f5a784fc):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:216
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:298
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:496
  - walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:74
  - file open error:
    github.com/aquasecurity/trivy/pkg/parallel.walk[...]
        /home/runner/work/trivy/trivy/pkg/parallel/walk.go:94
  - open /var/folders/sy/5ps2fmdj7t9bg8zbwvc3k27w0000gn/T/analyzer-fs-1193466270/file-1946701379: permission denied

Operating System

macOS Monterey

Version

trivy --version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-07 00:17:20.624621944 +0000 UTC
  NextUpdate: 2024-02-07 06:17:20.624621574 +0000 UTC
  DownloadedAt: 2024-02-07 04:58:07.290152 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-06 00:43:50.236466389 +0000 UTC
  NextUpdate: 2024-02-09 00:43:50.236466208 +0000 UTC
  DownloadedAt: 2024-02-07 00:13:00.720032 +0000 UTC

Checklist
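The trace above ends in the JAR post-analysis walk failing to open a file that the scanner itself materialised under a temporary analyzer-fs directory. The Go example below is added here and is not Trivy's code; it assumes (the issue does not state the root cause) that such a temp file inherits the mode declared in the layer header, so an entry marked 0000 becomes unreadable to the scanning user, and it shows the defensive alternative of always creating scratch copies 0600. The denial only surfaces when the process is not root.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// writeToScratch materialises one layer entry (bytes plus the mode its header
// declared) under dstDir. normalize=false keeps srcMode (assumed cause of the
// unreadable analyzer-fs files); normalize=true always creates the file 0600.
func writeToScratch(dstDir, name string, content []byte, srcMode fs.FileMode, normalize bool) (string, error) {
	mode := srcMode.Perm()
	if normalize {
		mode = 0o600
	}
	dst := filepath.Join(dstDir, name)
	f, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(content)
	return dst, err
}

// walkScratch mirrors the post-analysis walk in the trace: every regular file
// is opened for reading and the first failure aborts the whole walk.
func walkScratch(root string) error {
	return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return fmt.Errorf("file open error: %w", err)
		}
		return f.Close()
	})
}

func main() {
	for _, normalize := range []bool{false, true} {
		dir, _ := os.MkdirTemp("", "analyzer-fs-")
		writeToScratch(dir, "file-1", []byte("PK\x03\x04"), 0, normalize) // constructed entry, header mode 0000
		fmt.Printf("normalize=%v walk error: %v\n", normalize, walkScratch(dir))
		os.RemoveAll(dir)
	}
}
```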
