Disable library analyzer for OS only scan type #1191
Conversation
@knqyf263 any chance that you can have a look at this soon? It seems like an easy fix, but it is quite troubling for us. Thanks a lot for providing Trivy!
Allows disabling analyzers from outside. Mainly to disable the jar analyzer, which can go to the network, which may be undesired and introduce scan flakiness. But it sounds generic enough to have other uses too. Related to aquasecurity#1191 and aquasecurity#1233.
@fawind could you please sign the CLA to get this merged?
I think the CLA expires after a while. Re-signed it.
@fawind I'm sorry for the inconvenience. We recently updated our CLA. All contributors need to re-sign, and that's why you needed to sign it again.
Thanks!
Thanks for taking the time and bringing this over the line @knqyf263! Do you know if there is a timeline for the next release that will include this fix?
We plan to release it by next week. |
We are running into the issue that with the addition of JAR scanning in v0.17.0, Trivy tries to reach out to "maven.org" in order to resolve maven artifacts. This breaks running the scanner in an air-gapped environment where these requests time out (#1185, #982).
The proper solution in my opinion would be to mark analyzers that don't require network access as offline capable and add a separate offline flag that only runs those analyzers (we could start with just excluding the jar analyzer). Happy to contribute this if you agree with this approach!
As more of a workaround solution, we should also exclude programming language analyzers when only running with `--vulnType os` (and maybe vice versa, exclude OS analyzers when running with `--vulnType library`?) (list of all analyzers). This is a draft PR to start the discussion for the latter one. If you're happy with this approach I would clean this up and add some tests.
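The analyzer selection the description proposes, as an added illustration that is not Trivy's own code: analyzers carry a hypothetical `NeedsNetwork` marker, an `Offline` option drops those, and the `--vulnType` values decide whether OS or language analyzers run at all. Analyzer names and types in the sample list are constructed for the example.

```go
package main

import "fmt"

// AnalyzerInfo is a hypothetical descriptor for one analyzer (not Trivy's type).
type AnalyzerInfo struct {
	Name         string
	Language     bool // true: programming-language (library) analyzer; false: OS package analyzer
	NeedsNetwork bool // true if the analyzer may reach out, e.g. resolving artifacts remotely
}

// Options mirrors the two knobs under discussion: --vulnType values and an offline flag.
type Options struct {
	VulnTypes []string // any of "os", "library"
	Offline   bool     // when set, analyzers that need the network are skipped
}

func has(ss []string, s string) bool {
	for _, v := range ss {
		if v == s {
			return true
		}
	}
	return false
}

// SelectAnalyzers keeps only analyzers matching the requested vuln types and,
// in offline mode, only those marked as not needing the network.
func SelectAnalyzers(all []AnalyzerInfo, opts Options) []AnalyzerInfo {
	wantOS, wantLib := has(opts.VulnTypes, "os"), has(opts.VulnTypes, "library")
	var out []AnalyzerInfo
	for _, a := range all {
		if (a.Language && !wantLib) || (!a.Language && !wantOS) {
			continue // analyzer family not requested via --vulnType
		}
		if opts.Offline && a.NeedsNetwork {
			continue // would time out in an air-gapped environment
		}
		out = append(out, a)
	}
	return out
}

// SampleAnalyzers is a constructed registry used by the demo and the test.
func SampleAnalyzers() []AnalyzerInfo {
	return []AnalyzerInfo{
		{Name: "alpine"}, {Name: "debian"},
		{Name: "jar", Language: true, NeedsNetwork: true},
		{Name: "npm", Language: true},
	}
}

func Names(as []AnalyzerInfo) []string {
	var n []string
	for _, a := range as {
		n = append(n, a.Name)
	}
	return n
}

func main() {
	fmt.Println(Names(SelectAnalyzers(SampleAnalyzers(), Options{VulnTypes: []string{"os"}})))
	fmt.Println(Names(SelectAnalyzers(SampleAnalyzers(), Options{VulnTypes: []string{"os", "library"}, Offline: true})))
}
```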