vulnerability-db
Exception when running inside a container
When running the VDB inside a Docker container (through depscan
image), we got the following exception:
Performing regular scan for / using plugin bom
Traceback (most recent call last):
File "/usr/local/bin/depscan", line 8, in <module>
sys.exit(main())
^^^^^^
File "/opt/dep-scan/depscan/cli.py", line 1032, in main
vdb_results, pkg_aliases, sug_version_dict, purl_aliases = scan(
^^^^^
File "/opt/dep-scan/depscan/cli.py", line 318, in scan
results, pkg_aliases, purl_aliases = utils.search_pkgs(
^^^^^^^^^^^^^^^^^^
File "/opt/dep-scan/depscan/lib/utils.py", line 242, in search_pkgs
raw_results = db_lib.pkg_bulk_search(db, quick_res)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/vdb/lib/db.py", line 307, in pkg_bulk_search
datas = storage.stream_bulk_search(pkg_key_list, _key_func, db_file=db["db_file"])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/vdb/lib/storage.py", line 93, in stream_bulk_search
fp.seek(int(store_pos))
OSError: [Errno 25] Inappropriate ioctl for device
For now, this is not being reproduced on Linux but only on macOS.
@bh86 may be a permission issue. Can you set the environment variable VDB_HOME to a directory that is accessible via the volume mount? E.g.:
docker run -v /tmp:/tmp -e VDB_HOME=/tmp
Thanks @prabhu. I'm mounting the directory:
docker run -v /opt/data/vdb:/vdb:rw -t ghcr.io/owasp-dep-scan/dep-scan:v5.0.1 -e VDB_HOME=/vdb
I haven't changed this for a long time; it just stopped working a few weeks ago. Even older images I had locally (such as version 4.3.2), which used to work, are not working anymore after I deleted their images locally and pulled a new image.
@bh86, I am unable to replicate this on my mac. Did anything else change in your machine?
It happens on other macs as well. I'm putting the full docker run command, maybe it's related:
docker run -v "/some-output-dir":/output:rw -v /opt/data/vdb:/vdb:rw -e VDB_HOME=/vdb -e SCAN_DEBUG_MODE=true -e NVD_START_YEAR=2014 -t ghcr.io/owasp-dep-scan/dep-scan:v5.0.1 --bom "/output/sbon.vex.json --reports-dir /output/reports --no-suggest --no-banner"
@bh86, can you try -it instead of just -t? On my mac, it works with or without the -i. Is there any EDR tool or security feature enabled in all the macs tested?
I'm sorry but I forgot to mention something important - I'm running the docker from nodeJS :-;
I'm using spawn to run Docker, so this is probably related.
I've tried with -it (and all possible combinations) - still got the errors :-(
Something like:
const { spawn } = require('child_process'); // import the snippet relied on
const runCommand = `run -v "/some-output-dir":/output:rw -v /opt/data/vdb:/vdb:rw -e VDB_HOME=/vdb -e SCAN_DEBUG_MODE=true -e NVD_START_YEAR=2014 -t ghcr.io/owasp-dep-scan/dep-scan:v5.0.1 --bom "/output/sbon.vex.json" --reports-dir /output/reports --no-suggest --no-banner`;
const args = runCommand.split(' ');
// Named `child` rather than `process`: a `const process` shadows the global,
// so `process.cwd()` inside its own initializer throws a ReferenceError.
const child = spawn('docker', args, {
  shell: true,
  cwd: process.cwd(),
});
child.stdout?.on('data', (data) => {});
child.stderr?.on('data', (data) => {});
child.on('exit', (code) => {});
Thank you for your help!
Maybe try stdio: 'pipe' or inherit with spawn? Or use a bash script and invoke that from node directly.
Thanks! We will look into this, but I think it's still worth supporting a non-interactive mode. It used to work a few weeks ago, so maybe something changed in one of the previous versions.
@bh86, interesting. Let's keep this issue open since I'm not sure what changed in the dockerfile to cause this issue.