trivy
download-db stalled when using PROXY and TRIVY_INSECURE=true
Description
Trivy is unable to download trivy-db when we set PROXY and TRIVY_INSECURE=true in the environment variables.
What did you expect to happen?
Be able to download the DB whether TRIVY_INSECURE is set to true or false.
What happened instead?
download-db stalled when using PROXY and TRIVY_INSECURE=true
Output of run with --debug:
export HTTP_PROXY=http://proxy.xxxxx:3128
export HTTPS_PROXY=http://proxy.xxxxx:3128
** SUCCESS **
TRIVY_INSECURE=false trivy --debug image --download-db-only --db-repository ghcr.io/aquasecurity/trivy-db
2022-07-05T06:12:31.540Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-07-05T06:12:31.549Z DEBUG cache dir: /root/.cache/trivy
2022-07-05T06:12:31.549Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-07-05T06:12:31.549Z INFO Need to update DB
2022-07-05T06:12:31.549Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-05T06:12:31.549Z INFO Downloading DB...
2022-07-05T06:12:31.549Z DEBUG no metadata file
32.83 MiB / 32.83 MiB [-------------------------------------------------------------------------------------------------------------------------------] 100.00% 24.74 MiB p/s 1.5s
** FAILED **
TRIVY_INSECURE=true trivy --debug image --download-db-only --db-repository ghcr.io/aquasecurity/trivy-db
2022-07-05T06:13:08.877Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-07-05T06:13:08.881Z DEBUG cache dir: /root/.cache/trivy
2022-07-05T06:13:08.881Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-07-05T06:13:08.881Z INFO Need to update DB
2022-07-05T06:13:08.881Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-05T06:13:08.881Z INFO Downloading DB...
2022-07-05T06:13:08.881Z DEBUG no metadata file
2022-07-05T06:24:03.482Z FATAL init error:
github.com/aquasecurity/trivy/pkg/commands/artifact.run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:347
- DB error:
github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
- failed to download vulnerability DB:
github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
/home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:114
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).Download
/home/runner/work/trivy/trivy/pkg/db/db.go:153
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).populateOCIArtifact
/home/runner/work/trivy/trivy/pkg/db/db.go:190
- OCI repository error:
github.com/aquasecurity/trivy/pkg/oci.NewArtifact
/home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
- Get "https://ghcr.io/v2/": dial tcp 140.82.121.34:443: connect: connection timed out
Output of trivy -v:
Version: 0.29.1
I can confirm that proxy settings are ignored when --insecure is on.
We're behind a corporate proxy and I'm testing Trivy on our test GitLab instance, which uses a self-signed certificate for HTTPS. I use http_proxy and https_proxy environment variables. The problem is:
- if I don't use "--insecure", Trivy successfully downloads its database but can't connect to my GitLab instance, which is expected
- if I do use "--insecure", Trivy can benefit from a previously downloaded DB but fails to download a new version, with this message:
[cloudadm@gitlab-tools-01 ~]$ trivy -d repository https://my.host/my-silly-repo.git --insecure
2022-07-26T14:39:54.904+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-07-26T14:39:54.907+0200 DEBUG cache dir: /home/cloudadm/.cache/trivy
2022-07-26T14:39:54.907+0200 DEBUG There is no valid metadata file: unable to open a file: open /home/cloudadm/.cache/trivy/db/metadata.json: no such file or directory
2022-07-26T14:39:54.907+0200 INFO Need to update DB
2022-07-26T14:39:54.907+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-26T14:39:54.907+0200 INFO Downloading DB...
2022-07-26T14:39:54.907+0200 DEBUG no metadata file
2022-07-26T14:39:54.913+0200 FATAL init error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:359
- DB error:
github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:118
- failed to download vulnerability DB:
github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
/home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).Download
/home/runner/work/trivy/trivy/pkg/db/db.go:153
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).populateOCIArtifact
/home/runner/work/trivy/trivy/pkg/db/db.go:190
- OCI repository error:
github.com/aquasecurity/trivy/pkg/oci.NewArtifact
/home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
- Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io on 10.156.32.33:53: no such host
The "no such host" message shows that instead of using the http proxy to download the DB, it tries a direct download which won't work because our DNS doesn't resolve external names. But without the "--insecure" option, the database download works fine and uses my proxy settings.
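The symptom above (a direct dial to ghcr.io once --insecure is set, while the proxy is honoured without it) is what you get in Go when a client builds a fresh http.Transport just to set InsecureSkipVerify: the zero-value Transport has a nil Proxy field, so HTTP_PROXY/HTTPS_PROXY are never consulted. The following is an added example, not Trivy's own code and not taken from the linked fix; it assumes this mechanism as the cause and contrasts the proxy-dropping pattern with one that clones http.DefaultTransport (which carries Proxy: http.ProxyFromEnvironment) and overrides only the TLS setting. The proxy URL and target are constructed values.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"os"
)

// naiveTransport is the pattern that loses proxy settings: a brand-new
// Transport with only TLSClientConfig set has Proxy == nil, so the client
// dials the registry directly and ignores HTTP_PROXY / HTTPS_PROXY.
func naiveTransport(insecure bool) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
	}
}

// fixedTransport starts from a clone of http.DefaultTransport, which already
// has Proxy set to http.ProxyFromEnvironment plus sane dial/idle timeouts,
// and only overrides the TLS verification setting.
func fixedTransport(insecure bool) *http.Transport {
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.TLSClientConfig = &tls.Config{InsecureSkipVerify: insecure}
	return t
}

// proxyFor reports which proxy URL the transport would use for target,
// or "" when it would connect directly. This is the check to run before
// shipping a custom transport: a direct connection here means the
// environment proxy configuration is being ignored.
func proxyFor(t *http.Transport, target string) (string, error) {
	if t.Proxy == nil {
		return "", nil // no proxy function at all: always a direct dial
	}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	u, err := t.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	// Constructed proxy setting for the demonstration.
	os.Setenv("HTTPS_PROXY", "http://proxy.example:3128")
	target := "https://ghcr.io/v2/"
	for name, t := range map[string]*http.Transport{
		"naive": naiveTransport(true),
		"fixed": fixedTransport(true),
	} {
		p, err := proxyFor(t, target)
		fmt.Printf("%s transport: proxy=%q err=%v\n", name, p, err)
	}
}
```

Running it prints an empty proxy for the naive transport and http://proxy.example:3128 for the fixed one. Note that http.ProxyFromEnvironment reads the proxy variables once per process, so the environment must be set before the first request is built, which is also why changing the variables at runtime does not take effect.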
See the same issue with version 0.30.4
2022-08-08T09:12:57.391+0200 INFO Need to update DB
2022-08-08T09:12:57.391+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-08-08T09:12:57.[39]+0200 INFO Downloading DB...
2022-08-08T09:12:57.445+0200 FATAL init error: DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get "https://ghcr.io/v2/": dial tcp 140.82.121.33:443: connect: connection refused
This bug still occurs with version 0.35.0
Fixed in https://github.com/aquasecurity/trivy/pull/3435