Cache fills to capacity then fails

Open zfLQ2qx2 opened this issue 2 years ago • 3 comments

Description

Using trivy as a service with a redis backing, it appears that nothing ever clears data from redis. It continued to fill until it hit 100% at which point scans started failing. To remediate I had to connect to redis with the cli and run FLUSHALL. trivy image -c --server x.y.z gave an error.

What did you expect to happen?

I had expected data to fall out of redis over time, perhaps driven by database updates which would invalidate the value of a scan done against an older database.

What happened instead?

Redis filled over several months until it hit 100% and started failing.

Output of run with -debug:

Output of trivy -v:

Varies, local copy is 0.28.1, service runs whatever was current three days ago.

zfLQ2qx2 avatar Aug 09 '22 18:08 zfLQ2qx2

It doesn't look like Trivy sets any expiration on the redis keys. Redis doesn't keep track of when keys are created but does keep track of when they were last accessed. Two potential solutions outside of Trivy are 1) set an eviction policy of allkeys-lru and 2) have a periodic job to iterate the keys and remove the ones that have not been accessed recently.

zfLQ2qx2 avatar Aug 11 '22 00:08 zfLQ2qx2

Do you use the --cache-ttl flag? With that flag all the keys in my redis server have a TTL.

  • redis server 7.0.4
  • trivy (client/server mode) 0.30.4

elchenberg avatar Aug 31 '22 13:08 elchenberg
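The periodic sweep proposed two comments up, combined with the TTL check from the comment above, as an added example (not code from the issue or from Trivy): it lists cache keys that carry no TTL, which is what a server run without `--cache-ttl` leaves behind, and deletes keys idle longer than a threshold using Redis's OBJECT IDLETIME, since Redis records last access but not creation time. The `client` argument is assumed to expose the redis-py calls used (`scan_iter`, `ttl`, `object`, `delete`); `FakeRedis` and the `cache:*` key names are constructed stand-ins so the script runs offline.

```python
import fnmatch


def sweep_cache(client, pattern="*", max_idle_seconds=7 * 24 * 3600, dry_run=True):
    """Return (keys_without_ttl, idle_keys) among keys matching `pattern`.

    With dry_run=False the idle keys are deleted. Works against a redis-py
    client; the wire calls are SCAN, TTL, OBJECT IDLETIME and DEL.
    """
    no_ttl, idle_keys = [], []
    for key in client.scan_iter(match=pattern):
        if client.ttl(key) == -1:                 # -1: exists, never expires
            no_ttl.append(key)
        idle = client.object("idletime", key)     # seconds since last access
        if idle is not None and idle > max_idle_seconds:
            idle_keys.append(key)
            if not dry_run:
                client.delete(key)
    return no_ttl, idle_keys


class FakeRedis:
    """Constructed in-memory stand-in: {key: (ttl_seconds, idle_seconds)}."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def scan_iter(self, match="*"):
        return [k for k in list(self.entries) if fnmatch.fnmatch(k, match)]

    def ttl(self, key):
        return self.entries[key][0]

    def object(self, infotype, key):
        return self.entries[key][1] if infotype == "idletime" else None

    def delete(self, *keys):
        return sum(self.entries.pop(k, None) is not None for k in keys)


# Constructed sample; key names are placeholders, not Trivy's real key format.
SAMPLE = {
    "cache:scan-ttl:alpine":  (3600, 120),         # has TTL, recently read
    "cache:scan-nottl:old":   (-1, 40 * 86400),    # no TTL, idle 40 days
    "cache:scan-nottl:fresh": (-1, 30),            # no TTL, recently read
}

if __name__ == "__main__":
    r = FakeRedis(SAMPLE)
    stale, idle = sweep_cache(r, "cache:*", max_idle_seconds=30 * 86400, dry_run=False)
    print("keys without TTL:", stale)
    print("deleted as idle:", idle)
```

Run the real thing with `dry_run=True` first against `redis.Redis(...)` to see what would go; SCAN is used rather than KEYS so the sweep does not block the server on a large cache.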

I was not aware of that flag, will try adding it

zfLQ2qx2 avatar Sep 06 '22 18:09 zfLQ2qx2

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Nov 27 '22 00:11 github-actions[bot]