trivy
Trying to scan a micro native image failed
Description
I have followed the instructions on quarkus.io to build a native image from my Quarkus Java program (for demonstration, the getting-started works well). When I want to scan the image with trivy I fail.
$ trivy image quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT
2022-08-10T11:53:49.537+0200 INFO Need to update DB
2022-08-10T11:53:49.537+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-08-10T11:53:49.537+0200 INFO Downloading DB...
33.58 MiB / 33.58 MiB [------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3.58 MiB p/s 9.6s
2022-08-10T11:54:00.097+0200 INFO Vulnerability scanning is enabled
2022-08-10T11:54:00.097+0200 INFO Secret scanning is enabled
2022-08-10T11:54:00.097+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-10T11:54:00.097+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-10T11:54:00.968+0200 FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
* unable to inspect the image (quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* unable to initialize Podman client: no podman socket found: stat /mnt/wslg/runtime-dir/podman/podman.sock: no such file or directory
* containerd socket not found: /run/containerd/containerd.sock
* GET https://quay.io/v2/tofuatwork/quarkus-getting-started/manifests/1.0.0-SNAPHOT: MANIFEST_UNKNOWN: manifest unknown; map[]
I have podman installed on this machine but no socket/daemon running. That should not be necessary, as far as I know.
$ podman -v
podman version 3.4.4
However, what I have tried already:
- scanning the base-image
$ trivy image quay.io/quarkus/quarkus-micro-image:1.0
2022-08-10T11:59:22.561+0200 INFO Vulnerability scanning is enabled
2022-08-10T11:59:22.561+0200 INFO Secret scanning is enabled
2022-08-10T11:59:22.561+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-10T11:59:22.561+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-10T11:59:26.558+0200 INFO Detected OS: redhat
2022-08-10T11:59:26.558+0200 INFO Detecting RHEL/CentOS vulnerabilities...
2022-08-10T11:59:26.564+0200 INFO Number of language-specific files: 0
quay.io/quarkus/quarkus-micro-image:1.0 (redhat 8.6)
Total: 11 (UNKNOWN: 0, LOW: 6, MEDIUM: 5, HIGH: 0, CRITICAL: 0)
works well
- scanning a non-native image. Just compiled the Java code and built an image with Quarkus
$ trivy image quay.io/tofuatwork/quarkus-getting-started:0.0.1
2022-08-10T11:54:49.829+0200 INFO Vulnerability scanning is enabled
2022-08-10T11:54:49.830+0200 INFO Secret scanning is enabled
2022-08-10T11:54:49.830+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-10T11:54:49.830+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-10T11:54:50.962+0200 INFO Detected OS: redhat
2022-08-10T11:54:50.962+0200 INFO Detecting RHEL/CentOS vulnerabilities...
2022-08-10T11:54:51.018+0200 INFO Number of language-specific files: 1
2022-08-10T11:54:51.018+0200 INFO Detecting jar vulnerabilities...
quay.io/tofuatwork/quarkus-getting-started:0.0.1 (redhat 8.6)
Total: 86 (UNKNOWN: 0, LOW: 39, MEDIUM: 47, HIGH: 0, CRITICAL: 0)
also works
What did you expect to happen?
I expect a scan result different from the non-native build but similar to the scan result of the base image
What happened instead?
FATAL image scan error: scan error: unable to initialize a scanner:
Output of run with -debug:
$ trivy image --debug quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT
2022-08-10T12:04:36.620+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-10T12:04:36.629+0200 DEBUG cache dir: /home/xxx/.cache/trivy
2022-08-10T12:04:36.629+0200 DEBUG DB update was skipped because the local DB is the latest
2022-08-10T12:04:36.629+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-08-10 06:07:38.799610099 +0000 UTC, NextUpdate: 2022-08-10 12:07:38.799609599 +0000 UTC, DownloadedAt: 2022-08-10 09:54:00.096881755 +0000 UTC
2022-08-10T12:04:36.629+0200 INFO Vulnerability scanning is enabled
2022-08-10T12:04:36.629+0200 DEBUG Vulnerability type: [os library]
2022-08-10T12:04:36.629+0200 INFO Secret scanning is enabled
2022-08-10T12:04:36.629+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-10T12:04:36.629+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-10T12:04:37.479+0200 FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:367
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:227
- unable to initialize a scanner:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:525
- unable to initialize a docker scanner:
github.com/aquasecurity/trivy/pkg/commands/artifact.imageStandaloneScanner
/home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:22
- 4 errors occurred:
* unable to inspect the image (quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* unable to initialize Podman client: no podman socket found: stat /mnt/wslg/runtime-dir/podman/podman.sock: no such file or directory
* containerd socket not found: /run/containerd/containerd.sock
* GET https://quay.io/v2/tofuatwork/quarkus-getting-started/manifests/1.0.0-SNAPHOT: MANIFEST_UNKNOWN: manifest unknown; map[]
Output of trivy -v:
I'm using the latest trivy at this time on an Ubuntu 22.04 LTS WSL2
$ trivy -v
Version: 0.30.4
Vulnerability DB:
Version: 2
UpdatedAt: 2022-08-10 06:07:38.799610099 +0000 UTC
NextUpdate: 2022-08-10 12:07:38.799609599 +0000 UTC
DownloadedAt: 2022-08-10 09:54:00.096881755 +0000 UTC
Additional details (base image name, container registry info...):
To easily reproduce the issue I have published both images to quay.io in a public repository https://quay.io/repository/tofuatwork/quarkus-getting-started. Tag 1.0.0-SNAPSHOT will be the native image; tag 0.0.1 will be the "normal" Java-based image.
Thanks for your help
Thomas
Hello @tofuatjava Thanks for your report!
Your scan target for 1.0.0-SNAPSHOT has a typo (missing S in "SNAPSHOT"):
trivy image --debug quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT
Trivy works correctly with this image.
➜ trivy image quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPSHOT
2022-08-17T12:11:40.310+0600 INFO Vulnerability scanning is enabled
2022-08-17T12:11:40.311+0600 INFO Secret scanning is enabled
2022-08-17T12:11:40.311+0600 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-17T12:11:40.311+0600 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-17T12:11:41.918+0600 INFO Detected OS: redhat
2022-08-17T12:11:41.918+0600 INFO Detecting RHEL/CentOS vulnerabilities...
2022-08-17T12:11:41.921+0600 INFO Number of language-specific files: 0
quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPSHOT (redhat 8.6)
Total: 11 (UNKNOWN: 0, LOW: 6, MEDIUM: 5, HIGH: 0, CRITICAL: 0)
I close this issue. Feel free to reopen this issue if you still have a problem.
Best Regards, Dmitriy
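The four-error list above is Trivy's fallback chain: it tries the Docker, Podman and containerd sockets in turn and only then the remote registry, so on a machine without a container daemon the first three errors are expected noise and the last one (MANIFEST_UNKNOWN from quay.io) is the real cause. The following pre-flight check, an added example that is not part of the Trivy project or of this thread, isolates that registry step: it parses the image reference, requests the manifest from the registry's v2 API (doing the anonymous bearer-token dance on 401, as public registries require) and reports the distribution-spec error code instead of a wall of socket errors. The sample error body is constructed from the message Trivy printed; everything except check_tag() runs offline.

```python
"""Pre-flight check: does the tag I am about to hand to `trivy image` exist?

Added example, not Trivy's own code. Only check_tag() touches the network.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Manifest media types a registry may return; asked for so the request
# matches what an image client sends and is not rejected as a v1 request.
MANIFEST_TYPES = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])

# Constructed sample: the JSON that quay.io returns for an unknown tag. Trivy's
# registry client renders it as "MANIFEST_UNKNOWN: manifest unknown; map[]".
CONSTRUCTED_MANIFEST_UNKNOWN = json.dumps(
    {"errors": [{"code": "MANIFEST_UNKNOWN", "message": "manifest unknown", "detail": {}}]}
)


def parse_reference(ref):
    """Split 'registry/repo:tag' or 'registry/repo@digest' into (registry, repo, tag).

    Same rule as Docker: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the image lives on
    docker.io, and single-name repos are under library/. Missing tag -> latest.
    """
    if "@" in ref:
        name, _, tag = ref.partition("@")
    else:
        slash, colon = ref.rfind("/"), ref.rfind(":")
        if colon > slash:  # a ':' after the last '/' is the tag separator
            name, tag = ref[:colon], ref[colon + 1:]
        else:
            name, tag = ref, "latest"
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        return first, "/".join(parts[1:]), tag
    return "registry-1.docker.io", (name if "/" in name else "library/" + name), tag


def manifest_url(registry, repo, tag):
    """Distribution API v2 manifest endpoint, the URL Trivy's last error shows."""
    return f"https://{registry}/v2/{repo}/manifests/{tag}"


def parse_www_authenticate(header):
    """'Bearer realm="...",service="...",scope="..."' -> dict, or None if not Bearer."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def registry_error_code(body):
    """First error code from a distribution-spec error body, or None if it is not one."""
    try:
        errors = json.loads(body).get("errors") or []
    except (ValueError, AttributeError):
        return None
    return errors[0].get("code") if errors else None


def _get(url, headers):
    """GET returning (status, headers, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.headers, exc.read()


def check_tag(ref):
    """Return (True, digest) if the manifest exists, else (False, error code or HTTP status)."""
    url = manifest_url(*parse_reference(ref))
    headers = {"Accept": MANIFEST_TYPES}
    status, resp_headers, body = _get(url, headers)
    if status == 401:  # anonymous pull token, the normal path for public repos
        chal = parse_www_authenticate(resp_headers.get("WWW-Authenticate", ""))
        if chal and "realm" in chal:
            query = urllib.parse.urlencode({k: v for k, v in chal.items() if k != "realm"})
            tstatus, _, tbody = _get(f"{chal['realm']}?{query}", {})
            if tstatus == 200:
                tok = json.loads(tbody)
                headers["Authorization"] = "Bearer " + (tok.get("token") or tok.get("access_token", ""))
                status, resp_headers, body = _get(url, headers)
    if status == 200:
        return True, resp_headers.get("Docker-Content-Digest", "ok")
    return False, registry_error_code(body) or f"HTTP {status}"


if __name__ == "__main__":
    failures = 0
    for image in sys.argv[1:] or ["quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT"]:
        ok, detail = check_tag(image)
        print("OK  " if ok else "FAIL", image, detail)
        failures += 0 if ok else 1
    sys.exit(1 if failures else 0)
```

Run it with the exact reference you are about to pass to `trivy image`; a MANIFEST_UNKNOWN answer means the tag (or its spelling) is wrong on the registry side, and no local socket would have helped. The same check can be done with `skopeo inspect docker://<ref>` where skopeo is installed.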
Oh man, damn it. Sorry and thank you for your investigations.