
Secret scanning doesn't handle long lines of code

Open philnichol opened this issue 2 years ago • 1 comments

Description

We have a specific image which is returning a massive response and causing Trivy server to use a large amount of memory (currently being OOMKilled with 2GB memory). If running locally and directing the output to a file you can see the file is ~160Mb. At a quick glance I believe the cause is that this image includes very long single lines of code containing secrets, and the secrets reporting doesn't have an upper limit on how much gets printed out here https://github.com/aquasecurity/trivy/blob/b6e394dc803c4558cb81334726ab921e3efc0bab/pkg/fanal/types/misconf.go#L46. But I could be mistaken, so apologies if that's noise.

What did you expect to happen?

Scan should return a reasonable response size and use an expected amount of memory

What happened instead?

Scan results were far larger than the image itself, and when using trivy server we had to increase the memory to allow it to work.

Output of run with -debug:

contents of the scan file omitted due to size

$ trivy image gcr.io/kubecost1/frontend:prod-1.98.0 --debug > scan
2022-11-11T10:27:09.651Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-11T10:27:09.697Z	DEBUG	cache dir:  /Users/philipnichol/Library/Caches/trivy
2022-11-11T10:27:09.699Z	DEBUG	DB update was skipped because the local DB is the latest
2022-11-11T10:27:09.700Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-11-11 06:08:20.100096581 +0000 UTC, NextUpdate: 2022-11-11 12:08:20.100096281 +0000 UTC, DownloadedAt: 2022-11-11 10:04:24.607031 +0000 UTC
2022-11-11T10:27:09.703Z	INFO	Vulnerability scanning is enabled
2022-11-11T10:27:09.703Z	DEBUG	Vulnerability type:  [os library]
2022-11-11T10:27:09.704Z	INFO	Secret scanning is enabled
2022-11-11T10:27:09.704Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-11T10:27:09.704Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-11-11T10:27:09.757Z	DEBUG	No secret config detected: trivy-secret.yaml
2022-11-11T10:27:09.757Z	DEBUG	Image ID: sha256:f39aa8cdc05a0b51a4665ba7552ee1e5d0dad05735584943476431f2f220b197
2022-11-11T10:27:09.758Z	DEBUG	Diff IDs: [sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7 sha256:b08a4d1163adbc6e4b2a6bdd2e205cd20c11739dd83a3674c6bbb2c3553c1db3 sha256:73207cd3cb1d9fb7c407fa39fb870fc498ff92daadfec1c86610c94e90800a9c sha256:e345f68ceafbdeb7ef872737560b3605cbaa20b4375973a57b40f6e8d5eee9d5 sha256:4289c38415091cdd32ee705fccfc53ef7c09267dba491dff56a00a72ea8ab8a2 sha256:f006a56faa6a174ee1f88c17823294e0fdd9e12f26ee0002a7b124876e90f92c sha256:d74c59e0489012116469b438c7174c12b4690034c78be02fcaa6f37705a3294b sha256:3dd5a45f39a2a2977cf83380e44c86dd5ea739e946240cfb09d8511e8dc0ee95 sha256:2f155525dbf69420c2968100c3de9569fe724f699f92b6bfca9b79d5c7a5ed09]
2022-11-11T10:27:09.758Z	DEBUG	Base Layers: [sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7 sha256:b08a4d1163adbc6e4b2a6bdd2e205cd20c11739dd83a3674c6bbb2c3553c1db3 sha256:73207cd3cb1d9fb7c407fa39fb870fc498ff92daadfec1c86610c94e90800a9c sha256:e345f68ceafbdeb7ef872737560b3605cbaa20b4375973a57b40f6e8d5eee9d5 sha256:4289c38415091cdd32ee705fccfc53ef7c09267dba491dff56a00a72ea8ab8a2 sha256:f006a56faa6a174ee1f88c17823294e0fdd9e12f26ee0002a7b124876e90f92c sha256:d74c59e0489012116469b438c7174c12b4690034c78be02fcaa6f37705a3294b]
2022-11-11T10:27:19.846Z	INFO	Detected OS: alpine
2022-11-11T10:27:19.846Z	INFO	Detecting Alpine vulnerabilities...
2022-11-11T10:27:19.846Z	DEBUG	alpine: os version: 3.16
2022-11-11T10:27:19.846Z	DEBUG	alpine: package repository: 3.16
2022-11-11T10:27:19.846Z	DEBUG	alpine: the number of packages: 42
2022-11-11T10:27:19.861Z	INFO	Number of language-specific files: 0
2022-11-11T10:27:19.861Z	DEBUG	Secret file: /var/www/static/js/main.91664fdf.js
2022-11-11T10:27:19.861Z	DEBUG	Secret file: /var/www/static/js/main.91664fdf.js.map

Output of trivy -v:

Version: 0.34.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-11-10 12:08:54.807012953 +0000 UTC
  NextUpdate: 2022-11-10 18:08:54.807012553 +0000 UTC
  DownloadedAt: 2022-11-10 12:34:40.351866 +0000 UTC

Additional details (base image name, container registry info...):

This command will reproduce the issue:

trivy image gcr.io/kubecost1/frontend:prod-1.98.0 --debug > scan

Thanks in advance for looking into this!

philnichol avatar Nov 11 '22 10:11 philnichol
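The failure mode described in the report, a secret hit on a minified bundle whose single line is hundreds of kilobytes long, is a report-size problem rather than a detection problem: if the scanner echoes the whole matched line, output grows with line length instead of with the number of findings. The following Go program is an added illustration of the bounding step a scanner's reporting layer can apply; it is constructed for this page and is not Trivy's code. The token pattern, the `maxExcerpt` cap and the sample input are all assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one secret match with a bounded excerpt of the line it sits on.
type Finding struct {
	Line    int    // 1-based line number
	Start   int    // byte offset of the match within the line
	Excerpt string // bounded window around the match, never the whole line
}

// maxExcerpt caps the context carried per finding (assumed value), so the
// report scales with the number of findings rather than with line length.
const maxExcerpt = 80

// ScanForSecrets runs pattern over every line of content and returns one
// Finding per match. It is a constructed stand-in for a scanner's
// match-reporting step.
func ScanForSecrets(content string, pattern *regexp.Regexp) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, loc := range pattern.FindAllStringIndex(line, -1) {
			findings = append(findings, Finding{
				Line:    i + 1,
				Start:   loc[0],
				Excerpt: boundedExcerpt(line, loc[0], loc[1], maxExcerpt),
			})
		}
	}
	return findings
}

// boundedExcerpt returns at most limit bytes of line centred on [start,end),
// marking cut ends with "...". A match that alone exceeds the limit is clipped
// too, so no single finding can inflate the report.
func boundedExcerpt(line string, start, end, limit int) string {
	if len(line) <= limit {
		return line
	}
	matchLen := end - start
	if matchLen >= limit {
		return line[start:start+limit] + "..."
	}
	pad := (limit - matchLen) / 2
	lo := start - pad
	if lo < 0 {
		lo = 0
	}
	hi := lo + limit
	if hi > len(line) {
		hi = len(line)
		lo = hi - limit
	}
	out := line[lo:hi]
	if lo > 0 {
		out = "..." + out
	}
	if hi < len(line) {
		out += "..."
	}
	return out
}

// ReportSize is the total excerpt bytes across findings: the quantity that
// grows without bound when whole lines are echoed.
func ReportSize(fs []Finding) int {
	n := 0
	for _, f := range fs {
		n += len(f.Excerpt)
	}
	return n
}

func main() {
	// Constructed input: a "minified bundle" whose one line is ~200 KB and
	// embeds a token in an assumed tok_<16 letters> shape.
	longLine := strings.Repeat("x", 100000) + "tok_abcdefghijklmnop" + strings.Repeat("y", 100000)
	pat := regexp.MustCompile(`tok_[a-z]{16}`)
	fs := ScanForSecrets(longLine, pat)
	fmt.Printf("findings=%d line_bytes=%d report_bytes=%d\n", len(fs), len(longLine), ReportSize(fs))
	fmt.Println(fs[0].Excerpt)
}
```

With the cap in place the 200 KB line yields an 86-byte excerpt (80 bytes of window plus the two "..." markers), so memory and output size are decided by how many secrets are found, not by how the bundle was minified.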

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Jan 11 '23 00:01 github-actions[bot]