Trivy stopped working from behind http proxy
Description
Since upgrading to version 0.37.2, Trivy no longer works from behind an HTTP proxy.
What did you expect to happen?
Trivy should work seamlessly from behind an http proxy
What happened instead?
Trivy hangs before scanning the image
Output of run with --debug:
$ trivy --debug image alpine:3.17.0
2023-02-10T16:59:42.816+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-10T16:59:42.817+0100 DEBUG cache dir: /home/ubuntu/.cache/trivy
2023-02-10T16:59:42.818+0100 DEBUG DB update was skipped because the local DB is the latest
2023-02-10T16:59:42.818+0100 DEBUG DB Schema: 2, UpdatedAt: 2023-02-10 12:07:56.846216503 +0000 UTC, NextUpdate: 2023-02-10 18:07:56.846216103 +0000 UTC, DownloadedAt: 2023-02-10 15:39:22.130978576 +0000 UTC
2023-02-10T16:59:42.818+0100 INFO Vulnerability scanning is enabled
2023-02-10T16:59:42.818+0100 DEBUG Vulnerability type: [os library]
2023-02-10T16:59:42.818+0100 INFO Secret scanning is enabled
2023-02-10T16:59:42.818+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-10T16:59:42.818+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
Output of trivy -v:
$ trivy -v
Version: 0.37.2
Vulnerability DB:
Version: 2
UpdatedAt: 2023-02-10 12:07:56.846216503 +0000 UTC
NextUpdate: 2023-02-10 18:07:56.846216103 +0000 UTC
DownloadedAt: 2023-02-10 15:39:22.130978576 +0000 UTC
Additional details (base image name, container registry info...):
strace shows that Trivy 0.37.2 does not use the http_proxy and https_proxy env variables:
# env | grep proxy
https_proxy=http://10.0.2.2:3128
http_proxy=http://10.0.2.2:3128
# strace -f -s 512 -e connect trivy --debug image alpine:3.17.0 2>&1 | grep -v SIGURG
strace: Process 35360 attached
strace: Process 35361 attached
strace: Process 35362 attached
strace: Process 35363 attached
strace: Process 35364 attached
strace: Process 35365 attached
strace: Process 35366 attached
strace: Process 35367 attached
strace: Process 35368 attached
strace: Process 35369 attached
2023-02-10T17:06:34.200+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-10T17:06:34.202+0100 DEBUG cache dir: /root/.cache/trivy
2023-02-10T17:06:34.202+0100 DEBUG DB update was skipped because the local DB is the latest
2023-02-10T17:06:34.203+0100 DEBUG DB Schema: 2, UpdatedAt: 2023-02-10 12:07:56.846216503 +0000 UTC, NextUpdate: 2023-02-10 18:07:56.846216103 +0000 UTC, DownloadedAt: 2023-02-10 15:47:46.966593361 +0000 UTC
2023-02-10T17:06:34.203+0100 INFO Vulnerability scanning is enabled
2023-02-10T17:06:34.203+0100 DEBUG Vulnerability type: [os library]
2023-02-10T17:06:34.203+0100 INFO Secret scanning is enabled
2023-02-10T17:06:34.204+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-10T17:06:34.204+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
[pid 35365] connect(10, {sa_family=AF_UNIX, sun_path="/var/run/docker.sock"}, 23) = 0
[pid 35361] connect(10, {sa_family=AF_UNIX, sun_path="/run/containerd/containerd.sock"}, 34) = 0
[pid 35367] connect(11, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid 35365] connect(12, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid 35365] connect(11, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("52.1.184.176")}, 16) = 0
[pid 35365] connect(11, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("34.194.164.123")}, 16) = 0
[pid 35365] connect(11, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("18.215.138.58")}, 16) = 0
[pid 35365] connect(11, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("52.1.184.176")}, 16) = -1 EINPROGRESS (Operation now in progress)
With Trivy 0.37.1, the proxy is used:
# strace -f -s 512 -e connect trivy --debug image alpine:3.17.0 2>&1 | grep -v SIGURG
strace: Process 35408 attached
strace: Process 35409 attached
strace: Process 35410 attached
strace: Process 35411 attached
strace: Process 35412 attached
strace: Process 35413 attached
strace: Process 35414 attached
strace: Process 35415 attached
strace: Process 35416 attached
strace: Process 35417 attached
2023-02-10T17:07:44.524+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-10T17:07:44.526+0100 DEBUG cache dir: /root/.cache/trivy
2023-02-10T17:07:44.526+0100 DEBUG DB update was skipped because the local DB is the latest
2023-02-10T17:07:44.527+0100 DEBUG DB Schema: 2, UpdatedAt: 2023-02-10 12:07:56.846216503 +0000 UTC, NextUpdate: 2023-02-10 18:07:56.846216103 +0000 UTC, DownloadedAt: 2023-02-10 15:47:46.966593361 +0000 UTC
2023-02-10T17:07:44.527+0100 INFO Vulnerability scanning is enabled
2023-02-10T17:07:44.527+0100 DEBUG Vulnerability type: [os library]
2023-02-10T17:07:44.527+0100 INFO Secret scanning is enabled
2023-02-10T17:07:44.527+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-10T17:07:44.528+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
[pid 35407] connect(10, {sa_family=AF_UNIX, sun_path="/var/run/docker.sock"}, 23) = 0
[pid 35409] connect(10, {sa_family=AF_UNIX, sun_path="/run/containerd/containerd.sock"}, 34) = 0
[pid 35411] connect(11, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("10.0.2.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 35409] connect(12, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("10.0.2.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
2023-02-10T17:07:45.556+0100 DEBUG No secret config detected: trivy-secret.yaml
[pid 35409] connect(13, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("10.0.2.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
2023-02-10T17:07:45.789+0100 DEBUG Image ID: sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da
2023-02-10T17:07:45.790+0100 DEBUG Diff IDs: [sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf]
2023-02-10T17:07:45.791+0100 DEBUG Base Layers: []
2023-02-10T17:07:45.791+0100 DEBUG Missing image ID in cache: sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da
2023-02-10T17:07:45.792+0100 DEBUG Missing diff ID in cache: sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf
2023-02-10T17:07:46.219+0100 DEBUG No secrets found in container image config
2023-02-10T17:07:46.220+0100 INFO Detected OS: alpine
2023-02-10T17:07:46.220+0100 INFO Detecting Alpine vulnerabilities...
2023-02-10T17:07:46.220+0100 DEBUG alpine: os version: 3.17
2023-02-10T17:07:46.220+0100 DEBUG alpine: package repository: 3.17
2023-02-10T17:07:46.220+0100 DEBUG alpine: the number of packages: 15
2023-02-10T17:07:46.221+0100 INFO Number of language-specific files: 0
alpine:3.17.0 (alpine 3.17.0)
=============================
Total: 18 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 4, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2022-3996 │ HIGH │ 3.0.7-r0 │ 3.0.7-r2 │ openssl: double locking leads to denial of service │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3996 │
│ ├───────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0286 │ │ │ 3.0.8-r0 │ There is a type confusion vulnerability relating to X.400 │
│ │ │ │ │ │ address proc ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0286 │
│ ├───────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4203 │ MEDIUM │ │ │ [openssl: X.509 Name Constraints Read Buffer Overflow] │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4203 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4304 │ │ │ │ A timing based side channel exists in the OpenSSL RSA │
│ │ │ │ │ │ Decryption imple... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4304 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4450 │ │ │ │ The function PEM_read_bio_ex() reads a PEM file from a BIO │
│ │ │ │ │ │ and parses... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4450 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0215 │ │ │ │ The public API function BIO_new_NDEF is a helper function │
│ │ │ │ │ │ used for str... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0215 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0216 │ │ │ │ An invalid pointer dereference on read can be triggered when │
│ │ │ │ │ │ an applic... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0216 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0217 │ │ │ │ An invalid pointer dereference on read can be triggered when │
│ │ │ │ │ │ an applic... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0217 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0401 │ │ │ │ A NULL pointer can be dereferenced when signatures are being │
│ │ │ │ │ │ verified ... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0401 │
├────────────┼───────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2022-3996 │ HIGH │ │ 3.0.7-r2 │ openssl: double locking leads to denial of service │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3996 │
│ ├───────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0286 │ │ │ 3.0.8-r0 │ There is a type confusion vulnerability relating to X.400 │
│ │ │ │ │ │ address proc ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0286 │
│ ├───────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4203 │ MEDIUM │ │ │ [openssl: X.509 Name Constraints Read Buffer Overflow] │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4203 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4304 │ │ │ │ A timing based side channel exists in the OpenSSL RSA │
│ │ │ │ │ │ Decryption imple... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4304 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4450 │ │ │ │ The function PEM_read_bio_ex() reads a PEM file from a BIO │
│ │ │ │ │ │ and parses... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4450 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0215 │ │ │ │ The public API function BIO_new_NDEF is a helper function │
│ │ │ │ │ │ used for str... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0215 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0216 │ │ │ │ An invalid pointer dereference on read can be triggered when │
│ │ │ │ │ │ an applic... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0216 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0217 │ │ │ │ An invalid pointer dereference on read can be triggered when │
│ │ │ │ │ │ an applic... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0217 │
│ ├───────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0401 │ │ │ │ A NULL pointer can be dereferenced when signatures are being │
│ │ │ │ │ │ verified ... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0401 │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
[pid 35411] +++ exited with 0 +++
[pid 35410] +++ exited with 0 +++
[pid 35417] +++ exited with 0 +++
[pid 35416] +++ exited with 0 +++
[pid 35414] +++ exited with 0 +++
[pid 35415] +++ exited with 0 +++
[pid 35412] +++ exited with 0 +++
[pid 35409] +++ exited with 0 +++
[pid 35408] +++ exited with 0 +++
[pid 35413] +++ exited with 0 +++
+++ exited with 0 +++
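The strace comparison in this report is a general-purpose check: if a tool honours http_proxy/https_proxy, every outbound TCP connect() in its trace should target the proxy, and any connect() to another non-loopback address is evidence that the proxy was bypassed (which, behind an egress-filtering proxy, shows up as exactly the hang described above). The script below is an added example and is not part of this issue or of the Trivy project. It wraps the same `strace -f -s 512 -e trace=connect` invocation, parses the AF_INET/AF_INET6 connect() lines, and reports direct connections; the function names (`direct_connects`, `trace_proxy_bypass`) and the sample traces are constructed here, the sample lines being copied from the 0.37.2 and 0.37.1 output in this issue. It assumes `strace` and a POSIX awk are available.

```shell
#!/bin/sh
# Added example, not code from this issue or from Trivy.
# Generalises the report's strace check: run a command under
# `strace -f -e trace=connect` and list every TCP/UDP connect() that did
# NOT go to the configured HTTP proxy. Requires strace and a POSIX awk.

# direct_connects PROXY_HOST PROXY_PORT  < strace-output
# Prints "ip:port" for each AF_INET/AF_INET6 connect() whose target is not
# the proxy. The attempt itself is the evidence, so the return value of
# connect() (0, EINPROGRESS, ECONNREFUSED, ...) is deliberately ignored.
direct_connects() {
    awk -v proxy="$1:$2" '
        /sa_family=AF_INET6?,/ {
            match($0, /htons\([0-9]+\)/)
            port = substr($0, RSTART + 6, RLENGTH - 7)
            split($0, q, "\"")        # the only quoted field on an AF_INET line is the address
            ip = q[2]
            target = ip ":" port
            if (target == proxy) next                # went via the proxy: expected
            if (ip ~ /^127\./ || ip == "::1") next   # loopback, e.g. systemd-resolved DNS on 127.0.0.53
            if (port == "9") next                    # port 9/discard returning 0 immediately: a UDP
                                                     # source-address probe, no payload leaves the host
            print target
        }'
}

# trace_proxy_bypass PROXY_HOST PROXY_PORT COMMAND [ARGS...]
# Runs COMMAND under strace and fails (exit 1) if any connect() bypassed the proxy.
trace_proxy_bypass() {
    proxy_host=$1; proxy_port=$2; shift 2
    direct=$(strace -f -s 512 -e trace=connect "$@" 2>&1 | direct_connects "$proxy_host" "$proxy_port")
    if [ -n "$direct" ]; then
        printf 'connect() calls bypassing proxy %s:%s:\n%s\n' "$proxy_host" "$proxy_port" "$direct" >&2
        return 1
    fi
    echo "all outbound connect() calls went to $proxy_host:$proxy_port" >&2
}

# Constructed sample: connect() lines copied from the 0.37.2 trace in this issue.
sample_bypass_trace() {
    cat <<'EOF'
[pid 35365] connect(10, {sa_family=AF_UNIX, sun_path="/var/run/docker.sock"}, 23) = 0
[pid 35367] connect(11, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid 35365] connect(11, {sa_family=AF_INET, sin_port=htons(9), sin_addr=inet_addr("52.1.184.176")}, 16) = 0
[pid 35365] connect(11, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("52.1.184.176")}, 16) = -1 EINPROGRESS (Operation now in progress)
EOF
}

# Constructed sample: connect() lines copied from the 0.37.1 trace, where the proxy is used.
sample_proxied_trace() {
    cat <<'EOF'
[pid 35409] connect(10, {sa_family=AF_UNIX, sun_path="/run/containerd/containerd.sock"}, 34) = 0
[pid 35411] connect(11, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("10.0.2.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 35409] connect(12, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("10.0.2.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
EOF
}

# When invoked with arguments, trace the given command, e.g.
#   sh proxycheck.sh 10.0.2.2 3128 trivy --debug image alpine:3.17.0
if [ $# -ge 3 ]; then
    trace_proxy_bypass "$@"
fi
```

On the 0.37.2 sample this prints `52.1.184.176:443` (the direct TLS connect that then hangs behind the proxy), and on the 0.37.1 sample it prints nothing. The `grep -v SIGURG` in the report is only cosmetic: the signals come from the Go runtime's preemption mechanism, and `-e trace=connect` already limits the syscalls shown. The check only sees connect() calls made by the traced process tree, so it says nothing about traffic from a separate daemon (the Docker or containerd socket calls in the trace are local).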