Nuget config issue when use Trivy scanner
Flaky installation of MSCLI Analysis nuget package.
From time to time, the installation fails.
Hi @rlachic -- I'm trying to reproduce this issue and have not been able to do so. Is there anything unique about your environment when running this that might cause it to fail? Can you share your configuration? Does it only occur when you are trying to run Trivy? The logs seem to indicate the failure occurs before MSDO even installs any tool packages.
I am having the issue inside an Azure DevOps agent, using ubuntu image pool. This is the configuration:
```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: "Frontend Security Analysis"
  inputs:
    policy: 'microsoft'
    command: 'run'
    categories: 'code, secrets, artifacts'
    languages: 'javascript,typescript'
    tools: 'trivy'
    artifactName: 'CodeAnalysisLogs'
```
Which ubuntu version are you using? I've still been unable to reproduce this despite copying your configuration. Here is the complete yaml I used that seems to work:
```yaml
pool:
  vmImage: ubuntu-latest
steps:
- task: MicrosoftSecurityDevOps@1
  displayName: "Frontend Security Analysis"
  inputs:
    policy: 'microsoft'
    command: 'run'
    categories: 'code, secrets, artifacts'
    languages: 'javascript,typescript'
    tools: 'trivy'
    artifactName: 'CodeAnalysisLogs'
```
I am using ubuntu-latest as well. It is an issue which happens from time to time, not always. Perhaps it is an issue with the agent.
However, at the moment I have seen that there is an issue where the DB used for the scanning cannot be downloaded:
```text
/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.TrivyRedist_linux_amd64.0.55.2/tools/trivy filesystem --exit-code 100 --format sarif --scanners vuln --output /home/vsts/work/1/s/.gdn/.r/trivy/001/trivy.sarif .
2024-10-15T10:21:04Z INFO [db] Need to update DB
2024-10-15T10:21:04Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T10:21:05Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:8dcb18f131bc5d8d17159f7682ebd49b2ea9c784edbb03aa87fe92927ff1d851: TOOMANYREQUESTS: retry-after: 1.146525ms, allowed: 44000/minute
```
To
Thanks in advance @chrisnielsen-MS
Came here for the same reason - Trivy has issues with the DB download. Upgrading from Trivy 0.55.2 to 0.56+ allows specifying multiple vulnerability DB options; it would be great if that was exposed as an env variable on the action.
see: https://github.com/aquasecurity/trivy/discussions/7640
We are planning an update to Trivy soon (in the next week or so) that will support the additional DB options via environment variables which should help address this.
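As an added illustration of the failure mode and the fallback described in this thread (not code from the MSDO task or from Trivy itself): a small wrapper that recognises the ghcr.io `TOOMANYREQUESTS` error in Trivy's log and reruns the scan with a list of alternate DB repositories. It assumes Trivy 0.56 or newer, where `TRIVY_DB_REPOSITORY` accepts a comma-separated repository list; the mirror names and the `TRIVY_BIN`/`FALLBACK_DB_REPOS` variables are assumptions for this example, and the MSDO task's own variable names are not given in the thread.

```shell
#!/usr/bin/env sh
# Added example: rerun Trivy with fallback DB repositories when ghcr.io rate limits
# the vulnerability DB download. Not part of the MSDO task or Trivy; mirror names
# below are assumptions, check the Trivy documentation for published mirrors.
TRIVY_BIN="${TRIVY_BIN:-trivy}"
FALLBACK_DB_REPOS="${FALLBACK_DB_REPOS:-ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2}"

# Return 0 when the captured Trivy log shows the DB download was rate limited
# (the FATAL line quoted earlier in this thread).
is_db_rate_limited() {
    printf '%s\n' "$1" | grep -q 'failed to download vulnerability DB.*TOOMANYREQUESTS'
}

# Extract the registry's retry-after hint (e.g. "1.146525ms") from the log, if any.
retry_after_hint() {
    printf '%s\n' "$1" | sed -n 's/.*retry-after: \([^,]*\),.*/\1/p' | head -n 1
}

# Run Trivy with the given arguments. On a DB rate limit, rerun once with the
# fallback repository list; any other failure is passed through unchanged.
# Prints "primary" or "fallback" on success and returns Trivy's exit code.
run_trivy_with_fallback() {
    if out=$("$TRIVY_BIN" "$@" 2>&1); then
        echo primary; return 0
    else
        rc=$?
    fi
    if ! is_db_rate_limited "$out"; then
        printf '%s\n' "$out" >&2; return "$rc"
    fi
    echo "DB download rate limited (retry-after: $(retry_after_hint "$out")); retrying with mirrors" >&2
    if TRIVY_DB_REPOSITORY="$FALLBACK_DB_REPOS" "$TRIVY_BIN" "$@" >/dev/null 2>&1; then
        echo fallback; return 0
    else
        return $?
    fi
}
```

In a pipeline the wrapper would be called with the same arguments the task passes to Trivy (for example `filesystem --format sarif --scanners vuln .`); a non-rate-limit failure still exits with Trivy's own code so it is not masked.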
Please @chrisnielsen-MS, where can I find this new release, or how can I notice the update? Thanks!
This update has been pushed to production now. The fix was made in the configuration package which gets pulled down at runtime, so it should be automatically applied to your pipelines. Please re-open this issue or create a new one if you continue to experience any issues.
Hello @karpikpl @rlachic , I'm the Product Manager for this GH Action and I'm hoping you can help me gather some feedback on your experience using this action. If you don't mind taking this 3 minute anonymous survey, it would be greatly appreciated!
https://forms.microsoft.com/r/tciV74znSh
James Brotsos - [email protected]