Image on Docker Hub broken? #208

Open
mayrstefan opened this issue May 3, 2022 · 10 comments

@mayrstefan
Contributor

Should https://hub.docker.com/r/aquasec/trivy-db/ not be the same as https://ghcr.io/aquasecurity/trivy-db? The image on Docker Hub is regularly updated but seems to be empty (32 Byte). Or is this on purpose?

@mayrstefan
Contributor Author

Same for https://public.ecr.aws/aquasecurity/trivy-db (781Byte)?

@maltewhiite

I am getting

$ docker pull ghcr.io/aquasecurity/trivy-db:2
2: Pulling from aquasecurity/trivy-db
21f3602e4efe: Pulling fs layer 
unexpected end of JSON input

Also it is 0B.

Isn't this image supposed to contain the Vulnerability DB for Trivy?

So you can use this image in an airgapped environment as the DB via the ENV variable TRIVY_DB_REPOSITORY in your .gitlab-ci.yml like TRIVY_DB_REPOSITORY: "${CI_REGISTRY}/aquasec/trivy-db"

@afdesk
Contributor

afdesk commented May 16, 2022

I'm not sure that it should work.
You can read more about air-gapped mode here: https://aquasecurity.github.io/trivy/latest/docs/advanced/air-gap/

@maltewhiite

@afdesk Is it intentional that the image is 32 byte?

@afdesk
Contributor

afdesk commented Jun 2, 2022

@mayrstefan @maltewhiite So sorry, I missed this issue.

It is an old version of Trivy DB and is deprecated now: aquasecurity/trivy#1653

You need to use oras for downloading the vulnerability database:

$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a

@toddysm

toddysm commented Jun 18, 2022

I am experiencing a similar issue on a Mac (nothing to do with air-gap; fully connected to the Internet). Here are the details:

~  trivy --debug image ubuntu:jammy-20220404 
2022-06-18T11:57:14.769-0700	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-06-18T11:57:14.900-0700	DEBUG	cache dir:  /Users/toddysm/Library/Caches/trivy
2022-06-18T11:57:14.900-0700	DEBUG	There is no valid metadata file: unable to open a file: open /Users/toddysm/Library/Caches/trivy/db/metadata.json: no such file or directory
2022-06-18T11:57:14.900-0700	INFO	Need to update DB
2022-06-18T11:57:14.900-0700	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-06-18T11:57:14.900-0700	INFO	Downloading DB...
2022-06-18T11:57:14.900-0700	DEBUG	no metadata file
2022-06-18T11:57:44.875-0700	FATAL	init error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:347
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:114
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:153
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).populateOCIArtifact
        /home/runner/work/trivy/trivy/pkg/db/db.go:190
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout

ghcr.io is accessible via ping:

~  ping ghcr.io
PING ghcr.io (192.30.255.165): 56 data bytes
64 bytes from 192.30.255.165: icmp_seq=0 ttl=55 time=5.504 ms
64 bytes from 192.30.255.165: icmp_seq=1 ttl=55 time=5.826 ms
64 bytes from 192.30.255.165: icmp_seq=2 ttl=55 time=5.541 ms

Pulling the DB gives the above error:

~  docker pull ghcr.io/aquasecurity/trivy-db  
Using default tag: latest
latest: Pulling from aquasecurity/trivy-db
0560839ebf7d: Pulling fs layer 
unexpected end of JSON input

Here is the Trivy version:

~  trivy --version
Version: 0.29.0

Shouldn't Trivy automatically pull the DB and use it? Why do we need to use ORAS separately to pull the DB?

Interestingly, exactly the same commands are working on Ubuntu 22.04.

The macOS version is 12.4 (Intel-based)

Docker version is 4.9.1

@afdesk
Contributor

afdesk commented Jun 24, 2022

@toddysm Your issue looks temporary.
Could you confirm that it still appears?

Also, trivy-db is an artifact; it's not a Docker image.
Please use oras for downloading:

$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
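
Added example (not part of the original thread, and not Trivy's or ORAS's own code): a Python check that a mirroring job could run on a registry manifest to tell an OCI artifact, such as the DB discussed here, from a container image before choosing `oras pull` or `docker pull`. The sample manifests, their `vnd.example.*` media types and the all-zero digests are constructed for illustration; they are not trivy-db's real values.

```python
import json

# Config media types that identify a runnable container image.
IMAGE_CONFIG_TYPES = {
    "application/vnd.docker.container.image.v1+json",
    "application/vnd.oci.image.config.v1+json",
}

def classify_manifest(manifest_json: str) -> dict:
    """Classify a registry manifest as 'image', 'artifact' or 'index'."""
    m = json.loads(manifest_json)
    if "manifests" in m:  # image index / manifest list: classify a child manifest instead
        return {"kind": "index", "pull_with": None, "layer_types": [], "notes": []}
    config = m.get("config", {})
    cfg_type = config.get("mediaType", "")
    layer_types = sorted({l.get("mediaType", "") for l in m.get("layers", [])})
    notes = []
    if config.get("size", 0) == 0:
        notes.append("config blob is empty")
    if cfg_type in IMAGE_CONFIG_TYPES:
        kind, tool = "image", "docker pull"
    else:
        kind, tool = "artifact", "oras pull"
        notes.append(f"config mediaType {cfg_type!r} is not an image config")
    return {"kind": kind, "pull_with": tool, "layer_types": layer_types, "notes": notes}

def _blob(media_type, size):
    # Constructed descriptor; the all-zero digest is a placeholder.
    return {"mediaType": media_type, "digest": "sha256:" + "0" * 64, "size": size}

# Constructed sample: an artifact manifest with hypothetical vendor media types.
ARTIFACT_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": _blob("application/vnd.example.vulndb.config.v1+json", 0),
    "layers": [_blob("application/vnd.example.vulndb.layer.v1.tar+gzip", 31457280)],
})
# Constructed sample: an ordinary container image manifest.
IMAGE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": _blob("application/vnd.oci.image.config.v1+json", 1469),
    "layers": [_blob("application/vnd.oci.image.layer.v1.tar+gzip", 2811478)],
})

if __name__ == "__main__":
    for name, doc in (("artifact", ARTIFACT_MANIFEST), ("image", IMAGE_MANIFEST)):
        print(name, classify_manifest(doc))
```

The function takes the manifest JSON that a registry returns from its `/v2/<name>/manifests/<tag>` endpoint.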

@afdesk
Contributor

afdesk commented Jun 24, 2022

@toddysm Trivy automatically pulls and updates the DB.

@maltewhiite

maltewhiite commented Jun 24, 2022

We have updated to 0.29.2 now, so this is no longer a problem for me and my team.
We now use Oras to get the vulnerability database.

@toddysm

toddysm commented Jun 27, 2022

I upgraded to 0.29.2 but am still hitting the error. I have the suspicion that this may be a local issue, but it seems pretty hard to troubleshoot.


4 participants