trivy: failed to download vulnerability DB in trivy 0.32.0+

Description

I’ve been having trouble using trivy versions 0.32.0 and higher for several weeks. Trivy CLI 0.32.0 and higher cannot seem to download the vulnerability DB from GitHub. I can use these versions of trivy successfully if I first scan an image with trivy version 0.31.3, which downloads the DB, and then scan the image again with 0.32.0+, which uses the cached DB.

ryandens@Ryans-MacBook-Pro ge % TRIVY_TEMP_DIR=$(mktemp -d)
ryandens@Ryans-MacBook-Pro ge % ~/Downloads/trivy_0.34.0_macOS-ARM64/trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only 
2022-11-07T17:04:36.630-0800	INFO	Need to update DB
2022-11-07T17:04:36.630-0800	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-07T17:04:36.630-0800	INFO	Downloading DB...

2022-11-07T17:05:05.739-0800	FATAL	init error: DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout
ryandens@Ryans-MacBook-Pro ge % 
ryandens@Ryans-MacBook-Pro ge % ~/Downloads/trivy_0.31.3_macOS-ARM64/trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only 
2022-11-07T17:05:23.780-0800	INFO	Need to update DB
2022-11-07T17:05:23.780-0800	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-07T17:05:23.780-0800	INFO	Downloading DB...
34.84 MiB / 34.84 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 7.98 MiB p/s 4.6s
ryandens@Ryans-MacBook-Pro ge % rm -rf $TRIVY_TEMP_DIR

What did you expect to happen?

Any version of trivy should be able to download the trivy db

What happened instead?

An older version of trivy must be used to scan an image first to cache the DB, which is burdensome.

Output of run with -debug:


ryandens@Ryans-MacBook-Pro ge % ~/Downloads/trivy_0.34.0_macOS-ARM64/trivy --debug --cache-dir $TRIVY_TEMP_DIR image --download-db-only
2022-11-07T17:11:22.072-0800	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-07T17:11:22.099-0800	DEBUG	cache dir:  /var/folders/c0/r4nk44951y14twd7j25r6h9h0000gn/T/tmp.i6E0Etc1
2022-11-07T17:11:22.099-0800	DEBUG	There is no valid metadata file: unable to open a file: open /var/folders/c0/r4nk44951y14twd7j25r6h9h0000gn/T/tmp.i6E0Etc1/db/metadata.json: no such file or directory
2022-11-07T17:11:22.099-0800	INFO	Need to update DB
2022-11-07T17:11:22.099-0800	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-07T17:11:22.099-0800	INFO	Downloading DB...
2022-11-07T17:11:22.099-0800	DEBUG	no metadata file
2022-11-07T17:11:51.289-0800	FATAL	init error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:362
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:154
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
        /home/runner/work/trivy/trivy/pkg/db/db.go:194
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout

Output of trivy -v:

ryandens@Ryans-MacBook-Pro ge % ~/Downloads/trivy_0.34.0_macOS-ARM64/trivy -v     
Version: 0.34.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-11-07 18:07:31.473970035 +0000 UTC
  NextUpdate: 2022-11-08 00:07:31.473969535 +0000 UTC
  DownloadedAt: 2022-11-08 00:09:19.37135 +0000 UTC

Additional details (base image name, container registry info…):

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 24 (3 by maintainers)

Most upvoted comments

@afdesk I don’t remember ever setting a token and I don’t usually have it exported as a variable unless I need it. Is it something new?

But even with GITHUB_TOKEN exported it keeps failing… (and it’s not expired)

Trivy uses default Docker permissions to download the database, so if you log in to ghcr.io and your token is expired, the error will appear…
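To check the stored-credential theory from the comment above, the following added example (not part of the thread and not Trivy's own code) reports which credential source a Docker client config would supply for ghcr.io. It assumes "default Docker permissions" means the Docker client config file (normally `~/.docker/config.json`); the function names and the sample config are constructed for illustration.

```python
import base64
import json

# Constructed sample of a Docker client config; every value here is made up.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "ghcr.io": {"auth": base64.b64encode(b"octocat:constructed-token").decode()},
        "https://index.docker.io/v1/": {},
    },
    "credHelpers": {"public.ecr.aws": "ecr-login"},
})


def _host(key):
    """Normalise an auths key such as 'https://ghcr.io/v2/' to 'ghcr.io'."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def credential_source(config_text, registry="ghcr.io"):
    """Return (source, detail) describing where credentials for `registry` come from.

    Order checked: a per-registry credHelpers entry, then the global credsStore
    (treated as in use when an auths entry exists for the registry, which is a
    heuristic because the store's contents are not visible in the file), then an
    inline base64 'auth' value under auths.
    """
    cfg = json.loads(config_text)
    helper = cfg.get("credHelpers", {}).get(registry)
    if helper:
        return ("credHelper", helper)
    entry = next((v for k, v in cfg.get("auths", {}).items() if _host(k) == registry), None)
    if cfg.get("credsStore") and entry is not None:
        return ("credsStore", cfg["credsStore"])
    if entry and entry.get("auth"):
        # Report the username only; the secret half is never returned or printed.
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        return ("inline", user)
    return ("anonymous", None)


if __name__ == "__main__":
    print(credential_source(SAMPLE_CONFIG))
```

Any result other than `anonymous` means a stored credential exists for ghcr.io and could be stale; `docker logout ghcr.io` removes it so the next pull is anonymous.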