trivy: failed to download vulnerability DB using the docker image
Description
From one server, the DB cannot be downloaded using docker:
$ docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock -i aquasec/trivy:latest image --severity "MEDIUM,HIGH,CRITICAL" --no-progress --debug ubuntu:22.10
2022-09-01T13:22:12.806Z DEBUG Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T13:22:12.810Z DEBUG cache dir: /root/.cache/trivy
2022-09-01T13:22:12.810Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-09-01T13:22:12.811Z INFO Need to update DB
2022-09-01T13:22:12.811Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-01T13:22:12.811Z INFO Downloading DB...
2022-09-01T13:22:12.811Z DEBUG no metadata file
2022-09-01T13:22:41.910Z FATAL init error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:362
- DB error:
github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
- failed to download vulnerability DB:
github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
/home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).Download
/home/runner/work/trivy/trivy/pkg/db/db.go:154
- OCI artifact error:
github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
/home/runner/work/trivy/trivy/pkg/db/db.go:194
- OCI repository error:
github.com/aquasecurity/trivy/pkg/oci.NewArtifact
/home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
- Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout
The exact same command works on my personal computer. They both use the same ubuntu and docker versions.
On the server, I can work around it using --insecure:
$ docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock -i aquasec/trivy:latest image --severity "MEDIUM,HIGH,CRITICAL" --no-progress --insecure --debug ubuntu:22.10
2022-09-01T14:03:33.060Z DEBUG Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T14:03:33.063Z DEBUG cache dir: /root/.cache/trivy
2022-09-01T14:03:33.063Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-09-01T14:03:33.063Z INFO Need to update DB
2022-09-01T14:03:33.063Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-01T14:03:33.063Z INFO Downloading DB...
2022-09-01T14:03:33.063Z DEBUG no metadata file
2022-09-01T14:03:49.233Z DEBUG Updating database metadata...
2022-09-01T14:03:49.234Z DEBUG DB Schema: 2, UpdatedAt: 2022-09-01 12:06:40.991108038 +0000 UTC, NextUpdate: 2022-09-01 18:06:40.991107538 +0000 UTC, DownloadedAt: 2022-09-01 14:03:49.23375211 +0000 UTC
2022-09-01T14:03:49.234Z INFO Vulnerability scanning is enabled
2022-09-01T14:03:49.234Z DEBUG Vulnerability type: [os library]
2022-09-01T14:03:49.234Z INFO Secret scanning is enabled
2022-09-01T14:03:49.234Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-01T14:03:49.234Z INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-01T14:03:49.241Z DEBUG No secret config detected: trivy-secret.yaml
2022-09-01T14:03:49.242Z DEBUG Image ID: sha256:15a38249db7a639fe4781bc597b57ec2c936e5b576eb54f2f281658318d62613
2022-09-01T14:03:49.242Z DEBUG Diff IDs: [sha256:6f48304a39b941322886ad7cfddcb7a8689b26c05d13e814332e372fd03c6f1b]
2022-09-01T14:03:49.242Z DEBUG Base Layers: []
2022-09-01T14:03:49.242Z DEBUG Missing image ID in cache: sha256:15a38249db7a639fe4781bc597b57ec2c936e5b576eb54f2f281658318d62613
2022-09-01T14:03:49.242Z DEBUG Missing diff ID in cache: sha256:6f48304a39b941322886ad7cfddcb7a8689b26c05d13e814332e372fd03c6f1b
2022-09-01T14:03:50.940Z DEBUG Loading the the default license classifier...
2022-09-01T14:03:53.098Z INFO Detected OS: ubuntu
2022-09-01T14:03:53.098Z WARN This OS version is not on the EOL list: ubuntu 22.10
2022-09-01T14:03:53.098Z INFO Detecting Ubuntu vulnerabilities...
2022-09-01T14:03:53.098Z DEBUG ubuntu: os version: 22.10
2022-09-01T14:03:53.098Z DEBUG ubuntu: the number of packages: 94
2022-09-01T14:03:53.098Z INFO Number of language-specific files: 0
2022-09-01T14:03:53.098Z WARN This OS version is no longer supported by the distribution: ubuntu 22.10
2022-09-01T14:03:53.098Z WARN The vulnerability detection may be insufficient because security updates are not provided
ubuntu:22.10 (ubuntu 22.10)
===========================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
This is very similar to issue https://github.com/aquasecurity/trivy/discussions/2689#discussioncomment-3407220
I tried docker logout ghcr.io with no success.
I upgraded this server to ubuntu 20.04 and the latest docker version 20.10.17 today, so this is probably related.
About this issue
- State: closed
- Created 2 years ago
- Comments: 17 (5 by maintainers)
@afdesk, I managed to get it working even without having to include the --add-host parameter. It was a proxy problem related to the proxy config, so nothing has to be fixed on trivy side. Thank you for your prompt replies and your awesome work! 🚀
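
The innermost line of the error chain in the first log names the network stage that failed. The following shell script is an added example, not part of the original issue or of trivy: it extracts that line from `--debug` output and classifies it as a DNS, proxy, TCP or TLS failure. The function names `root_cause`, `classify_stage` and `next_check` are hypothetical, and the matched substrings are assumed to be the error texts produced by Go's standard library.

```shell
#!/bin/sh
# Added example: classify a trivy DB-download failure by the network stage
# that failed. Function names are hypothetical; the matched substrings are
# error texts produced by Go's net, net/http and crypto/x509 packages.

# Constructed sample: abridged error chain from the first log on this page.
SAMPLE_LOG='2022-09-01T13:22:41.910Z FATAL init error:
- DB error:
- failed to download vulnerability DB:
- OCI repository error:
- Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout'

# Print the innermost cause: the last "- ..." line of the chain on stdin.
root_cause() {
    grep '^ *- ' | tail -n 1 | sed 's/^ *- //'
}

# Map one error line to the stage that failed. Order matters: a proxy error
# can wrap a DNS or TCP error for the proxy host itself.
classify_stage() {
    case "$1" in
        *"proxyconnect tcp"*)             echo proxy ;;
        *"dial tcp: lookup "*)            echo dns ;;
        *"x509: "*|*"tls: "*)             echo tls ;;
        *"connect: connection refused"*)  echo tcp ;;
        *"connect: no route to host"*)    echo tcp ;;
        *"dial tcp "*": i/o timeout"*)    echo tcp ;;
        *)                                echo unknown ;;
    esac
}

# Suggest where to look next for each stage.
next_check() {
    case "$1" in
        dns)   echo "resolver and proxy settings seen inside the container" ;;
        proxy) echo "proxy address and credentials passed to the container" ;;
        tcp)   echo "egress firewall rules and routing to the registry" ;;
        tls)   echo "CA bundle in the container and any TLS-intercepting proxy" ;;
        *)     echo "full --debug output" ;;
    esac
}

cause=$(printf '%s\n' "$SAMPLE_LOG" | root_cause)
stage=$(classify_stage "$cause")
printf 'cause: %s\nstage: %s\ncheck: %s\n' "$cause" "$stage" "$(next_check "$stage")"
```
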