trivy: failed to download vulnerability DB using the docker image

Description

From one server, the DB cannot be downloaded using docker:

$ docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock  -i aquasec/trivy:latest image  --severity "MEDIUM,HIGH,CRITICAL" --no-progress  --debug ubuntu:22.10
2022-09-01T13:22:12.806Z	DEBUG	Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T13:22:12.810Z	DEBUG	cache dir:  /root/.cache/trivy
2022-09-01T13:22:12.810Z	DEBUG	There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-09-01T13:22:12.811Z	INFO	Need to update DB
2022-09-01T13:22:12.811Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-01T13:22:12.811Z	INFO	Downloading DB...
2022-09-01T13:22:12.811Z	DEBUG	no metadata file
2022-09-01T13:22:41.910Z	FATAL	init error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:362
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:121
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:117
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:154
  - OCI artifact error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).initOCIArtifact
        /home/runner/work/trivy/trivy/pkg/db/db.go:194
  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout

The exact same command works on my personal computer. They both use the same ubuntu and docker versions.

On the server, I can work around it using --insecure:

$ docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock  -i aquasec/trivy:latest image  --severity "MEDIUM,HIGH,CRITICAL" --no-progress --insecure --debug ubuntu:22.10
2022-09-01T14:03:33.060Z	DEBUG	Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T14:03:33.063Z	DEBUG	cache dir:  /root/.cache/trivy
2022-09-01T14:03:33.063Z	DEBUG	There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-09-01T14:03:33.063Z	INFO	Need to update DB
2022-09-01T14:03:33.063Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-01T14:03:33.063Z	INFO	Downloading DB...
2022-09-01T14:03:33.063Z	DEBUG	no metadata file
2022-09-01T14:03:49.233Z	DEBUG	Updating database metadata...
2022-09-01T14:03:49.234Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-09-01 12:06:40.991108038 +0000 UTC, NextUpdate: 2022-09-01 18:06:40.991107538 +0000 UTC, DownloadedAt: 2022-09-01 14:03:49.23375211 +0000 UTC
2022-09-01T14:03:49.234Z	INFO	Vulnerability scanning is enabled
2022-09-01T14:03:49.234Z	DEBUG	Vulnerability type:  [os library]
2022-09-01T14:03:49.234Z	INFO	Secret scanning is enabled
2022-09-01T14:03:49.234Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-01T14:03:49.234Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-01T14:03:49.241Z	DEBUG	No secret config detected: trivy-secret.yaml
2022-09-01T14:03:49.242Z	DEBUG	Image ID: sha256:15a38249db7a639fe4781bc597b57ec2c936e5b576eb54f2f281658318d62613
2022-09-01T14:03:49.242Z	DEBUG	Diff IDs: [sha256:6f48304a39b941322886ad7cfddcb7a8689b26c05d13e814332e372fd03c6f1b]
2022-09-01T14:03:49.242Z	DEBUG	Base Layers: []
2022-09-01T14:03:49.242Z	DEBUG	Missing image ID in cache: sha256:15a38249db7a639fe4781bc597b57ec2c936e5b576eb54f2f281658318d62613
2022-09-01T14:03:49.242Z	DEBUG	Missing diff ID in cache: sha256:6f48304a39b941322886ad7cfddcb7a8689b26c05d13e814332e372fd03c6f1b
2022-09-01T14:03:50.940Z	DEBUG	Loading the the default license classifier...
2022-09-01T14:03:53.098Z	INFO	Detected OS: ubuntu
2022-09-01T14:03:53.098Z	WARN	This OS version is not on the EOL list: ubuntu 22.10
2022-09-01T14:03:53.098Z	INFO	Detecting Ubuntu vulnerabilities...
2022-09-01T14:03:53.098Z	DEBUG	ubuntu: os version: 22.10
2022-09-01T14:03:53.098Z	DEBUG	ubuntu: the number of packages: 94
2022-09-01T14:03:53.098Z	INFO	Number of language-specific files: 0
2022-09-01T14:03:53.098Z	WARN	This OS version is no longer supported by the distribution: ubuntu 22.10
2022-09-01T14:03:53.098Z	WARN	The vulnerability detection may be insufficient because security updates are not provided

ubuntu:22.10 (ubuntu 22.10)
===========================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

This is very similar to issue https://github.com/aquasecurity/trivy/discussions/2689#discussioncomment-3407220. I tried docker logout ghcr.io with no success.

I upgraded this server to ubuntu 20.04 and the latest docker version 20.10.17 today, so this is probably related.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 17 (5 by maintainers)
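
Added example (not part of the original issue and not Trivy code): a small shell triage helper that takes the innermost cause from a FATAL trace like the one in the description and names the network layer that failed, using the error strings Go's net/http client produces. The function names are hypothetical, and the three non-DNS sample lines are constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Added example: triage a Trivy "failed to download vulnerability DB" trace.

# Map one Go net/http error string to the layer that failed.
# Proxy is tested first because a proxy failure also contains "dial tcp".
classify_db_error() {
    case "$1" in
        *"proxyconnect tcp"*)   echo proxy ;;
        *"dial tcp: lookup "*)  echo dns ;;
        *"dial tcp "*)          echo tcp-connect ;;
        *"x509: "*|*"tls: "*)   echo tls ;;
        *)                      echo unknown ;;
    esac
}

# The innermost cause is the last "  - ..." entry of the wrapped error chain.
innermost_cause() {
    sed -n 's/^ *- //p' | tail -n 1
}

# Read a whole trace on stdin and print the failing layer.
diagnose_trace() {
    classify_db_error "$(innermost_cause)"
}

# What to inspect next for each layer (run the checks inside the container).
next_check() {
    case "$1" in
        dns)         echo "resolver config in the container (/etc/resolv.conf, daemon dns settings)" ;;
        proxy)       echo "HTTP_PROXY/HTTPS_PROXY/NO_PROXY values passed to the container" ;;
        tcp-connect) echo "egress firewall or routing to the registry on port 443" ;;
        tls)         echo "CA bundle in the container and any TLS-intercepting proxy" ;;
        *)           echo "full --debug output" ;;
    esac
}

# Tail of the trace from the issue description.
SAMPLE_TRACE='  - OCI repository error:
    github.com/aquasecurity/trivy/pkg/oci.NewArtifact
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:69
  - Get "https://ghcr.io/v2/": dial tcp: lookup ghcr.io: i/o timeout'

# Constructed sample causes for the other layers.
TCP_LINE='Get "https://ghcr.io/v2/": dial tcp 192.0.2.10:443: i/o timeout'
TLS_LINE='Get "https://ghcr.io/v2/": x509: certificate signed by unknown authority'
PROXY_LINE='Get "https://ghcr.io/v2/": proxyconnect tcp: dial tcp 192.0.2.20:3128: connect: connection refused'

layer=$(printf '%s\n' "$SAMPLE_TRACE" | diagnose_trace)
printf 'issue trace: %s -> check %s\n' "$layer" "$(next_check "$layer")"
```
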

Most upvoted comments

@afdesk, I managed to get it working even without having to include the --add-host parameter. It was a proxy problem related to the proxy config, so nothing has to be fixed on the trivy side.

/ # trivy --debug server --listen localhost:8080
2022-11-29T16:49:33.345Z        DEBUG   cache dir:  /root/.cache/trivy
2022-11-29T16:49:33.345Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-11-29T16:49:33.345Z        INFO    Need to update DB
2022-11-29T16:49:33.345Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-29T16:49:33.345Z        INFO    Downloading DB...
2022-11-29T16:49:33.345Z        DEBUG   no metadata file
2022-11-29T16:49:36.180Z        DEBUG   Updating database metadata...
2022-11-29T16:49:36.180Z        DEBUG   DB Schema: 2, UpdatedAt: 2022-11-29 12:08:16.282509734 +0000 UTC, NextUpdate: 2022-11-29 18:08:16.282509334 +0000 UTC, DownloadedAt: 2022-11-29 16:49:36.180694584 +0000 UTC
2022-11-29T16:49:36.181Z        INFO    Listening localhost:8080...

Thank you for your prompt replies and your awesome work! 🚀