trivy: FATAL error in image scan: failed to analyze image: failed to extract files: Could not extract the archive
Description
Attempting to scan a few public packages like openjdk and it fails to extract the archive, but downloading it locally and using the hash works fine. It looks related to the tags because if I don’t specify one it works; even latest causes it to fail with Could not extract archive.
What happened?
OpenJDK
root@docker2:~# trivy --exit-code 0 --clear-cache --auto-refresh openjdk:11.0-jre
2019-08-28T11:40:12.337+0300 INFO Removing image caches...
2019-08-28T11:40:12.344+0300 INFO Updating vulnerability database...
2019-08-28T11:40:20.931+0300 FATAL error in image scan: failed to analyze image: failed to extract files: Could not extract the archive
Docker
root@docker2:~# trivy --clear-cache --auto-refresh docker:stable-dind
2019-08-28T11:44:47.411+0300 INFO Removing image caches...
2019-08-28T11:44:47.474+0300 INFO Updating vulnerability database...
2019-08-28T11:44:58.257+0300 FATAL error in image scan: failed to analyze image: failed to extract files: Could not extract the archive
Golang
root@docker2:~# trivy --clear-cache --auto-refresh golang:1.12-alpine
2019-08-28T11:46:45.829+0300 INFO Removing image caches...
2019-08-28T11:46:45.848+0300 INFO Updating vulnerability database...
2019-08-28T11:47:02.212+0300 FATAL error in image scan: failed to analyze image: failed to extract files: Could not extract the archive
Output of run with -debug:
root@docker2:~# trivy -d --clear-cache --auto-refresh openjdk:11.0-jre
2019-08-28T11:42:45.246+0300 DEBUG cache dir: /root/.cache/trivy
2019-08-28T11:42:45.246+0300 INFO Removing image caches...
2019-08-28T11:42:45.256+0300 DEBUG db path: /root/.cache/trivy/db/trivy.db
2019-08-28T11:42:45.263+0300 INFO Updating vulnerability database...
2019-08-28T11:42:45.263+0300 DEBUG git pull
2019-08-28T11:42:46.437+0300 DEBUG total updated files: 1
2019-08-28T11:42:46.441+0300 DEBUG Vulnerability type: [os library]
2019-08-28T11:42:53.927+0300 FATAL error in image scan:
github.com/aquasecurity/trivy/pkg.Run
/root/project/pkg/run.go:164
- failed to analyze image:
github.com/aquasecurity/trivy/pkg/scanner.ScanImage
/root/project/pkg/scanner/scan.go:34
- failed to extract files:
github.com/aquasecurity/fanal/analyzer.Analyze
/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20190819081512-f04452b627c6/analyzer/analyzer.go:127
- Could not extract the archive
github.com/aquasecurity/fanal/extractor.init.ializers
/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20190819081512-f04452b627c6/extractor/extractor.go:12
runtime.main
/usr/local/go/src/runtime/proc.go:188
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1337
root@docker2:~#
Output of trivy -v:
root@docker2:~# trivy -v
trivy version 0.1.6
root@docker2:~#
Additional details (base image name, container registry info…): openjdk:11.0-jre openjdk:latest docker:stable-dind docker:latest golang:1.12-alpine golang:latest
And more
About this issue
- State: closed
- Created 5 years ago
- Comments: 19 (1 by maintainers)
Commits related to this issue
- Feat: Created analyzer for NuGet lockfiles. (#139) * Created analyzer for NuGet. Signed-off-by: Johannes Tegnér <johannes@jitesoft.com> * refactor(nuget): sort imports Co-authored-by: knqyf2... — committed to aquasecurity/trivy by Johannestegner 4 years ago
- feat: add unit tests for AWS SNS rules (#139) — committed to josedonizetti/trivy by vanesasejdiu 2 years ago
@knqyf263 please add more debug lines here:
A debug line that informs me that “Updating vulnerability database…” has finished would be helpful, to be sure that “read: connection reset by peer” is from the image download and not from the DB download (less guessing, easier to read logs).
Please also add messages that inform me if trivy had successfully connected to the local docker daemon but couldn’t find that image locally. Or if it skips the local daemon (could not find the daemon, etc.) and does a direct fallback to the remote repo, or if it is skipping the local docker daemon because of using the trivy cache - would be helpful for debugging (clearer situation).