trivy: FATAL error in image scan: failed to analyze image: failed to extract files: Could not extract the archive

Description

Attempting to scan a few public packages like openjdk, and it fails to extract the archive, but downloading it locally and using the hash works fine. It looks related to the tags, because if I don’t specify one it works; even latest causes it to fail with Could not extract archive.

What happened?

OpenJDK

root@docker2:~# trivy --exit-code 0 --clear-cache --auto-refresh openjdk:11.0-jre
2019-08-28T11:40:12.337+0300    INFO    Removing image caches...
2019-08-28T11:40:12.344+0300    INFO    Updating vulnerability database...
2019-08-28T11:40:20.931+0300    FATAL   error in image scan: failed to analyze image: failed to extract files: Could not extract the archive

Docker

root@docker2:~# trivy --clear-cache --auto-refresh docker:stable-dind
2019-08-28T11:44:47.411+0300    INFO    Removing image caches...
2019-08-28T11:44:47.474+0300    INFO    Updating vulnerability database...
2019-08-28T11:44:58.257+0300    FATAL   error in image scan: failed to analyze image: failed to extract files: Could not extract the archive

Golang

root@docker2:~# trivy --clear-cache --auto-refresh golang:1.12-alpine
2019-08-28T11:46:45.829+0300    INFO    Removing image caches...
2019-08-28T11:46:45.848+0300    INFO    Updating vulnerability database...
2019-08-28T11:47:02.212+0300    FATAL   error in image scan: failed to analyze image: failed to extract files: Could not extract the archive

Output of run with -debug:

root@docker2:~# trivy -d --clear-cache --auto-refresh openjdk:11.0-jre
2019-08-28T11:42:45.246+0300    DEBUG   cache dir:  /root/.cache/trivy
2019-08-28T11:42:45.246+0300    INFO    Removing image caches...
2019-08-28T11:42:45.256+0300    DEBUG   db path: /root/.cache/trivy/db/trivy.db
2019-08-28T11:42:45.263+0300    INFO    Updating vulnerability database...
2019-08-28T11:42:45.263+0300    DEBUG   git pull
2019-08-28T11:42:46.437+0300    DEBUG   total updated files: 1
2019-08-28T11:42:46.441+0300    DEBUG   Vulnerability type:  [os library]
2019-08-28T11:42:53.927+0300    FATAL   error in image scan:
    github.com/aquasecurity/trivy/pkg.Run
        /root/project/pkg/run.go:164
  - failed to analyze image:
    github.com/aquasecurity/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:34
  - failed to extract files:
    github.com/aquasecurity/fanal/analyzer.Analyze
        /go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20190819081512-f04452b627c6/analyzer/analyzer.go:127
  - Could not extract the archive
    github.com/aquasecurity/fanal/extractor.init.ializers
        /go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20190819081512-f04452b627c6/extractor/extractor.go:12
    runtime.main
        /usr/local/go/src/runtime/proc.go:188
    runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1337
root@docker2:~#

Output of trivy -v:

root@docker2:~# trivy -v
trivy version 0.1.6
root@docker2:~#

Additional details (base image name, container registry info…): openjdk:11.0-jre openjdk:latest docker:stable-dind docker:latest golang:1.12-alpine golang:latest

And more

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 19 (1 by maintainers)

Most upvoted comments

@knqyf263 please add more debug lines here:

  • dump that archive to disk (I guess it sometimes may contain HTML or other responses)
  • print a warning with a file path to that dumped archive

A debug line that informs me that “Updating vulnerability database…” has finished would be helpful, to be sure that “read: connection reset by peer” is from the image download and not from the DB download (less guessing, easier to read logs).

Please also add messages that inform me if trivy had successfully connected to the local docker daemon but couldn’t find that image locally, or if it skips the local daemon (could not find the daemon, etc.) and does a direct fallback to the remote repo, or if it is skipping the local docker daemon because of using the trivy cache. That would be helpful for debugging (a clearer situation).
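
The first request in the comment above (dump the archive that failed to extract and report its path), as an added Go example that is not code from trivy or fanal. The function names `countEntries` and `extractOrDump` are hypothetical, and the HTML payload in `main` is a constructed sample.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"net/http"
	"os"
)

// countEntries walks a tar or gzip-compressed tar payload and counts its entries.
func countEntries(b []byte) (n int, err error) {
	var r io.Reader = bytes.NewReader(b)
	if bytes.HasPrefix(b, []byte{0x1f, 0x8b}) { // gzip magic bytes
		if r, err = gzip.NewReader(r); err != nil {
			return 0, err
		}
	}
	for tr := tar.NewReader(r); ; n++ {
		if _, err = tr.Next(); err == io.EOF {
			return n, nil
		} else if err != nil {
			return n, err
		}
	}
}

// extractOrDump counts entries; on failure it dumps the payload to a temp file (mode 0600) and names it in the error.
func extractOrDump(b []byte) (int, string, error) {
	n, err := countEntries(b)
	if err == nil {
		return n, "", nil
	}
	f, ferr := os.CreateTemp("", "failed-archive-*.bin")
	if ferr == nil {
		_, ferr = f.Write(b)
		f.Close()
	}
	if ferr != nil {
		return 0, "", fmt.Errorf("could not extract the archive: %w (dump failed: %v)", err, ferr)
	}
	return 0, f.Name(), fmt.Errorf("could not extract the archive: got %s, %d bytes, dumped to %s: %w", http.DetectContentType(b), len(b), f.Name(), err)
}

func main() {
	_, path, err := extractOrDump([]byte("<html><body>503 Service Unavailable</body></html>")) // constructed sample
	fmt.Println(path, err)
}
```

The sniffed content type in the error separates an HTML or proxy error body from a truncated gzip stream, which is the distinction the comment asks the logs to make.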