trivy: trivy image scan not detecting jar files

Description

I configured trivy in my pipeline. It was working normally since yesterday. I added the "--debug" option, please check below. Is it related to bugs?

What did you expect to happen?

Normal scan with vulnerability report

What happened instead?

Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/dnsns.jar"} No such POM in the central repositories {"file": "cldrdata.jar"}

and etc

Output of run with -debug:

DEBUG	Parsing Java artifacts...	{"file": "opt/test/presentation-api/lib/presentation-api.jar"}
2022-04-26T13:15:31.828Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:31.903Z	DEBUG	Parsing Java artifacts...	{"file": "opt/psdl/presentation-api/lib/presentation-api.jar"}
2022-04-26T13:15:31.904Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:32.295Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/cldrdata.jar"}
2022-04-26T13:15:32.347Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/charsets.jar"}
2022-04-26T13:15:33.344Z	DEBUG	No such POM in the central repositories	{"file": "charsets.jar"}
2022-04-26T13:15:33.344Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/dnsns.jar"}
2022-04-26T13:15:33.345Z	DEBUG	No such POM in the central repositories	{"file": "cldrdata.jar"}
2022-04-26T13:15:33.347Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/jaccess.jar"}
2022-04-26T13:15:33.573Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/localedata.jar"}
2022-04-26T13:15:33.799Z	DEBUG	Analysis error: unable to decode JSON (opt/test/presentation-api/lib/phoenix-client/com/amazonaws/internal/config/awssdk_config_default.json): invalid character '/' looking for beginning of object key string
2022-04-26T13:15:33.860Z	DEBUG	No such POM in the central repositories	{"file": "jaccess.jar"}
2022-04-26T13:15:33.861Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/nashorn.jar"}
2022-04-26T13:15:33.968Z	DEBUG	No such POM in the central repositories	{"file": "dnsns.jar"}
2022-04-26T13:15:33.969Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunec.jar"}
2022-04-26T13:15:34.071Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunjce_provider.jar"}
2022-04-26T13:15:34.072Z	DEBUG	No such POM in the central repositories	{"file": "localedata.jar"}
2022-04-26T13:15:34.072Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunpkcs11.jar"}
2022-04-26T13:15:34.245Z	DEBUG	No such POM in the central repositories	{"file": "nashorn.jar"}
2022-04-26T13:15:34.246Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/zipfs.jar"}
2022-04-26T13:15:34.386Z	DEBUG	No such POM in the central repositories	{"file": "sunec.jar"}
2022-04-26T13:15:34.386Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jce.jar"}
2022-04-26T13:15:34.477Z	DEBUG	No such POM in the central repositories	{"file": "sunjce_provider.jar"}
2022-04-26T13:15:34.502Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jsse.jar"}
2022-04-26T13:15:34.509Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jfr.jar"}
2022-04-26T13:15:34.512Z	DEBUG	No such POM in the central repositories	{"file": "sunpkcs11.jar"}
2022-04-26T13:15:34.522Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/management-agent.jar"}
2022-04-26T13:15:34.537Z	DEBUG	No such POM in the central repositories	{"file": "zipfs.jar"}
2022-04-26T13:15:34.562Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/resources.jar"}
2022-04-26T13:15:34.726Z	DEBUG	No such POM in the central repositories	{"file": "jce.jar"}
2022-04-26T13:15:34.766Z	DEBUG	No such POM in the central repositories	{"file": "management-agent.jar"}
2022-04-26T13:15:34.807Z	DEBUG	No such POM in the central repositories	{"file": "resources.jar"}
2022-04-26T13:15:34.813Z	DEBUG	No such POM in the central repositories	{"file": "jsse.jar"}
2022-04-26T13:15:34.813Z	DEBUG	No such POM in the central repositories	{"file": "jfr.jar"}
2022-04-26T13:15:35.069Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/unlimited/local_policy.jar"}
2022-04-26T13:15:35.071Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/rt.jar"}
2022-04-26T13:15:35.086Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/limited/US_export_policy.jar"}
2022-04-26T13:15:35.086Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/limited/local_policy.jar"}
2022-04-26T13:15:35.086Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/unlimited/US_export_policy.jar"}
2022-04-26T13:15:35.314Z	DEBUG	No such POM in the central repositories	{"file": "US_export_policy.jar"}
2022-04-26T13:15:35.315Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.315Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.315Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas-1.8.0.jar"}
2022-04-26T13:15:35.316Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.316Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas.jar"}
2022-04-26T13:15:35.316Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.316Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.317Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.317Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce-1.8.0.jar"}
2022-04-26T13:15:35.317Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.317Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce.jar"}
2022-04-26T13:15:35.318Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.318Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.318Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.318Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-1.8.0.jar"}
2022-04-26T13:15:35.319Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.319Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-3.0.jar"}
2022-04-26T13:15:35.319Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext.jar"}
2022-04-26T13:15:35.320Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.320Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-1.8.0.jar"}
2022-04-26T13:15:35.321Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.321Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.321Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.321Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos-1.8.0.jar"}
2022-04-26T13:15:35.321Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos.jar"}
2022-04-26T13:15:35.322Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.322Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap-1.8.0.jar"}
2022-04-26T13:15:35.323Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.323Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap.jar"}
2022-04-26T13:15:35.323Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.323Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.323Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi-1.8.0.jar"}
2022-04-26T13:15:35.324Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi.jar"}
2022-04-26T13:15:35.324Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi.jar"}
2022-04-26T13:15:35.325Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.325Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.325Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.325Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse-1.8.0.jar"}
2022-04-26T13:15:35.326Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.326Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse.jar"}
2022-04-26T13:15:35.326Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.327Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl-1.8.0.jar"}
2022-04-26T13:15:35.327Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z	DEBUG	Parsing Java artifacts...	{"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl.jar"}
2022-04-26T13:15:35.327Z	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.375Z	DEBUG	No such POM in the central repositories	{"file": "local_policy.jar"}
2022-04-26T13:15:35.464Z	DEBUG	No such POM in the central repositories	{"file": "local_policy.jar"}
2022-04-26T13:15:35.465Z	DEBUG	No such POM in the central repositories	{"file": "US_export_policy.jar"}
2022-04-26T13:15:35.815Z	DEBUG	No such POM in the central repositories	{"file": "rt.jar"}
2022-04-26T13:24:53.978Z	WARN	Increase --timeout value
2022-04-26T13:24:54.068Z	FATAL	scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:92
  - image scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:112
  - analyze error:
    github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:116
  - timeout:
    github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:196

Output of trivy -v:

Version: 0.27.0

Additional details (base image name, container registry info…):

base image: centos:7 container reg: Custom image for java app artifacts: Jar files installed via rpm

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16

Most upvoted comments

Yes @DmitriyLewen, same issue. Can you please help with this?

Hm… it is strange… Looks like a problem with one jar file (not a valid zip file). But we have not changed the logic of opening jars.

Can you scan your image again with the slow flag, please? Then we can find the wrong file.
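
A complementary way to locate the files behind the "not a valid zip file" lines, as an added example that is not part of the original thread and not Trivy's own code: walk a locally unpacked copy of the image filesystem and try each Java archive with Go's `archive/zip`, whose format error carries the same text as the debug log. The names `FindBadArchives` and `javaExts`, and the idea of pointing the tool at an unpacked root directory, are assumptions of this example.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Extensions follow the "jar/war/ear/par parse error" wording in the debug log.
var javaExts = map[string]bool{".jar": true, ".war": true, ".ear": true, ".par": true}

// FindBadArchives walks root, an unpacked image filesystem (hypothetical path),
// and maps each archive a zip reader rejects to the reason.
func FindBadArchives(root string) (map[string]string, error) {
	bad := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !javaExts[strings.ToLower(filepath.Ext(p))] {
			return err
		}
		if d.Type()&fs.ModeSymlink != 0 {
			bad[p] = "symlink" // no archive bytes of its own; reported, not followed
		} else if r, err := zip.OpenReader(p); err != nil {
			bad[p] = err.Error() // zip.ErrFormat reads "zip: not a valid zip file"
		} else {
			r.Close()
		}
		return nil
	})
	return bad, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: jarcheck <unpacked-rootfs>")
		os.Exit(2)
	}
	bad, err := FindBadArchives(os.Args[1])
	for p, why := range bad {
		fmt.Printf("%s\t%s\n", p, why)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Files reported here are candidates for exclusion from the scan or for repair in the image build; the list says nothing about why the scan itself timed out.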