trivy: trivy image scan not detecting jar files
Description
I configured trivy in my pipeline. It was working normally since yesterday. I put the "--debug" option, please check below. Is it related to bugs?
What did you expect to happen?
Normal scan with vulnerability report
What happened instead?
Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/dnsns.jar"} No such POM in the central repositories {"file": "cldrdata.jar"}
and etc
Output of run with -debug:
DEBUG Parsing Java artifacts... {"file": "opt/test/presentation-api/lib/presentation-api.jar"}
2022-04-26T13:15:31.828Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:31.903Z DEBUG Parsing Java artifacts... {"file": "opt/psdl/presentation-api/lib/presentation-api.jar"}
2022-04-26T13:15:31.904Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:32.295Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/cldrdata.jar"}
2022-04-26T13:15:32.347Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/charsets.jar"}
2022-04-26T13:15:33.344Z DEBUG No such POM in the central repositories {"file": "charsets.jar"}
2022-04-26T13:15:33.344Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/dnsns.jar"}
2022-04-26T13:15:33.345Z DEBUG No such POM in the central repositories {"file": "cldrdata.jar"}
2022-04-26T13:15:33.347Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/jaccess.jar"}
2022-04-26T13:15:33.573Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/localedata.jar"}
2022-04-26T13:15:33.799Z DEBUG Analysis error: unable to decode JSON (opt/test/presentation-api/lib/phoenix-client/com/amazonaws/internal/config/awssdk_config_default.json): invalid character '/' looking for beginning of object key string
2022-04-26T13:15:33.860Z DEBUG No such POM in the central repositories {"file": "jaccess.jar"}
2022-04-26T13:15:33.861Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/nashorn.jar"}
2022-04-26T13:15:33.968Z DEBUG No such POM in the central repositories {"file": "dnsns.jar"}
2022-04-26T13:15:33.969Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunec.jar"}
2022-04-26T13:15:34.071Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunjce_provider.jar"}
2022-04-26T13:15:34.072Z DEBUG No such POM in the central repositories {"file": "localedata.jar"}
2022-04-26T13:15:34.072Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/sunpkcs11.jar"}
2022-04-26T13:15:34.245Z DEBUG No such POM in the central repositories {"file": "nashorn.jar"}
2022-04-26T13:15:34.246Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/ext/zipfs.jar"}
2022-04-26T13:15:34.386Z DEBUG No such POM in the central repositories {"file": "sunec.jar"}
2022-04-26T13:15:34.386Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jce.jar"}
2022-04-26T13:15:34.477Z DEBUG No such POM in the central repositories {"file": "sunjce_provider.jar"}
2022-04-26T13:15:34.502Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jsse.jar"}
2022-04-26T13:15:34.509Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/jfr.jar"}
2022-04-26T13:15:34.512Z DEBUG No such POM in the central repositories {"file": "sunpkcs11.jar"}
2022-04-26T13:15:34.522Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/management-agent.jar"}
2022-04-26T13:15:34.537Z DEBUG No such POM in the central repositories {"file": "zipfs.jar"}
2022-04-26T13:15:34.562Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/resources.jar"}
2022-04-26T13:15:34.726Z DEBUG No such POM in the central repositories {"file": "jce.jar"}
2022-04-26T13:15:34.766Z DEBUG No such POM in the central repositories {"file": "management-agent.jar"}
2022-04-26T13:15:34.807Z DEBUG No such POM in the central repositories {"file": "resources.jar"}
2022-04-26T13:15:34.813Z DEBUG No such POM in the central repositories {"file": "jsse.jar"}
2022-04-26T13:15:34.813Z DEBUG No such POM in the central repositories {"file": "jfr.jar"}
2022-04-26T13:15:35.069Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/unlimited/local_policy.jar"}
2022-04-26T13:15:35.071Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/rt.jar"}
2022-04-26T13:15:35.086Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/limited/US_export_policy.jar"}
2022-04-26T13:15:35.086Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/limited/local_policy.jar"}
2022-04-26T13:15:35.086Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/policy/unlimited/US_export_policy.jar"}
2022-04-26T13:15:35.314Z DEBUG No such POM in the central repositories {"file": "US_export_policy.jar"}
2022-04-26T13:15:35.315Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.315Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.315Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas-1.8.0.jar"}
2022-04-26T13:15:35.316Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.316Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jaas.jar"}
2022-04-26T13:15:35.316Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.316Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.317Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.317Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce-1.8.0.jar"}
2022-04-26T13:15:35.317Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.317Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jce.jar"}
2022-04-26T13:15:35.318Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.318Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.318Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.318Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-1.8.0.jar"}
2022-04-26T13:15:35.319Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.319Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext-3.0.jar"}
2022-04-26T13:15:35.319Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jdbc-stdext.jar"}
2022-04-26T13:15:35.320Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.320Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.320Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-1.8.0.jar"}
2022-04-26T13:15:35.321Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.321Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.321Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.321Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos-1.8.0.jar"}
2022-04-26T13:15:35.321Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-cos.jar"}
2022-04-26T13:15:35.322Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.322Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.322Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap-1.8.0.jar"}
2022-04-26T13:15:35.323Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.323Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-ldap.jar"}
2022-04-26T13:15:35.323Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.323Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.323Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi-1.8.0.jar"}
2022-04-26T13:15:35.324Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi-rmi.jar"}
2022-04-26T13:15:35.324Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.324Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jndi.jar"}
2022-04-26T13:15:35.325Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.325Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.325Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.325Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse-1.8.0.jar"}
2022-04-26T13:15:35.326Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.326Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jsse.jar"}
2022-04-26T13:15:35.326Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl-1.8.0.322.b06.jar"}
2022-04-26T13:15:35.327Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl-1.8.0.jar"}
2022-04-26T13:15:35.327Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.327Z DEBUG Parsing Java artifacts... {"file": "usr/lib/jvm-exports/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/sasl.jar"}
2022-04-26T13:15:35.327Z DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-04-26T13:15:35.375Z DEBUG No such POM in the central repositories {"file": "local_policy.jar"}
2022-04-26T13:15:35.464Z DEBUG No such POM in the central repositories {"file": "local_policy.jar"}
2022-04-26T13:15:35.465Z DEBUG No such POM in the central repositories {"file": "US_export_policy.jar"}
2022-04-26T13:15:35.815Z DEBUG No such POM in the central repositories {"file": "rt.jar"}
2022-04-26T13:24:53.978Z WARN Increase --timeout value
2022-04-26T13:24:54.068Z FATAL scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:92
- image scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:112
- analyze error:
github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
/home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:116
- timeout:
github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
/home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20220425071928-af75d05f1e6e/artifact/image/image.go:196
Output of trivy -v:
Version: 0.27.0
Additional details (base image name, container registry info…):
base image: centos:7 container reg: Custom image for java app artifacts: Jar files installed via rpm
About this issue
- State: closed
- Created 2 years ago
- Comments: 16
Yes @DmitriyLewen, same issue. Can you please help in this?
hm… it is strange… Looks like problem with one jar file (not a valid zip file). But we have not changed the logic of opening jars. Can you scan your image again with slow flag, please? Then we can find wrong file.
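
One way to look for the file behind the "not a valid zip file" errors discussed above, as an added example that is not code from this thread or from Trivy. It assumes the image filesystem has already been unpacked to a local directory; the names `FindBadArchives`, `BadArchive` and `javaExts` are hypothetical.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Extensions named in Trivy's "jar/war/ear/par parse error" message.
var javaExts = map[string]bool{".jar": true, ".war": true, ".ear": true, ".par": true}
type BadArchive struct{ Path, Reason string } // one unreadable Java archive

// FindBadArchives walks root (assumed: an unpacked image filesystem) and returns archives Go's archive/zip cannot open.
func FindBadArchives(root string) ([]BadArchive, error) {
	var bad []BadArchive
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !javaExts[strings.ToLower(filepath.Ext(p))] {
			return nil
		}
		if !d.Type().IsRegular() { // symlink, device, ...: no zip bytes of its own
			bad = append(bad, BadArchive{p, "not a regular file"})
			return nil
		}
		r, zerr := zip.OpenReader(p)
		if zerr != nil { // e.g. "zip: not a valid zip file"
			bad = append(bad, BadArchive{p, zerr.Error()})
			return nil
		}
		return r.Close()
	})
	return bad, err
}

func main() {
	for _, root := range os.Args[1:] { // each argument: an unpacked rootfs directory
		bad, err := FindBadArchives(root)
		for _, b := range bad {
			fmt.Printf("%s\t%s\n", b.Path, b.Reason)
		}
		if err != nil {
			fmt.Fprintln(os.Stderr, "walk error:", err)
		}
	}
}
```

Entries that are not regular files are reported separately instead of being opened, so a symlink with an absolute target is never followed out of the unpacked directory.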