
aquasecurity / trivy


Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Home Page: https://aquasecurity.github.io/trivy

License: Apache License 2.0

Dockerfile 0.01% Shell 0.24% Go 98.26% Smarty 0.37% Open Policy Agent 0.08% Mustache 1.02% Yacc 0.02%
security security-tools docker containers vulnerability-scanners vulnerability-detection vulnerability golang go kubernetes

trivy's Introduction

Trivy (pronunciation) is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)
  • Known vulnerabilities (CVEs)
  • IaC issues and misconfigurations
  • Sensitive information and secrets
  • Software licenses

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the Scanning Coverage page.

To learn more, go to the Trivy homepage for feature highlights, or to the Documentation site for detailed information.

Quick Start

Get Trivy

Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page. Here are a few popular examples:

Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:

Canary builds

Canary builds (Docker Hub, GitHub and ECR images, and binaries) are generated on every push to the main branch.

Please be aware that canary builds might have critical bugs; they are not recommended for production use.

General usage

trivy <target> [--scanners <scanner1,scanner2>] <subject>

Examples:

trivy image python:3.4-alpine
trivy fs --scanners vuln,secret,misconfig myproject/
trivy k8s --report summary cluster

FAQ

How to pronounce the name "Trivy"?

tri is pronounced like trigger, vy is pronounced like envy.

Want more? Check out Aqua

If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users here.
In addition, check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo

Community

Trivy is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here.
Join our Slack community to stay up to date with community efforts.

Please ensure to abide by our Code of Conduct during all interactions.

trivy's People

Contributors

afdesk, anaisurlichs, andreylevchenko, ankk13, chen-keinan, codefromthecrypt, czunker, dependabot[bot], dirkmueller, dmitriylewen, itaysk, josedonizetti, knqyf263, krol3, liamg, lizrice, mainek00n, masahiro331, mozillazg, mrueg, nikpivkin, ninjacoderdev, oranmoshai, otms61, rahul2393, simar7, testwill, tomoyamachi, tonaim, vaismanlior


trivy's Issues

Trivy behind corporate proxy?

We are behind a corporate proxy; we currently set the proxy via the http_proxy & https_proxy environment variables. It seems Trivy is not picking this up. When trying to run trivy against an image we are getting back:

2019-06-03T17:49:49.296Z FATAL error in vulnerability DB update: error in vulnsrc clone or pull: failed to clone repository: error in git clone: failed to exec: exit status 128

Json output change array name

Hi

Having the image as the array name in the json output makes it difficult for me to automate html from the json output using something like mustache

Can we have the image key (and maybe some more kewl infos) separate from the vulnerabilities array?

Gopkg.lock support

Description

Found your tool very useful, but really curious: why does a golang-written tool not support Gopkg.lock files for scanning?

scan local image fail on CircleCI

Scan local docker image fails on CircleCI if I set setup_remote_docker.

      - setup_remote_docker:
          version: 18.06.0-ce
          docker_layer_caching: true
trivy --exit-code 0 --quiet trivy-ci-test:${CIRCLE_SHA1}

2019-05-18T14:21:52.190Z	INFO	Updating vulnerability database...
2019-05-18T14:22:48.492Z	INFO	Updating NVD data...
2019-05-18T14:23:16.349Z	INFO	Updating Alpine data...
2019-05-18T14:23:17.585Z	INFO	Updating RedHat data...
2019-05-18T14:23:20.231Z	INFO	Updating Debian data...
2019-05-18T14:23:22.894Z	INFO	Updating Debian OVAL data...
2019-05-18T14:23:27.307Z	INFO	Updating Ubuntu data...
2019-05-18T14:23:31.515Z	FATAL	error in image scan: failed to analyze image: failed to extract files: Get https://registry-1.docker.io/v2/library/trivy-ci-test/manifests/2c4caa69fdfd1ddc1427aef9fb3f7a99497a6121: http: non-successful response (status=401 body="{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":[{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"library/trivy-ci-test\",\"Action\":\"pull\"}]}]}\n")

Please avoid using the setup_remote_docker.version option on CircleCI.

False positive on CentOS up-to-date

Hi, I obtain a false positive result … packages are up-to-date and are fixed versions


Command used to launch trivy on my image:

trivy --ignore-unfixed colundrum/centos-builder-custom_nginx_rpms:latest

Output of trivy -v:

trivy version 0.1.3

Additional details (base image name, container registry info...):

Regards

cvss-vector


FEATURE REQUEST

Description

add cvss vector status

Getting sqlite & jdk vulnerability issues as part of alpine 3.9

Getting vulnerability issues with sqlite, using alpine OS 3.9.0 version. I tried apk update, apk upgrade but still the version shows 3.26.0-r03 instead of showing the latest version 3.28.0-r0.
Can anybody help?

bash-4.4# apk info sqlite
WARNING: Ignoring APKINDEX.4e9201c8.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.4c67d94b.tar.gz: No such file or directory
sqlite-3.26.0-r3 description:
C library that implements an SQL database engine

sqlite-3.26.0-r3 webpage:
http://www.sqlite.org

sqlite-3.26.0-r3 installed size:

Add option just to refresh database

Hello,

The command should also allow the refresh without an image being passed to be scanned.
To work around this I just pass the scratch image, but it fails with an error:

# /trivy -q --refresh scratch
....
2019-05-16T17:56:46.360Z	FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key

Is there a way just to refresh the database without passing an image? When I try to pass just the --refresh I get:

# /trivy -q --refresh
2019-05-16T19:03:13.273+0100    INFO    trivy" requires at least 1 argument or --input option.
NAME:
  trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
  trivy [options] image_name
...

Unknown os error

Description

Trying to run this tool against jaegertracing/all-in-one

What did you expect to happen?
Should run just fine

What happened instead?
got error

Output of run with -debug:

$ trivy jaegertracing/all-in-one:1.12
2019-05-25T21:59:43.389-0400	INFO	Updating vulnerability database...
2019-05-25T21:59:43.887-0400	FATAL	error in image scan: failed to scan image: failed to analyze OS: Unknown OS

Output of trivy -v:

trivy version 0.1.1

Additional details (base image name, container registry info...):
I'm not sure why the error is thrown. The docker file is here: https://github.com/jaegertracing/jaeger/blob/master/cmd/all-in-one/Dockerfile, doesn't seem to specify os?

docker image and binary semver mismatch


BUG REPORT INFORMATION

Description

Running trivy in a container (0.1.2 and 0.1.3) does not produce the semver that it does locally.

» docker run -it knqyf263/trivy:0.1.2 "--version"
trivy version dev

What did you expect to happen?

I expected it to output "trivy version 0.1.2"

Amazon Linux support

When trying to scan an amazon linux image I got the following

FATAL	error in image scan: failed to scan image: failed to analyze OS: Unknown OS

Is there a way to force detection to pin against redhat because it's a derivative? Any plans to support amazon linux?

Question about Debian analysis

I've tried trivy with different containers that are based on different distributions.
It seems trivy finds lots of vulnerable packages even in updated Debian / Ubuntu images.
In the case of Debian it seems trivy is checking the container's vulnerabilities based on the version of the package or library, but as per the official website https://www.debian.org/security/faq#version , it seems Debian keeps the original version and only adds "+debXuY" at the end of the version of the package.
Even when we've tried to update the packages of a Debian 9.9 container to their latest version, then created a new image and analyzed it with trivy, we still found the same vulnerabilities that we found before the update. Supposedly, if we updated the packages, then fewer vulnerabilities should be found.

How does trivy check the package versions?
Does it check for the Debian-specific package versions?
How can we know if the packages are not affected by a vulnerability?

Thank you in advance.

Add option to ignore Unknown OS

Some images have just a binary (for example a go program) and trivy fails with the error:

2019-05-16T18:53:09.787+0100    FATAL   error in image scan: failed to scan image: failed to analyze OS: Unknown OS

It also returns error code=1

We should have an option in the command line to return 0 as the error code when the image OS isn't found, as I want all my images to be scanned in the pipeline but the pipeline shouldn't fail because the scanner can't find the OS. I could wrap trivy with a shell script, but I find that pointless as it would be better to have it included in the trivy command.

Thanks,

Fanal caches accumulate endlessly

We embedded trivy into several of our CI pipelines. Each time we build a new version of our product image, we run a security scan against it. 99% of the time, the scanned image has a new unique tag.

Just after a few weeks of usage, our build agents accumulated 10-20 Gb of cached images.

We're going to run a daily clean-up job to just purge the content of the fanal folder. Is that the only option? Maybe you can suggest a better way to not blow up our build agents' disks?

And thank you for your work ;)

FEAT: Compress the final binary using UPX

I'm proposing to make the final docker image smaller by using UPX in the Dockerfile.
I will also add several best practices to the Dockerfile.

This is how it looks:

+ upx /usr/local/bin/trivy
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
  26868298 ->  12844512   47.81%   linux/amd64   trivy

Packed 1 file.
+ upx -t /usr/local/bin/trivy
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

testing /usr/local/bin/trivy [OK]

Please just confirm that you have time to review before I submit a PR.

Cheers!

policy support

It would be useful to have a mechanism to specify criteria for what should be considered a successful scan, including the ability to list results that should be ignored whether because there is no fix available or they are false positives.

One potential use-case would be for debian or ubuntu-based images where there are known vulnerabilities which are either not going to be fixed or are marked as non-dsa, so we want to acknowledge that those vulnerabilities are expected and should not fail the build, but that any new vulnerabilities should result in a failure until they are either remediated or also added to the exception list. The --ignore-unfixed option provides similar functionality, but is also risky since it won't alert you to any new unfixed vulnerabilities where an explicit exception list would flag them until they can be investigated.

The policy could also specify what level(s) of vulnerabilities should warrant a non-zero exit code, to provide the ability to report on all found vulnerabilities in a single report and with a single run, but only fail the build if high or critical vulnerabilities are found.

Cannot scan distroless images

Description

Trivy cannot scan distroless docker images.

What did you expect to happen?

Trivy would be able to scan the distroless image for vulnerabilities

What happened instead?

Trivy failed with an unexpected error

Output of run with -debug:

trivy --debug gcr.io/distroless/java:11
2019-07-24T13:30:13.936+0200	DEBUG	cache dir:  /Users/andrew/Library/Caches/trivy
2019-07-24T13:30:13.936+0200	DEBUG	db path: /Users/andrew/Library/Caches/trivy/db/trivy.db
2019-07-24T13:30:13.939+0200	INFO	Updating vulnerability database...
2019-07-24T13:30:13.939+0200	DEBUG	git pull
2019-07-24T13:30:15.077+0200	DEBUG	total updated files: 1
2019-07-24T13:30:15.107+0200	DEBUG	Vulnerability type:  [os library]
2019-07-24T13:30:15.196+0200	DEBUG	OS family: debian, OS version: 9.9
2019-07-24T13:30:15.196+0200	FATAL	error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:166
  - failed to scan image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:54
  - failed to analyze OS packages:
    github.com/knqyf263/trivy/pkg/scanner/ospkg.Scan
        /root/project/pkg/scanner/ospkg/scan.go:51
  - Failed to analyze packages:
    github.com/knqyf263/fanal/analyzer.init.ializers
        /go/pkg/mod/github.com/knqyf263/[email protected]/analyzer/analyzer.go:27

Output of trivy -v:

trivy version 0.1.4

Additional details (base image name, container registry info...):

Google publishes "distroless" docker images that are very slim and only contain packages critical to your runtime. See https://github.com/GoogleContainerTools/distroless

These images don't contain much, but they do still contain glibc, openssl, libssl, etc.

I briefly tried the nodejs image and the java11 image, both failed for the same reason

Authorization for Private Docker Registry does not take effect

Description
I used trivy in drone CI and added TRIVY_AUTH_URL, TRIVY_PASSWORD and TRIVY_USERNAME, but it still reports that authentication is required.

What did you expect to happen?
I hope it can pull the image and scan it.

What happened instead?

Output of run with -debug:

trivy --exit-code 1 --quiet --severity MEDIUM,HIGH -d registry-vpc.cn-shanghai.aliyuncs.com/keking/kk-devops:prod-25
2019-05-27T03:44:27.336Z	DEBUG	cache dir: /root/.cache/trivy
2019-05-27T03:44:27.336Z	DEBUG	db path: /root/.cache/trivy/db/trivy.db
2019-05-27T03:44:27.339Z	INFO	Updating vulnerability database...
2019-05-27T03:44:27.339Z	DEBUG	git pull
2019-05-27T03:44:27.339Z	DEBUG	Retrieve the branch being pointed by HEAD
2019-05-27T03:44:27.339Z	DEBUG	Get the working directory for the repository
2019-05-27T03:44:27.339Z	DEBUG	Pull the latest changes from the origin remote and merge into the current branch
2019-05-27T03:44:28.442Z	DEBUG	total updated files: 0
2019-05-27T03:44:28.592Z	FATAL	error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:150
  - failed to analyze image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:29
  - failed to extract files:
    github.com/knqyf263/fanal/analyzer.Analyze
        /go/pkg/mod/github.com/knqyf263/[email protected]/analyzer/analyzer.go:123
  - Get https://registry-vpc.cn-shanghai.aliyuncs.com/v2/keking/kk-devops/manifests/prod-25: http: non-successful response (status=401 body="{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":[{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"keking/kk-devops\",\"Action\":\"pull\"}]}]}\n")

Output of trivy -v:

trivy version 0.1.1

Additional details (base image name, container registry info...):

Mess output

During the very first run in putty I've got broken output


The second run seems OK.

trivy v0.0.13
CentOS Linux release 7.4.1708 (Core)
PuTTY Release 0.71

feature request: junit output

As I'm looking into integrating this into my CI pipelines, I'm looking for a way to present the findings to the user without having to trawl through the build logs. One mechanism I was thinking about was to present this to a job as tests. Since most ecosystems support JUnit, that seems like it would make sense.

Add option to specify the cache directory

By default the db cache is set to either the user's .cache directory or the temp directory. This is a problem when we attempt to use GitLab CI/CD caching to cache this directory to S3, as GitLab will not let you cache directories outside of the working directory. So I am unable to cache the db and am forced to redownload it for every CI/CD run.

I'm working on a pull request to add a flag to set the cache directory.

Can't build with go get

Description

Can't build with go get

What did you expect to happen?

A successful build of trivy.

What happened instead?

$ go get -u github.com/knqyf263/trivy
package github.com/knqyf263/trivy: no Go files in /Users/f/go/src/github.com/knqyf263/trivy
$ go get github.com/knqyf263/trivy/cmd/trivy
# github.com/knqyf263/fanal/extractor/docker
go/src/github.com/knqyf263/fanal/extractor/docker/docker.go:125:21: cannot use auth (type "github.com/docker/docker/api/types".AuthConfig) as type "github.com/genuinetools/reg/vendor/github.com/docker/docker/api/types".AuthConfig in argument to "github.com/genuinetools/reg/registry".New
go/src/github.com/knqyf263/fanal/extractor/docker/docker.go:184:19: impossible type assertion:
	*"github.com/docker/distribution/manifest/schema2".DeserializedManifest does not implement "github.com/genuinetools/reg/vendor/github.com/docker/distribution".Manifest (wrong type for References method)
		have References() []"github.com/docker/distribution".Descriptor
		want References() []"github.com/genuinetools/reg/vendor/github.com/docker/distribution".Descriptor
go/src/github.com/knqyf263/fanal/extractor/docker/docker.go:199:41: cannot use d (type "github.com/opencontainers/go-digest".Digest) as type "github.com/genuinetools/reg/vendor/github.com/opencontainers/go-digest".Digest in argument to r.DownloadLayer
go/src/github.com/knqyf263/fanal/extractor/docker/token.go:43:2: cannot use "github.com/genuinetools/reg/vendor/github.com/docker/docker/api/types".AuthConfig as type "github.com/docker/docker/api/types".AuthConfig in return argument

Output of run with -debug:

N/A

Output of trivy -v:

N/A

Additional details (base image name, container registry info...):

N/A

Unknown OS when scanning knqyf263/cve-2018-11235

Description
Trivy 0.1.3 fails with "Unknown OS" when trying to scan the knqyf263/cve-2018-11235 image (possibly some others as well). The image runs on CentOS 7.5 as far as I can tell, so it should be supported.

I have fetched the latest trivy release by getting a binary like this:
export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz

What did you expect to happen?
Successful scan

What happened instead?
'Unknown OS' error message

Output of run with -debug:

osboxes@osboxes:~/docker_tools$ ./trivy -debug --cache-dir ./.trivy_cache/ knqyf263/cve-2018-11235
2019-06-30T14:34:51.229Z        DEBUG   cache dir:  .trivy_cache/trivy
2019-06-30T14:34:51.231Z        DEBUG   db path: .trivy_cache/trivy/db/trivy.db
2019-06-30T14:34:51.242Z        INFO    Updating vulnerability database...
2019-06-30T14:34:51.243Z        DEBUG   git pull
2019-06-30T14:34:52.070Z        DEBUG   total updated files: 1
2019-06-30T14:34:52.131Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-06-30T14:34:52.132Z        DEBUG   Vulnerability type:  [os library]
2019-06-30T14:35:02.332Z        DEBUG   OS family: centos, OS version: 7.5.1804
2019-06-30T14:35:02.349Z        FATAL   error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:166
  - failed to scan image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:54
  - failed to analyze OS packages:
    github.com/knqyf263/trivy/pkg/scanner/ospkg.Scan
        /root/project/pkg/scanner/ospkg/scan.go:51
  - Unknown OS:
    github.com/knqyf263/fanal/analyzer.init.ializers
        /go/pkg/mod/github.com/knqyf263/[email protected]/analyzer/analyzer.go:24

Output of trivy -v:

osboxes@osboxes:~/docker_tools$ ./trivy -v
trivy version 0.1.3

Additional details (base image name, container registry info...):
Was using your CVE image knqyf263/cve-2018-11235 on two separate environments

  1. Local fresh ubuntu VM
  2. GitLab Docker Executor (docker:dind image) that runs trivy in CI/CD job.

Both fail with cve-2018-11235 image but work with some other images like cloudinsky/cve-2017-5638

For some reason the scan went well on another instance of trivy, which I have installed (from .deb package) like couple weeks ago on a separate host:

$ trivy -d  --cache-dir /home/docker_swd/.cache/ knqyf263/cve-2018-11235
2019-06-30T15:09:47.223Z        DEBUG   cache dir:  /home/docker_swd/.cache/trivy
2019-06-30T15:09:47.224Z        DEBUG   db path: /home/docker_swd/.cache/trivy/db/trivy.db
2019-06-30T15:09:47.228Z        INFO    Updating vulnerability database...
2019-06-30T15:09:47.228Z        DEBUG   git pull
2019-06-30T15:09:47.575Z        DEBUG   total updated files: 1
2019-06-30T15:09:47.581Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-06-30T15:09:53.916Z        DEBUG   OS family: centos, OS version: 7.5.1804
2019-06-30T15:09:54.420Z        DEBUG   the number of packages: 191
2019-06-30T15:09:54.421Z        DEBUG   the number of packages from commands: 0
2019-06-30T15:09:54.421Z        DEBUG   the number of packages: 191
2019-06-30T15:09:54.421Z        INFO    Detecting RHEL/CentOS vulnerabilities...
2019-06-30T15:09:54.422Z        DEBUG   redhat: os version: 7
2019-06-30T15:09:54.422Z        DEBUG   redhat: the number of packages: %!s(int=191)

Downloading the 0.1.2 release hasn't fixed the issue.

UPD: I have installed Trivy 0.1.3 from the .deb package and it worked fine. Are there any differences between the binary and packaged releases?

Oracle Linux support

Hi knqyf263,

Are there any plans to support Oracle Linux?
Oracle Linux is, like Amazon Linux (#44), a Red Hat derivative.

Currently I get the following issue: FATAL error in image scan: failed to scan image: unsupported os : oracle

Thank you for this awesome tool 🥇

Best regards,
Ruba

Docker image

Hey there, great project!

Maybe I've overlooked it, but do you think it would be possible to provide trivy in a docker image to be able to run it in e.g. Drone (https://drone.io/)? Or is that difficult because of the way trivy analyzes docker images?

Consider different storage options

From bolt docs:

Please note that Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time.

Let's say you have a CI which would do something like docker run -v /tmp/cache:.cache/trivy mydockerimage trivy ... This would imply that two scans would try to access the same cache file and likely bail.

For this reason, exploring other storage options that would allow concurrent access could make sense. Perhaps another pattern would be copying the cache for each run and separate updates to the cache?

Ubuntu Cosmic package

Hi

Maybe you're focusing on the LTS release, but since it's a single binary, having an Ubuntu Cosmic release shouldn't be a problem?

Best regards,

Cannot connect to Azure Container Registry

It appears that Trivy cannot connect to a Container Registry hosted in Azure.

C:\Users\SMcEnery>trivy --debug https://agrdev.azurecr.io/accumulo-1.9.2:12
2019-06-29T09:38:16.506-0400    DEBUG   cache dir:  C:\Users\SMcEnery\AppData\Local\trivy
2019-06-29T09:38:16.507-0400    DEBUG   db path: C:\Users\SMcEnery\AppData\Local\trivy\db\trivy.db
2019-06-29T09:38:16.513-0400    INFO    Updating vulnerability database...
2019-06-29T09:38:16.514-0400    DEBUG   git pull
2019-06-29T09:38:18.295-0400    DEBUG   total updated files: 1
2019-06-29T09:38:18.305-0400    FATAL   invalid image:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:153
  - parsing image "https://agrdev.azurecr.io/accumulo-1.9.2:12" failed: invalid reference format

I have the following environment variables set on my local machine:

TRIVY_AUTH_URL
TRIVY_NON_SSL
TRIVY_USERNAME
TRIVY_PASSWORD

Whether I use http or https, I get the same error above.

Bucket Name Required

Scanning a local Docker image with PHP and a composer.lock inside, I get an error. The command:

trivy --debug registry.example.com/project/image:tag

What did you expect to happen?

Just a report ;-)

What happened instead?

I get an error message.

Output of run with -debug:

2019-07-03T18:12:07.263+0200	DEBUG	cache dir:  /Users/johndoe/Library/Caches/trivy
2019-07-03T18:12:07.263+0200	DEBUG	db path: /Users/johndoe/Library/Caches/trivy/db/trivy.db
2019-07-03T18:12:07.266+0200	INFO	Updating vulnerability database...
2019-07-03T18:12:07.266+0200	DEBUG	git pull
2019-07-03T18:12:08.024+0200	DEBUG	total updated files: 1
2019-07-03T18:12:08.038+0200	DEBUG	Vulnerability type:  [os library]
2019-07-03T18:12:08.897+0200	DEBUG	OS family: debian, OS version: 9.7
2019-07-03T18:12:08.898+0200	DEBUG	the number of packages: 170
2019-07-03T18:12:08.898+0200	DEBUG	the number of packages from commands: 0
2019-07-03T18:12:08.898+0200	DEBUG	the number of packages: 170
2019-07-03T18:12:08.898+0200	INFO	Detecting Debian vulnerabilities...
2019-07-03T18:12:08.898+0200	DEBUG	debian: os version: 9
2019-07-03T18:12:08.898+0200	DEBUG	debian: the number of packages: 170
2019-07-03T18:12:08.925+0200	DEBUG	Detecting library vulnerabilities, path: tmp/composer.lock
2019-07-03T18:12:08.925+0200	INFO	Updating composer Security DB...
2019-07-03T18:12:08.925+0200	DEBUG	git pull
2019-07-03T18:12:09.598+0200	FATAL	error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:166
  - failed to scan libraries:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:65
  - failed to scan composer vulnerabilities:
    github.com/knqyf263/trivy/pkg/scanner/library.Scan
        /root/project/pkg/scanner/library/scan.go:76
  - failed to update composer advisories:
    github.com/knqyf263/trivy/pkg/scanner/library.scan
        /root/project/pkg/scanner/library/scan.go:106
  - error in batch update:
    github.com/knqyf263/trivy/pkg/db.BatchUpdate
        /root/project/pkg/db/db.go:110
  - failed to save composer vulnerability:
    github.com/knqyf263/trivy/pkg/scanner/library/composer.Scanner.saveVulnerabilities.func1
        /root/project/pkg/scanner/library/composer/advisory.go:98
  - failed to create a bucket:
    github.com/knqyf263/trivy/pkg/db.Put
        /root/project/pkg/db/db.go:99
  - bucket name required

Output of trivy -v:

trivy version 0.1.3

Installed via Brew

Additional details (base image name, container registry info...):

The local image is based on php:7.3-fpm-stretch

Totals all showing as zero

Please ignore. I found the non-zero totals in the output eventually.

But FYI it was confusing to see the following after a long list of vulnerabilities

app/package-lock.json
=====================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

By using the -o option to redirect the output, the actual counts didn't disappear off the screen.

Add S3 as a cache storage

After trying AWS EFS as a central cache folder for our build nodes, I want to ask if there is an option to implement S3 for the cache storage?

EFS is too slow, especially with small files, and there are many storage systems compatible with the S3 API (Minio etc.).

Multiple records of the same CVE from json output

Description
Multiple records of the same CVE from json output
I am seeing the same entry of a CVE number multiple times on a single image

What did you expect to happen?
Scan the image and output the CVEs based on that image

What happened instead?
the output has duplicates, which is unnecessary

Output of run with -debug:

09:18 $ trivy -f json -o scan.json -debug jcowey/vs-coder
2019-05-31T09:21:40.852+0100	DEBUG	cache dir:  /Users/jcowey/Library/Caches/trivy
2019-05-31T09:21:40.852+0100	DEBUG	db path: /Users/jcowey/Library/Caches/trivy/db/trivy.db
2019-05-31T09:21:40.861+0100	INFO	Updating vulnerability database...
2019-05-31T09:21:40.861+0100	DEBUG	git pull
2019-05-31T09:21:41.671+0100	DEBUG	total updated files: 1
2019-05-31T09:21:41.709+0100	WARN	You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-05-31T09:21:51.016+0100	DEBUG	OS family: ubuntu, OS version: 18.04
2019-05-31T09:21:51.018+0100	DEBUG	the number of packages: 176
2019-05-31T09:21:51.018+0100	DEBUG	the number of packages from commands: 0
2019-05-31T09:21:51.018+0100	DEBUG	the number of packages: 176
2019-05-31T09:21:51.018+0100	INFO	Detecting Ubuntu vulnerabilities...
2019-05-31T09:21:51.018+0100	DEBUG	ubuntu: os version: 18.04
2019-05-31T09:21:51.018+0100	DEBUG	ubuntu: the number of packages: %!s(int=176)

Output of trivy -v:

09:22 $ trivy -v
trivy version 0.1.0

Additional details (base image name, container registry info...):

See here the dupes. While this may be interesting on a Docker image layer level, there's no hint of which layer the vuln is on; I would rather have unique CVEs on the image as a whole and not layer by layer.

09:17 $ cat scan.json | grep CVE-2018-7738
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",
        "VulnerabilityID": "CVE-2018-7738",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738",

unknown os

./trivy utrecht/bcbsn:2.0.1
2019-05-18T00:29:48.053+0200	INFO	Updating vulnerability database...
2019-05-18T00:30:46.361+0200	INFO	Updating NVD data...
 122457 / 122457 [===============================================] 100.00% 28s
2019-05-18T00:31:14.550+0200	INFO	Updating Alpine data...
 11104 / 11104 [==================================================] 100.00% 0s
2019-05-18T00:31:15.267+0200	INFO	Updating RedHat data...
 19422 / 19422 [==================================================] 100.00% 3s
2019-05-18T00:31:18.643+0200	INFO	Updating Debian data...
 27788 / 27788 [==================================================] 100.00% 1s
2019-05-18T00:31:20.097+0200	INFO	Updating Debian OVAL data...
 59623 / 59623 [==================================================] 100.00% 4s
2019-05-18T00:31:24.750+0200	INFO	Updating Ubuntu data...
 30183 / 30183 [==================================================] 100.00% 4s
2019-05-18T00:31:29.935+0200	FATAL	error in image scan: failed to scan image: failed to analyze OS: Unknown OS

Escaped ampersands in "References" urls with json format

$ trivy --auto-refresh --clear-cache --quiet -format json --output nginx-stable.json nginx:stable
$ grep -nF '\u0026' nginx-stable.json
200:        "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278",
414:        "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278",
1895:        "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278",
2281:        "http://marc.info/?l=bugtraq\u0026m=112327628230258\u0026w=2"

Full output: https://0x0.st/zmLe.json
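As an added example (not code from the Trivy project or from either reporter), a small post-processor for Trivy's JSON output that collapses the layer-by-layer duplicates described in the "Multiple records of the same CVE" report above into one finding per CVE, package and version, and that shows the `\u0026` sequences from the "Escaped ampersands" report are ordinary JSON escapes which decode to `&`. The report shape (a list of targets, each with a `Vulnerabilities` array) is an assumption about the 0.1.x format, and the sample report and package names are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like Trivy 0.1.x JSON output (assumption: a list of
# targets, each with a "Vulnerabilities" list). Package names are made up; the
# raw string keeps the \u0026 escapes literal, exactly as grep sees them on disk.
SAMPLE_REPORT = r'''[
  {
    "Target": "jcowey/vs-coder (ubuntu 18.04)",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2018-7738", "PkgName": "libfoo", "InstalledVersion": "1.0-1", "Severity": "LOW", "References": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"]},
      {"VulnerabilityID": "CVE-2018-7738", "PkgName": "libfoo", "InstalledVersion": "1.0-1", "Severity": "LOW", "References": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"]},
      {"VulnerabilityID": "CVE-2018-7738", "PkgName": "foo-bin", "InstalledVersion": "1.0-1", "Severity": "LOW", "References": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"]},
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libbar", "InstalledVersion": "2.3-4", "Severity": "HIGH", "References": ["https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278"]}
    ]
  }
]'''

def load_report(text: str) -> List[dict]:
    # json.loads turns "\u0026" back into "&": the escape is the encoder's valid
    # spelling of the character, not corruption of the URL.
    return json.loads(text)

def vuln_key(v: dict) -> Tuple[str, str, str]:
    # One finding = one CVE against one package at one installed version, no
    # matter how many image layers it was reported from.
    return (v["VulnerabilityID"], v.get("PkgName", ""), v.get("InstalledVersion", ""))

def dedupe_report(report: List[dict]) -> List[dict]:
    """Copy of the report with duplicate findings removed per target (first occurrence kept)."""
    out = []
    for target in report:
        seen, unique = set(), []
        for v in target.get("Vulnerabilities") or []:
            if vuln_key(v) not in seen:
                seen.add(vuln_key(v))
                unique.append(v)
        out.append({**target, "Vulnerabilities": unique})
    return out

def unique_cve_ids(report: List[dict]) -> List[str]:
    # Distinct CVE IDs across the whole image, in first-seen order.
    return list(dict.fromkeys(v["VulnerabilityID"]
                              for t in report for v in t.get("Vulnerabilities") or []))

def severity_totals(report: List[dict]) -> Dict[str, int]:
    """Counts in the order Trivy prints its Total: line (severities assumed to be these five)."""
    totals = {s: 0 for s in ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")}
    for t in report:
        for v in t.get("Vulnerabilities") or []:
            totals[v.get("Severity", "UNKNOWN")] += 1
    return totals

def reference_urls(report: List[dict]) -> List[str]:
    # All reference URLs as decoded strings: plain '&', no backslash-u escapes left.
    return [u for t in report for v in t.get("Vulnerabilities") or [] for u in v.get("References") or []]

if __name__ == "__main__":
    raw = load_report(SAMPLE_REPORT)
    clean = dedupe_report(raw)
    print(f"findings: {len(raw[0]['Vulnerabilities'])} raw, {len(clean[0]['Vulnerabilities'])} unique")
    print("unique CVEs:", unique_cve_ids(clean))
    print("totals:", severity_totals(clean))
    for url in reference_urls(clean):
        print("ref:", url)
```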

error in image scan: failed to analyze image: failed to extract files: missing signature key

Hello,

I'm trying to run a scan using the Docker image and get this error.

These are the commands I ran:

mkdir ~/.cache/trivy
docker run -v /home/ktr/.cache/trivy:/root/.cache knqyf263/trivy elabftw/elabimg:3.2.0

If I try with "python:3.4-alpine" it works fine, so I'm guessing it's because this image is only tagged locally.

What is this error and how can it be fixed?

A git grep "missing signature key" didn't return anything in the trivy repo, so I'm not sure where to start looking!

Cheers,
~Nico

Incorrect sqlite package version detected

Description

What did you expect to happen?

To detect correct installed package version

What happened instead?

Trivy reports an older package is used.

Output of run with -debug:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.cache:/root/.cache/ knqyf263/trivy -debug eu.gcr.io/xxx/app-phpfpm:develop-xxx
2019-06-14T08:52:37.185Z        DEBUG   cache dir:  /root/.cache/trivy
2019-06-14T08:52:37.185Z        DEBUG   db path: /root/.cache/trivy/db/trivy.db
2019-06-14T08:52:37.188Z        INFO    Updating vulnerability database...
2019-06-14T08:52:37.188Z        DEBUG   git pull
2019-06-14T08:52:37.753Z        DEBUG   total updated files: 1
2019-06-14T08:52:37.756Z        DEBUG   Vulnerability type:  [os library]
2019-06-14T08:52:37.971Z        DEBUG   OS family: alpine, OS version: 3.9.4
2019-06-14T08:52:37.972Z        DEBUG   the number of packages: 127
2019-06-14T08:52:38.776Z        DEBUG   the number of packages from commands: 140
2019-06-14T08:52:38.776Z        DEBUG   the number of packages: 159
2019-06-14T08:52:38.776Z        INFO    Detecting Alpine vulnerabilities...
2019-06-14T08:52:38.776Z        DEBUG   alpine: os version: 3.9
2019-06-14T08:52:38.776Z        DEBUG   alpine: the number of packages: 159
2019-06-14T08:52:38.787Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/vendor/zendframework/zend-code/composer.lock
2019-06-14T08:52:38.787Z        INFO    Updating composer Security DB...
2019-06-14T08:52:38.787Z        DEBUG   git pull
2019-06-14T08:52:39.395Z        INFO    Detecting composer vulnerabilities...
2019-06-14T08:52:39.395Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/vendor/doctrine/doctrine-migrations-bundle/composer.lock
2019-06-14T08:52:39.395Z        INFO    Updating composer Security DB...
2019-06-14T08:52:39.395Z        DEBUG   git pull
2019-06-14T08:52:40.014Z        INFO    Detecting composer vulnerabilities...
2019-06-14T08:52:40.016Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/vendor/ocramius/package-versions/composer.lock
2019-06-14T08:52:40.016Z        INFO    Updating composer Security DB...
2019-06-14T08:52:40.016Z        DEBUG   git pull
2019-06-14T08:52:40.662Z        INFO    Detecting composer vulnerabilities...
2019-06-14T08:52:40.663Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/composer.lock
2019-06-14T08:52:40.663Z        INFO    Updating composer Security DB...
2019-06-14T08:52:40.663Z        DEBUG   git pull
2019-06-14T08:52:41.290Z        INFO    Detecting composer vulnerabilities...
2019-06-14T08:52:41.293Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/vendor/zendframework/zend-eventmanager/composer.lock
2019-06-14T08:52:41.293Z        INFO    Updating composer Security DB...
2019-06-14T08:52:41.293Z        DEBUG   git pull
2019-06-14T08:52:41.936Z        INFO    Detecting composer vulnerabilities...
2019-06-14T08:52:41.936Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/vendor/dshafik/php7-mysql-shim/composer.lock
2019-06-14T08:52:41.936Z        INFO    Updating composer Security DB...
2019-06-14T08:52:41.936Z        DEBUG   git pull
2019-06-14T08:52:42.522Z        INFO    Detecting composer vulnerabilities...
2019-06-14T08:52:42.522Z        DEBUG   Detecting library vulnerabilities, path: usr/share/nginx/html/vendor/jdorn/sql-formatter/composer.lock
2019-06-14T08:52:42.522Z        INFO    Updating composer Security DB...
2019-06-14T08:52:42.522Z        DEBUG   git pull
2019-06-14T08:52:43.136Z        INFO    Detecting composer vulnerabilities...

...
eu.gcr.io/xxx/xxx-phpfpm:develop-xxx (alpine 3.9.4)
=================================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| sqlite  | CVE-2019-8457    | HIGH     | 3.26.0-r3         | 3.28.0-r0     | sqlite3: heap out-of-bound     |
|         |                  |          |                   |               | read in function rtreenode()   |
+         +------------------+----------+                   +               +--------------------------------+
|         | CVE-2019-5018    | MEDIUM   |                   |               | An exploitable use after       |
|         |                  |          |                   |               | free vulnerability exists      |
|         |                  |          |                   |               | in the window function         |
|         |                  |          |                   |               | functionality...               |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Running the same image and checking the version of sqlite reports it's 3.28-r0 though.

apk info sqlite
sqlite-3.28.0-r0 description:
C library that implements an SQL database engine

sqlite-3.28.0-r0 webpage:
https://www.sqlite.org/

sqlite-3.28.0-r0 installed size:
1056768

Output of trivy -v:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.cache:/root/.cache/ knqyf263/trivy -v
trivy version dev

Additional details (base image name, container registry info...):

Base image: 
php:7.3.6-fpm-alpine3.9

FEAT: As a user, I expect the docker image to be rebuilt every day

The latest image on docker hub is from 11 days ago.

  1. Best practice — I don't think it's acceptable for a scanner docker image.
  2. Updates — This will have the positive effect that we can use --skip-update more confidently.

Context: Updating the Trivy CVE vulnerability catalog can take up to 5-15 min to complete. That's why many people would use --skip-update.


I could help if you would like to set up a CI on Travis CI.

Cheers!

--skip-update not working?

Description

Command line option: --skip-update does not work?

What did you expect to happen?

I expect that trivy does not update the db.

What happened instead?

Trivy still updates the db.

Output of run with -debug:

[0] % ./trivy -d --skip-update --cache-dir ./cache debian:buster

2019-06-07T14:36:44.370+0200	DEBUG	cache dir:  cache/trivy
2019-06-07T14:36:44.370+0200	DEBUG	db path: cache/trivy/db/trivy.db
2019-06-07T14:36:44.382+0200	INFO	Updating vulnerability database...
2019-06-07T14:36:44.383+0200	DEBUG	git pull
2019-06-07T14:36:46.373+0200	DEBUG	total updated files: 1
2019-06-07T14:36:50.444+0200	DEBUG	OS family: debian, OS version: buster/sid
2019-06-07T14:36:50.447+0200	DEBUG	the number of packages: 91
2019-06-07T14:36:50.447+0200	DEBUG	the number of packages from commands: 0
2019-06-07T14:36:50.447+0200	DEBUG	the number of packages: 91
2019-06-07T14:36:50.447+0200	INFO	Detecting Debian vulnerabilities...
2019-06-07T14:36:50.447+0200	DEBUG	debian: os version: buster/sid
2019-06-07T14:36:50.447+0200	DEBUG	debian: the number of packages: 91

debian:buster (debian buster/sid)
=================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

without --skip-update

[0] % ./trivy -d --cache-dir ./cache debian:buster
2019-06-07T14:37:19.800+0200	DEBUG	cache dir:  cache/trivy
2019-06-07T14:37:19.801+0200	DEBUG	db path: cache/trivy/db/trivy.db
2019-06-07T14:37:19.824+0200	INFO	Updating vulnerability database...
2019-06-07T14:37:19.824+0200	DEBUG	git pull
2019-06-07T14:37:20.847+0200	DEBUG	total updated files: 1
2019-06-07T14:37:24.933+0200	DEBUG	OS family: debian, OS version: buster/sid
2019-06-07T14:37:24.935+0200	DEBUG	the number of packages: 91
2019-06-07T14:37:24.935+0200	DEBUG	the number of packages from commands: 0
2019-06-07T14:37:24.935+0200	DEBUG	the number of packages: 91
2019-06-07T14:37:24.935+0200	INFO	Detecting Debian vulnerabilities...
2019-06-07T14:37:24.935+0200	DEBUG	debian: os version: buster/sid
2019-06-07T14:37:24.935+0200	DEBUG	debian: the number of packages: 91

debian:buster (debian buster/sid)
=================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Output of trivy -v:

commit: f12284a

trivy version dev

Additional details (base image name, container registry info...):

trivy.exe doesn't work (windows)

Description

TITLE

What did you expect to happen?

work well.

What happened instead?

doesn't work

Output of run with -debug:

$ ./trivy.exe -debug alpine:latest
2019-06-14T10:01:18.315+0900    DEBUG   cache dir:  C:\Users\genxt\AppData\Local\trivy
2019-06-14T10:01:18.495+0900    DEBUG   db path: C:\Users\genxt\AppData\Local\trivy\db\trivy.db
2019-06-14T10:01:18.496+0900    INFO    Updating vulnerability database...
2019-06-14T10:01:18.496+0900    DEBUG   git pull
2019-06-14T10:01:25.978+0900    DEBUG   total updated files: 1
2019-06-14T10:01:25.983+0900    WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2019-06-14T10:01:30.910+0900    FATAL   error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:160
  - failed to scan image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:53
  - failed to analyze OS:
    github.com/knqyf263/trivy/pkg/scanner/ospkg.Scan
        /root/project/pkg/scanner/ospkg/scan.go:31
  - Unknown OS:
    github.com/knqyf263/fanal/analyzer.init.ializers
        /go/pkg/mod/github.com/knqyf263/[email protected]/analyzer/analyzer.go:24

Output of trivy -v:

0.1.2

Additional details (base image name, container registry info...):

MSYS2

FATAL error in image scan: failed to analyze image: failed to extract files: missing signature key


BUG REPORT INFORMATION

I am running trivy installed from the Debian package (currently 0.1.1) inside a GitLab CI worker.
The worker is a Docker container which can build images (the Docker socket is mounted).

Description
In my pipeline I would like to scan the images before pushing them to the repository.
But trivy fails with the error above, although the image is currently built.

$ docker build --pull -t ${IMAGE}:${VERSION} -t ${IMAGE}:latest .
Sending build context to Docker daemon  84.48kB
Step 1/2 : FROM postgres:11-alpine
11-alpine: Pulling from library/postgres
e7c96db7181b: Already exists
ddab92d60ba9: Pulling fs layer
... snipped ...
79d684a466de: Pull complete
1929cdd74131: Pull complete
Digest: sha256:7507521549968d1506ba9748a1f86d4ac015544b07738da8d25cf670eb2a7279
Status: Downloaded newer image for postgres:11-alpine
 ---> 0223e4d872f4
Step 2/2 : LABEL MAINTAINER Oz123 <[email protected]>
 ---> Running in 86c97c84674b
Removing intermediate container 86c97c84674b
 ---> a4b10056be0e
Successfully built a4b10056be0e
Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:0.0.1
Successfully tagged gitlab.xxx.net:5050/tech/postgresql/docker-image:latest
$ trivy -q --auto-refresh ${IMAGE}:${VERSION}
2019-05-27T15:06:46.237Z	INFO	Updating vulnerability database...
2019-05-27T15:07:34.298Z	INFO	Updating NVD data...
2019-05-27T15:08:04.259Z	INFO	Updating Alpine data...
2019-05-27T15:08:05.058Z	INFO	Updating RedHat data...
2019-05-27T15:08:08.466Z	INFO	Updating Debian data...
2019-05-27T15:08:10.155Z	INFO	Updating Debian OVAL data...
2019-05-27T15:08:15.279Z	INFO	Updating Ubuntu data...
2019-05-27T15:08:20.303Z	FATAL	error in image scan: failed to analyze image: failed to extract files: missing signature key
ERROR: Job failed: exit code 1

Output of trivy -v:
0.1.1

I suspect the docker image should also mount the directory where the image built files are stored, but I can't confirm this.

trivy doesn't work without `rpm` on some distributions

Description

When using trivy to scan a docker image from centos:latest I'm getting this error:
2019-05-28T12:48:44.679Z FATAL error in image scan: failed to scan image: failed to analyze OS packages: Unknown OS

What did you expect to happen?
The scan will be performed

What happened instead?
Scan interrupted

Output of run with -debug:

 11122 / 11122  100.00%
 11122 / 11122  100.00%
 11122 / 11122  100.00% 0s
2019-05-28T13:05:46.351Z	DEBUG	OS family: centos, OS version: 7.6.1810
2019-05-28T13:05:46.367Z	FATAL	error in image scan:
    github.com/knqyf263/trivy/pkg.Run
        /root/project/pkg/run.go:160
  - failed to scan image:
    github.com/knqyf263/trivy/pkg/scanner.ScanImage
        /root/project/pkg/scanner/scan.go:53
  - failed to analyze OS packages:
    github.com/knqyf263/trivy/pkg/scanner/ospkg.Scan
        /root/project/pkg/scanner/ospkg/scan.go:51
  - Unknown OS:
    github.com/knqyf263/fanal/analyzer.init.ializers
        /go/pkg/mod/github.com/knqyf263/[email protected]/analyzer/analyzer.go:24
ERROR: Job failed: exit code 1

Output of trivy -v:

$ trivy -v
trivy version 0.1.2

Additional details (base image name, container registry info...):
centos:latest
