CycloneDX / cdxgen-plugins-bin

Binary plugins for @cyclonedx/cdxgen npm package
Apache License 2.0

Trouble with trivy and java db #9

Open prabhu opened 10 months ago

prabhu commented 10 months ago

cdxgen doesn't require the java db with the trivy plugin. Since the plugin has now started failing consistently, we should try to move away and reimplement the OS package image parsing natively.

node bin/cdxgen.js -t docker docker.io/library/eclipse-temurin:11-alpine -o /tmp/bom.json
Docker service in rootless mode detected.
About to export image docker.io/library/eclipse-temurin:11-alpine to /tmp/docker-images-lmAxdt
Image docker.io/library/eclipse-temurin:11-alpine successfully exported to directory /tmp/docker-images-lmAxdt
Extracting layer afd2ec152c1bb9e40973ee0bfade03c146c1a9be79a02ff430caf3b1713fbaca/layer.tar to /tmp/docker-images-lmAxdt/all-layers
Extracting layer ae89a5eb8afb969a614a7c3b5db8d0b44f83a25956e431ae835a3c06bd42bc33/layer.tar to /tmp/docker-images-lmAxdt/all-layers
Extracting layer b151220b588f08629428fa3debf26a4289ade49c880eb02c4a92dae0d415308f/layer.tar to /tmp/docker-images-lmAxdt/all-layers
Extracting layer ff7b60bb4ba35391f0b3b4d27c2fe45f02702fa3f6551b116a5cc90ac01e340d/layer.tar to /tmp/docker-images-lmAxdt/all-layers
Extracting layer 8d7dc6857fc3fbba070dafb4a59f92606e377771156e01be797f798a64e4bf95/layer.tar to /tmp/docker-images-lmAxdt/all-layers
pathList [
  '/tmp/docker-images-lmAxdt/all-layers/usr/local/go',
  '/tmp/docker-images-lmAxdt/all-layers/usr/local/lib',
  '/tmp/docker-images-lmAxdt/all-layers/usr/local/lib64',
  '/tmp/docker-images-lmAxdt/all-layers/opt',
  '/tmp/docker-images-lmAxdt/all-layers/home',
  '/tmp/docker-images-lmAxdt/all-layers/usr/share',
  '/tmp/docker-images-lmAxdt/all-layers/usr/src',
  '/tmp/docker-images-lmAxdt/all-layers/var/www/html',
  '/tmp/docker-images-lmAxdt/all-layers/var/lib',
  '/tmp/docker-images-lmAxdt/all-layers/mnt',
  '/tmp/docker-images-lmAxdt/all-layers/usr/lib',
  '/tmp/docker-images-lmAxdt/all-layers/usr/lib64'
]
Executing /mnt/work/CycloneDX/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin/plugins/trivy/trivy-cdxgen-linux-amd64 rootfs --skip-db-update --offline-scan --no-progress --exit-code 0 --format cyclonedx --output /tmp/trivy-cdxgen-d0qmNR/trivy-bom.json /tmp/docker-images-lmAxdt/all-layers
2023-10-20T13:09:48.501+0100    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-10-20T13:09:48.516+0100    INFO    JAR files found
2023-10-20T13:09:48.516+0100    INFO    Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-10-20T13:09:48.516+0100    INFO    Downloading the Java DB...
2023-10-20T13:09:48.964+0100    ERROR   Unable to initialize the Java DB: Java DB update failed: Java DB update error: DB download error: OCI repository error: 1 error occurred:
        * GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-java-db%3Apull&service=ghcr.io: DENIED: denied

Found 0 OS packages at /tmp/docker-images-lmAxdt/all-layers
prabhu commented 9 months ago

There is some workaround but this is another annoyance that we need to live with before we eventually implement OS packages parsing natively.