aquasecurity / harbor-scanner-trivy

Use Trivy as a plug-in vulnerability scanner in the Harbor registry
https://goharbor.io
Apache License 2.0

the length of usernames and passwords must match with 2.8.2 #359

Open jbgomond opened 1 year ago

jbgomond commented 1 year ago

What steps did you take and what happened:

I updated the Docker images from 2.8.0 to 2.8.2 (all Harbor containers). I now get this error when I launch an analysis from Harbor using Trivy. The service health is OK.

    2023-07-08T19:48:55+02:00 [INFO] [/pkg/scan/job.go:387]: { "uuid": "02c8fdac-abdc-11ed-bf71-0242ac130008", "name": "Local Trivy", "description": "", "url": "http://localhost:8081", "disabled": false, "is_default": true, "health": "healthy", "auth": "", "access_credential": "[HIDDEN]", "skip_certVerify": false, "use_internal_addr": false, "adapter": "Trivy", "vendor": "Aqua Security", "version": "Unknown", "create_time": "2023-02-13T20:21:34.62387Z", "update_time": "2023-07-08T17:35:01.05781Z" }
    2023-07-08T19:48:55+02:00 [INFO] [/pkg/scan/job.go:387]: { "registry": { "url": "https://XXXX", "authorization": "[HIDDEN]" }, "artifact": { "namespace_id": 2, "repository": "XXX/XXX", "tag": "8.1", "digest": "sha256:9b80c586e892182fe126c19382737c39334942b2a1ac412d56b64dc4277da16b", "mime_type": "application/vnd.docker.distribution.manifest.v2+json" } }
    2023-07-08T19:48:55+02:00 [INFO] [/pkg/scan/job.go:167]: Report mime types: [application/vnd.security.vulnerability.report; version=1.1]
    2023-07-08T19:48:55+02:00 [INFO] [/pkg/scan/job.go:224]: Get report for mime type: application/vnd.security.vulnerability.report; version=1.1
    2023-07-08T19:48:57+02:00 [ERROR] [/pkg/scan/job.go:294]: check scan report with mime type application/vnd.security.vulnerability.report; version=1.1: running trivy wrapper: running trivy: exit status 1: 2023-07-08T19:48:57.341+0200 FATAL flag error:
        github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2
            /bitnami/blacksmith-sandox/trivy-0.42.0/src/github.com/aquasecurity/trivy/pkg/commands/app.go:312
        registry flag error:
        github.com/aquasecurity/trivy/pkg/flag.(Flags).ToOptions
            /bitnami/blacksmith-sandox/trivy-0.42.0/src/github.com/aquasecurity/trivy/pkg/flag/options.go:484
        the length of usernames and passwords must match:
        github.com/aquasecurity/trivy/pkg/flag.(RegistryFlagGroup).ToOptions
            /bitnami/blacksmith-sandox/trivy-0.42.0/src/github.com/aquasecurity/trivy/pkg/flag/registry_flags.go:68
    : general response handler: unexpected status code: 500, expected: 200

It seems to be linked with that change: https://github.com/aquasecurity/trivy/pull/3906.

What did you expect to happen:

Continue working as it was with the new version

Anything else you would like to add:

Environment:

piyush94 commented 1 year ago

We're also facing the same issue.

horeyes commented 1 year ago

Also having this issue:

Harbor version: 2.7
Harbor Scanner Adapter: v0.30.15
Trivy: v0.44
Installation process: Helm Chart

ByJacob commented 1 year ago

I think this problem appeared after the https://github.com/aquasecurity/trivy/pull/3906 feature was added.

I debugged this and found the problem. When the name of the Interrogation Service has a space in it, Trivy thinks it has 2 users and one password.

These are the variables this adapter uses to run Trivy:

# local instance, so I don't have to mask it
TRIVY_USERNAME=robot$library+dDDZorvK-Exterlan check22asd-212df05f-3da5-11ee-afb8-0242ac190008
TRIVY_PASSWORD=A914JlE8Z19uvr5hOZ1egjIjmits2aUI

image

When I removed the space from the scanner name, everything started working.

piyush94 commented 1 year ago

@ByJacob I'll have to disagree here. I have two instances of Harbor and both have spaces in the Interrogation Service name. The scanner is working in one instance and not working in the other one.

Instance one (not working): image

Instance two (working): image

ByJacob commented 1 year ago

> @ByJacob I'll have to disagree here. I have two instances of Harbor and both have spaces in the Interrogation Service name. The scanner is working in one instance and not working in the other one.
>
> Instance one (not working): image
>
> Instance two (working): image

And are both instances of harbor-scanner-trivy identical, using the same versions of harbor-scanner-trivy?

Changing the name of the scanner (removing the spaces) helped in my case.

It is possible that there are some characters in the generated user or password string that cause Trivy to split the given string into arrays. Try debugging the usernames used in the container with the following command; you may be able to find the problem.

  1. Run this loop in the scanner container (pgrep needs -f to match the full command line, otherwise the path pattern never matches; the guard skips iterations where no trivy process is running yet):
    while [ 1 ]
    do
      pid=$(pgrep -f /usr/local/bin/trivy | head -n 1)
      # print only the TRIVY_* variables of the running trivy child process
      [ -n "$pid" ] && tr '\0' '\n' < "/proc/$pid/environ" | grep -e TRIVY_
      sleep 0.1
    done
  2. Run a scan of some image.
  3. Look for the variables TRIVY_USERNAME and TRIVY_PASSWORD and try to use them to start the Trivy scan manually.
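The two comments above (the observation that a scanner name containing a space turns TRIVY_USERNAME into two usernames, and the /proc/<pid>/environ debugging procedure) can be reproduced offline. The following Go program is an added example, not code from harbor-scanner-trivy or Trivy: it parses a constructed /proc/<pid>/environ blob (the robot account name is the one posted in the thread, the rest is made up), splits the values on whitespace the way a string-slice flag bound to an environment variable is read through viper (an assumption about Trivy's flag handling, consistent with the error in the thread), and applies the same "one password per username" check that produced the FATAL message. The helper names (parseEnviron, CheckEnviron, HasUnsafeWhitespace) are my own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample of what `tr '\0' '\n' < /proc/<pid>/environ` would show for
// the trivy child process. The robot account name is copied from the thread;
// PATH, the password and the cache dir are invented for this example.
var sampleEnviron = []byte(
	"PATH=/usr/local/bin:/usr/bin\x00" +
		"TRIVY_USERNAME=robot$library+dDDZorvK-Exterlan check22asd-212df05f-3da5-11ee-afb8-0242ac190008\x00" +
		"TRIVY_PASSWORD=A914JlE8Z19uvr5hOZ1egjIjmits2aUI\x00" +
		"TRIVY_CACHE_DIR=/home/scanner/.cache/trivy\x00")

// parseEnviron turns the NUL-separated /proc/<pid>/environ format into a map.
func parseEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, kv := range bytes.Split(raw, []byte{0}) {
		if len(kv) == 0 {
			continue
		}
		k, v, ok := strings.Cut(string(kv), "=")
		if !ok {
			continue
		}
		env[k] = v
	}
	return env
}

// splitLikeViper reproduces how a string-slice flag read from an environment
// variable is split: on whitespace (strings.Fields). Assumption: this is the
// viper/cast behaviour behind TRIVY_USERNAME and TRIVY_PASSWORD.
func splitLikeViper(v string) []string {
	return strings.Fields(v)
}

var errLengthMismatch = errors.New("the length of usernames and passwords must match")

// checkRegistryCreds mirrors the check that fails in the thread: Trivy expects
// exactly one password per username.
func checkRegistryCreds(usernames, passwords []string) error {
	if len(usernames) != len(passwords) {
		return fmt.Errorf("%w: %d username(s), %d password(s)",
			errLengthMismatch, len(usernames), len(passwords))
	}
	return nil
}

// CheckEnviron runs the whole pipeline on a captured environment and returns
// the parsed username/password slices plus the validation error, if any.
func CheckEnviron(raw []byte) ([]string, []string, error) {
	env := parseEnviron(raw)
	users := splitLikeViper(env["TRIVY_USERNAME"])
	passes := splitLikeViper(env["TRIVY_PASSWORD"])
	return users, passes, checkRegistryCreds(users, passes)
}

// HasUnsafeWhitespace reports whether a scanner name, once embedded in the
// robot account name, would be split into several usernames.
func HasUnsafeWhitespace(scannerName string) bool {
	return strings.ContainsAny(scannerName, " \t\r\n")
}

func main() {
	users, passes, err := CheckEnviron(sampleEnviron)
	fmt.Printf("usernames=%q\npasswords=%q\nerr=%v\n", users, passes, err)
	fmt.Println("Local Trivy unsafe:", HasUnsafeWhitespace("Local Trivy"))
	fmt.Println("LocalTrivy unsafe: ", HasUnsafeWhitespace("LocalTrivy"))
}
```

Running it reproduces the split: the single TRIVY_USERNAME value becomes two usernames while TRIVY_PASSWORD stays one value, which is exactly the mismatch the adapter logged. Renaming the scanner to something without whitespace, as the thread suggests, avoids the split; the check is on the whole username, so any other whitespace-containing part of the generated robot name would trigger it too.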
piyush94 commented 1 year ago

@ByJacob I tried removing the space from the Interrogation scanner name and it did help. The scanner is working now. So, thanks for the suggestion. I'll definitely try out the debug script to see what the values of the variables are in my second instance.

piyush94 commented 1 year ago

@ByJacob Got the error in second instance as well. It was re-installed a few days ago so maybe that cleared the scan cache. Earlier I was not seeing the error here. So, I removed the space here as well and it's fine now. Again thanks for finding the cause and suggesting the work around.

jbgomond commented 1 year ago

Indeed, removing the space in the scanner name fixes the issue. It seems there's a bug in that area.