aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Unable to Detect OS on ECS-Optimized AMI #368

Open jbestcs opened 5 months ago

jbestcs commented 5 months ago

Hello,

When running trivy-action scans on ECS-Optimized Amazon Machine Images (AMIs) in a GitHub Actions workflow, I've found Trivy fails to detect the operating system and reports a 'filesystem walk error'. The issue persists across different scan configurations, including vulnerability scans, misconfiguration scans, and attempts to skip specific directories.

Steps to reproduce the behavior:

  1. Configure a GitHub Actions workflow to build ECS-Optimized AMIs.
  2. Add trivy-action to the workflow to scan the AMIs.
  3. Run the workflow.
  4. Observe the error output indicating an inability to detect the OS and issues parsing files.

Expected behavior

Trivy should correctly detect the operating system and perform a complete scan without errors.

GitHub Actions Workflow Configuration

- name: Run Trivy Scan
  uses: aquasecurity/trivy-action@0.23.0
  with:
    scan-type: vm
    image-ref: "ami:${{ image_ref }}"
    format: 'json'
    output: 'trivy-results.json'
    hide-progress: false
    scanners: vuln,misconfig
    severity: HIGH,CRITICAL

Output Logs

2024-06-20T04:50:23Z    INFO    Timeout is set to less than 30 min - upgrading to 30 min for this command.
2024-06-20T04:50:23Z    INFO    Need to update DB
2024-06-20T04:50:23Z    INFO    Downloading DB...
2024-06-20T04:50:27Z    INFO    Misconfiguration scanning is enabled
2024-06-20T04:50:27Z    INFO    Need to update the built-in policies
2024-06-20T04:50:27Z    INFO    Downloading the built-in policies...
2024-06-20T04:50:29Z    INFO    [ami] Snapshot found    snapshot_id="snap-123456789abcdefgh"
2024-06-20T04:50:58Z    WARN    [vm] Partition error    err="filesystem walk error: fs.Walk error: read directory /var/lib/docker/volumes/backingFsBlockDev: failed to list directory entries inode: 58720422: failed to list entries: not found entries"
2024-06-20T04:50:58Z    INFO    Detected OS family="none" version=""
2024-06-20T04:50:58Z    WARN    Unsupported os  family="none"
2024-06-20T04:50:58Z    INFO    Number of language-specific files   num=0
2024-06-20T04:50:58Z    INFO    Detected config files   num=0

OS Information

NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.4.20240611"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2028-03-15"

Additional context

Request for Assistance
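The log above shows the failure mode that matters operationally: with `Detected OS family="none"`, Trivy never scans OS packages, so an empty result set is not a clean bill of health. The following guard, an added example and not part of the issue or of trivy-action, reads the `trivy-results.json` produced by the workflow's `format: 'json'` step and fails the job when no OS scan actually happened. It assumes the Trivy JSON report layout (top-level `Metadata.OS` with `Family`/`Name`, and `Results[].Class` values such as `os-pkgs`); the two embedded sample reports are constructed, not real scan output.

```python
"""Guard for trivy-action JSON output: fail when the OS was not detected.

Added example, not part of the issue or of trivy-action. Assumes the Trivy
JSON report layout: top-level "Metadata" with "OS" {"Family", "Name"}, and
"Results" entries carrying a "Class" such as "os-pkgs". A report whose OS
family is missing or "none" had no OS-package scanning at all, so an empty
vulnerability list must not be read as "no vulnerabilities".
"""
import json
import sys
from typing import Any

NOT_DETECTED = {"", "none", "unknown"}


def os_scan_status(report: dict[str, Any]) -> tuple[bool, str]:
    """Return (ok, reason) for a parsed Trivy JSON report."""
    os_meta = (report.get("Metadata") or {}).get("OS") or {}
    family = str(os_meta.get("Family", "")).lower()
    if family in NOT_DETECTED:
        return False, f"OS not detected (family={family or 'missing'}); OS packages were not scanned"
    os_results = [r for r in report.get("Results", []) if r.get("Class") == "os-pkgs"]
    if not os_results:
        return False, f"OS {family} detected but no os-pkgs result section present"
    return True, f"OS {family} {os_meta.get('Name', '')} scanned ({len(os_results)} os-pkgs section(s))"


def check_report_file(path: str) -> int:
    """Exit-code style wrapper: 0 when OS scanning happened, 1 otherwise."""
    with open(path, encoding="utf-8") as fh:
        ok, reason = os_scan_status(json.load(fh))
    print(("OK: " if ok else "FAIL: ") + reason)
    return 0 if ok else 1


# Constructed sample reports (not real scan output), mirroring the two cases
# in the thread: the failed AMI scan and a healthy Amazon Linux 2023 scan.
FAILED_AMI_REPORT = json.loads("""{
  "SchemaVersion": 2, "ArtifactName": "ami:ami-example", "ArtifactType": "vm",
  "Metadata": {"OS": {"Family": "none", "Name": ""}},
  "Results": []
}""")
HEALTHY_REPORT = json.loads("""{
  "SchemaVersion": 2, "ArtifactName": "ami:ami-example", "ArtifactType": "vm",
  "Metadata": {"OS": {"Family": "amazon", "Name": "2023"}},
  "Results": [{"Target": "ami-example (amazon 2023)", "Class": "os-pkgs",
               "Type": "amazon", "Vulnerabilities": []}]
}""")

if __name__ == "__main__":
    sys.exit(check_report_file(sys.argv[1] if len(sys.argv) > 1 else "trivy-results.json"))
```

Run it as a workflow step after the scan (`python check_trivy_os.py trivy-results.json`) so a silent OS-detection failure breaks the build instead of passing unnoticed.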

simar7 commented 5 months ago

Do you see the same issue if you run Trivy as a CLI tool locally? If so, it'd be an issue with Trivy itself and not the Action. In that case, could you file this as a discussion in the Trivy repo so we can take a look?

jbestcs commented 5 months ago

Good point! Thank you.

So when I ran it locally I got this:

2024-06-21T01:38:06.401Z        INFO    Need to update DB
2024-06-21T01:38:06.402Z        INFO    Downloading DB...
2024-06-21T01:38:17.648Z        INFO    Detected OS: unknown
2024-06-21T01:38:17.649Z        INFO    Number of PL dependency files: 1
2024-06-21T01:38:17.649Z        INFO    Detecting gobinary vulnerabilities...

and then a list of vulnerabilities. It still doesn't detect the OS, but that's much less important than the fact that it didn't hit that filesystem walk error.

simar7 commented 5 months ago

Are you able to provide an input image which we can use to reproduce this?

jbestcs commented 5 months ago

This image should do: ami-0fda48b6c27c921ad

simar7 commented 5 months ago

Is this a public image? If so, where is it available? I'm unable to find it in the regions I looked at.

jbestcs commented 5 months ago

In other regions it's in the AWS Marketplace, but in ap-southeast-2 it's a Community AMI.

aconlin-scottlogic commented 2 months ago

Seeing the same issue with a generic AL2023 image with the ECS agent installed. Unfortunately the AMI isn't public, but thought it worthwhile highlighting that this isn't an issue that's only affecting the ECS optimised AMI that AWS provides.

However, the issue is also seen when scanning using the CLI locally.

Currently using version 0.54.1; will try 0.55 to see if that fixes the issue...

simar7 commented 2 months ago

> however the issue is also seen when scanning using the CLI locally

Please file the discussion in the Trivy repo in this case as it would be a Trivy bug not specific to the action itself. Thank you.

aconlin-scottlogic commented 2 months ago

> > however the issue is also seen when scanning using the CLI locally
>
> Please file the discussion in the Trivy repo in this case as it would be a Trivy bug not specific to the action itself. Thank you.

Ah ok, sorry I missed that this was the action repo :)