aquasecurity / trivy-azure-pipelines-task

An Azure Pipelines Task for trivy
https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official
MIT License

filesystem scan error #12

Open vitelize1 opened 2 years ago

vitelize1 commented 2 years ago

Hi! I'm trying this product and I'm stuck on these errors (it seems to want to call something that isn't there?). What did I do wrong?

2022-09-27T16:24:20.941+0200    WARN    Increase --timeout value
2022-09-27T16:24:20.941+0200    FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:359
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:217
  - image scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:515
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:112
  - failed to call hooks:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:126
  - post handler error:
    github.com/aquasecurity/trivy/pkg/fanal/handler.Manager.PostHandle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/handler.go:75
  - scan config error:
    github.com/aquasecurity/trivy/pkg/fanal/handler/misconf.misconfPostHandler.Handle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/misconf/misconf.go:239
  - context deadline exceeded

Here is the build yml:

trigger:
  - master

resources:
  - repo: self

variables:
  tag: '$(Build.BuildId)'

stages:
  - stage: Scan
    displayName: Scan Repo
    jobs:
      - job: Scan
        displayName: Scan
        pool: Ubuntu
        steps:
          - task: trivy@1
            inputs:
              version: 'latest'
              docker: false
              debug: true
              exitCode: '0'
              devMode: true
              path: $(Build.SourcesDirectory)

AErmie commented 1 year ago

I'm experiencing similar errors.

2023-02-23T18:57:25.742Z    FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:428
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:263
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:655
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - walk filesystem:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:139
  - walk error:
    github.com/aquasecurity/trivy/pkg/fanal/walker.walkFast
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:82
  - lstat /home/vsts/work/1/s/Application-Source-Code/src/Web: no such file or directory

I'm running Trivy using an Azure Pipeline. I'm trying to use the official Azure DevOps Extension, with the following:

- task: AquaSecurityOfficial.trivy-official.custom-build-release-task.trivy@1
  displayName: Run AquaSec Trivy Filesystem Scan
  inputs:
    version: 'latest'
    debug: true
    path: $(System.DefaultWorkingDirectory)/Application-Source-Code/src/Web/

NOTE: Within the task, I tried using trivy@1 like the Marketplace example shows, but encountered the following error. Note that it makes reference to 2 different Trivy tasks, even though only the single Azure DevOps Extension is installed.

Error: Job TrivyJob: Step task reference is invalid. The task name trivy is ambiguous. Specify one of the following identifiers to resolve the ambiguity: AquaSecurityOfficial.trivy-official.custom-build-release-task.trivy, securedevelopmentteam.vss-secure-development-tools.build-task-trivy.Trivy

UPDATE

This last error, about the ambiguous trivy task name, was due to having the Microsoft Secure Development Tools (Guardian) extension installed, which is odd because Trivy is not listed in the tools for that extension.

Maxim-Durand commented 1 year ago

I'm having the same issue:

/usr/bin/docker run --rm -v /home/vsts/.docker:/root/.docker -v /tmp:/tmp -v /home/vsts/work/1/s:/src --workdir /src aquasec/trivy:latest --debug fs --exit-code 0 --format json --output /tmp/trivy-results-0.9334618675689792.json --security-checks vuln,config,secret /home/vsts/work/1/s
2023-04-19T14:00:57.938Z    WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-04-19T14:00:57.942Z    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-19T14:00:57.945Z    DEBUG   cache dir:  /root/.cache/trivy
2023-04-19T14:00:57.945Z    INFO    Need to update DB
2023-04-19T14:00:57.945Z    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-04-19T14:00:57.945Z    INFO    Downloading DB...
2023-04-19T14:00:57.945Z    DEBUG   no metadata file
36.64 MiB / 36.64 MiB [-------------------------------------------------] 100.00% 29.00 MiB p/s 1.5s
2023-04-19T14:01:00.190Z    DEBUG   Updating database metadata...
2023-04-19T14:01:00.190Z    DEBUG   DB Schema: 2, UpdatedAt: 2023-04-19 12:09:06.654926416 +0000 UTC, NextUpdate: 2023-04-19 18:09:06.654926216 +0000 UTC, DownloadedAt: 2023-04-19 14:01:00.190557558 +0000 UTC
2023-04-19T14:01:00.190Z    INFO    Vulnerability scanning is enabled
2023-04-19T14:01:00.190Z    DEBUG   Vulnerability type:  [os library]
2023-04-19T14:01:00.190Z    INFO    Misconfiguration scanning is enabled
2023-04-19T14:01:00.191Z    DEBUG   Failed to open the policy metadata: open /root/.cache/trivy/policy/metadata.json: no such file or directory
2023-04-19T14:01:00.191Z    INFO    Need to update the built-in policies
2023-04-19T14:01:00.191Z    INFO    Downloading the built-in policies...
40.47 KiB / 40.47 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2023-04-19T14:01:00.943Z    DEBUG   Digest of the built-in policies: sha256:d19c4c0d48ed4641862e020ff7eba7fd3ba449f66b532b09d79a6023bc65bd5b
2023-04-19T14:01:00.943Z    DEBUG   Policies successfully loaded from disk
2023-04-19T14:01:00.943Z    INFO    Secret scanning is enabled
2023-04-19T14:01:00.943Z    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-19T14:01:00.944Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.40/docs/secret/scanning/#recommendation for faster secret detection
2023-04-19T14:01:00.947Z    DEBUG   No secret config detected: trivy-secret.yaml
2023-04-19T14:01:00.947Z    DEBUG   Walk the file tree rooted at '/home/vsts/work/1/s' in parallel
2023-04-19T14:01:00.956Z    FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:679
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - walk filesystem:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:156
  - walk error:
    github.com/aquasecurity/trivy/pkg/fanal/walker.walkFast
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:82
  - lstat /home/vsts/work/1/s: no such file or directory
Publishing JSON results...
Done!
Finishing: trivy

Here is my pipeline definition:

  - task: trivy@1
    inputs:
      # $(Build.SourcesDirectory) == /home/vsts/work/1/s
      path: $(Build.SourcesDirectory)
      debug: true
      # Avoids pipeline failing if trivy fails
      exitCode: 0

I'm probably wrong, but isn't there a problem in the docker command?
It mounts the correct path /home/vsts/work/1/s to /src in the container, but then passes /home/vsts/work/1/s again as the scan target at the end.

Full docker command used by trivy below:

/usr/bin/docker run --rm -v /home/vsts/.docker:/root/.docker -v /tmp:/tmp -v /home/vsts/work/1/s:/src --workdir /src aquasec/trivy:latest --debug fs --exit-code 0 --format json --output /tmp/trivy-results-0.9334618675689792.json --security-checks vuln,config,secret /home/vsts/work/1/s
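The host/container path mismatch Maxim-Durand points out, as an added illustration that is not code from this task or from the Trivy project: the `-v HOST:/src` mount means the scan target must be given as the in-container path (`/src`, or a path under it), and the `lstat ... no such file or directory` in the logs above is what happens when the host path is passed instead. The `map_to_container` and `build_trivy_cmd` functions, the `/src` mount point and the `--scanners` flag (the log says `--security-checks` is deprecated in its favour) are assumptions made for this example; whether the task was fixed this way is not stated on the page.

```shell
# map_to_container HOST_PATH MOUNT_SRC MOUNT_DST
# Rewrite HOST_PATH, which must be MOUNT_SRC or live under it, to the
# location the container sees under MOUNT_DST. Prints nothing and
# returns 1 when HOST_PATH is outside the mount, i.e. when the container
# would report "lstat ...: no such file or directory" for it.
map_to_container() {
  host_path=$1; mount_src=$2; mount_dst=$3
  case "$host_path" in
    "$mount_src")   printf '%s\n' "$mount_dst" ;;
    "$mount_src"/*) printf '%s/%s\n' "$mount_dst" "${host_path#"$mount_src"/}" ;;
    *)              return 1 ;;
  esac
}

# build_trivy_cmd HOST_PATH OUTPUT_FILE
# Emit a `docker run ... trivy fs` command line in which the host path
# appears only in the -v mount (assumed mount point: /src) and the scan
# target is the in-container path. Fails instead of emitting a command
# that the container could never resolve. (Hypothetical helper.)
build_trivy_cmd() {
  host_path=$1; output=$2
  target=$(map_to_container "$host_path" "$host_path" /src) || return 1
  printf 'docker run --rm -v %s:/src --workdir /src aquasec/trivy:latest fs --exit-code 0 --format json --output %s --scanners vuln,config,secret %s' \
    "$host_path" "$output" "$target"
}

# Constructed sample: the Azure agent checkout directory from the logs above.
build_trivy_cmd /home/vsts/work/1/s /tmp/trivy-results.json
echo
```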