aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Trivy Config Check Fails #4124

Closed ahmedelnaggartmr closed 1 year ago

ahmedelnaggartmr commented 1 year ago

Description

When running

trivy config .

I get the following errors:

2023-04-27T16:50:17.417+1000    INFO    Misconfiguration scanning is enabled
2023-04-27T16:50:17.778+1000    FATAL   filesystem scan error: scan error: scan failed: failed analysis: failed to call hooks: post handler error: misconfiguration scan error: scan config error: 3 errors occurred:
home/dev/.cache/trivy/policy/content/policies/cloud/policies/aws/autoscaling/asg_multiaz.rego:22: rego_type_error: undefined ref: input.aws.autoscaling.autoscalinggroupslist[_]
    input.aws.autoscaling.autoscalinggroupslist[_]
              ^
              have: "autoscaling"
              want (one of): ["accessanalyzer" "apigateway" "athena" "cloudfront" "cloudtrail" "cloudwatch" "codebuild" "config" "documentdb" "dynamodb" "ec2" "ecr" "ecs" "efs" "eks" "elasticache" "elasticsearch" "elb" "emr" "iam" "kinesis" "kms" "lambda" "mq" "msk" "neptune" "rds" "redshift" "s3" "sam" "sns" "sqs" "ssm" "workspaces"]
home/dev/.cache/trivy/policy/content/policies/cloud/policies/aws/autoscaling/elb_health_check_active.rego:22: rego_type_error: undefined ref: input.aws.autoscaling.autoscalinggroupslist[_]
    input.aws.autoscaling.autoscalinggroupslist[_]
              ^
              have: "autoscaling"
              want (one of): ["accessanalyzer" "apigateway" "athena" "cloudfront" "cloudtrail" "cloudwatch" "codebuild" "config" "documentdb" "dynamodb" "ec2" "ecr" "ecs" "efs" "eks" "elasticache" "elasticsearch" "elb" "emr" "iam" "kinesis" "kms" "lambda" "mq" "msk" "neptune" "rds" "redshift" "s3" "sam" "sns" "sqs" "ssm" "workspaces"]
home/dev/.cache/trivy/policy/content/policies/cloud/policies/aws/autoscaling/empty_asg.rego:22: rego_type_error: undefined ref: input.aws.autoscaling.autoscalinggroupslist[_]
    input.aws.autoscaling.autoscalinggroupslist[_]
              ^
              have: "autoscaling"
              want (one of): ["accessanalyzer" "apigateway" "athena" "cloudfront" "cloudtrail" "cloudwatch" "codebuild" "config" "documentdb" "dynamodb" "ec2" "ecr" "ecs" "efs" "eks" "elasticache" "elasticsearch" "elb" "emr" "iam" "kinesis" "kms" "lambda" "mq" "msk" "neptune" "rds" "redshift" "s3" "sam" "sns" "sqs" "ssm" "workspaces"]

What did you expect to happen?

The scan to complete

What happened instead?

An error occurred.

Output of run with --debug:

2023-04-27T16:46:46.888+1000    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-27T16:46:46.889+1000    DEBUG   cache dir:  /home/dev/.cache/trivy
2023-04-27T16:46:46.889+1000    INFO    Misconfiguration scanning is enabled
2023-04-27T16:46:46.889+1000    DEBUG   Policies successfully loaded from disk
2023-04-27T16:46:46.891+1000    DEBUG   Walk the file tree rooted at '.' in parallel
2023-04-27T16:46:47.232+1000    FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:679
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - failed to call hooks:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:182
  - post handler error:
    github.com/aquasecurity/trivy/pkg/fanal/handler.Manager.PostHandle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/handler.go:75
  - misconfiguration scan error:
    github.com/aquasecurity/trivy/pkg/fanal/handler/misconf.misconfPostHandler.Handle
        /home/runner/work/trivy/trivy/pkg/fanal/handler/misconf/misconf.go:45
  - scan config error:
    github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan
        /home/runner/work/trivy/trivy/pkg/misconf/scanner.go:227
  - 3 errors occurred:
home/dev/.cache/trivy/policy/content/policies/cloud/policies/aws/autoscaling/asg_multiaz.rego:22: rego_type_error: undefined ref: input.aws.autoscaling.autoscalinggroupslist[_]
    input.aws.autoscaling.autoscalinggroupslist[_]
              ^
              have: "autoscaling"
              want (one of): ["accessanalyzer" "apigateway" "athena" "cloudfront" "cloudtrail" "cloudwatch" "codebuild" "config" "documentdb" "dynamodb" "ec2" "ecr" "ecs" "efs" "eks" "elasticache" "elasticsearch" "elb" "emr" "iam" "kinesis" "kms" "lambda" "mq" "msk" "neptune" "rds" "redshift" "s3" "sam" "sns" "sqs" "ssm" "workspaces"]
home/dev/.cache/trivy/policy/content/policies/cloud/policies/aws/autoscaling/elb_health_check_active.rego:22: rego_type_error: undefined ref: input.aws.autoscaling.autoscalinggroupslist[_]
    input.aws.autoscaling.autoscalinggroupslist[_]
              ^
              have: "autoscaling"
              want (one of): ["accessanalyzer" "apigateway" "athena" "cloudfront" "cloudtrail" "cloudwatch" "codebuild" "config" "documentdb" "dynamodb" "ec2" "ecr" "ecs" "efs" "eks" "elasticache" "elasticsearch" "elb" "emr" "iam" "kinesis" "kms" "lambda" "mq" "msk" "neptune" "rds" "redshift" "s3" "sam" "sns" "sqs" "ssm" "workspaces"]
home/dev/.cache/trivy/policy/content/policies/cloud/policies/aws/autoscaling/empty_asg.rego:22: rego_type_error: undefined ref: input.aws.autoscaling.autoscalinggroupslist[_]
    input.aws.autoscaling.autoscalinggroupslist[_]
              ^
              have: "autoscaling"
              want (one of): ["accessanalyzer" "apigateway" "athena" "cloudfront" "cloudtrail" "cloudwatch" "codebuild" "config" "documentdb" "dynamodb" "ec2" "ecr" "ecs" "efs" "eks" "elasticache" "elasticsearch" "elb" "emr" "iam" "kinesis" "kms" "lambda" "mq" "msk" "neptune" "rds" "redshift" "s3" "sam" "sns" "sqs" "ssm" "workspaces"]

Output of trivy -v:

Version: 0.40.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-27 00:11:45.61744178 +0000 UTC
  NextUpdate: 2023-04-27 06:11:45.61744138 +0000 UTC
  DownloadedAt: 2023-04-27 02:46:30.866455689 +0000 UTC
Policy Bundle:
  Digest: sha256:4ea401a8703f667578bdde8a8b9973788618e8b29a99e23e132f1191753e4c55
  DownloadedAt: 2023-04-27 02:49:59.301783978 +0000 UTC

Additional details (base image name, container registry info...):

This started happening recently around a few hours ago. Not sure if this is related.
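The rego_type_error in the report is OPA's schema-based type check: the rule dereferences input.aws.autoscaling, but the AWS input schema Trivy type-checks against has no autoscaling service, so policy loading fails and the whole scan aborts. As an added example (not Trivy's or defsec's own code), here is a pre-flight check that lists such references in a policy set before a bundle is rolled out; the service list is copied from the "want (one of)" list in the error, and both sample policies are constructed.

```python
"""Pre-flight check for a Rego policy bundle: flag input.aws.<service> refs whose
service is absent from the schema Trivy's type checker accepts. Added example, not
Trivy's or defsec's code; service list copied from the error above, samples constructed."""
import re
from typing import Dict, List, Tuple

# Services the AWS input schema defines, per the "want (one of)" list in the error.
AWS_SCHEMA_SERVICES = frozenset(
    "accessanalyzer apigateway athena cloudfront cloudtrail cloudwatch codebuild config "
    "documentdb dynamodb ec2 ecr ecs efs eks elasticache elasticsearch elb emr iam kinesis "
    "kms lambda mq msk neptune rds redshift s3 sam sns sqs ssm workspaces".split()
)
# Captures the service segment, e.g. "autoscaling" in input.aws.autoscaling.x
INPUT_REF = re.compile(r"\binput\.aws\.([A-Za-z_][A-Za-z0-9_]*)")

def find_undefined_refs(rego_source: str, allowed=AWS_SCHEMA_SERVICES) -> List[Tuple[int, str]]:
    """Return (line_number, service) for each input.aws.<service> ref not in the schema."""
    hits = []
    for lineno, line in enumerate(rego_source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing Rego comments before matching
        for match in INPUT_REF.finditer(code):
            if match.group(1) not in allowed:
                hits.append((lineno, match.group(1)))
    return hits

def check_bundle(policies: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map policy path -> undefined refs, listing only policies that would fail type checking."""
    return {path: refs for path, src in policies.items() if (refs := find_undefined_refs(src))}

# Constructed sample bundle: first rule reproduces the undefined ref, second is clean.
SAMPLE_BUNDLE = {
    "aws/autoscaling/asg_multiaz.rego": (
        "package builtin.aws.autoscaling.sample\n\ndeny[res] {\n"
        "    group := input.aws.autoscaling.autoscalinggroupslist[_]\n"
        "    count(group.availabilityzones) < 2\n"
        "    res := result.new(\"ASG spans a single availability zone\", group)\n}\n"
    ),
    "aws/ec2/sample.rego": (
        "package builtin.aws.ec2.sample\n\ndeny[res] {\n"
        "    inst := input.aws.ec2.instances[_]  # ec2 is in the schema\n"
        "    res := result.new(\"constructed finding\", inst)\n}\n"
    ),
}

if __name__ == "__main__":
    for path, refs in check_bundle(SAMPLE_BUNDLE).items():
        for lineno, service in refs:
            print(f"{path}:{lineno}: undefined ref input.aws.{service}")
```

Run it over the .rego files of a candidate bundle (read each file into the dict keyed by path) and gate the rollout on an empty result.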

pawelrakoczy commented 1 year ago

We're experiencing the same issue, started out of the blue today with no configuration changes. Extra info: we're using the official Trivy task for Azure DevOps ( https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official ) - although in the documentation it's mentioned that it defaults to "latest" version if no version is specified, the pipeline run uses v0.38.2 - hope this helps

sherifkayad commented 1 year ago

Same issue here .. also out of the blue since today morning. I was using trivy v0.38.3 and an upgrade to v0.40.0 didn't help.

remy-tiitre commented 1 year ago

Seems to be this rule https://github.com/aquasecurity/defsec/blame/master/rules/cloud/policies/aws/autoscaling/asg_multiaz.rego which was released 7 hours ago https://github.com/aquasecurity/defsec/releases/tag/v0.87.0

knqyf263 commented 1 year ago

We're sorry for the inconvenience. We've rolled back misconfiguration policies. Could you guys try scanning again? https://github.com/aquasecurity/defsec/issues/1296

ahmedelnaggartmr commented 1 year ago

Seems to work now. Thank you!

sherifkayad commented 1 year ago

works like a charm again. Thanks for the prompt help 😄

zadigus commented 1 year ago

I am still getting the very same errors.

knqyf263 commented 1 year ago

@zadigus Would you try trivy config --clear-cache?

zadigus commented 1 year ago

Now for a scan that used to take 30 seconds, it takes forever and breaks with a timeout. After timeout, if I run the same cli command again, it works. So now I need to run the tool twice. Even on our CI/CD.

unki commented 1 year ago

> Now for a scan that used to take 30 seconds, it takes forever and breaks with a timeout. After timeout, if I run the same cli command again, it works. So now I need to run the tool twice. Even on our CI/CD.

Might be a GitHub issue (see the timeout trivy pulling from ghcr.io): https://www.githubstatus.com/

Update - Packages is now experiencing degraded availability. We are continuing to investigate.

muellerst-hg commented 1 year ago

> @zadigus Would you try trivy config --clear-cache?

Did not work for me, but removing the cache-dir from filesystem helped

zadigus commented 1 year ago

I have it working now. Thanks for everything.

simar7 commented 1 year ago

> > @zadigus Would you try trivy config --clear-cache?
>
> Did not work for me, but removing the cache-dir from filesystem helped

I've added the support for this here: https://github.com/aquasecurity/trivy/pull/4167

simar7 commented 1 year ago

Marking as complete as this particular issue has been resolved.