aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.95k stars 2.27k forks

Image scan error: open analyzer-fs permission denied #6369

Closed d-t-w closed 6 months ago

d-t-w commented 6 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6076

Originally posted by **d-t-w** February 7, 2024

### Description

Container scan fails with a permissions issue related to internal trivy directories:

```
> trivy --debug image factorhouse/kpow-ee:92.3
..
open /var/folders/sy/5ps2fmdj7t9bg8zbwvc3k27w0000gn/T/analyzer-fs-1955605263/file-2599813741: permission denied
```

**Background**

We push containers to ArtifactHub who scan them with trivy. On 19/05/23 our containers (including historic ones that had previously scanned just fine) started to fail with this 'permission denied' error. See: https://github.com/artifacthub/hub/issues/3152

Our container is fairly simple, it just contains a Java JAR file and little else.

Further, I find if I scan very old versions of our container they work, up to version 73.

```
trivy --debug image operatr/kpow:73

operatr/kpow:73 (amazon 2 (Karoo))
==================================
Total: 507 (UNKNOWN: 0, LOW: 18, MEDIUM: 270, HIGH: 196, CRITICAL: 23)
```

From version 74 they fail.

```
trivy --debug image operatr/kpow:74
...
open /var/folders/sy/5ps2fmdj7t9bg8zbwvc3k27w0000gn/T/analyzer-fs-3664091650/file-4117161213: permission denied
```

There is no significant difference in the dockerfile between [v73](https://hub.docker.com/layers/operatr/kpow/73/images/sha256-a74946ba5f4ea5b9ee0f53fb8de58daa49e119df4d3a3923d866725fda2959d7?context=explore) and [v74](https://hub.docker.com/layers/operatr/kpow/74/images/sha256-a19c71e9bd8c82a0bbfa5f3fd298823d53da235e9c17fdb8cd3a369c320c44c4?context=explore).

**Note**: ArtifactHub very happily scanned version 74+ until they presumably updated their trivy dependency.

**Related issues:** These are not my project, but appear to be the same root cause.

https://github.com/goharbor/harbor/issues/18824
https://github.com/goharbor/harbor/issues/19405

### Desired Behavior

I expect trivy to scan the container successfully (as it has previously done).

### Actual Behavior

Trivy no longer scans the container correctly.

### Reproduction Steps

```bash
1. Scan any Kpow container from v74+
2. Observe output
```

### Target

Container Image

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
❯ trivy --debug image factorhouse/kpow-ee:92.3
2024-02-07T16:35:56.844+1100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-07T16:35:56.844+1100 DEBUG Ignore statuses {"statuses": null}
2024-02-07T16:35:56.884+1100 DEBUG cache dir: /Users/derek/Library/Caches/trivy
2024-02-07T16:35:56.884+1100 DEBUG DB update was skipped because the local DB is the latest
2024-02-07T16:35:56.884+1100 DEBUG DB Schema: 2, UpdatedAt: 2024-02-07 00:17:20.624621944 +0000 UTC, NextUpdate: 2024-02-07 06:17:20.624621574 +0000 UTC, DownloadedAt: 2024-02-07 04:58:07.290152 +0000 UTC
2024-02-07T16:35:56.884+1100 INFO Vulnerability scanning is enabled
2024-02-07T16:35:56.884+1100 DEBUG Vulnerability type: [os library]
2024-02-07T16:35:56.884+1100 INFO Secret scanning is enabled
2024-02-07T16:35:56.884+1100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-07T16:35:56.884+1100 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-07T16:35:56.884+1100 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-07T16:35:56.895+1100 DEBUG No secret config detected: trivy-secret.yaml
2024-02-07T16:35:56.895+1100 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-02-07T16:35:56.895+1100 DEBUG No secret config detected: trivy-secret.yaml
2024-02-07T16:35:56.895+1100 DEBUG Image ID: sha256:678e4e9055aac7e38a84f1382e1f731ffaec1dc395dbc502690d4ac46ca97ff9
2024-02-07T16:35:56.895+1100 DEBUG Diff IDs: [sha256:7b4c2da934115ede0bc3410d05bb16a7244cc87af9f25be60dc246970174358a sha256:a85839ad5057e51ecd43240ba701a3411229a5a2c2a0b3ea5ced562518274d09 sha256:f62c311f29be7f58a8fa2f46364a4ca117a3e77d60a13f4031a7206bf95a17ac sha256:33bb96d2184bdac8c797036966ca47543a37bb606fd1f7ecbae6f550f5a784fc]
2024-02-07T16:35:56.895+1100 DEBUG Base Layers: [sha256:7b4c2da934115ede0bc3410d05bb16a7244cc87af9f25be60dc246970174358a]
2024-02-07T16:35:56.907+1100 DEBUG Missing image ID in cache: sha256:678e4e9055aac7e38a84f1382e1f731ffaec1dc395dbc502690d4ac46ca97ff9
2024-02-07T16:35:56.907+1100 DEBUG Missing diff ID in cache: sha256:33bb96d2184bdac8c797036966ca47543a37bb606fd1f7ecbae6f550f5a784fc
2024-02-07T16:36:00.661+1100 FATAL image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:425
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:706
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:126
  - pipeline error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:229
  - failed to analyze layer (sha256:33bb96d2184bdac8c797036966ca47543a37bb606fd1f7ecbae6f550f5a784fc):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:216
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:298
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:496
  - walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar.(*javaLibraryAnalyzer).PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/java/jar/jar.go:74
  - file open error:
    github.com/aquasecurity/trivy/pkg/parallel.walk[...]
        /home/runner/work/trivy/trivy/pkg/parallel/walk.go:94
  - open /var/folders/sy/5ps2fmdj7t9bg8zbwvc3k27w0000gn/T/analyzer-fs-1193466270/file-1946701379: permission denied
```

### Operating System

macOS Monterey

### Version

```bash
trivy --version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-07 00:17:20.624621944 +0000 UTC
  NextUpdate: 2024-02-07 06:17:20.624621574 +0000 UTC
  DownloadedAt: 2024-02-07 04:58:07.290152 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-06 00:43:50.236466389 +0000 UTC
  NextUpdate: 2024-02-09 00:43:50.236466208 +0000 UTC
  DownloadedAt: 2024-02-07 00:13:00.720032 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
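The trace above fails inside the JAR post-analyzer when it reopens a file that was copied into the `analyzer-fs-*` temp directory. The issue does not state why the open is refused, so the following is an added diagnostic, not trivy's own code, built on one working hypothesis: a file whose tar header carries a mode with no owner-read bit (for example `0000`) stays unreadable once extracted with that mode and reopened by an unprivileged scanner. The script walks a `docker save` style archive (a `manifest.json` plus one `layer.tar` per layer) and lists such entries per layer so an image owner can check their layers before re-publishing. The archive it scans is constructed inline; the tag `example/app:74`, the layer directory names and the file `opt/app/kpow.jar` are all made up for the demonstration.

```python
"""Diagnostic: find files in image layers whose tar mode lacks the owner-read bit.

Added example, not trivy's code. Hypothesis (not confirmed on the issue page):
a scanner that extracts a layer file into a temp dir keeping its tar mode and
then reopens it as a non-root user gets 'permission denied' when that mode has
no owner-read bit. Input is a `docker save` archive: manifest.json + <dir>/layer.tar.
"""
import io
import json
import stat
import tarfile


def unreadable_entries(layer_bytes):
    """Return (name, mode) for regular files in one layer tar that lack S_IRUSR."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tf:
        for member in tf:
            if member.isfile() and not (member.mode & stat.S_IRUSR):
                found.append((member.name, member.mode))
    return found


def scan_saved_image(image_tar_bytes):
    """Map each layer path listed in manifest.json to its unreadable entries."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_bytes = img.extractfile(layer_path).read()
            report[layer_path] = unreadable_entries(layer_bytes)
    return report


def _tar_of(entries):
    """Build an uncompressed tar from (name, mode, payload) tuples (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode  # written verbatim into the tar header
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image; the second layer carries a JAR with mode 0000."""
    good_layer = _tar_of([("opt/app/lib/readable.jar", 0o644, b"PK\x03\x04")])
    bad_layer = _tar_of([
        ("opt/app/kpow.jar", 0o000, b"PK\x03\x04"),  # hypothetical offending file
        ("opt/app/README", 0o644, b"hello"),
    ])
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example/app:74"],  # constructed tag, not a real image
        "Layers": ["good/layer.tar", "bad/layer.tar"],
    }]).encode()
    return _tar_of([
        ("manifest.json", 0o644, manifest),
        ("good/layer.tar", 0o644, good_layer),
        ("bad/layer.tar", 0o644, bad_layer),
    ])


if __name__ == "__main__":
    # Replace build_sample_image() with open("image.tar", "rb").read() for a real archive.
    for layer, entries in scan_saved_image(build_sample_image()).items():
        status = "OK" if not entries else ", ".join(f"{n} (mode {m:04o})" for n, m in entries)
        print(f"{layer}: {status}")
```

Only regular files are reported, since a directory without read permission would surface as a different error (a failed directory walk rather than a failed `open`). If a real archive produces an empty report, the hypothesis does not apply to that image and the cause lies elsewhere, such as the scanner's own temp-directory handling.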
github-actions[bot] commented 6 months ago

Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/

d-t-w commented 6 months ago

Well I raised a github discussion for this ticket, it sat dormant for a month, and I completely forgot about it.

It seems that contributing anything to this repository is a complete waste of time, so feel free to consider the ticket closed even though it is clearly an issue. Not sure what else I could do here.