aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

bug: Image scanning panics when using certain combination of options #6613

Closed simar7 closed 6 months ago

simar7 commented 6 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6610

Originally posted by **psg18dhc** May 2, 2024

### Description

When trying to scan a container image on the CLI with 0.50, I cannot combine these CLI parameters as it crashes.

- when combined with `--compliance docker-cis`

```bash
trivy image $Registry/$ImageName --compliance docker-cis --scanners misconfig --scanners license
```

### Desired Behavior

Expect trivy to scan for misconfiguration and oss licences together

### Actual Behavior

```
Scanning docker.io/alpine:latest using Vulns, Secret Scanning, CIS Compliance and Misconfigurations
2024-05-02T17:25:20.519+0100 INFO Container image config scanners: ["misconfig" "secret"]
2024-05-02T17:25:20.519+0100 INFO Vulnerability scanning is enabled
2024-05-02T17:25:20.519+0100 INFO Misconfiguration scanning is enabled
2024-05-02T17:25:20.682+0100 INFO Detected OS: alpine
2024-05-02T17:25:20.683+0100 INFO Detecting Alpine vulnerabilities...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1c0 pc=0x4cd23cd]

goroutine 1 [running]:
go.etcd.io/bbolt.(*DB).beginTx(0x0)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:730 +0x2d
go.etcd.io/bbolt.(*DB).Begin(0xc001cdf680?, 0xa0?)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:723 +0x25
go.etcd.io/bbolt.(*DB).View(0x20?, 0xc003c6ce68)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:901 +0x30
github.com/aquasecurity/trivy-db/pkg/db.Config.forEach({}, {0xc003275880?, 0x2, 0x2})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/db.go:186 +0xe5
github.com/aquasecurity/trivy-db/pkg/db.Config.ForEachAdvisory(...)
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/advisory.go:20
github.com/aquasecurity/trivy-db/pkg/db.Config.GetAdvisories({}, {0xc000bf4d10, 0xb}, {0xc000de1bc0, 0x11})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/advisory.go:24 +0xd9
github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine.VulnSrc.Get({{0x96300a8?, 0xcc9a940?}}, {0xc000bf4c9c?, 0xc00274e000?}, {0xc000de1bc0, 0x11})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/vulnsrc/alpine/alpine.go:119 +0xa7
github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine.(*Scanner).Detect(0xc0017c03a0, {0xc00033a006, 0x6}, 0xc00033a000?, {0xc001e78000, 0xf, 0xc00274e000?})
	/home/runner/work/trivy/trivy/pkg/detector/ospkg/alpine/alpine.go:91 +0x478
github.com/aquasecurity/trivy/pkg/detector/ospkg.Detect({0x96073f0, 0xc00133c770}, {0x0?, 0x3afe?}, {0xc00033a000, 0x6}, {0xc00033a006, 0x6}, 0xc001e70120?, {0x0, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:76 +0xfb
github.com/aquasecurity/trivy/pkg/scanner/ospkg.(*scanner).Scan(_, {_, _}, {{0x7ffdcb2be0c6, 0x17}, {{0xc00033a000, 0x6}, {0xc00033a006, 0x6}, 0x0, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/ospkg/scan.go:54 +0x17d
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities({{_, _}, {_, _}, {_, _}, {{_, _}}}, {0x96073f0, 0xc00133c770}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:176 +0x165
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.ScanTarget({{_, _}, {_, _}, {_, _}, {{_, _}}}, {0x96073f0, 0xc00133c770}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:124 +0x51e
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan({{0x9558e20, 0xc00391ecf0}, {0x9579f20, 0xcc9a940}, {_, _}, {{_, _}}}, {0x96073f0, 0xc00133c770}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:101 +0xcbe
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc003274560, 0x2, 0x2}, {0xc00391ea80, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x2d7
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc00335d340, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:708 +0x397
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:267 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanImage(_, {_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:187 +0x134
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc00335d340, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:424 +0xbad
github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2(0xc000005200, {0xc00132e310?, 0x1?, 0x7?})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:307 +0xf2
github.com/spf13/cobra.(*Command).execute(0xc000005200, {0xc00132e2a0, 0x7, 0x7})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:983 +0xabc
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004f00)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x7fe77d0?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:35 +0x198
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:17 +0x13
```

### Reproduction Steps

```bash
trivy image docker.io/ubuntu --compliance docker-cis --scanners misconfig --scanners license
```

### Target

Container Image

### Scanner

License

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
$ trivy image docker.io/ubuntu --compliance docker-cis --scanners misconfig --scanners license --debug
2024-05-02T17:29:00.878+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-05-02T17:29:00.884+0100 DEBUG Ignore statuses {"statuses": null}
2024-05-02T17:29:00.887+0100 DEBUG cache dir: /home/admin/.cache/trivy
2024-05-02T17:29:00.887+0100 INFO Container image config scanners: ["misconfig" "secret"]
2024-05-02T17:29:00.887+0100 INFO Vulnerability scanning is enabled
2024-05-02T17:29:00.887+0100 DEBUG Vulnerability type: [os library]
2024-05-02T17:29:00.887+0100 INFO Misconfiguration scanning is enabled
2024-05-02T17:29:00.887+0100 DEBUG Policies successfully loaded from disk
2024-05-02T17:29:00.887+0100 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-02T17:29:00.900+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-05-02T17:29:00.951+0100 DEBUG Image ID: sha256:ca2b0f26964cf2e80ba3e084d5983dab293fdb87485dc6445f3f7bbfc89d7459
2024-05-02T17:29:00.951+0100 DEBUG Diff IDs: [sha256:5498e8c22f6996f25ef193ee58617d5b37e2a96decf22e72de13c3b34e147591]
2024-05-02T17:29:00.951+0100 DEBUG Base Layers: []
2024-05-02T17:29:00.996+0100 INFO Detected OS: ubuntu
2024-05-02T17:29:00.996+0100 INFO Detecting Ubuntu vulnerabilities...
2024-05-02T17:29:00.996+0100 DEBUG ubuntu: os version: 22.04
2024-05-02T17:29:00.996+0100 DEBUG ubuntu: the number of packages: 101
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1c0 pc=0x4cd23cd]

goroutine 1 [running]:
go.etcd.io/bbolt.(*DB).beginTx(0x0)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:730 +0x2d
go.etcd.io/bbolt.(*DB).Begin(0xc002f84570?, 0x0?)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:723 +0x25
go.etcd.io/bbolt.(*DB).View(0x20?, 0xc0037bae80)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:901 +0x30
github.com/aquasecurity/trivy-db/pkg/db.Config.forEach({}, {0xc003a7f8e0?, 0x2, 0x2})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/db.go:186 +0xe5
github.com/aquasecurity/trivy-db/pkg/db.Config.ForEachAdvisory(...)
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/advisory.go:20
github.com/aquasecurity/trivy-db/pkg/db.Config.GetAdvisories({}, {0xc0038bea10, 0xc}, {0xc003bd4060, 0x7})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/advisory.go:24 +0xd9
github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu.VulnSrc.Get({0x88754c0?, {0x96300a8?, 0xcc9a940?}}, {0xc003bd4016?, 0xff?}, {0xc003bd4060, 0x7})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/vulnsrc/ubuntu/ubuntu.go:142 +0xb5
github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu.(*Scanner).Detect(0xc0017b81c8, {0xc003bd4016, 0x5}, 0xc003bd4010?, {0xc00112a000, 0x65, 0xc0013304e8?})
	/home/runner/work/trivy/trivy/pkg/detector/ospkg/ubuntu/ubuntu.go:87 +0x28f
github.com/aquasecurity/trivy/pkg/detector/ospkg.Detect({0x96073f0, 0xc0017ce000}, {0x0?, 0x3afc?}, {0xc003bd4010, 0x6}, {0xc003bd4016, 0x5}, 0xc0035f2e10?, {0x0, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:76 +0xfb
github.com/aquasecurity/trivy/pkg/scanner/ospkg.(*scanner).Scan(_, {_, _}, {{0x7ffcb3c7c0c5, 0x10}, {{0xc003bd4010, 0x6}, {0xc003bd4016, 0x5}, 0x0, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/ospkg/scan.go:54 +0x17d
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities({{_, _}, {_, _}, {_, _}, {{_, _}}}, {0x96073f0, 0xc0017ce000}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:176 +0x165
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.ScanTarget({{_, _}, {_, _}, {_, _}, {{_, _}}}, {0x96073f0, 0xc0017ce000}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:124 +0x51e
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan({{0x9558e20, 0xc003594b90}, {0x9579f20, 0xcc9a940}, {_, _}, {{_, _}}}, {0x96073f0, 0xc0017ce000}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:101 +0xcbe
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc003a7e840, 0x2, 0x2}, {0xc003594820, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x2d7
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc003600ae0, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:708 +0x397
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:267 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanImage(_, {_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:187 +0x134
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc003600ae0, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:424 +0xbad
github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2(0xc000ac7200, {0xc00386f580?, 0x1?, 0x8?})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:307 +0xf2
github.com/spf13/cobra.(*Command).execute(0xc000ac7200, {0xc00386f500, 0x8, 0x8})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:983 +0xabc
github.com/spf13/cobra.(*Command).ExecuteC(0xc000005b00)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x7fe77d0?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:35 +0x198
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:17 +0x13

After resetting it still fails

$ trivy image --reset
2024-05-02T17:35:48.500+0100 INFO Removing DB file...
2024-05-02T17:35:48.660+0100 INFO Removing artifact caches...
[gse-admin@gse-jenkins-agent01 ~]$ trivy image docker.io/ubuntu --compliance docker-cis --scanners misconfig --scanners license --debug
2024-05-02T17:35:54.364+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-05-02T17:35:54.364+0100 DEBUG Ignore statuses {"statuses": null}
2024-05-02T17:35:54.371+0100 DEBUG cache dir: /home/admin/.cache/trivy
2024-05-02T17:35:54.371+0100 INFO Container image config scanners: ["misconfig" "secret"]
2024-05-02T17:35:54.371+0100 INFO Vulnerability scanning is enabled
2024-05-02T17:35:54.372+0100 DEBUG Vulnerability type: [os library]
2024-05-02T17:35:54.372+0100 INFO Misconfiguration scanning is enabled
2024-05-02T17:35:54.372+0100 DEBUG Failed to open the policy metadata: open /home/admin/.cache/trivy/policy/metadata.json: no such file or directory
2024-05-02T17:35:54.372+0100 INFO Need to update the built-in policies
2024-05-02T17:35:54.372+0100 INFO Downloading the built-in policies...
2024-05-02T17:35:54.372+0100 DEBUG Using URL: ghcr.io/aquasecurity/trivy-policies:0 to load policy bundle
50.41 KiB / 50.41 KiB [----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2024-05-02T17:35:54.789+0100 DEBUG Digest of the built-in policies: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
2024-05-02T17:35:54.790+0100 DEBUG Policies successfully loaded from disk
2024-05-02T17:35:54.790+0100 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-02T17:35:54.905+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-05-02T17:35:54.917+0100 DEBUG Image ID: sha256:ca2b0f26964cf2e80ba3e084d5983dab293fdb87485dc6445f3f7bbfc89d7459
2024-05-02T17:35:54.918+0100 DEBUG Diff IDs: [sha256:5498e8c22f6996f25ef193ee58617d5b37e2a96decf22e72de13c3b34e147591]
2024-05-02T17:35:54.918+0100 DEBUG Base Layers: []
2024-05-02T17:35:54.963+0100 DEBUG Missing image ID in cache: sha256:ca2b0f26964cf2e80ba3e084d5983dab293fdb87485dc6445f3f7bbfc89d7459
2024-05-02T17:35:54.963+0100 DEBUG Missing diff ID in cache: sha256:5498e8c22f6996f25ef193ee58617d5b37e2a96decf22e72de13c3b34e147591
2024-05-02T17:35:59.169+0100 DEBUG Skipping directory: dev
2024-05-02T17:35:59.176+0100 DEBUG Skipping directory: proc
2024-05-02T17:35:59.176+0100 DEBUG Skipping directory: sys
2024-05-02T17:35:59.748+0100 DEBUG No secrets found in container image config
2024-05-02T17:35:59.749+0100 DEBUG Scanning Dockerfile files for misconfigurations...
2024-05-02T17:35:59.753+0100 DEBUG [misconf] 35:59.753534968 dockerfile.scanner.rego Overriding filesystem for policies!
2024-05-02T17:36:00.064+0100 DEBUG [misconf] 36:00.064962321 dockerfile.scanner.rego Loaded 194 policies from disk.
2024-05-02T17:36:00.066+0100 DEBUG [misconf] 36:00.066149933 dockerfile.scanner.rego Overriding filesystem for data!
2024-05-02T17:36:01.856+0100 DEBUG [misconf] 36:01.856524306 dockerfile.scanner.rego Scanning 1 inputs...
2024-05-02T17:36:02.022+0100 INFO Detected OS: ubuntu
2024-05-02T17:36:02.023+0100 INFO Detecting Ubuntu vulnerabilities...
2024-05-02T17:36:02.023+0100 DEBUG ubuntu: os version: 22.04
2024-05-02T17:36:02.023+0100 DEBUG ubuntu: the number of packages: 101
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1c0 pc=0x4cd23cd]

goroutine 1 [running]:
go.etcd.io/bbolt.(*DB).beginTx(0x0)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:730 +0x2d
go.etcd.io/bbolt.(*DB).Begin(0xc002927110?, 0x0?)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:723 +0x25
go.etcd.io/bbolt.(*DB).View(0x20?, 0xc003760e80)
	/home/runner/go/pkg/mod/go.etcd.io/bbolt@v1.3.8/db.go:901 +0x30
github.com/aquasecurity/trivy-db/pkg/db.Config.forEach({}, {0xc0000152c0?, 0x2, 0x2})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/db.go:186 +0xe5
github.com/aquasecurity/trivy-db/pkg/db.Config.ForEachAdvisory(...)
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/advisory.go:20
github.com/aquasecurity/trivy-db/pkg/db.Config.GetAdvisories({}, {0xc001c78020, 0xc}, {0xc000ed2619, 0x7})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/db/advisory.go:24 +0xd9
github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu.VulnSrc.Get({0x88754c0?, {0x96300a8?, 0xcc9a940?}}, {0xc000ed20f0?, 0xc0037613ff?}, {0xc000ed2619, 0x7})
	/home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20231005141211-4fc651f7ac8d/pkg/vulnsrc/ubuntu/ubuntu.go:142 +0xb5
github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu.(*Scanner).Detect(0xc000d58c30, {0xc000ed20f0, 0x5}, 0xc000ed20c8?, {0xc002f86000, 0x65, 0xc002cf4ea8?})
	/home/runner/work/trivy/trivy/pkg/detector/ospkg/ubuntu/ubuntu.go:87 +0x28f
github.com/aquasecurity/trivy/pkg/detector/ospkg.Detect({0x96073f0, 0xc001883f10}, {0x0?, 0x3afc?}, {0xc000ed20c8, 0x6}, {0xc000ed20f0, 0x5}, 0xc001df1e60?, {0x0, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:76 +0xfb
github.com/aquasecurity/trivy/pkg/scanner/ospkg.(*scanner).Scan(_, {_, _}, {{0x7ffe16e9d0c5, 0x10}, {{0xc000ed20c8, 0x6}, {0xc000ed20f0, 0x5}, 0x0, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/ospkg/scan.go:54 +0x17d
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities({{_, _}, {_, _}, {_, _}, {{_, _}}}, {0x96073f0, 0xc001883f10}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:176 +0x165
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.ScanTarget({{_, _}, {_, _}, {_, _}, {{_, _}}}, {0x96073f0, 0xc001883f10}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:124 +0x51e
github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan({{0x9558e20, 0xc004072480}, {0x9579f20, 0xcc9a940}, {_, _}, {{_, _}}}, {0x96073f0, 0xc001883f10}, ...)
	/home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:101 +0xcbe
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc000556f80, 0x2, 0x2}, {0xc004072630, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x2d7
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc001ec5160, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:708 +0x397
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:267 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanImage(_, {_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:187 +0x134
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x7f7f64c, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc001ec5160, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:424 +0xbad
github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2(0xc000881b00, {0xc002658980?, 0x1?, 0x8?})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:307 +0xf2
github.com/spf13/cobra.(*Command).execute(0xc000881b00, {0xc002658900, 0x8, 0x8})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:983 +0xabc
github.com/spf13/cobra.(*Command).ExecuteC(0xc000881800)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x7fe77d0?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:35 +0x198
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:17 +0x13

ls -la /home/admin/.cache/trivy/policy/metadata.json. - exists.
```

### Operating System

Linux centos.8

### Version

```bash
Trivy on CentOS.
$ trivy version
Version: 0.50.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-02 12:12:32.908385138 +0000 UTC
  NextUpdate: 2024-05-02 18:12:32.908384848 +0000 UTC
  DownloadedAt: 2024-05-02 16:15:01.959039491 +0000 UTC
Policy Bundle:
  Digest: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
  DownloadedAt: 2024-05-02 16:11:30.734006795 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)

simar7 commented 6 months ago

cc @DmitriyLewen does license scanner do anything special with the DB? I haven't investigated but the panic stack trace looks interesting.

psg18dhc commented 6 months ago

Thanks guys. If there's anything I can do to help let me know #ExAquarian #askKevBeedle

DmitriyLewen commented 6 months ago

Hello @simar7, @psg18dhc. I investigated this. Trivy always uses default scanners - https://github.com/aquasecurity/trivy/blob/770b14113cbbaaf55ff26ac8ba160800951b4386/pkg/commands/artifact/run.go#L547-L552

I will create a PR to disable the option to change scanners (with notification).
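
A simplified Go model of the failure class this thread points to, added here as an illustration and not Trivy's code: a scanner set that is overridden after the DB decision was made leaves the vulnerability step holding a nil handle, which is what `beginTx(0x0)` in the trace shows. All type and function names are hypothetical, and the model assumes the DB is opened from the requested `--scanners` while the scan runs with the compliance defaults.

```go
package main

import "fmt"

type scanners map[string]bool // set of enabled scanner names (hypothetical type)

// advisoryDB is a hypothetical stand-in for the vulnerability DB handle.
type advisoryDB struct{ advisories map[string][]string }

// get reads through the receiver, so a nil handle panics like beginTx(0x0) in the trace.
func (d *advisoryDB) get(pkg string) []string { return d.advisories[pkg] }

var errDBNotInitialized = fmt.Errorf("vulnerability scanning enabled but DB not initialized")

// complianceDefaults is assumed from the INFO lines in the report.
var complianceDefaults = scanners{"vuln": true, "misconfig": true}

// effectiveScanners: with a compliance spec set, the defaults replace --scanners.
func effectiveScanners(requested scanners, compliance string) scanners {
	if compliance != "" {
		return complianceDefaults
	}
	return requested
}

// openDB returns a handle only when the given set includes "vuln".
func openDB(s scanners) *advisoryDB {
	if !s["vuln"] {
		return nil
	}
	return &advisoryDB{advisories: map[string][]string{"openssl": {"EXAMPLE-ADVISORY-1"}}} // constructed data
}

// scan looks up advisories when "vuln" is enabled; guard turns a nil handle into an error.
func scan(db *advisoryDB, s scanners, guard bool) (ids []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	if !s["vuln"] {
		return nil, nil
	}
	if guard && db == nil {
		return nil, errDBNotInitialized
	}
	return db.get("openssl"), nil
}

// mismatchedRun opens the DB from the requested flags but scans with the effective set.
func mismatchedRun(requested scanners, compliance string) ([]string, error) {
	return scan(openDB(requested), effectiveScanners(requested, compliance), false)
}

// consistentRun resolves the scanner set once and uses it for both steps.
func consistentRun(requested scanners, compliance string) ([]string, error) {
	eff := effectiveScanners(requested, compliance)
	return scan(openDB(eff), eff, true)
}

func main() {
	req := scanners{"misconfig": true, "license": true} // the flags from the report
	_, err := mismatchedRun(req, "docker-cis")
	ids, err2 := consistentRun(req, "docker-cis")
	fmt.Println("mismatched:", err, "| consistent:", ids, err2)
}
```

Resolving the effective scanner set in one place, and failing with an error when a step's precondition is missing, keeps a flag conflict from ending a CI scan in a crash with no report.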