aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Images with deleted timestamps break with Docker 26 #6947

Closed DmitriyLewen closed 2 weeks ago

DmitriyLewen commented 3 weeks ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6944

Originally posted by **aaronmondal** June 15, 2024

### Description

GitHub updated the GHA runner's docker from 24 to 26 in https://github.com/actions/runner-images/commit/619f9fd372f7aed204a8e2c46f2d7ce10d4b868c. Since then the trivy workflows in our repo broke.

### Desired Behavior

Trivy working without the above patch.

### Actual Behavior

```
2024-06-14T19:21:21+02:00 INFO Vulnerability scanning is enabled
2024-06-14T19:21:21+02:00 INFO Secret scanning is enabled
2024-06-14T19:21:21+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T19:21:21+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T19:21:21+02:00 FATAL Fatal error image scan error: scan error: scan failed: failed analysis: unable to get the image's config file: failed parsing created : parsing time "" as "2006-01-02T15:04:05Z07:00": cannot parse "" as "2006"
```

### Reproduction Steps

Check out e.g. https://github.com/TraceMachina/nativelink/commit/bf9edc9c0a034cfedaa51f039123cb29278d3f7e, enter the nix environment and run `local-image-test`. This effectively creates a container image with an erased timestamp that triggers the failure.

### Target

Container Image

### Scanner

Vulnerability

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
2024-06-14T22:15:27+02:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-14T22:15:27+02:00 DEBUG Ignore statuses statuses=[]
2024-06-14T22:15:27+02:00 DEBUG Cache dir dir="/home/aaron/.cache/trivy"
2024-06-14T22:15:27+02:00 DEBUG DB update was skipped because the local DB is the latest
2024-06-14T22:15:27+02:00 DEBUG DB info schema=2 updated_at=2024-06-14T18:11:12.454689304Z next_update=2024-06-15T00:11:12.454689174Z downloaded_at=2024-06-14T20:00:13.760242809Z
2024-06-14T22:15:27+02:00 INFO Vulnerability scanning is enabled
2024-06-14T22:15:27+02:00 DEBUG Vulnerability type type=[os library]
2024-06-14T22:15:27+02:00 INFO Secret scanning is enabled
2024-06-14T22:15:27+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T22:15:27+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T22:15:27+02:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-14T22:15:27+02:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-14T22:15:27+02:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-14T22:15:27+02:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-14T22:15:27+02:00 DEBUG [image] Detected image ID image_id="sha256:5be469194a73a54dd0c065b816107c82f0d3f7a7b069a61389eb80dc9a2c55aa"
2024-06-14T22:15:27+02:00 FATAL Fatal error
  - image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:422
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:693
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:148
  - unable to get the image's config file:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:85
  - failed parsing created :
    github.com/aquasecurity/trivy/pkg/fanal/image/daemon.(*image).ConfigFile
        github.com/aquasecurity/trivy/pkg/fanal/image/daemon/image.go:115
  - parsing time "" as "2006-01-02T15:04:05.999999999Z07:00": cannot parse "" as "2006"
```

### Operating System

Linux 6.9.2-gentoo x86_64 GNU/Linux

### Version

```bash
Version: v0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-14 18:11:12.454689304 +0000 UTC
  NextUpdate: 2024-06-15 00:11:12.454689174 +0000 UTC
  DownloadedAt: 2024-06-14 20:00:13.760242809 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
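
The parse failure in the debug output above, reproduced as an added Go example that is not part of the original post and is not Trivy's code or its fix. The type and function names are hypothetical, and the JSON inputs are constructed on the assumption that the erased timestamp reaches the parser as an empty string in a field named `Created`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// inspectSubset is a hypothetical type holding only the field at issue.
type inspectSubset struct {
	Created string `json:"Created"`
}

// Constructed sample inputs, not captured from a real Docker daemon.
const (
	erasedCreated = `{"Created": ""}`
	normalCreated = `{"Created": "2024-06-14T18:11:12.454689304Z"}`
)

// strictCreated hands the field straight to time.Parse, so an empty
// string fails with the same "cannot parse" error seen in the log.
func strictCreated(raw string) (time.Time, error) {
	var in inspectSubset
	if err := json.Unmarshal([]byte(raw), &in); err != nil {
		return time.Time{}, err
	}
	return time.Parse(time.RFC3339Nano, in.Created)
}

// tolerantCreated treats an empty or absent field as "no timestamp" and
// returns the zero time; any other malformed value is still an error.
func tolerantCreated(raw string) (time.Time, error) {
	var in inspectSubset
	if err := json.Unmarshal([]byte(raw), &in); err != nil {
		return time.Time{}, err
	}
	if in.Created == "" {
		return time.Time{}, nil
	}
	return time.Parse(time.RFC3339Nano, in.Created)
}

func main() {
	_, strictErr := strictCreated(erasedCreated)
	t, err := tolerantCreated(erasedCreated)
	fmt.Println(strictErr, "|", t.IsZero(), err)
}
```

Callers of a tolerant parser like this need to check `IsZero()` before using the value in any age-based logic, since the zero time is year 1.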