artifacthub / hub

Find, install and publish Cloud Native packages
https://artifacthub.io

ArtifactHub 'Something went wrong scanning repository' Emails #3152

Closed d-t-w closed 1 year ago

d-t-w commented 1 year ago

On May 19th I started receiving emails from hub@artifacthub.io

I have received hundreds of emails now, sometimes dozens in a day. Many of them relate to old versions of our chart. Can you stop emailing me please? I'm not sure that there is anything I can do to fix the trivy error they describe.


Title: Something went wrong scanning repository kpow

error scanning image operatr/kpow:89.2: error running trivy on image operatr/kpow:89.2: 2023-05-19T11:51:52.577Z WARN '--security-checks' is deprecated. Use '--scanners' instead.

2023-05-19T11:51:57.691Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer (sha256:9784e2e285b4352b08d784ee5e9c171681f81e6b1ed9c4af3704e98a2972ed03): post analysis error: post analysis error: walk dir error: file open error: open /tmp/layers-334468937/layer-file-2226061772: permission denied

(package kpow:1.0.37)

This is our helm chart https://artifacthub.io/packages/helm/kpow/kpow

tegioz commented 1 year ago

Hi @d-t-w 👋

You can opt out of those notifications from the control panel if you'd like.

Hope that helps 🙂

d-t-w commented 1 year ago

Thanks @tegioz I will just opt out.

Is this a sign of a deeper system bug though? None of our chart versions are being security scanned anymore (they all appear to be continuously failing to scan with the error in the email).

tegioz commented 1 year ago

No worries!

Do you mean a problem in AH affecting more packages? I don't think so because I've just checked quite a few and they all seem to have been scanned successfully within the last 24 hours as expected (I went through some in the top starred list).

Please keep in mind that the error you got comes directly from Trivy. You can actually reproduce it by running the following command locally:

$ trivy image operatr/kpow:89.2
2023-06-29T12:06:01.128+0200    FATAL   image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:9784e2e285b4352b08d784ee5e9c171681f81e6b1ed9c4af3704e98a2972ed03): post analysis error: post analysis error: walk dir error: file open error: open /var/folders/xf/_lrkngc93b307_rchkx37bp40000gn/T/analyzer-fs-818305202/file-4176839629: permission denied

It'd be great if you could investigate this a bit further and, if there was a problem with Trivy, report it to them. It's possible that, if there was an issue in Trivy, it has already been fixed and we haven't upgraded to that version yet though.

tegioz commented 1 year ago

> It's possible that, if there was an issue in Trivy, it has already been fixed and we haven't upgraded to that version yet though.

Although I just tried locally with Trivy 0.42.1, which I think is the latest version available (but not the one used in AH in prod yet).

tegioz commented 1 year ago

Will close this one for now, please feel free to reopen if needed 🙂

If you find out what's causing the error when Trivy scans your images, we'd appreciate it if you could share it with us, just in case other users encounter the same problem 😇

d-t-w commented 1 year ago

Thanks @tegioz if I get to the bottom of it I'll add details here.

d-t-w commented 6 months ago

Resolved by https://github.com/aquasecurity/trivy/issues/6373

tegioz commented 6 months ago

Awesome, thanks!