Fatal error TOOMANYREQUESTS during download of vuln db #82

Open
MCBBosch opened this issue Sep 23, 2024 · 4 comments

Comments

@MCBBosch

When trying to scan a container image in the pipeline, the trivy task fails with this error:

image

It is quite similar to #80, but the proposed fix doesn't help. After 2-3 retries, it can download the vuln db.

@corentinvds

Hello!

I have the same problem.

I found this recent PR 440, which pushes db updates to the Amazon container registry in addition to GitHub, but I'm not sure this will fix the issue since Amazon's policy limits unauthenticated pulls to 1 per second:

image

Would it be possible to catch this error within the task and expose a new variable to specify the number of retries to attempt in case of a "rate limit" error?

I cannot use the retryCountOnTaskFailure task parameter since it will also retry when a vulnerability is found.

@julienLemarie

Hello,

Same issue for me:

image

@MCBBosch
Author

MCBBosch commented Oct 8, 2024

As a workaround, I've created a pipeline which fetches the trivy databases

trivy --cache-dir . config .
trivy image --cache-dir . --download-java-db-only
trivy image --cache-dir . --download-db-only

and publishes them as a pipeline build artifact. This can then be consumed via

resources:
  pipelines:
  - pipeline: 'trivyCachePipeline'
    branch: 'master'
    source: 'name of the pipeline'

@MCBBosch
Author

I just stumbled upon the fact that, from v0.56, trivy supports a CSV list of repositories for download, which works perfectly. Those mirrors are also published by trivy:
https://github.com/aquasecurity/trivy-db/blob/32c63a9af03ffd449a6ffb4471745b6ec9714875/.github/workflows/cron.yml#L85
https://github.com/aquasecurity/trivy-java-db/blob/cfb7fef466315d85e48965f9b2d85a3f270aa8cc/.github/workflows/cron.yml#L56

--java-db-repository ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db
--db-repository ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db

This will do an auto fallback to the ECR repository if GHCR fails.
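
Added example, not part of the original thread and not the task's own code: a wrapper that retries only the database download when the output contains TOOMANYREQUESTS, then scans once against the cached databases so a failed scan (findings included) is never retried. The function names and the `MAX_TRIES` and `RETRY_DELAY` variables are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: retry only the Trivy DB download on registry rate limiting.
# MAX_TRIES, RETRY_DELAY and all function names are assumptions of this sketch.

MAX_TRIES="${MAX_TRIES:-5}"
RETRY_DELAY="${RETRY_DELAY:-10}"   # seconds, multiplied by the attempt number

# Run "$@"; retry only when its output contains TOOMANYREQUESTS.
# Any other failure is returned at once with the command's own exit code.
retry_on_rate_limit() {
    _try=1
    while :; do
        if _out=$("$@" 2>&1); then _rc=0; else _rc=$?; fi
        printf '%s\n' "$_out"
        [ "$_rc" -eq 0 ] && return 0
        case "$_out" in
            *TOOMANYREQUESTS*) ;;        # rate limited: eligible for retry
            *) return "$_rc" ;;          # real failure: do not mask it
        esac
        [ "$_try" -ge "$MAX_TRIES" ] && return "$_rc"
        echo "rate limited (attempt $_try/$MAX_TRIES), backing off" >&2
        sleep $(($RETRY_DELAY * $_try))
        _try=$(($_try + 1))
    done
}

# Fetch both databases into a shared cache, each download retried separately.
prefetch_trivy_dbs() {
    retry_on_rate_limit trivy image --cache-dir "$1" --download-db-only &&
    retry_on_rate_limit trivy image --cache-dir "$1" --download-java-db-only
}

# Scan once against the cached databases; the scan's exit code (including
# the one for findings) reaches the pipeline because nothing here retries it.
scan_image() {
    trivy image --cache-dir "$1" --skip-db-update --skip-java-db-update \
        --exit-code 1 "$2"
}

# Usage: ./scan.sh <cache-dir> <image>
if [ "$#" -eq 2 ]; then
    prefetch_trivy_dbs "$1" && scan_image "$1" "$2"
fi
```

The `--db-repository` and `--java-db-repository` lists from the last comment can be appended to the two download commands to combine mirror fallback with the retry.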
