
image cache not shared between scanning and sbom #3456

Closed
victornoel opened this issue Jan 18, 2023 · 10 comments
Labels
scan/vulnerability Issues relating to vulnerability scanning triage/support Indicates an issue that is a support question.

Comments

@victornoel

Description

Trivy does not seem to reuse the cache from one execution of the image command for scanning vulnerabilities with a second execution of the image command to generate an SBOM.

Example

# docker run --rm -v $PWD/trivycache:/root/.cache/ docker.io/aquasec/trivy:0.36.1 image --debug python:3.4-alpine
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
2023-01-18T13:30:56.845Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-18T13:30:56.849Z	DEBUG	cache dir:  /root/.cache/trivy
2023-01-18T13:30:56.849Z	DEBUG	DB update was skipped because the local DB is the latest
2023-01-18T13:30:56.849Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-01-18 12:08:44.332733364 +0000 UTC, NextUpdate: 2023-01-18 18:08:44.332732964 +0000 UTC, DownloadedAt: 2023-01-18 13:30:24.044701617 +0000 UTC
2023-01-18T13:30:56.849Z	INFO	Vulnerability scanning is enabled
2023-01-18T13:30:56.849Z	DEBUG	Vulnerability type:  [os library]
2023-01-18T13:30:56.849Z	INFO	Secret scanning is enabled
2023-01-18T13:30:56.849Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-18T13:30:56.849Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-18T13:30:57.913Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-01-18T13:30:58.150Z	DEBUG	Image ID: sha256:c06adcf62f6ef21ae5c586552532b04b693f9ab6df377d7ea066fd682c470864
2023-01-18T13:30:58.150Z	DEBUG	Diff IDs: [sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1 sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757 sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743 sha256:58026b9b6bf1a7dbc0872462e9ea675cad54a45bc7682bd3631dd4f3c16b1332 sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346]
2023-01-18T13:30:58.150Z	DEBUG	Base Layers: [sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1]
2023-01-18T13:30:58.150Z	DEBUG	Missing image ID in cache: sha256:c06adcf62f6ef21ae5c586552532b04b693f9ab6df377d7ea066fd682c470864
2023-01-18T13:30:58.150Z	DEBUG	Missing diff ID in cache: sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346
2023-01-18T13:30:58.150Z	DEBUG	Missing diff ID in cache: sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757
2023-01-18T13:30:58.150Z	DEBUG	Missing diff ID in cache: sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743
2023-01-18T13:30:58.150Z	DEBUG	Missing diff ID in cache: sha256:58026b9b6bf1a7dbc0872462e9ea675cad54a45bc7682bd3631dd4f3c16b1332
2023-01-18T13:30:58.150Z	DEBUG	Missing diff ID in cache: sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1
2023-01-18T13:30:58.968Z	INFO	Detected OS: alpine
2023-01-18T13:30:58.968Z	INFO	Detecting Alpine vulnerabilities...
2023-01-18T13:30:58.968Z	DEBUG	alpine: os version: 3.9
2023-01-18T13:30:58.968Z	DEBUG	alpine: package repository: 3.9
2023-01-18T13:30:58.968Z	DEBUG	alpine: the number of packages: 28
2023-01-18T13:30:58.969Z	INFO	Number of language-specific files: 1
2023-01-18T13:30:58.969Z	INFO	Detecting python-pkg vulnerabilities...
2023-01-18T13:30:58.969Z	DEBUG	Detecting library vulnerabilities, type: python-pkg, path: 
2023-01-18T13:30:58.973Z	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2023-01-18T13:30:58.973Z	WARN	The vulnerability detection may be insufficient because security updates are not provided

# docker run --rm -v $PWD/trivycache:/root/.cache/ docker.io/aquasec/trivy:0.36.1 image --debug python:3.4-alpine
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
2023-01-18T13:31:13.567Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-18T13:31:13.571Z	DEBUG	cache dir:  /root/.cache/trivy
2023-01-18T13:31:13.571Z	DEBUG	DB update was skipped because the local DB is the latest
2023-01-18T13:31:13.571Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-01-18 12:08:44.332733364 +0000 UTC, NextUpdate: 2023-01-18 18:08:44.332732964 +0000 UTC, DownloadedAt: 2023-01-18 13:30:24.044701617 +0000 UTC
2023-01-18T13:31:13.571Z	INFO	Vulnerability scanning is enabled
2023-01-18T13:31:13.571Z	DEBUG	Vulnerability type:  [os library]
2023-01-18T13:31:13.571Z	INFO	Secret scanning is enabled
2023-01-18T13:31:13.571Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-18T13:31:13.571Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-18T13:31:14.552Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-01-18T13:31:14.792Z	DEBUG	Image ID: sha256:c06adcf62f6ef21ae5c586552532b04b693f9ab6df377d7ea066fd682c470864
2023-01-18T13:31:14.792Z	DEBUG	Diff IDs: [sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1 sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757 sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743 sha256:58026b9b6bf1a7dbc0872462e9ea675cad54a45bc7682bd3631dd4f3c16b1332 sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346]
2023-01-18T13:31:14.792Z	DEBUG	Base Layers: [sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1]
2023-01-18T13:31:14.793Z	INFO	Detected OS: alpine
2023-01-18T13:31:14.793Z	INFO	Detecting Alpine vulnerabilities...
2023-01-18T13:31:14.793Z	DEBUG	alpine: os version: 3.9
2023-01-18T13:31:14.793Z	DEBUG	alpine: package repository: 3.9
2023-01-18T13:31:14.793Z	DEBUG	alpine: the number of packages: 28
2023-01-18T13:31:14.794Z	INFO	Number of language-specific files: 1
2023-01-18T13:31:14.794Z	INFO	Detecting python-pkg vulnerabilities...
2023-01-18T13:31:14.794Z	DEBUG	Detecting library vulnerabilities, type: python-pkg, path: 
2023-01-18T13:31:14.795Z	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2023-01-18T13:31:14.795Z	WARN	The vulnerability detection may be insufficient because security updates are not provided

# docker run --rm -v $PWD/trivycache:/root/.cache/ docker.io/aquasec/trivy:0.36.1 image --debug --format cyclonedx --output sbom.json python:3.4-alpine
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
2023-01-18T13:34:18.433Z	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-01-18T13:34:18.433Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-18T13:34:18.434Z	INFO	"--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-01-18T13:34:18.438Z	DEBUG	cache dir:  /root/.cache/trivy
2023-01-18T13:34:19.655Z	DEBUG	Image ID: sha256:c06adcf62f6ef21ae5c586552532b04b693f9ab6df377d7ea066fd682c470864
2023-01-18T13:34:19.655Z	DEBUG	Diff IDs: [sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1 sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757 sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743 sha256:58026b9b6bf1a7dbc0872462e9ea675cad54a45bc7682bd3631dd4f3c16b1332 sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346]
2023-01-18T13:34:19.655Z	DEBUG	Base Layers: [sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1]
2023-01-18T13:34:19.656Z	DEBUG	Missing diff ID in cache: sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346
2023-01-18T13:34:19.656Z	DEBUG	Missing diff ID in cache: sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757
2023-01-18T13:34:19.656Z	DEBUG	Missing diff ID in cache: sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1
2023-01-18T13:34:19.656Z	DEBUG	Missing diff ID in cache: sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743
2023-01-18T13:34:19.656Z	DEBUG	Missing diff ID in cache: sha256:58026b9b6bf1a7dbc0872462e9ea675cad54a45bc7682bd3631dd4f3c16b1332

As you can see, while the second call seems to be reusing the cache results, the third one does not and thus will try to fetch dependencies if required (I'm experiencing this with an image with a lot of jars :).

Output of trivy -v:

docker run --rm -v $PWD/trivycache:/root/.cache/ docker.io/aquasec/trivy:0.36.1 -v      
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
Version: 0.36.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-18 12:08:44.332733364 +0000 UTC
  NextUpdate: 2023-01-18 18:08:44.332732964 +0000 UTC
  DownloadedAt: 2023-01-18 13:30:24.044701617 +0000 UTC
@victornoel victornoel added the kind/bug Categorizes issue or PR as related to a bug. label Jan 18, 2023
@itaysk itaysk added the scan/vulnerability Issues relating to vulnerability scanning label Jan 19, 2023
@knqyf263
Collaborator

Thanks for the report. We'll look into it.

@knqyf263
Collaborator

@afdesk I suspect the cache, as the cache key is calculated according to the enabled analyzers. We might enable different analyzers. Could you take a look?

@afdesk
Contributor

afdesk commented Jan 25, 2023

@knqyf263 yes, sure. I'll take a look at this issue today.

@afdesk
Contributor

afdesk commented Jan 26, 2023

@victornoel thanks for the report!

@knqyf263 you're right as usual, there is a problem with enabled analyzers.

There is a solution: use the same security checks.

$ trivy image --debug --security-checks vuln python:3.4-alpine

$ trivy image --debug --format cyclonedx --output sbom.json --security-checks vuln python:3.4-alpine

The second call used the cache in my case.

@afdesk
Contributor

afdesk commented Jan 31, 2023

I caught it.
The default scanners for cyclonedx are vuln,secret.

The second run uses the cache:

$ trivy image --debug python:3.4-alpine

$ trivy image --debug --format cyclonedx --output sbom.json --security-checks vuln,secret python:3.4-alpine

@victornoel could you confirm it?

@knqyf263 should we change it?

@victornoel
Author

@afdesk are you proposing to enable vuln/secret by default with BOM?

Ideally, I would expect that the cache is used to infer dependencies, so it's not dependent on the security checks, but I may be missing some intricacies of how things work and maybe this does not make sense?

@github-actions

github-actions bot commented Apr 2, 2023

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 2, 2023
@afdesk afdesk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 3, 2023
@github-actions

github-actions bot commented Jun 3, 2023

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 3, 2023
@afdesk afdesk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 5, 2023
@nikpivkin
Contributor

Hi @victornoel. The key for storing artifacts in the cache is calculated depending on the analyzers used. The cache will be reused if you disable the secret scanner when scanning an image or enable it when creating cyclonedx. For example:

trivy image -d --scanners vuln python:3.4-alpine
trivy image -d --format cyclonedx --output sbom.json python:3.4-alpine

or

trivy image -d python:3.4-alpine
trivy image -d --scanners secret --format cyclonedx --output sbom.json python:3.4-alpine
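As an added illustration of the behaviour described in this thread (a model written for this page, not Trivy's own code): a layer cache whose key hashes the layer diff ID together with the enabled analyzer set, replayed over the reporter's three runs. Analyzer names and diff IDs are constructed; the model only shows why runs with different scanner configurations cannot reuse each other's entries while aligned runs do.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed diff IDs standing in for the five layers in the report.
var layers = []string{"sha256:a", "sha256:b", "sha256:c", "sha256:d", "sha256:e"}

// Hypothetical analyzer sets: the default scan also runs the secret analyzer,
// a CycloneDX run with security checks disabled does not.
var defaultScan = []string{"os-pkg", "lang-pkg", "secret"}
var cyclonedxRun = []string{"os-pkg", "lang-pkg"}

// CacheKey hashes the layer diff ID together with the sorted analyzer set,
// so the same layer gets a different key under a different configuration.
func CacheKey(diffID string, analyzers []string) string {
	a := append([]string(nil), analyzers...)
	sort.Strings(a)
	sum := sha256.Sum256([]byte(diffID + "\n" + strings.Join(a, ",")))
	return hex.EncodeToString(sum[:])
}

// MissesPerRun replays a sequence of runs against one shared cache and
// returns how many layers each run had to analyze from scratch.
func MissesPerRun(runs [][]string) []int {
	cache := map[string]bool{}
	var out []int
	for _, analyzers := range runs {
		misses := 0
		for _, id := range layers {
			if k := CacheKey(id, analyzers); !cache[k] {
				misses++
				cache[k] = true
			}
		}
		out = append(out, misses)
	}
	return out
}

func main() {
	// Thread's scenario: scan, scan, SBOM -> the SBOM run misses every layer.
	fmt.Println(MissesPerRun([][]string{defaultScan, defaultScan, cyclonedxRun}))
	// Same analyzers on every run -> only the first run misses.
	fmt.Println(MissesPerRun([][]string{cyclonedxRun, cyclonedxRun, cyclonedxRun}))
}
```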

@knqyf263 knqyf263 added triage/support Indicates an issue that is a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jun 29, 2023
@victornoel
Author

@nikpivkin ok, this makes sense, thank you for the explanation! I think we can close this, right? Feel free to reopen if not :)

5 participants