aquasecurity / starboard

Moved to https://github.com/aquasecurity/trivy-operator

Home Page: https://aquasecurity.github.io/starboard/

FS scanning doesn't work with Trivy version >= 0.23.0

chen-keinan opened this issue · comments

commented

Trivy fs scanning in the same namespace does not work with the latest Starboard release, v0.15.4.
Getting this error:

{"level":"error","ts":1651479039.0873706,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"test-file/scan-vulnerabilityreport-dfcd666f8","container":"6ed20c40-482d-444b-b4b9-968439d67ee4","status.reason":"Error","status.message":"2022-05-02T08:10:09.436Z\t\u001b[34mINFO\u001b[0m\tNeed to update DB\n2022-05-02T08:10:09.436Z\t\u001b[34mINFO\u001b[0m\tDownloading DB...\n2022-05-02T08:10:38.658Z\t\u001b[31mFATAL\u001b[0m\tDB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get \"https://ghcr.io/v2/\": dial tcp 140.82.121.34:443: i/o timeout\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/Users/test.file/Documents/GitHub/starboard/pkg/vulnerabilityreport/controller.go:32

Starboard config:
vulnerabilityReports.scanJobsInSameNamespace : true

Expected result:
scan image

Actual result:
fail with error

commented

Trivy version 0.23.0 introduced subcommand capability, and Starboard needs to be changed to support it. When the Trivy fs scanning job is initialized, the Trivy scan job sets the init container with the old Trivy command convention, without a subcommand; therefore the job is failing: initContainer

commented

Issue has been moved to Trivy-Operator#49 (aquasecurity/trivy-operator#49).