schewara

Member Since 9 years ago

Vienna

8 followers, 11 following, 648 stars, 13 repos

17 contributions in the last year

Pinned
⚡ OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
⚡ Website of devopsbookmarks.com
⚡ Deploy Prometheus Alertmanager service
⚡ Safari Live Training - Python by Example
Activity

Apr 27, 3 weeks ago
schewara issue comment aquasecurity/trivy

Trivy image scans inside docker hangs

Description

Hey,

In my jenkins pipeline I run trivy image scans before publishing the images. Trivy is running as a container:

docker.image('aquasec/trivy:latest').inside("""-v /var/run/docker.sock:/var/run/docker.sock -u 0 --entrypoint=''""") {
    trivyScanResult = sh(script: "/usr/local/bin/trivy image ...", returnStdout: true)
}

In the last couple of days my jobs have been failing when they reach the scan, due to one of the following:

  • trivy consuming 100% CPU
  • trivy reaching timeout of 5 or 10 minutes

This happens with small (30 MB) and large (> 1 GB) images. All images are stored locally on the machine during the scan.

When I log in to the machines and start the container manually, I observe the same issue. If I download trivy to the machines and run it outside of docker, everything works fine.

One of the machines I am using was running trivy, with the same code, without any issues for a few months.

What did you expect to happen?

trivy scans usually finish in a matter of seconds to a minute.

What happened instead?

trivy hangs / times out.

Output of run with --debug:

/usr/local/bin/trivy --debug image --severity HIGH,CRITICAL <image>
2022-04-26T07:41:56.279Z	DEBUG	Severities: HIGH,CRITICAL

Output of trivy -v:

Version: 0.27.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-04-26 06:06:39.247959855 +0000 UTC
  NextUpdate: 2022-04-26 12:06:39.247959555 +0000 UTC
  DownloadedAt: 2022-04-26 07:05:35.00901385 +0000 UTC

Additional details (base image name, container registry info...):

This does not seem to happen in version 0.25.3. With version 0.25.3 the scan process takes 10-20 seconds.

schewara

We ran into the same one yesterday.

In our case we have one fat JAR file in the container, and a downgrade to 0.26 fixed it for us as well.
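Two things in the reported pipeline are worth tightening regardless of the 0.27.0 regression: it pulls aquasec/trivy:latest, so any new release lands in every build unreviewed, and it mounts the host Docker socket into a container running as root, which makes the scanner container equivalent to root on the Jenkins agent. The POSIX shell wrapper below is an added example, not the reporter's pipeline and not Trivy project code. It pins a specific Trivy release, exports the image with docker save and scans the tarball via Trivy's --input flag so the scanner container never sees the socket, and bounds the whole run with an outer timeout so a spinning scanner (100% CPU, as in the report) fails the job instead of stalling it. Assumptions: the aquasec/trivy:0.26.0 tag, the docker, timeout and mktemp binaries on PATH, and the Trivy flags --input, --severity, --exit-code and --timeout behaving as documented.

```shell
#!/bin/sh
# Added example (not from the issue above, not Trivy project code):
# scan an image with a pinned Trivy release, no Docker socket, hard time bound.
#
# Assumed: aquasec/trivy:0.26.0 exists; docker, timeout and mktemp are on PATH;
# Trivy flags --input, --severity, --exit-code, --timeout behave as documented.

TRIVY_IMAGE="${TRIVY_IMAGE:-aquasec/trivy:0.26.0}"  # pin a known-good release, never :latest
TRIVY_SEVERITY="${TRIVY_SEVERITY:-HIGH,CRITICAL}"
SCAN_TIMEOUT="${SCAN_TIMEOUT:-600}"                 # seconds; outer bound on the whole run

# Run a command under a wall-clock bound. Returns the command's exit status,
# or 124 when GNU timeout had to kill it.
run_bounded() {
  secs="$1"; shift
  timeout "$secs" "$@"
}

# Map an exit status to a pipeline verdict.
classify_exit() {
  case "$1" in
    0)   echo clean ;;      # no findings at or above the severity floor
    1)   echo findings ;;   # trivy --exit-code 1: vulnerabilities found
    124) echo timeout ;;    # killed by the outer timeout: scanner hung
    *)   echo error ;;      # anything else: scanner or runtime failure
  esac
}

# Trivy arguments for scanning a saved image tarball mounted in the container.
# Trivy's own --timeout (5m) fires first on a well-behaved run; the outer
# run_bounded catches the case where Trivy itself stops responding.
trivy_args() {
  severity="$1"; tar_in_container="$2"
  printf '%s' "image --input $tar_in_container --severity $severity --exit-code 1 --timeout 5m"
}

# Export the image to a tarball and scan the tarball, so the scanner container
# needs neither the Docker socket nor any access to the host daemon.
scan_image() {
  image="$1"
  tarball=$(mktemp "${TMPDIR:-/tmp}/scan-XXXXXX") || return 2
  name="trivy-scan-$$"
  docker save "$image" -o "$tarball" || { rm -f "$tarball"; return 2; }
  # shellcheck disable=SC2046  (trivy_args output is deliberately word-split)
  run_bounded "$SCAN_TIMEOUT" docker run --rm --name "$name" \
      -v "$tarball":/scan/image.tar:ro \
      "$TRIVY_IMAGE" $(trivy_args "$TRIVY_SEVERITY" /scan/image.tar)
  rc=$?
  # Killing the docker client does not stop the container; stop it explicitly.
  if [ "$rc" -eq 124 ]; then
    docker kill "$name" >/dev/null 2>&1
  fi
  rm -f "$tarball"
  echo "verdict: $(classify_exit "$rc") (exit $rc)"
  return "$rc"
}

# Usage: ./scan.sh registry/app:1.2.3   (defines functions only when called without an image)
if [ $# -gt 0 ]; then
  scan_image "$1"
fi
```

In a Jenkinsfile this replaces the docker.image(...).inside(...) block with a plain sh step calling the script, and the pinned TRIVY_IMAGE is bumped deliberately, in a reviewed change, rather than drifting with :latest. A verdict of timeout is a distinct failure from findings, which keeps a hung scanner from being mistaken for a clean image or for a policy violation.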
