Comments (19)
Thanks, @knqyf263 @danielpacak
The scanner seems to be consistent in results now.
from harbor-scanner-trivy.
@danielpacak - I did check our deployment, all the instances have been running on v0.10.0 for the past 9 days.
@piyush94 I finally got to know the cause. This is a bug and already fixed in the master branch of trivy. I'll release the new version of trivy shortly, then harbor-scanner-trivy is also going to update the trivy version. It should fix this problem.
@piyush94 This affects the image having multiple lock files, regardless of OS and package. I've released v0.9.0 just before. I'm making sure it works properly now. Thank you for reporting this issue!
From trivy 0.7.0, I can see they are coming from different files in the image, but this information is not available in the Harbor scan. But also, it's changing between count 4 and 7.
CC: @svisagan83
@piyush94 Thank you for opening this issue. I did check and I can reproduce the "duplicates" issue.
However I cannot reproduce the discrepancy in the number of critical vulnerabilities found by Trivy in short intervals. Could you provide more details whether your trivy.db file is cached and / or is up to date?
Regarding duplicates, Trivy scans each Gemfile.lock independently and reports vulnerabilities, if any, as separate targets in the output report. In your example there are 3 Gemfile.lock files. When we map these targets to the Harbor model we somehow lose the context of which Gemfile.lock the vulnerable library dependency comes from, but from our standpoint it's not a duplicate. It's mapped as a VulnerabilityItem and rendered as a row in the grid.
If I append the path to a Gemfile.lock to a package name we'd get a noisy report as shown below:
Originally the Harbor model catered only for OS packages but not application dependencies. What we've done with Trivy is bending a bit the reality, but maybe in the next releases of Harbor we'll extend the model to provide the missing context described above in the Harbor user interface.
@danielpacak Thank you for the info.
Regarding the discrepancy, yesterday, as you can see from my screenshot, Trivy 0.7.0 was showing total count of 7 from 3 files.
But today's scan is matching what you have shared, total count 4 from 2 files, although the image hasn't changed.
Is there any reason for this?
CC: @svisagan83
@danielpacak Seems to be a cache issue, as both scans are with the same DB.
fluentd.txt
fluentd-cache-cleared.txt
Interesting. The only way I could get 7 critical vulnerabilities is with the previous version of the adapter service, which relies on Trivy v0.6.0. As you might remember in Trivy v0.7.0 we prefer vendor severity, which might justify the discrepancy. Is there any chance that you're running multiple instances of the adapter service, and one of them is still on the previous version?
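Putting @danielpacak's two explanations together (one Trivy target per Gemfile.lock collapsing into target-less Harbor rows, and Trivy v0.7.0 preferring vendor severity), here is an added Go example that is not the adapter's own code. Target, PkgName, VulnerabilityID and InstalledVersion mirror Trivy's report field names; NvdSeverity and VendorSeverity, the three sample lock files and the CVE ids are constructed for this illustration.

```go
package main
import "fmt"

// One Result per scanned target, as in a Trivy report. Target, PkgName, VulnerabilityID and
// InstalledVersion are Trivy's field names; the two severity fields are constructed for this example.
type Vuln struct {
	VulnerabilityID, PkgName, InstalledVersion string
	NvdSeverity, VendorSeverity                string // VendorSeverity may be empty
}
type Result struct{ Target string; Vulnerabilities []Vuln }

// Constructed sample: three Gemfile.lock files, two pinning the same gems; CVE ids are placeholders.
var (
	rack         = Vuln{"CVE-0000-0001", "rack", "2.0.1", "CRITICAL", "HIGH"}
	nokogiri     = Vuln{"CVE-0000-0002", "nokogiri", "1.8.0", "CRITICAL", ""}
	sampleReport = []Result{
		{"app/Gemfile.lock", []Vuln{rack, nokogiri}},
		{"tools/Gemfile.lock", []Vuln{rack}},
		{"vendor/Gemfile.lock", []Vuln{nokogiri}},
	}
)

// severity models Trivy v0.7.0 preferring the vendor rating over NVD's when one exists.
func severity(v Vuln, preferVendor bool) string {
	if preferVendor && v.VendorSeverity != "" {
		return v.VendorSeverity
	}
	return v.NvdSeverity
}

// countRows tallies findings the way Harbor's grid renders them: one row per finding per
// target, since VulnerabilityItem has no Target. The second result is the number of distinct
// (id, package, version) triples, i.e. how many rows remain once the lock file path is gone.
func countRows(rs []Result, preferVendor bool) (map[string]int, int) {
	bySeverity, seen := map[string]int{}, map[string]bool{}
	for _, r := range rs {
		for _, v := range r.Vulnerabilities {
			bySeverity[severity(v, preferVendor)]++
			seen[v.VulnerabilityID+"|"+v.PkgName+"|"+v.InstalledVersion] = true
		}
	}
	return bySeverity, len(seen)
}

func main() {
	nvd, distinct := countRows(sampleReport, false)
	vendor, _ := countRows(sampleReport, true)
	fmt.Println(nvd["CRITICAL"], vendor["CRITICAL"], distinct) // 4 2 2
}
```

The same two findings produce four CRITICAL rows under NVD severity but only two once vendor severity is preferred, and the two rows for rack are indistinguishable in the grid without the originating lock file.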
> @danielpacak Seems to be a cache issue, as both scans are with the same DB.
> fluentd.txt
> fluentd-cache-cleared.txt
@piyush94 A few more questions so I fully understand what's happening in your environment:
- When you say cache issue, are you referring to the trivy.db file or fanal.db, or maybe the latest scan results stored in Harbor DB?
- How did you clean the cache, was it the trivy -c command?
- Last but not least, after all did cleaning the cache resolve the discrepancy? Or is it still reproducible? I cannot reproduce it on my end.
- I am not sure which database, but I was referring to this line in the trivy debug log: DB Schema: 1, Type: 1, UpdatedAt: 2020-05-28 12:10:23.757050823 +0000 UTC.
- I ran the first scan with the flag --skip-update and always got total count 7. Then I cleared the cache using the trivy -c command.
- After this, I got total count as 4 in the next scans with the flag --skip-update.
After observing the discrepancy in Harbor, I did this test with local trivy, not harbor.
Is there a way to clear either scanner or Harbor cache?
Also, I did some more tests now.
Scanner details:
Name: Trivy
Vendor: Aqua Security
Version: 0.7.0
Capabilities
Consumes Mime Types: [application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json]
Produces Mime Types: [application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0]
Properties
com.github.aquasecurity.trivy.debugMode: true
com.github.aquasecurity.trivy.ignoreUnfixed: false
com.github.aquasecurity.trivy.insecure: false
com.github.aquasecurity.trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
com.github.aquasecurity.trivy.skipUpdate: false
com.github.aquasecurity.trivy.vulnType: os,library
harbor.scanner-adapter/scanner-type: os-package-vulnerability
harbor.scanner-adapter/vulnerability-database-next-update-at: 2020-05-29T12:16:57Z
harbor.scanner-adapter/vulnerability-database-updated-at: 5/29/20, 5:46 AM
org.label-schema.build-date: 2020-05-20T12:03:08Z
org.label-schema.vcs: https://github.com/aquasecurity/harbor-scanner-trivy
org.label-schema.vcs-ref: b063d5f467dd9538a7705a720bf99a1177d648ba
org.label-schema.version: 0.10.0
@knqyf263 Looking at the above examples provided by @piyush94 do you have any idea under which conditions we might get such discrepancies? It seems to be reproducible with trivy executable so I bet it's not related to the adapter service.
@piyush94 Is your image available in public? I couldn't find ranchercharts/fluentd-aggregator. Also, it doesn't reproduce in my environment.
@knqyf263 It's this one, https://hub.docker.com/r/ranchercharts/fluentd-aggregator/tags
@piyush94 Oh, I don't know why I couldn't find the image 😓 I probably did a typo. I'll look into it. Thanks.
@knqyf263 Which OS and/or packages are affected by this bug?
@piyush94 We've just released https://github.com/aquasecurity/harbor-scanner-trivy/releases/tag/v0.11.0 which relies on https://github.com/aquasecurity/trivy/releases/tag/v0.9.0
And we hope that your issue has gone with this new version!
@piyush94 Thank you for the confirmation!