Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

trivy does not honor --insecure for vulnerability DB download #2093

Open
mayrstefan opened this issue May 9, 2022 · 5 comments · May be fixed by #2140
Open

trivy does not honor --insecure for vulnerability DB download #2093

mayrstefan opened this issue May 9, 2022 · 5 comments · May be fixed by #2140
Assignees
Labels
good first issue help wanted kind/bug

Comments

@mayrstefan
Copy link

@mayrstefan mayrstefan commented May 9, 2022

Description

We have an air gapped environment without direct internet access. All necessary container images are mirrored to or proxied through an OnPrem registry (Artifactory). This registry uses a certificate from a private PKI. The vulnerability DB cannot be downloaded from this internal registry.

What did you expect to happen?

We expected that --insecure ignores the private PKI certificate when downloading the vulnerability DB.

What happened instead?

In contrast to an image scan the download of the vulnerability DB ignores the --insecure flag:

 # docker run --rm  ghcr-mirror.example.com/aquasecurity/trivy image --insecure=true --download-db-only --db-repository=ghcr-mirror.example.com/aquasecurity/trivy-db
2022-05-09T21:03:54.082Z        INFO    Need to update DB
2022-05-09T21:03:54.082Z        INFO    DB Repository: ghcr-mirror.example.com/aquasecurity/trivy-db
2022-05-09T21:03:54.082Z        INFO    Downloading DB...
2022-05-09T21:03:54.102Z        FATAL   DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get https://ghcr-mirror.example.com/aquasecurity/v2/: x509: certificate signed by unknown authority

Output of trivy -v:

Version: 0.27.1

Additional details (base image name, container registry info...):

  1. If we mount the local ca-bundle into the container we can download the DB without the --insecure flag (which is not documented)
  2. the --insecure flag works if we scan images from our local registry with a prepopulated cache directory and --skip-db-update
  3. I think #1877 might be the same issue. Maybe a (transparent) proxy which replaces the certificate with a cert signed by an internal CA.
@mayrstefan mayrstefan added the kind/bug label May 9, 2022
@maltewhiite
Copy link

@maltewhiite maltewhiite commented May 12, 2022

I am in the exact same scenario.

This is from the gitlab ci job:

$ time trivy image --exit-code 0 --format template --template "@contrib/junit.tpl" --output "$CI_PROJECT_DIR/junit-report.xml" "$FULL_IMAGE_NAME"
2022-05-12T10:13:03.839Z	INFO	Need to update DB
2022-05-12T10:13:03.839Z	INFO	DB Repository: PRIVATE REGISTRY/aquasecurity/trivy-db
2022-05-12T10:13:03.839Z	INFO	Downloading DB...
2022-05-12T10:13:03.864Z	FATAL	DB error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get "https://PRIVATE REGISTRY/": x509: certificate signed by unknown authority

Here is my .gitlab-ci.yml variables

  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    TRIVY_AUTH_URL: $CI_REGISTRY
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: /cache/trivy
    TRIVY_DB_REPOSITORY: "${CI_REGISTRY}/aquasecurity/trivy-db"
    TRIVY_INSECURE: "true"

edit: I fixed it by wget'ing our cert to /etc/ssl/certs/ca-certificates.crt

@DmitriyLewen
Copy link
Collaborator

@DmitriyLewen DmitriyLewen commented May 16, 2022

Hello @mayrstefan , @maltewhiite

Trivy currently uses the --insecure flag to get an image or repository, not to load a DB.
You can manually download the database and use Trivy with the --skip-update --offline-scan flags.
Information on using Trivy in an air gap environment is here

Trivy currently uses --insecure flag to get image or repository, not to download DB.
You can manually download DB and use Trivy with --skip-update --offline-scan flags.
Information on using Trivy in Air-Gapped Environment here.

Regards, Dmitriy

@maltewhiite
Copy link

@maltewhiite maltewhiite commented May 16, 2022

@DmitriyLewen - Well, the expected behavior is

We expected that --insecure ignores the private PKI certificate when downloading the vulnerability DB.

Could you update the documentation, so people don't expect something that is wrong?

@knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented May 16, 2022

Trivy does the same thing for pulling images.
https://github.com/aquasecurity/fanal/blob/8498ea6d53b6fc14544253ca5445dd46c2e84e76/image/remote.go#L20-L26

We can add custom http.Transport here to skip TLS verification for downloading the DB.
https://github.com/aquasecurity/trivy/blob/main/pkg/oci/artifact.go#L53-L56

@knqyf263 knqyf263 added help wanted good first issue labels May 16, 2022
@mayrstefan
Copy link
Author

@mayrstefan mayrstefan commented May 16, 2022

I would prefer that trivy is also able to ignore the certificate when pulling the db image as it can do when pulling an image for scanning. This would make it much easier to use trivy in a container or kubernetes context where we are restricted to a whitelisted private registry. Like @maltewhiite described the setup of his gitlab environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue help wanted kind/bug
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants