
Rootfs fails randomly when scanning folders with jar files #3921

Closed
javierfreire opened this issue Mar 29, 2023 · 9 comments · Fixed by #4061
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@javierfreire
Contributor

javierfreire commented Mar 29, 2023

Description

Since Trivy 0.38.0 (we can't reproduce it in release 0.37.3), rootfs fails randomly. The failure occurs while walking through folders with jar files.

The file that isn't found is different in each execution, and sometimes it works fine:

2023-03-29T13:15:35.664+0200    INFO    Vulnerability scanning is enabled
2023-03-29T13:15:35.713+0200    FATAL   rootfs scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with /tmp/puzzle-workplace-17210770677456083533/vmdk/opt/bitnami/wildfly/modules/system/layers/base/org/wildfly/security/jakarta/security/main: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
2023-03-29T13:15:37.985+0200    INFO    Vulnerability scanning is enabled
2023-03-29T13:15:38.040+0200    FATAL   rootfs scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with /tmp/puzzle-workplace-17210770677456083533/vmdk/opt/bitnami/wildfly/modules/system/layers/base/io/smallrye/common: unknown error with /tmp/puzzle-workplace-17210770677456083533/vmdk/opt/bitnami/wildfly/modules/system/layers/base/io/smallrye/common/annotation: unknown error with /tmp/puzzle-workplace-17210770677456083533/vmdk/opt/bitnami/wildfly/modules/system/layers/base/io/smallrye/common/annotation/main: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
2023-03-29T13:15:52.319+0200    INFO    Vulnerability scanning is enabled
2023-03-29T13:15:52.449+0200    INFO    JAR files found
2023-03-29T13:15:52.450+0200    INFO    Analyzing JAR files takes a while...
2023-03-29T13:15:52.607+0200    INFO    Detected OS: debian
2023-03-29T13:15:52.608+0200    INFO    Detecting Debian vulnerabilities...
2023-03-29T13:15:52.651+0200    INFO    Number of language-specific files: 4
2023-03-29T13:15:52.652+0200    INFO    Detecting gobinary vulnerabilities...
2023-03-29T13:15:52.652+0200    INFO    Detecting jar vulnerabilities...
2023-03-29T13:15:53.118+0200    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

What did you expect to happen?

It should always finish correctly.

What happened instead?

It fails randomly.

Output of the run with --debug:

2023-03-29T13:18:58.895+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-29T13:18:58.903+0200    DEBUG   cache dir:  /home/fjavier/.cache/trivy
2023-03-29T13:18:58.903+0200    DEBUG   DB update was skipped because the local DB is the latest
2023-03-29T13:18:58.903+0200    DEBUG   DB Schema: 2, UpdatedAt: 2023-03-29 06:18:30.78166506 +0000 UTC, NextUpdate: 2023-03-29 12:18:30.78166476 +0000 UTC, DownloadedAt: 2023-03-29 07:18:44.143154773 +0000 UTC
2023-03-29T13:18:58.903+0200    INFO    Vulnerability scanning is enabled
2023-03-29T13:18:58.903+0200    DEBUG   Vulnerability type:  [os library]
2023-03-29T13:18:58.904+0200    DEBUG   Walk the file tree rooted at '/tmp/puzzle-workplace-17210770677456083533/vmdk' in parallel
2023-03-29T13:18:58.953+0200    FATAL   rootfs scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:435
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:668
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - walk filesystem:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:153
  - walk error:
    github.com/aquasecurity/trivy/pkg/fanal/walker.walkFast
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:82
  - unknown error with /tmp/puzzle-workplace-17210770677456083533/vmdk/opt/bitnami/wildfly/modules/system/layers/base/jakarta/enterprise/concurrent/api/main:
    github.com/aquasecurity/trivy/pkg/fanal/walker.walkFast.func1
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:75
  - failed to analyze file:
    github.com/aquasecurity/trivy/pkg/fanal/walker.FS.Walk.func1
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:51
  - failed to build filesystem:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:147
  - mapfs write error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.buildFS
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:246
  - file does not exist

Output of trivy -v:

Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-29 06:18:30.78166506 +0000 UTC
  NextUpdate: 2023-03-29 12:18:30.78166476 +0000 UTC
  DownloadedAt: 2023-03-29 07:18:44.143154773 +0000 UTC

Additional details (base image name, container registry info...):

To reproduce it, you can download the Bitnami Wildfly OVA, and extract it using 7z.

$ 7z x bitnami-wildfly-27.0.1-r9-debian-11-amd64.ova

$ 7z x bitnami-wildfly-27-27.0.1-r9-debian-11-amd64-disk-0.vmdk -owildfly


@javierfreire javierfreire added the kind/bug Categorizes issue or PR as related to a bug. label Mar 29, 2023
@DmitriyLewen
Contributor

Hello @javierfreire
Thanks for your report and sorry for late reply.

I can't reproduce this issue (I only got an invalid zip error, but that is a different issue).
Can you check this problem in v0.39.1?

Also, I saw that you used the tmp folder (/tmp/puzzle-workplace-17210770677456083533/vmdk) to extract the VM. Have you tried using a different folder?

Regards, Dmitriy

@DmitriyLewen DmitriyLewen self-assigned this Apr 11, 2023
@javierfreire
Contributor Author

javierfreire commented Apr 11, 2023

Thanks for your attention.

Same error using v0.39.1 and the Downloads folder.

$ 7z x bitnami-wildfly-27.0.1-r9-debian-11-amd64.ova -owildfly-ova
...

$ 7z x wildfly-ova/bitnami-wildfly-27-27.0.1-r9-debian-11-amd64-disk-0.vmdk -owildfly-vmdk
...

$ trivy rootfs wildfly-vmdk --scanners vuln
2023-04-11T09:44:01.319+0200    INFO    Vulnerability scanning is enabled
2023-04-11T09:44:01.365+0200    FATAL   rootfs scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with wildfly-vmdk/opt/bitnami/wildfly/modules/system/layers/base/asm/asm: unknown error with wildfly-vmdk/opt/bitnami/wildfly/modules/system/layers/base/asm/asm/main: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist

$ trivy --version
Version: 0.39.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-11 06:09:01.353030514 +0000 UTC
  NextUpdate: 2023-04-11 12:09:01.353030314 +0000 UTC
  DownloadedAt: 2023-04-11 07:32:49.116919811 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-03-28 01:46:40.203088549 +0000 UTC
  NextUpdate: 2023-03-31 01:46:40.203088149 +0000 UTC
  DownloadedAt: 2023-03-28 14:32:18.260255173 +0000 UTC

@DmitriyLewen
Contributor

Thanks a lot, I will investigate more and write to you!

@axi92

axi92 commented Apr 12, 2023

I have the same error. After starting trivy about 3-4 times, it works =)

It fails every time at a different module scan:
filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/pac-proxy-agent/node_modules/http-proxy-agent: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist

PS: I use trivy fs . for a Node project

@axi92

axi92 commented Apr 13, 2023

I am using this code now to retry until it works:

until trivy fs . --skip-files '**/yarn.lock'   # quote the glob so the shell passes it to trivy unexpanded
do
    echo Retry...
    sleep 1
done

That's the output:

2023-04-13T08:54:31.224+0200    INFO    Loaded trivy.yaml
2023-04-13T08:54:31.227+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:54:31.227+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:54:31.229+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:54:31.229+0200    INFO    Secret scanning is enabled
2023-04-13T08:54:31.229+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:54:31.229+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:54:41.064+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/protractor/node_modules/cliui/node_modules/strip-ansi: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:54:42.509+0200    INFO    Loaded trivy.yaml
2023-04-13T08:54:42.512+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:54:42.512+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:54:42.514+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:54:42.514+0200    INFO    Secret scanning is enabled
2023-04-13T08:54:42.514+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:54:42.514+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:54:49.161+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/@babel/plugin-transform-runtime: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:54:50.608+0200    INFO    Loaded trivy.yaml
2023-04-13T08:54:50.610+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:54:50.610+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:54:50.612+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:54:50.612+0200    INFO    Secret scanning is enabled
2023-04-13T08:54:50.612+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:54:50.612+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:54:53.629+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/type-utils: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:54:55.079+0200    INFO    Loaded trivy.yaml
2023-04-13T08:54:55.082+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:54:55.082+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:54:55.087+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:54:55.087+0200    INFO    Secret scanning is enabled
2023-04-13T08:54:55.087+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:54:55.087+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:55:09.435+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/eslint-plugin-import/node_modules: unknown error with ./node_modules/eslint-plugin-import/node_modules/debug: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:55:10.879+0200    INFO    Loaded trivy.yaml
2023-04-13T08:55:10.885+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:55:10.885+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:55:10.891+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:55:10.891+0200    INFO    Secret scanning is enabled
2023-04-13T08:55:10.891+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:55:10.891+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:55:20.887+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/resolve/test/resolver/multirepo: unknown error with ./node_modules/resolve/test/resolver/multirepo/packages: unknown error with ./node_modules/resolve/test/resolver/multirepo/packages/package-b: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:55:22.342+0200    INFO    Loaded trivy.yaml
2023-04-13T08:55:22.345+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:55:22.345+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:55:22.346+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:55:22.346+0200    INFO    Secret scanning is enabled
2023-04-13T08:55:22.346+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:55:22.346+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:55:32.283+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/needle: unknown error with ./node_modules/needle/node_modules: unknown error with ./node_modules/needle/node_modules/iconv-lite: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:55:33.733+0200    INFO    Loaded trivy.yaml
2023-04-13T08:55:33.736+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:55:33.736+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:55:33.737+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:55:33.737+0200    INFO    Secret scanning is enabled
2023-04-13T08:55:33.737+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:55:33.737+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:55:43.581+0200    FATAL   filesystem scan error: scan error: scan failed: failed analysis: walk filesystem: walk error: unknown error with ./node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types: failed to analyze file: failed to build filesystem: mapfs write error: file does not exist
Retry...
2023-04-13T08:55:45.030+0200    INFO    Loaded trivy.yaml
2023-04-13T08:55:45.034+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-04-13T08:55:45.034+0200    WARN    "--dependency-tree" can be used only with "--format table".
2023-04-13T08:55:45.035+0200    INFO    Vulnerability scanning is enabled
2023-04-13T08:55:45.035+0200    INFO    Secret scanning is enabled
2023-04-13T08:55:45.035+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-13T08:55:45.035+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-13T08:56:07.190+0200    INFO    To collect the license information of packages in "node_modules/minipass-sized/package-lock.json", "npm install" needs to be performed beforehand
2023-04-13T08:56:07.197+0200    INFO    To collect the license information of packages in "node_modules/npm-normalize-package-bin/package-lock.json", "npm install" needs to be performed beforehand
2023-04-13T08:56:07.205+0200    INFO    To collect the license information of packages in "node_modules/protobufjs/package-lock.json", "npm install" needs to be performed beforehand
2023-04-13T08:56:07.405+0200    INFO    Number of language-specific files: 11
2023-04-13T08:56:07.405+0200    INFO    Detecting bundler vulnerabilities...
2023-04-13T08:56:07.405+0200    INFO    Detecting pom vulnerabilities...
2023-04-13T08:56:07.406+0200    INFO    Detecting yarn vulnerabilities...
2023-04-13T08:56:07.406+0200    INFO    Detecting cocoapods vulnerabilities...
2023-04-13T08:56:07.406+0200    WARN    CocoaPods is supported for SBOM, not for vulnerability scanning
2023-04-13T08:56:07.406+0200    INFO    Detecting pip vulnerabilities...
2023-04-13T08:56:07.406+0200    INFO    Detecting npm vulnerabilities...
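The retry loop above never gives up and retries every failure, including ones that are not this race. The wrapper below is an added example, not code from this thread or from the Trivy project: it re-runs the scan only when stderr contains the "mapfs write error: file does not exist" text reported in this issue, stops after a bounded number of attempts so a CI job cannot spin forever, and propagates any other exit status unchanged. The `flaky_scan` and `hard_fail` functions are constructed stand-ins for `trivy fs .` so the wrapper can be exercised offline; the real usage line at the end assumes `trivy` is on PATH.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Trivy project): bounded,
# error-specific retry wrapper for a scan that sometimes dies in the
# parallel filesystem walker. Assumes `trivy` is on PATH for real use.

# The stderr text that identifies the transient walker failure from this
# issue. Any other failure (bad flags, DB download error, findings reported
# via --exit-code 1) is returned immediately without a retry.
RETRYABLE_PATTERN='mapfs write error: file does not exist'

# run_with_retry MAX_ATTEMPTS DELAY_SECONDS CMD [ARGS...]
# Returns 0 on the first successful attempt, otherwise the last exit status of CMD.
run_with_retry() {
    max_attempts="$1"; delay="$2"; shift 2
    attempt=1
    errfile="$(mktemp)"
    while :; do
        if "$@" 2>"$errfile"; then
            status=0
        else
            status=$?
        fi
        cat "$errfile" >&2                      # re-emit the scanner's stderr for the job log
        if [ "$status" -eq 0 ]; then
            break
        fi
        if ! grep -q "$RETRYABLE_PATTERN" "$errfile"; then
            echo "run_with_retry: non-retryable failure (exit $status), not retrying" >&2
            break
        fi
        if [ "$attempt" -ge "$max_attempts" ]; then
            echo "run_with_retry: giving up after $attempt attempts (exit $status)" >&2
            break
        fi
        echo "run_with_retry: attempt $attempt hit the walker race, retrying in ${delay}s" >&2
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    rm -f "$errfile"
    return "$status"
}

# Constructed stand-in for `trivy fs .`: reproduces the FATAL line from the
# thread on the first two calls, then succeeds. Runs in the current shell,
# so the call counter is visible to the caller.
FLAKY_CALLS=0
flaky_scan() {
    FLAKY_CALLS=$((FLAKY_CALLS + 1))
    if [ "$FLAKY_CALLS" -le 2 ]; then
        echo "FATAL filesystem scan error: ... failed to build filesystem: mapfs write error: file does not exist" >&2
        return 1
    fi
    echo "scan finished"
}

# Constructed stand-in for a failure that must not be retried.
HARD_CALLS=0
hard_fail() {
    HARD_CALLS=$((HARD_CALLS + 1))
    echo "FATAL filesystem scan error: some unrelated error" >&2
    return 3
}

# Real usage (requires trivy). Findings returned through --exit-code 1 are not
# retried because that stderr does not contain the race pattern:
#   run_with_retry 5 2 trivy fs . --scanners vuln --exit-code 1
```

Matching on the exact error text is deliberate: a retry loop that swallows every non-zero exit also hides real scanner failures and, with `--exit-code 1`, would keep re-running a scan that is correctly reporting vulnerabilities.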

@DmitriyLewen
Contributor

Thanks @axi92 !

I was able to reproduce the error.
I am currently working on this.

@axi92

axi92 commented Apr 13, 2023

I found out that if I enable scan.slow = true it does not fail.

@DmitriyLewen
Contributor

Hello @axi92 , @javierfreire

We merged #4061
It should fix this problem.

Until the new release you can use the canary build.

Best Regards, Dmitriy

@javierfreire
Contributor Author

Thank you!!
