fix: [bug description] Not able to generate any vuln report in STDOUT nor SBOMs for mounted qcow2 #4662
Comments
That last line is just Potential things to try:
There is over ~9G of space present in the root fs (okhard@keep-platform-utility:~/$ df -h), still the cve-bin-tool keeps on getting killed. May I know what the other minimum requirements for running cve-bin-tool are? I tried
Maybe it was killed due to memory issues? I can't really debug this from the cve-bin-tool side, so you'll need to use your Linux utilities to figure it out. I'd start with
In case you've never debugged something similar, here's a random blog post that explains a bit more about figuring out when something was killed by the system: https://www.baeldung.com/linux/what-killed-a-process -- it might not be the answer for you, but I don't want to assume that you've ever read a dmesg trace before, so I figured I'd include something with more detail.
Also, I don't think you're using GitHub Actions, but I will say that I've been seeing jobs killed after about 30-45 minutes even when their timeouts are set considerably longer, so I won't rule out being killed by a timeout if you're running in a CI or cloud system that may have additional restrictions enabled.
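As an added example (not from the cve-bin-tool project or from anyone in this thread), here is a POSIX shell snippet that performs the check described above: it scans kernel log lines for an OOM-killer record naming a given process and reports the victim's pid and resident size, and it recognises the exit status a shell reports when a child died of SIGKILL. The log lines are constructed; the host name, pid and sizes are made up.

```shell
#!/bin/sh
# Added example, not part of the cve-bin-tool project: confirm from the kernel
# log whether a process was killed by the OOM killer, which is what a bare
# "Killed" on the terminal usually means when a scan ends without a report.

# Constructed sample in the kern.log format of a 5.x kernel (host, pid and
# sizes are invented). On a real host read /var/log/kern.log or `dmesg -T`.
SAMPLE_LOG="${TMPDIR:-/tmp}/oom_sample.$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Oct  3 11:28:50 host kernel: [ 9012.112233] python3 invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0
Oct  3 11:28:50 host kernel: [ 9012.119900] Out of memory: Killed process 23456 (cve-bin-tool) total-vm:9123456kB, anon-rss:7654321kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:16384kB oom_score_adj:0
Oct  3 11:30:01 host kernel: [ 9083.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Oct  3 11:41:12 host kernel: [ 9754.400500] Out of memory: Killed process 23999 (firefox) total-vm:4000000kB, anon-rss:1500000kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:9000kB oom_score_adj:0
EOF

# oom_kills LOGFILE PROCNAME
# Prints "pid=<pid> anon_rss_kb=<kB>" for every OOM kill of PROCNAME.
# anon-rss is the anonymous resident memory the victim held when it was killed.
oom_kills() {
    sed -n -E "s/.*Out of memory: Killed process ([0-9]+) \\(${2}\\).*anon-rss:([0-9]+)kB.*/pid=\\1 anon_rss_kb=\\2/p" "$1"
}

# oom_kill_count LOGFILE PROCNAME
# Prints how many times PROCNAME was OOM-killed according to LOGFILE.
oom_kill_count() {
    oom_kills "$1" "$2" | wc -l | tr -d ' '
}

# was_sigkilled STATUS
# True when a shell exit status means the child died of SIGKILL (128 + 9),
# which is how the OOM killer terminates its victim.
was_sigkilled() {
    [ "$1" -eq 137 ]
}

# Stand-alone run: report OOM kills of cve-bin-tool in the sample log.
oom_kills "$SAMPLE_LOG" cve-bin-tool
```

Run against a real log, `oom_kill_count /var/log/kern.log cve-bin-tool` returning a non-zero count confirms the "Killed" line came from the OOM killer rather than from a CI timeout.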
Yeah, I am not using GitHub Actions or any CI/CD libraries. When I look at kern.log, it seems the oom-killer occurs before the cve-bin-tool gets
In
What I could guess is that cve-bin-tool is taking a lot of memory, as expected, maybe due to multiprocessing/multithreading. While
It seems cve-bin-tool is taking 5% of memory, which seems to be pretty much; should it be using this much memory? Before vs during running cve-bin-tool, this is the memory status
during
Question: Just wanted to confirm if this is the expected behaviour of cve-bin-tool?
I haven't done a memory profile on it since I've never seen an OOM myself, but that doesn't seem utterly unreasonable given that it's processing gigs of vuln data in those steps. Maybe someone who's profiled the tool more recently can compare numbers with you? I'll ask in our gitter chat and see if anyone's got numbers or wants to do some profiling.
Hello! Thank you for the suggestion. I would like to work on this issue. Please let me know if there are any specific steps or requirements I should follow. Thank you!
Any suggestions to avoid the OOM-killer, and to reduce memory/space consumption?
Not sure, but disabling some data sources might help.
Why don't you use a swap file? It will prevent the OOM killer from terminating the process.
Yeah, disabling the sources and excluding a few expressions indeed helped. Thanks.
Description
Not able to generate any vuln report in STDOUT nor SBOMs for mounted qcow2
To reproduce
okhard@keep-platform-utility:~/$ cve-bin-tool /mnt/
[11:20:22] INFO cve_bin_tool - CVE Binary Tool v3.4 cli.py:624
INFO cve_bin_tool - This product uses the NVD API but is not endorsed or cli.py:625
certified by the NVD.
INFO cve_bin_tool - For potentially faster NVD downloads, mirrors are available cli.py:628
using -n json-mirror
[11:20:23] INFO cve_bin_tool - Getting NVD CVE data... nvd_source.py:389
INFO cve_bin_tool - Getting GitLab Advisory Database CVEs... gad_source.py:86
INFO cve_bin_tool - Getting RedHat CVEs... redhat_source.py:69
INFO cve_bin_tool - Getting PURL2CPE data... purl2cpe_source.py:36
ERROR CVEDB - Unable to fetch EPSS, skipping EPSS. epss_source.py:158
Downloading CVEs... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:41
[11:24:55] INFO cve_bin_tool - Adding 35598 RedHat CVE entries redhat_source.py:136
[11:29:12] INFO cve_bin_tool - Getting Open Source Vulnerability Database CVEs... osv_source.py:161
Killed
Expected behaviour: Should show the vulnerable packages with CVEs in stdout as well as in the SBOM if sbom tags are given.
Actual behaviour: Not happening as expected.
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): Installed from pypi or github?
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)
Linux keep-platform-utility 5.15.0-122-generic 132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Python 3.10.12
Running in any particular CI environment we should know about? (e.g. Github Actions)