intermittently "no such file or directory" error seen when using trivy pre-commit hook

[ocofaigh]

Description

We are running the trivy pre-commit hook like this:

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.92.0
  hooks:
    - id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="common-dev-assets/**/*"

And we are intermittently seeing this:

Terraform validate with trivy.............................................Failed
- hook id: terraform_trivy
- exit code: 1

2024-07-10T16:47:27Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:27Z	INFO	Need to update the built-in policies
2024-07-10T16:47:27Z	INFO	Downloading the built-in policies...
2024-07-10T16:47:27Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:27Z	INFO	Need to update the built-in policies
2024-07-10T16:47:27Z	INFO	Downloading the built-in policies...
2024-07-10T16:47:27Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:27Z	INFO	Need to update the built-in policies
2024-07-10T16:47:27Z	INFO	Downloading the built-in policies...
2024-07-10T16:47:27Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:27Z	INFO	Need to update the built-in policies
2024-07-10T16:47:27Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] [100](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/actions/runs/9878184694/job/27281554456#step:6:101).00% ? p/s 0s2024-07-10T16:47:27Z	FATAL	Fatal error	filesystem scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: analyzer group error: post-analyzer init error: kubernetes scanner init error: mapfs file copy error: readdirent /github/home/.cache/trivy/policy/content/policies/cloud/policies/azure/database: no such file or directory
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T16:47:27Z	ERROR	Falling back to embedded checks	err="check load error: manifest file open error (/github/home/.cache/trivy/policy/content/.manifest): open /github/home/.cache/trivy/policy/content/.manifest: no such file or directory"
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s74.86 KiB / 74.86 KiB [--------------------------------------------------------] 100.00% ? p/s 100ms2024-07-10T16:47:29Z	INFO	Detected config files	num=1
2024-07-10T16:47:29Z	INFO	Detected config files	num=1
2024-07-10T16:47:32Z	INFO	Detected config files	num=4
2024-07-10T16:47:33Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:33Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:33Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:34Z	INFO	Detected config files	num=1
2024-07-10T16:47:34Z	INFO	Detected config files	num=1
2024-07-10T16:47:34Z	INFO	Detected config files	num=1
2024-07-10T16:47:34Z	INFO	Misconfiguration scanning is enabled
2024-07-10T16:47:35Z	INFO	Detected config files	num=1

NOTE: It usually passes on retry

Desired Behavior

No error

Actual Behavior

Error (see above)

Reproduction Steps

pre-commit run --all-files

Target

Git Repository

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

tbc

Operating System

Debian

Version

v0.53.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

I don't think this issue is related to Trivy. Most likely the way you are running your pre-commit hook or the environment it is running in is the cause of the error, which is making Trivy fallback to embedded policies.

[afdesk]

@afdesk could you take a look at this?

ok, i'll try to take a look at this soon

[ocofaigh]

FYI, we are working around it by setting - --hook-config=--parallelism-limit=1

[afdesk]

FYI, we are working around it by setting - --hook-config=--parallelism-limit=1

does it work? thanks!

[ocofaigh]

yes, this workaround works for us

[yermulnik]

JFYI: that flag is specific to pre-commit-terraform (which means it might worth of replacing pre-commit with pre-commit-terraform in the title of this thread) and allows to limit number of simultaneous invocations of the underlying tool (ref: antonbabenko/pre-commit-terraform#691 (comment))

[mnazir23]

Faced this same issue on a GitLab pipeline. Does not happen in local machine. We also use pre-commit run --all-files.

Also happens intermittently and goes away on retries.

Do we know what causes this issue?

[Propolisa]

+1, also seeing this in GitLab pipeline (docker executor) with trivy config inside a custom container. Do not see the error when running the same container + entrypoint on local machine (not mounting any volumes in either case).

I'm also running the command in parallel. How can I gather just the misconfiguration / rego checks in a command run (async) before the other scans? I couldn't find it in the Air-Gapped Environment doc page (only instructions for collecting the vulnerability DB are provided).

[nikpivkin]

I think the problem is due to multiple instances of Trivy running at the same time that are concurrently working on a common directory, in this case it's delete and download checks.

rm -rf ~/Library/Caches/trivy/policy

trivy conf . -d  & trivy conf . -d & trivy conf . -d & trivy conf . -d && fg
[1] 25180
[2] 25181
[3] 25182
2024-08-13T21:21:49+06:00       DEBUG   Cache dir       dir="/Users/nikita/Library/Caches/trivy"
2024-08-13T21:21:49+06:00       DEBUG   Cache dir       dir="/Users/nikita/Library/Caches/trivy"
2024-08-13T21:21:49+06:00       DEBUG   Cache dir       dir="/Users/nikita/Library/Caches/trivy"
2024-08-13T21:21:49+06:00       DEBUG   Cache dir       dir="/Users/nikita/Library/Caches/trivy"
...
2024-08-13T21:21:49+06:00       INFO    Need to update the built-in policies
n policies...
2024-08-13T21:21:49+06:00       INFO    Downloading the built-in policies...
2024-08-13T21:21:49+06:00       DEBUG   Loading check bundle    repository="ghcr.io/aquasecurity/trivy-checks:0"
2024-08-13T21:21:49+06:00       DEBUG   Loading check bundle    repository="ghcr.io/aquasecurity/trivy-checks:0"
74.86 KiB / 74.86 KiB [-----------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2024-08-13T21:21:51+06:00       ERROR   [misconfig] Falling back to embedded checks     err="failed to download built-in policies: download error: oci download error: download error: failed to download /var/folders/08/9jn5k93x207g509y9zqk2b5m0000gn/T/trivy3029491832/bundle.tar.gz: chmod /Users/nikita/Library/Caches/trivy/policy/content/policies/kubernetes/policies/general/manage_all_resources.rego: no such file or directory"
2024-08-13T21:21:51+06:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-13T21:21:51+06:00       DEBUG   Initializing scan cache...      type="memory"
2024-08-13T21:21:51+06:00       DEBUG   Skipping path   path=".git"
2024-08-13T21:21:51+06:00       DEBUG   Scanning files for misconfigurations... scanner="Helm"
2024-08-13T21:21:51+06:00       DEBUG   [misconf] 21:51.051479000 helm.scanner.rego                Loaded 3 embedded libraries.
74.86 KiB / 74.86 KiB [----------------------------------------------------------------------------------] 100.00% 7.30 MiB p/s 200ms
2024-08-13T21:21:51+06:00       ERROR   [misconfig] Falling back to embedded checks     err="failed to download built-in policies: download error: oci download error: download error: failed to download /var/folders/08/9jn5k93x207g509y9zqk2b5m0000gn/T/trivy4155932743/bundle.tar.gz: chmod /Users/nikita/Library/Caches/trivy/policy/content/policies/cloud: no such file or directory"
...

[simar7]

Does this happen with a vulnerability scan as well? IOW, when downloading trivy-db, do we have any logic to take care of parallel instances of trivy being executed?

[nikpivkin]

The same logic is used to load the db and the checks bundle. But I have not been able to reproduce the problem when loading the db.

[simar7]

I think we should decide if running multiple instances of Trivy in parallel is something we'd like to support. I can see the use case for it, if we're scanning multiple targets at once. Although supporting something like this might add complexity (lock files, etc.) WDYT @knqyf263?