
support other registries (quai.io, Azure Container Registry, private Harbor, etc.) #229

Closed
ahmddp opened this issue Oct 26, 2019 · 4 comments · Fixed by aquasecurity/fanal#48
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@ahmddp

ahmddp commented Oct 26, 2019

Description

Trivy is unable to create a registry client to pull Quay.io hosted images.

➜  ~ docker run -v /Library/Caches:/root/.cache/ \
        aquasec/trivy:latest -c quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
2019-10-26T20:34:33.822Z	INFO	Removing image caches...
2019-10-26T20:34:33.847Z	INFO	Updating vulnerability database...
2019-10-26T20:34:38.673Z	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to create the registry client: Get https://quay.io/v2/: http: non-successful response (status=401 body="{\"error\": \"Invalid bearer token format\"}")
➜  ~ 

However, if I first pull the image and then scan it on the host machine (by mounting docker.sock), Trivy succeeds:

➜  ~ docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1

0.26.1: Pulling from kubernetes-ingress-controller/nginx-ingress-controller
c8775c51b291: Already exists 
4fc647720de5: Already exists 
4bee7d3b55eb: Already exists 
85ee1a272ac8: Already exists 
6a37290ece43: Already exists 
cd42756652d1: Already exists 
ba0a46163f53: Already exists 
b15c3bdebd38: Already exists 
69a3d60cbd64: Already exists 
7b1f35e5645a: Already exists 
8c7b9cd15ac7: Already exists 
9021fc6169bc: Already exists 
Digest: sha256:d0b22f715fcea5598ef7f869d308b55289a3daaa12922fa52a1abf17703c88e7
Status: Image is up to date for quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
➜  ~ docker run \
        -v /Library/Caches:/root/.cache/ \
        -v /var/run/docker.sock:/var/run/docker.sock \
        aquasec/trivy:latest -c quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
2019-10-26T20:40:01.937Z	INFO	Removing image caches...
2019-10-26T20:40:01.941Z	INFO	Updating vulnerability database...
2019-10-26T20:40:09.097Z	INFO	Detecting Debian vulnerabilities...

quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1 (debian 10.1)
===================================================================================
Total: 127 (UNKNOWN: 1, LOW: 29, MEDIUM: 81, HIGH: 15, CRITICAL: 1)
...

Output of run with -debug:

➜  ~ docker run -v /Library/Caches:/root/.cache/ \
        aquasec/trivy:latest -c -debug quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
2019-10-26T20:35:54.517Z	DEBUG	cache dir:  /root/.cache/trivy
2019-10-26T20:35:54.517Z	INFO	Removing image caches...
2019-10-26T20:35:54.517Z	DEBUG	db path: /root/.cache/trivy/db/trivy.db
2019-10-26T20:35:54.521Z	INFO	Updating vulnerability database...
2019-10-26T20:35:54.521Z	DEBUG	git pull
2019-10-26T20:35:55.522Z	DEBUG	total updated files: 1
2019-10-26T20:35:55.524Z	DEBUG	Vulnerability type:  [os library]
2019-10-26T20:35:58.888Z	FATAL	error in image scan:
    github.com/aquasecurity/trivy/pkg.Run
        /home/circleci/project/pkg/run.go:168
  - failed to analyze image:
    github.com/aquasecurity/trivy/pkg/scanner.ScanImage
        /home/circleci/project/pkg/scanner/scan.go:38
  - failed to extract files:
    github.com/aquasecurity/fanal/analyzer.Analyze
        /go/pkg/mod/github.com/aquasecurity/[email protected]/analyzer/analyzer.go:131
  - failed to create the registry client:
    github.com/aquasecurity/fanal/extractor/docker.DockerExtractor.Extract
        /go/pkg/mod/github.com/aquasecurity/[email protected]/extractor/docker/docker.go:175
  - Get https://quay.io/v2/: http: non-successful response (status=401 body="{\"error\": \"Invalid bearer token format\"}")

Output of trivy -v:

➜  ~ docker run -v /Library/Caches:/root/.cache/ \
        aquasec/trivy:latest -v
trivy version 0.1.7
@ahmddp ahmddp added the kind/bug Categorizes issue or PR as related to a bug. label Oct 26, 2019
@chgl

chgl commented Oct 27, 2019

There's a similar issue using a private Harbor-based registry:

$ docker run --rm -v /cache/trivy/:/root/.cache/ aquasec/trivy harbor.example.com/test/test-vuln:1.0.0 --severity HIGH --exit-code 0 --no-progress --auto-refresh
[...]
2019-10-27T10:31:54.454Z	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to create the registry client: Get https://harbor.example.com/v2/: http: non-successful response (status=401 body="{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":null}]}\n")

Setting TRIVY_USERNAME and TRIVY_PASSWORD has no effect.

Note that this occurs even if harbor.example.com/test/test-vuln:1.0.0 is configured as a public project in Harbor.

Let me know if this warrants its own issue.

@ahmddp
Author

ahmddp commented Oct 30, 2019

Today, I encountered the same error while scanning one of the images from an Azure Container Registry anonymous repo.

➜  ~ docker run -v /Library/Caches:/root/.cache/ \
        aquasec/trivy:latest -c aksrepos.azurecr.io/prod/hcp-tunnel-front:v1.9.2-v3.0.7
2019-10-30T20:20:47.259Z	INFO	Removing image caches...
2019-10-30T20:20:47.299Z	INFO	Updating vulnerability database...
2019-10-30T20:20:49.233Z	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to create the registry client: Get https://aksrepos.azurecr.io/v2/: http: non-successful response (status=401 body="{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":null}]}\n")

@christian-weiss

It would be nice if you changed the title to
"Support other registries (quai.io, Azure Container Registry, private Harbor, etc.)"

@ahmddp ahmddp changed the title failed to create the registry client for quay hosted images support other registries (quai.io, Azure Container Registry, private Harbor, etc.) Nov 4, 2019
@jabielecki
Contributor

Created auxiliary upstream issue genuinetools/reg#198, but we can apply some easy workaround here and now as well, I guess.

jabielecki added a commit to jabielecki/fanal that referenced this issue Nov 21, 2019
Workaround for a deficient Ping implementation of reg package.
Ping fails on docker registries that return http 401
Authentication Required when requesting general /v2 url, but
happily allow unauthenticated pull of a specific image.

Closes aquasecurity/trivy#229

Signed-off-by: Jakub Bielecki <[email protected]>
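The registry behaviour the commit above works around, as an added example (my own code, not fanal's or reg's): an anonymous GET /v2/ on a token-auth registry answers 401 with a WWW-Authenticate Bearer challenge, and the client is expected to fetch a per-repository pull token from the realm named in that challenge, which a registry that allows public pulls hands out without credentials. The type and function names and the sample header format are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
)

// Challenge holds the fields of a "WWW-Authenticate: Bearer ..." header, the way
// token-auth registries (quay.io, ACR, Harbor) answer an anonymous GET /v2/.
type Challenge struct{ Realm, Service string }
var fieldRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseBearer extracts realm and service from a Bearer challenge. ok is false for
// an empty header, a Basic challenge, or a Bearer challenge without a realm.
func ParseBearer(h string) (c Challenge, ok bool) {
	if len(h) < 7 || h[:7] != "Bearer " {
		return c, false
	}
	for _, m := range fieldRe.FindAllStringSubmatch(h[7:], -1) {
		switch m[1] {
		case "realm":
			c.Realm = m[2]
		case "service":
			c.Service = m[2]
		}
	}
	return c, c.Realm != ""
}

// PingOK classifies GET /v2/: 200 is open access; 401 with a Bearer challenge means
// "reachable, get a token per repository", the case the original Ping treated as fatal.
func PingOK(status int, wwwAuth string) (ok bool, c Challenge) {
	switch status {
	case http.StatusOK:
		return true, c
	case http.StatusUnauthorized:
		c, ok = ParseBearer(wwwAuth)
		return ok, c
	}
	return false, c
}

// TokenURL builds the anonymous token request for one repository's pull scope;
// a registry that allows public pulls answers it without credentials.
func TokenURL(c Challenge, repo string) string {
	q := url.Values{"service": {c.Service}, "scope": {"repository:" + repo + ":pull"}}
	return fmt.Sprintf("%s?%s", c.Realm, q.Encode())
}
```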
knqyf263 pushed a commit to aquasecurity/fanal that referenced this issue Nov 24, 2019
liamg pushed a commit that referenced this issue Jun 7, 2022
josedonizetti referenced this issue in josedonizetti/trivy Jun 24, 2022
feat: add unit tests for Cloudstack Compute rules