How to run Trivy stably in GitLab for a Docker image with Java?

I use GitLab (Community Edition 14.0.10) to build a Spring Boot application and package it into a Docker image. I added Trivy to my GitLab pipeline.

But sometimes Trivy does not check the Java dependencies.

Code

build-and-push-docker:
  stage: package
  image: docker:latest
  before_script:
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker image build . --pull --tag "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
    - ./trivy -d --exit-code 0 --cache-dir .trivycache/ --no-progress --ignore-unfixed "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
    - docker image push "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
    - docker image rm "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
  cache:
    paths:
      - .trivycache/

See also GitLabCI

Error

Analysis error: jar/war/ear parse error: failed to parse BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar: failed to search by SHA1: status 400  from https://search.maven.org/solrsearch/select?q=1%3A%2244aebd5ec26be2d2ff3f72d2181001aad1f94f4a%22&rows=1&wt=json

If I open the link above in my browser, I get a correct response.

Logs

$ ./trivy -d --exit-code 0 --cache-dir .trivycache/ --no-progress --ignore-unfixed "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
2021-10-08T14:42:28.577Z    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-10-08T14:42:28.597Z    DEBUG   cache dir:  .trivycache/
2021-10-08T14:42:28.598Z    DEBUG   There is no valid metadata file: unable to open a file: open .trivycache/db/metadata.json: no such file or directory
2021-10-08T14:42:28.598Z    INFO    Need to update DB
2021-10-08T14:42:28.598Z    INFO    Downloading DB...
2021-10-08T14:42:28.598Z    DEBUG   no metadata file
2021-10-08T14:42:28.752Z    DEBUG   release name: v1-2021100812
2021-10-08T14:42:28.752Z    DEBUG   asset name: trivy-light-offline.db.tgz
2021-10-08T14:42:28.752Z    DEBUG   file name doesn't match
2021-10-08T14:42:28.752Z    DEBUG   asset name: trivy-light.db.gz
2021-10-08T14:42:28.752Z    DEBUG   file name doesn't match
2021-10-08T14:42:28.752Z    DEBUG   asset name: trivy-offline.db.tgz
2021-10-08T14:42:28.752Z    DEBUG   file name doesn't match
2021-10-08T14:42:28.752Z    DEBUG   asset name: trivy.db.gz
2021-10-08T14:42:28.761Z    DEBUG   asset URL: https://github-releases.githubusercontent.com [...]
2021-10-08T14:42:29.485Z    DEBUG   Updating database metadata...
2021-10-08T14:42:29.485Z    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-10-08 12:05:52.970906645 +0000 UTC, NextUpdate: 2021-10-08 18:05:52.970906245 +0000 UTC, DownloadedAt:    2021-10-08 14:42:29.48566609 +0000 UTC
2021-10-08T14:42:29.485Z    DEBUG   Vulnerability type:  [os library]
2021-10-08T14:42:29.490Z    DEBUG   Image ID: sha256:08770cf43def239f496562ab59fa2df2e387cc3ec6331cc251bbb262638a4870
2021-10-08T14:42:29.490Z    DEBUG   Diff IDs: [sha256:5e6a409f30b62f42e55599490ba76ad82dca8de7b52655ecc8be25c46ad8b2b9 sha256:dabfe5b2ea81d864f4c6d49a884ec43489a497606a0fdc875e203b388627e165 sha256:d35dc7f4c79e18c7cf9b39411661b66fe92999142ec4dd02e9c38c596da80441 sha256:3f4d061037d3e4c5706ab779910bd6a815539b3db32e509aa12f6f5b882c30c1 sha256:61e996612cf7a7cf9873d173b5f4a78b8ea9a8a8dd2a7609ddc79c21181d381c sha256:f0ecedcc8c0f68a6d6eeea16e490580df0267da4fd88afc27f3aad4b4a0075cb sha256:dce0aba9d8729df4e13119a672bbde3d21afa509eba27fc0a5ebd67818cc2b82 sha256:afddb0fbbf519183e18698970551b5a16a6e907c010319e5c910572afd3e3cda sha256:8e837de786fe1d0b073d0ad4c7c6386884e30dae6fe4fbdb342889120e192602 sha256:968e057504834f26cb4943f4a0fe354659003ba84b4cece7dd7653deb763dbfc]
2021-10-08T14:42:29.490Z    DEBUG   Missing image ID: sha256:08770cf43def239f496562ab59fa2df2e387cc3ec6331cc251bbb262638a4870
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:968e057504834f26cb4943f4a0fe354659003ba84b4cece7dd7653deb763dbfc
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:61e996612cf7a7cf9873d173b5f4a78b8ea9a8a8dd2a7609ddc79c21181d381c
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:5e6a409f30b62f42e55599490ba76ad82dca8de7b52655ecc8be25c46ad8b2b9
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:dabfe5b2ea81d864f4c6d49a884ec43489a497606a0fdc875e203b388627e165
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:d35dc7f4c79e18c7cf9b39411661b66fe92999142ec4dd02e9c38c596da80441
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:3f4d061037d3e4c5706ab779910bd6a815539b3db32e509aa12f6f5b882c30c1
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:afddb0fbbf519183e18698970551b5a16a6e907c010319e5c910572afd3e3cda
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:8e837de786fe1d0b073d0ad4c7c6386884e30dae6fe4fbdb342889120e192602
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:dce0aba9d8729df4e13119a672bbde3d21afa509eba27fc0a5ebd67818cc2b82
2021-10-08T14:42:29.490Z    DEBUG   Missing diff ID: sha256:f0ecedcc8c0f68a6d6eeea16e490580df0267da4fd88afc27f3aad4b4a0075cb
2021-10-08T14:42:31.763Z    DEBUG   Analysis error: unable to parse bin/bzcat: failed to parse bin/bzcat: EOF
2021-10-08T14:42:31.763Z    DEBUG   Analysis error: unable to parse bin/bzip2: failed to parse bin/bzip2: EOF
2021-10-08T14:42:31.773Z    DEBUG   Parsing Java artifacts...   {"file": "usr/local/openjdk-11/lib/jrt-fs.jar"}
2021-10-08T14:42:31.776Z    DEBUG   Analysis error: unable to parse usr/bin/zipinfo: failed to parse usr/bin/zipinfo: EOF
2021-10-08T14:42:31.800Z    DEBUG   Analysis error: unable to parse bin/uncompress: failed to parse bin/uncompress: EOF
2021-10-08T14:42:31.857Z    DEBUG   Parsing Java artifacts...   {"file": "usr/src/app/app.jar"}
2021-10-08T14:42:31.867Z    DEBUG   Analysis error: unable to parse usr/bin/perl5.32.1: failed to parse usr/bin/perl5.32.1: EOF
2021-10-08T14:42:31.912Z    DEBUG   Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar"}
2021-10-08T14:42:32.238Z    DEBUG   No such POM in the central repositories {"file": "jrt-fs.jar"}
2021-10-08T14:42:32.346Z    DEBUG   Analysis error: jar/war/ear parse error: failed to parse BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar: failed to search by SHA1: status 400  from https://search.maven.org/solrsearch/select?q=1%3A%2244aebd5ec26be2d2ff3f72d2181001aad1f94f4a%22&rows=1&wt=json
2021-10-08T14:42:32.367Z    DEBUG   Missing image cache: sha256:7b4706b6a3577b17b1528ec4ba1995d3f1d0704a52c78ef1e1d4f3dd5e1d84f9
2021-10-08T14:42:32.442Z    INFO    Detected OS: debian
2021-10-08T14:42:32.442Z    INFO    Detecting Debian vulnerabilities...
2021-10-08T14:42:32.442Z    DEBUG   debian: os version: 11
2021-10-08T14:42:32.442Z    DEBUG   debian: the number of packages: 142
2021-10-08T14:42:32.457Z    INFO    Number of language-specific files: 0
gitlab.my-company.com:5005/product/service:221 (debian 11.0)
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

The log of the Java dependency check is missing.

Research

I found a similar issue, see Scan tries to contact maven.org even in an air-gapped environment:

We use the latest version v0.19.2 and see the error below.

Analysis error: jar/war/ear parse error: failed to search by SHA1: status 403 Forbidden
from http://search.maven.org/solrsearch/select?q=1%3A%22a080d66963eaa0e3a4cabcc90a7798156b047fee%22&rows=1&wt=json

Any suggested workaround or an option to use a Maven mirror?

But I do not understand the 403; I got a 400. Also, I do not want to disable the Java scan or use a second tool for it (the recommended solution in the issue).

Question

How can I call Trivy stably from GitLab?
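One way to make the job fail instead of silently reporting "Total: 0" when the Java analysis errors out, as an added example that is not code from the question: a bash gate over Trivy's debug log. The function name, the log file handling and the sample log lines are constructed from the output shown above.

```shell
#!/usr/bin/env bash
# Added example, not code from the question: gate the GitLab job on whether Trivy
# actually analysed the Java dependencies. With "--exit-code 0" and the jar parse
# error logged only at DEBUG level, the job above passes with "Total: 0" even
# though the Spring Boot jar was never scanned.
set -u

# check_trivy_java_scan LOGFILE: returns 0 if Java deps were scanned (or no jars
# exist), 1 if jars were found but their analysis failed or produced no results.
check_trivy_java_scan() {
  local log="$1"
  # Trivy logs "Parsing Java artifacts" only when it found a jar in the image.
  if ! grep -q 'Parsing Java artifacts' "$log"; then
    echo "no Java artifacts found; nothing to gate on"
    return 0
  fi
  # A jar/war/ear parse error means the SHA1 lookup against Maven Central
  # failed and the jar's dependencies were skipped rather than scanned.
  if grep -q 'jar/war/ear parse error' "$log"; then
    echo "Java dependency analysis failed: Maven Central lookup error"
    return 1
  fi
  # Jars present but zero language-specific files means the Java results
  # are missing even without an explicit error line.
  if grep -q 'Number of language-specific files: 0' "$log"; then
    echo "Java artifacts present but no language-specific files reported"
    return 1
  fi
  return 0
}

# Constructed sample logs, modelled on the lines the question shows.
BAD_LOG=$(mktemp)
cat >"$BAD_LOG" <<'EOF'
DEBUG   Parsing Java artifacts...   {"file": "usr/src/app/app.jar"}
DEBUG   Analysis error: jar/war/ear parse error: failed to search by SHA1: status 400
INFO    Number of language-specific files: 0
EOF
GOOD_LOG=$(mktemp)
cat >"$GOOD_LOG" <<'EOF'
DEBUG   Parsing Java artifacts...   {"file": "usr/src/app/app.jar"}
INFO    Number of language-specific files: 1
EOF

# In the job: ./trivy -d ... "$IMAGE" 2>&1 | tee trivy.log; check_trivy_java_scan trivy.log
check_trivy_java_scan "$GOOD_LOG" && echo "good log: OK"
check_trivy_java_scan "$BAD_LOG" || echo "bad log: the job should fail here"
```

Trivy writes its debug lines to stderr, so the `2>&1 | tee` redirection in the comment is what makes them visible to the check.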

0 answers
