container-scanning analyzer fails when scanning maven dependencies in offline environment

Summary

Based on the discussion in gitlab-org/security-products/analyzers/container-scanning!2647 (comment 826253473), the issue opened against Trivy (https://github.com/aquasecurity/trivy/issues/1290) and the related PR (https://github.com/aquasecurity/trivy/pull/1511), the container-scanning analyzer does not work properly for Maven projects in an offline environment: Trivy tries to reach search.maven.org to look up JAR checksums, and the request cannot complete without internet access.

Steps to reproduce

  1. Create a Maven project in GitLab (you can use https://github.com/apache/maven)
  2. Configure container scanning for this project (extend the .gitlab-ci.yml file with Container Scanning: https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#configuration)
  3. Run the pipeline for this project
  4. Turn off the internet connection and run the pipeline again

Example Project

What is the current bug behavior?

Trivy fails with the following error (note the lookup against search.maven.org, which is retried until the scan timeout is exceeded):

2022-01-31T10:40:54.740+0100	DEBUG	request failed	{"error": "Get \"https://search.maven.org/solrsearch/select?q=1%3A%224f278760b2f9f8786cab446beff634f711a8746b%22&rows=1&wt=json\": dial tcp: lookup search.maven.org on [::1]:53: read udp [::1]:54741->[::1]:53: read: connection refused", "method": "GET", "url": "https://search.maven.org/solrsearch/select?q=1%3A%224f278760b2f9f8786cab446beff634f711a8746b%22&rows=1&wt=json"}
2022-01-31T10:40:54.740+0100	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%224f278760b2f9f8786cab446beff634f711a8746b%22&rows=1&wt=json", "timeout": "2m40s", "remaining": 2}
2022-01-31T10:43:32.115+0100	FATAL	scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:71
  - image scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:217
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:98
  - analyze error:
    github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211224205755-c94f68b6d71a/artifact/image/image.go:105
  - timeout:
    github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
        /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211224205755-c94f68b6d71a/artifact/image/image.go:175
  - context deadline exceeded

What is the expected correct behavior?

Trivy in container-scanning should not contact external APIs when fetching information about dependencies in an offline environment; the scan should complete using only the locally available data.

Workaround

Option 1

  1. Use an older version of CS_ANALYZER_IMAGE (registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:4.5.10)

Option 2

  1. Extend your .gitlab-ci.yml file with:

     variables:
       TRIVY_OFFLINE_SCAN: "true"

Possible fixes

  1. Use the --offline-scan flag for Trivy (we could hide it behind an environment variable, so this would be customisable)

Implementation plan

Option 1:

  • backend: Extend the scan_command and os_scan_command methods in lib/gcs/trivy.rb to use the --offline-scan flag by default.

Option 2:

  • backend: Extend the scan_command and os_scan_command methods in lib/gcs/trivy.rb to use the --offline-scan flag when the CS_OFFLINE_MODE variable is set to true (default: false).
  • documentation: Add information about CS_OFFLINE_MODE to the Available CI/CD variables section in doc/user/application_security/container_scanning/index.md
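The following is an added illustration of Option 2 and is not the analyzer's own lib/gcs/trivy.rb: the method names scan_command and os_scan_command mirror the ones named above, but their arguments, the other Trivy flags and the module layout are assumptions. It shows the one behaviour the plan asks for, namely that --offline-scan is appended only when CS_OFFLINE_MODE is set to true and that both scan commands share that decision.

```ruby
# Example implementation of the CS_OFFLINE_MODE switch (not the analyzer's code).
# Only --offline-scan comes from the issue; --format/--output/--vuln-type are
# standard Trivy flags used here as assumed arguments.
module Gcs
  module TrivyExample
    TRUTHY = %w[true 1 yes].freeze

    # CS_OFFLINE_MODE defaults to false when unset or unrecognised.
    # `env` is injectable so the logic can be exercised without touching ENV.
    def self.offline_mode?(env = ENV)
      TRUTHY.include?(env.fetch("CS_OFFLINE_MODE", "false").strip.downcase)
    end

    # Flags shared by both scan commands. --offline-scan stops Trivy from
    # querying remote APIs such as search.maven.org for JAR lookups, which is
    # what times out in the log above when there is no internet access.
    def self.common_flags(env = ENV)
      flags = []
      flags << "--offline-scan" if offline_mode?(env)
      flags
    end

    # Hypothetical equivalent of scan_command: full image scan (OS + libraries).
    def self.scan_command(image_name, output_file, env = ENV)
      ["trivy", "image", *common_flags(env),
       "--format", "json", "--output", output_file, image_name]
    end

    # Hypothetical equivalent of os_scan_command: OS packages only.
    def self.os_scan_command(image_name, output_file, env = ENV)
      ["trivy", "image", *common_flags(env), "--vuln-type", "os",
       "--format", "json", "--output", output_file, image_name]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: offline mode requested via the CI variable.
  env = { "CS_OFFLINE_MODE" => "true" }
  puts Gcs::TrivyExample.scan_command("registry.example/app:latest",
                                      "gl-container-scanning-report.json", env).join(" ")
end
```

Keeping the decision in one helper (common_flags) means the two commands cannot drift apart, and passing the environment in explicitly lets the default-false case be tested without manipulating the real process environment.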
Edited by Alan (Maciej) Paruszewski