# container-scanning analyzer fails when scanning Maven dependencies in an offline environment

### Summary

Based on information from gitlab-org/security-products/analyzers/container-scanning!2647 (comment 826253473), the issue created for Trivy (https://github.com/aquasecurity/trivy/issues/1290) and the related PR (https://github.com/aquasecurity/trivy/pull/1511), the container-scanning analyzer does not work properly for Maven projects in an offline environment.
### Steps to reproduce

- Create a Maven project in GitLab (you can use https://github.com/apache/maven)
- Configure `container-scanning` for this project (extend the `.gitlab-ci.yml` file with Container Scanning: https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#configuration)
- Run the pipeline for this project
- Turn off the internet connection and run the pipeline again

### Example Project
### What is the current bug behavior?

Trivy fails with the following error (the `search.maven.org` lookup cannot be resolved offline, the request is retried until the scan timeout expires, and the whole scan aborts):

```
2022-01-31T10:40:54.740+0100 DEBUG request failed {"error": "Get \"https://search.maven.org/solrsearch/select?q=1%3A%224f278760b2f9f8786cab446beff634f711a8746b%22&rows=1&wt=json\": dial tcp: lookup search.maven.org on [::1]:53: read udp [::1]:54741->[::1]:53: read: connection refused", "method": "GET", "url": "https://search.maven.org/solrsearch/select?q=1%3A%224f278760b2f9f8786cab446beff634f711a8746b%22&rows=1&wt=json"}
2022-01-31T10:40:54.740+0100 DEBUG retrying request {"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%224f278760b2f9f8786cab446beff634f711a8746b%22&rows=1&wt=json", "timeout": "2m40s", "remaining": 2}
2022-01-31T10:43:32.115+0100 FATAL scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:71
- image scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:217
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:98
- analyze error:
github.com/aquasecurity/fanal/artifact/image.Artifact.Inspect
/home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211224205755-c94f68b6d71a/artifact/image/image.go:105
- timeout:
github.com/aquasecurity/fanal/artifact/image.Artifact.inspect
/home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211224205755-c94f68b6d71a/artifact/image/image.go:175
- context deadline exceeded
```
### What is the expected correct behavior?

`trivy` in `container-scanning` should not contact external APIs when fetching information about dependencies in an offline environment.
### Workaround

**Option 1**

- Use an older version of `CS_ANALYZER_IMAGE` (`registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:4.5.10`)

**Option 2**

- Extend your `.gitlab-ci.yml` file with:

```yaml
variables:
  TRIVY_OFFLINE_SCAN: "true"
```
### Possible fixes

- Use the `--offline-scan` flag for Trivy (we could hide it behind an environment variable, so this would be customisable)
### Implementation plan

**Option 1:**

- ~backend Extend the `scan_command` and `os_scan_command` methods in `lib/gcs/trivy.rb` to use the `--offline-scan` flag by default.

**Option 2:**

- ~backend Extend the `scan_command` and `os_scan_command` methods in `lib/gcs/trivy.rb` to use the `--offline-scan` flag when the `CS_OFFLINE_MODE` variable is set to `true` (default: `false`).
- ~documentation Add information about `CS_OFFLINE_MODE` to the "Available CI/CD variables" section in `doc/user/application_security/container_scanning/index.md`
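As an added example (not code from the container-scanning analyzer or from `lib/gcs/trivy.rb`), the following Ruby models Option 2 of the implementation plan: the command builders append `--offline-scan` only when `CS_OFFLINE_MODE` is set to `true`, and default to an online scan otherwise. The module and method names, the `image` argument and the `env:` keyword are hypothetical; `--format`, `--vuln-type` and `--offline-scan` are real Trivy options, and the sample environment at the bottom is constructed.

```ruby
# Added example, not the analyzer's own code. Demonstrates building the Trivy
# command line so that --offline-scan is appended only when CS_OFFLINE_MODE is
# "true" (default: false), as proposed for scan_command / os_scan_command.
require 'shellwords'

module OfflineScanExample
  # Reads CS_OFFLINE_MODE from the given environment hash (ENV by default).
  # Only the literal value "true" (case-insensitive) enables offline mode;
  # anything else, including an unset variable, keeps the default of false,
  # so a typo such as "yes" never silently changes behaviour.
  def self.offline_mode?(env = ENV)
    env.fetch('CS_OFFLINE_MODE', 'false').to_s.strip.casecmp?('true')
  end

  # Prefix shared by both scan commands (hypothetical helper).
  def self.base_command(env)
    cmd = %w[trivy image --format json]
    cmd << '--offline-scan' if offline_mode?(env)
    cmd
  end
  private_class_method :base_command

  # Full scan: OS packages plus language dependencies (e.g. Maven jars),
  # which is where the search.maven.org lookups in the report come from.
  def self.scan_command(image, env: ENV)
    base_command(env) + [image]
  end

  # OS-package-only scan; --vuln-type os restricts Trivy to the OS layer.
  def self.os_scan_command(image, env: ENV)
    base_command(env) + ['--vuln-type', 'os', image]
  end

  # Shell-escaped string form, suitable for logging the exact invocation.
  def self.render(cmd)
    Shellwords.join(cmd)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_env = { 'CS_OFFLINE_MODE' => 'true' } # constructed sample environment
  image = 'registry.example.com/app:1.0'     # constructed image reference
  puts OfflineScanExample.render(OfflineScanExample.scan_command(image, env: demo_env))
  puts OfflineScanExample.render(OfflineScanExample.os_scan_command(image, env: {}))
end
```

Passing the environment in as a hash rather than reading `ENV` directly keeps the builders testable and makes the default visible at the call site; the argument vector is kept as an array so the image reference is never interpolated into a shell string, and `Shellwords.join` is used only for the logged form.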
Edited by Alan (Maciej) Paruszewski