Container Scanning v6.1.0 FIPS images are broken
Summary
Support for uncompressing the trivy and grype vulnerability databases at runtime was added in Uncompress vulnerability databases at runtime (#404578 - closed). However, due to missing test coverage, the FIPS images were not updated to uncompress the data automatically, which results in both the trivy:6-fips and grype:6-fips images failing:
docker run -it --rm -e CS_IMAGE=alpine:3.7 registry.gitlab.com/security-products/container-scanning/trivy:6.1.0-fips
/bin/bash: /home/gitlab/.bashrc: No such file or directory
<snip>
[INFO] [2023-06-14 00:45:26 +0000] [container-scanning] > Scanning container from registry alpine:3.7 for vulnerabilities with severity level UNKNOWN or higher, with gcs 6.1.0 and Trivy unknown, advisories updated at unknown
2023-06-14T00:45:27.074Z DEBUG cache dir: /home/gitlab/.cache/trivy/ce
2023-06-14T00:45:27.075Z DEBUG There is no valid metadata file: unable to open a file: open /home/gitlab/.cache/trivy/ce/db/metadata.json: no such file or directory
2023-06-14T00:45:27.075Z ERROR The first run cannot skip downloading DB
2023-06-14T00:45:27.078Z FATAL init error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:389
- DB error:
github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:124
- database error:
github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
/home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:109
- --skip-update cannot be specified on the first run:
github.com/aquasecurity/trivy/pkg/db.(*Client).NeedsUpdate
/home/runner/work/trivy/trivy/pkg/db/db.go:96
What is the current bug behavior?
Container Scanning analyzer fails to produce the gl-container-scanning-report.json file and exits with code 1.
What is the expected correct behavior?
Container Scanning analyzer should produce the gl-container-scanning-report.json file and exit with code 0.
Possible fixes
Update the Dockerfile.fips file to:
- Copy the .bashrc file to the Docker container
- Don't remove tar from the fips Docker image
- Fix the missing test coverage. To be addressed in Investigate missing test coverage in Container ... (#415283).
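As an added example (not code from the container-scanning project; the archive name, cache path and sample metadata contents are assumptions), here is a POSIX shell preflight helper that does what the FIPS images were meant to do at start-up: uncompress the database archive into the scanner's cache directory, check explicitly that tar is present, and verify that metadata.json exists before the scanner is invoked with --skip-update. The explicit tar check turns the silent failure seen above (a missing metadata.json on the "first run") into an immediate, readable error, which is the kind of check the missing test coverage would have caught.

```shell
#!/bin/sh
# Added example, not part of the GitLab container-scanning project.
# Paths, archive layout and metadata contents below are assumptions.

# uncompress_db ARCHIVE CACHE_DIR
# Extracts a .tar.gz vulnerability database into CACHE_DIR and verifies
# that CACHE_DIR/db/metadata.json exists afterwards.
# Returns 0 on success and a distinct non-zero code for each failure.
uncompress_db() {
  archive="$1"
  cache_dir="$2"

  # The 6.1.0-fips images had tar removed, so check for it up front
  # instead of letting the scanner fail later with a confusing DB error.
  if ! command -v tar >/dev/null 2>&1; then
    echo "error: tar is not installed; cannot uncompress $archive" >&2
    return 2
  fi
  if [ ! -f "$archive" ]; then
    echo "error: archive $archive not found" >&2
    return 3
  fi
  mkdir -p "$cache_dir" || return 4
  tar -xzf "$archive" -C "$cache_dir" || return 4

  # Trivy refuses --skip-update when metadata.json is absent on the first
  # run (see the FATAL init error in the report), so verify it is there.
  if [ ! -f "$cache_dir/db/metadata.json" ]; then
    echo "error: $cache_dir/db/metadata.json missing after extraction" >&2
    return 5
  fi
  return 0
}

# make_sample_archive WORKDIR
# Builds a constructed sample archive (db/metadata.json plus an empty
# db file) so the helper can be exercised offline; prints the archive path.
make_sample_archive() {
  workdir="$1"
  mkdir -p "$workdir/src/db"
  printf '{"Version":2,"UpdatedAt":"2023-06-14T00:00:00Z"}\n' \
    > "$workdir/src/db/metadata.json"
  : > "$workdir/src/db/trivy.db"
  tar -czf "$workdir/db.tar.gz" -C "$workdir/src" db
  echo "$workdir/db.tar.gz"
}
```

In an image entrypoint this would be called as `uncompress_db /opt/trivy-db.tar.gz "$HOME/.cache/trivy" || exit 1` (hypothetical paths) before the scanner starts, so a missing tar binary or an incomplete archive fails the job with a clear message rather than an empty report and exit code 1.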
Edited by Adam Cohen