Container Scanning fails to download Trivy Java DB due to rate-limiting
Currently, the container scanning task pulls the Java vulnerability databases each time it runs, which means it can hit Google's container registry rate-limiting:
Using docker image sha256:0664f5f43e33e7e9998b089f52a138a07613e5a99c2934f145e66fbe8100d73c for registry.gitlab.com/security-products/container-scanning:6 with digest registry.gitlab.com/security-products/container-scanning@sha256:937bf3a5437a9cdb13c135ea1b53b6d58dff36e9ffa89292352254c362083efe ...
…
2023-11-28T16:53:40.500Z ERROR Unable to initialize the Java DB: Java DB update failed: Java DB update error: DB download error: OCI repository error: 1 error occurred:
* Get "https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-java-db%3Apull&service=ghcr.io": stopped after 10 redirects
2023-11-28T16:53:44.450Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:200a10512f67a9f2c2cf8628cc0e35f0351a6d50ba0d63ec6d31743f27b73e74): post analysis error: post analysis error: Java DB update failed: Java DB update error: DB download error: OCI repository error: 1 error occurred:
* Get "https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-java-db%3Apull&service=ghcr.io": stopped after 10 redirectsIt is possible to configure a local mirror of the Java database but this should be built-in to keep it simple, ideally reusing the dependency proxy.
Proposals
- Host image on our registry. See #433019 (comment 1696988798).
- Wait to see if the fix for multiple db downloads works. See #433019 (comment 1696993119).
Implementation
Let's try first with upgrading Trivy to a patched version (See #433019 (comment 1696993119)). We'll revisit the implementation plan if the problem is still present.
Edited by Oscar Tovar