Operational Container Scanning fails to scan images with Java dependencies

Summary

When Operational Container Scanning (OCS) scans an image that contains Java dependencies, it pulls the Trivy Java DB from ghcr.io/aquasecurity/trivy-java-db:1. The pull is unauthenticated, and ghcr.io applies a lower rate limit to unauthenticated clients, so on a cluster that scans on a short cadence the limit is hit quickly and the scans fail.

Steps to reproduce

  1. Set up a Kubernetes cluster with a deployment that runs Java images. For example, create a deployment that uses the webgoat/webgoat:latest image.
  2. Set up OCS on this cluster with a cadence that runs scans every 5 minutes.
  3. After a few scan cycles the scan pods fail with an HTTP 429 Too Many Requests error from ghcr.io.

What is the current bug behavior?

The rate limit is triggered, the scan fails, and all vulnerabilities reported by previous scans are removed from the project.

What is the expected correct behavior?

  1. The rate limit is not hit so quickly. The proposed fix is to pull the Java DB from the GitLab mirror instead of ghcr.io. That does not make hitting a rate limit impossible, only highly unlikely.
  2. If the rate limit is reached anyway, for example on a cluster with a lot of activity, the scan should fail without the previously reported vulnerabilities being removed. This will most likely be split into a separate issue.

Relevant logs and/or screenshots

ERROR	Error during vulnerabilities or misconfiguration scan	err=\"scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:4c5f388e71e673829df754051fdd5038b76f9996dbb479fecd8cbac34d54a29e): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: DB download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1: TOOMANYREQUESTS: retry-after: 1.01763ms, allowed: 44000/minute
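The behaviour asked for under expected behaviour 2 can be made concrete with an added example. The Python below is not code from the Trivy K8s wrapper or from GitLab: it classifies the wrapper's log output, reports a rate-limited Java DB pull separately from other failures, and refuses to replace the stored findings unless the scan completed. The regex is derived from the log line quoted above; `classify_scan_log`, `reconcile_findings`, the `ScanOutcome` field names and the "clean" log line are assumptions constructed for the example.

```python
"""Classify trivy-k8s-wrapper scan output and decide whether stored findings
may be replaced.  Added example for this issue, not code from the wrapper or
from GitLab; the log format assumed is the one quoted in the issue."""
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the registry rate-limit error Trivy surfaces when the Java DB
# pull from ghcr.io is refused.  Built from the log line quoted in this issue;
# the group names are an assumption, not a documented Trivy format.
RATE_LIMIT_RE = re.compile(
    r"GET (?P<url>https?://\S+?): TOOMANYREQUESTS: "
    r"retry-after: (?P<retry_after>[^,\s]+), allowed: (?P<allowed>[\w/]+)"
)

# Any scan-level ERROR line from the wrapper means the scan did not complete.
SCAN_ERROR_RE = re.compile(r"^ERROR\s")


@dataclass
class ScanOutcome:
    status: str                      # "ok", "rate_limited" or "failed"
    url: Optional[str] = None        # manifest URL that was rate limited
    retry_after: Optional[str] = None
    allowed: Optional[str] = None    # quota the registry reported


def classify_scan_log(log: str) -> ScanOutcome:
    """Map one scan's log output to an outcome.

    A rate-limited Java DB pull is reported separately from other failures
    because it is transient: the right reaction is to retry later, not to
    treat the image as clean.
    """
    hit = RATE_LIMIT_RE.search(log)
    if hit:
        return ScanOutcome("rate_limited", hit["url"], hit["retry_after"], hit["allowed"])
    for line in log.splitlines():
        if SCAN_ERROR_RE.match(line):
            return ScanOutcome("failed")
    return ScanOutcome("ok")


def reconcile_findings(previous: set, scanned: set, outcome: ScanOutcome) -> set:
    """Return the set of findings the project should hold after this scan.

    Only a completed scan may replace the previous findings; a failed or
    rate-limited scan keeps what was reported last time instead of wiping it.
    """
    if outcome.status != "ok":
        return previous
    return scanned


# Log quoted in the issue, with the \" and \n\t escapes that the console
# encoder adds undone so it matches what the pod printed.
RATE_LIMITED_LOG = (
    'ERROR\tError during vulnerabilities or misconfiguration scan\terr="scan error: '
    "scan failed: failed analysis: analyze error: pipeline error: failed to analyze "
    "layer (sha256:4c5f388e71e673829df754051fdd5038b76f9996dbb479fecd8cbac34d54a29e): "
    "post analysis error: post analysis error: Unable to initialize the Java DB: "
    "Java DB update failed: DB download error: OCI repository error: 1 error occurred:\n"
    "\t* GET https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1: "
    'TOOMANYREQUESTS: retry-after: 1.01763ms, allowed: 44000/minute"'
)

# Constructed log for a scan that completed (not taken from the issue).
CLEAN_LOG = "INFO\tScan completed\timages=3\n"


if __name__ == "__main__":
    stored = {"CVE-2023-0001 in webgoat/webgoat:latest"}
    outcome = classify_scan_log(RATE_LIMITED_LOG)
    print(outcome)
    print("findings kept:", reconcile_findings(stored, set(), outcome))
    print("findings after clean scan:",
          reconcile_findings(stored, {"CVE-2023-0002"}, classify_scan_log(CLEAN_LOG)))
```

Running it against the quoted log yields a rate_limited outcome carrying the ghcr.io manifest URL and the reported quota, and the stored findings are kept; only the constructed clean scan is allowed to replace them.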

Additional information

This occurs on the v0.4.0 release of the Trivy K8s wrapper.

Possible fixes

These are not mutually exclusive.

  • Set the Trivy K8s wrapper to use the GitLab mirror of the Trivy Java DB by default and release a new version (tentatively 0.6.0), which users would then select in the agent configuration:

    container_scanning:
      trivy_k8s_wrapper_image:
        repository: "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper"
        tag: "0.6.0"
      cadence: '*/5 * * * *'
  • Allow users to configure a Java DB mirror of their choice instead of the default repository.

Edited by Oscar Tovar