Error during vulnerability DB Dowloading

[sacha-athias-wmx]

Question

Hello

I am using trivy from a while inside github action, i have wrote my own, because i could not use other action. Since 3 months, scans does not works anymore. It fails during Vulnerability database downloading with this message.

2024-09-09T12:45:06Z	INFO	[db] Need to update DB
2024-09-09T12:45:06Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-09T12:45:36Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: failed to update downloaded_at: unable to get metadata: unable to decode metadata: EOF

If i use --debugi got this outbput

2024-09-09T18:05:01Z	DEBUG	No plugins loaded
2024-09-09T18:05:01Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-09T18:05:01Z	DEBUG	Cache dir	dir="/home/runner/.cache/trivy"
2024-09-09T18:05:01Z	DEBUG	Cache dir	dir="/home/runner/.cache/trivy"
2024-09-09T18:05:02Z	DEBUG	Parsed severities	severities=[CRITICAL HIGH MEDIUM]
2024-09-09T18:05:02Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2024-09-09T18:05:02Z	DEBUG	There is no valid metadata file	err="unable to open a file: open /home/runner/.cache/trivy/db/metadata.json: no such file or directory"
2024-09-09T18:05:02Z	INFO	[db] Need to update DB
2024-09-09T18:05:02Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-09T18:05:02Z	DEBUG	No metadata file
2024-09-09T18:05:08Z	FATAL	Fatal error
  - init error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:366
  - DB error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:118
  - failed to download vulnerability DB:
    github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB
        /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:41
  - database download error:
    github.com/aquasecurity/trivy/pkg/db.(*Client).Download
        /home/runner/work/trivy/trivy/pkg/db/db.go:162
  - oci download error:
    github.com/aquasecurity/trivy/pkg/oci.(*Artifact).Download
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:144
  - download error:
    github.com/aquasecurity/trivy/pkg/oci.(*Artifact).download
        /home/runner/work/trivy/trivy/pkg/oci/artifact.go:193
  - failed to download /tmp/trivy1386014089/db.tar.gz:
    github.com/aquasecurity/trivy/pkg/downloader.Download
        /home/runner/work/trivy/trivy/pkg/downloader/download.go:99
  - open /home/runner/.cache/trivy/db/trivy.db: no such file or directory

Maybe i supposed it fails because i got this message There is no valid metadata file err="unable to open a file: open /home/runner/.cache/trivy/db/metadata.json: no such file or directory" but i am not sure and i did not find any case about that on google. Also i found that on the trivy doc

But i have no "firewall" it github action, before it was working perfectly but now it does not works anymore

I am using this command to perform vulnerability scanning on docker images
trivy image --no-progress --severity CRITICAL,HIGH,MEDIUM --scanners=vuln --ignore-unfixed ${imageArn} -o ./sarif-result/${sarifFile} -f sarif --timeout 15m --debug

Thanks for your support 🙏 é

Target

Container Image

Scanner

Vulnerability

Output Format

SARIF

Mode

Standalone

Operating System

debian

Version

Version: 0.55.0

[bloomadcariad]

I'm intermittently seeing the same error in an Azure China environment. It works a majority of the time, so doesn't seem to be a firewall issue.

[sacha-athias-wmx]

finally i found a solution if you want @bloomadcariad, as i mentionned previously i developed my own github action to use trivy. So first i install trivy, then i download the vulnerability DB by running trivy image --download-db-only and at the end i perform my scans and it works perfectly i did not fount the root cause but now it works 😆

[sacha-athias-wmx]

maybe if a maintainer could have an explanation ?