`offline-scan: true` declared in trivy.yaml config file doesn't work anymore #6529
Description
Hello! I'm using the centralized configuration trivy.yaml to manage my options. I discovered it when running a scan in a repository that contains a I then used the --debug to find that Trivy was making API calls to fetch package OSS information.
However, it works with the CLI

Documentation reference

Desired Behavior
When

Actual Behavior
API calls are being made to get OSS info about packages.

Reproduction Steps
1. First add a non-empty pom.xml file in a folder
2. Create a trivy.yaml file and add the options as in the description
3. Run `trivy fs --debug --scanners vuln .`
4. Note all the API calls. (Should not have any)
...

Target
Filesystem

Scanner
Vulnerability

Output Format
Table

Mode
Standalone

Debug Output
2024-04-19T11:00:40.947-0400 INFO Loaded trivy.yaml
2024-04-19T11:00:40.949-0400 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-19T11:00:40.949-0400 DEBUG Ignore statuses {"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2024-04-19T11:00:40.959-0400 DEBUG cache dir: /Users/user/Library/Caches/trivy
2024-04-19T11:00:40.959-0400 DEBUG DB update was skipped because the local DB is the latest
2024-04-19T11:00:40.959-0400 DEBUG DB Schema: 2, UpdatedAt: 2024-04-19 12:12:43.546713617 +0000 UTC, NextUpdate: 2024-04-19 18:12:43.546713136 +0000 UTC, DownloadedAt: 2024-04-19 12:21:57.954674 +0000 UTC
2024-04-19T11:00:40.960-0400 INFO Vulnerability scanning is enabled
2024-04-19T11:00:40.960-0400 DEBUG Vulnerability type: [os library]
2024-04-19T11:00:40.960-0400 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-19T11:00:40.960-0400 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-04-19T11:00:40.962-0400 DEBUG Walk the file tree rooted at '.' in parallel
2024-04-19T11:00:40.964-0400 DEBUG Adding repository apache.snapshots: https://repository.apache.org/content/repositories/snapshots/
2024-04-19T11:00:40.964-0400 DEBUG Adding repository maven2: https://repo.maven.apache.org/maven2
2024-04-19T11:00:40.964-0400 DEBUG Adding repository confluent: https://packages.confluent.io/maven/
2024-04-19T11:00:40.964-0400 DEBUG Resolving com.google.cloud:libraries-bom:26.33.0...
2024-04-19T11:00:41.447-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/libraries-bom/26.33.0/libraries-bom-26.33.0.pom
2024-04-19T11:00:41.642-0400 DEBUG Resolving com.google.cloud:first-party-dependencies:3.25.0...
2024-04-19T11:00:42.066-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/first-party-dependencies/3.25.0/first-party-dependencies-3.25.0.pom
2024-04-19T11:00:42.099-0400 DEBUG Start parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:42.535-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/google-cloud-shared-config/1.7.1/google-cloud-shared-config-1.7.1.pom
2024-04-19T11:00:42.579-0400 DEBUG Start parent: com.google.cloud:native-image-shared-config:1.7.1
2024-04-19T11:00:43.016-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/native-image-shared-config/1.7.1/native-image-shared-config-1.7.1.pom
2024-04-19T11:00:43.052-0400 DEBUG Exit parent: com.google.cloud:native-image-shared-config:1.7.1
2024-04-19T11:00:43.052-0400 DEBUG Exit parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:43.052-0400 DEBUG Resolving com.google.api:gapic-generator-java-bom:2.35.0...
2024-04-19T11:00:43.493-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/api/gapic-generator-java-bom/2.35.0/gapic-generator-java-bom-2.35.0.pom
2024-04-19T11:00:43.525-0400 DEBUG Start parent: com.google.api:gapic-generator-java-pom-parent:2.35.0
2024-04-19T11:00:43.961-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/api/gapic-generator-java-pom-parent/2.35.0/gapic-generator-java-pom-parent-2.35.0.pom
2024-04-19T11:00:43.996-0400 DEBUG Adding repository google-maven-central-copy: https://maven-central.storage-download.googleapis.com/maven2
2024-04-19T11:00:43.996-0400 DEBUG Adding repository maven-central: https://repo1.maven.org/maven2
2024-04-19T11:00:43.996-0400 DEBUG Start parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:43.996-0400 DEBUG Exit parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:43.996-0400 DEBUG Exit parent: com.google.api:gapic-generator-java-pom-parent:2.35.0
2024-04-19T11:00:43.996-0400 DEBUG Resolving com.google.auth:google-auth-library-bom:1.23.0...
2024-04-19T11:00:44.208-0400 DEBUG Resolving com.google.http-client:google-http-client-bom:1.44.1...
2024-04-19T11:00:44.285-0400 DEBUG Resolving com.google.guava:guava-bom:32.1.3-jre...
2024-04-19T11:00:44.362-0400 DEBUG Start parent: org.sonatype.oss:oss-parent:9
2024-04-19T11:00:44.395-0400 DEBUG Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-04-19T11:00:44.395-0400 DEBUG Exit parent: org.sonatype.oss:oss-parent:9
2024-04-19T11:00:44.395-0400 DEBUG Resolving com.google.protobuf:protobuf-bom:3.25.2...
2024-04-19T11:00:44.595-0400 DEBUG Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/google/protobuf/protobuf-bom/3.25.2/protobuf-bom-3.25.2.pom
2024-04-19T11:00:44.681-0400 DEBUG Resolving io.grpc:grpc-bom:1.61.1...
2024-04-19T11:00:44.720-0400 DEBUG Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/grpc/grpc-bom/1.61.1/grpc-bom-1.61.1.pom
...

Operating System
macOS Sonoma 14.4.1

Version
2024-04-19T10:41:09.855-0400 INFO Loaded trivy.yaml
Version: 0.50.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-04-19 12:12:43.546713617 +0000 UTC
NextUpdate: 2024-04-19 18:12:43.546713136 +0000 UTC
DownloadedAt: 2024-04-19 12:21:57.954674 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
DownloadedAt: 2024-02-12 14:21:22.412343 +0000 UTC
Policy Bundle:
Digest: sha256:24b38cdf646f0e5becf55a709ae9a3c4e819a348c28990cec0b6aabe4637d8b1
DownloadedAt: 2023-10-05 20:31:54.322645 +0000 UTC
Replies: 1 comment 1 reply
Hello @tellierd
Thanks for your report!
Can you try to use `offline: true`?
Looks like our docs contain a mistake.
I created #6547 to fix that.
Regards, Dmitriy
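A way to check in CI that a scan meant to be offline made no remote Maven lookups, keyed on the message shapes in the debug log from the report. This is an added example, not code from the thread or from the Trivy project; the function name `audit_offline` and the `CLEAN` sample are hypothetical, and it assumes a "Failed to fetch from" line means a remote repository was contacted.

```python
import re
from collections import Counter

# Message shapes copied from the debug log in the report above.
FETCH_FAIL = re.compile(r"\bDEBUG\s+Failed to fetch from (\S+)")
ADD_REPO = re.compile(r"\bDEBUG\s+Adding repository ([^:\s]+): (\S+)")

def audit_offline(log_text):
    """Summarise signs of remote Maven lookups in `trivy --debug` output."""
    attempts = Counter()   # host -> number of failed remote fetches
    repos = {}             # repository id -> URL registered while parsing POMs
    for line in log_text.splitlines():
        m = FETCH_FAIL.search(line)
        if m:
            attempts[m.group(1).split("/", 1)[0]] += 1
            continue
        m = ADD_REPO.search(line)
        if m:
            repos[m.group(1)] = m.group(2)
    # Only failed fetches are visible in the log on this page; a successful
    # download leaves no line, so "no attempts" is necessary, not sufficient.
    return {"remote_attempts": dict(attempts), "repositories": repos,
            "violation": bool(attempts)}

# Excerpt of the log posted in the report (online behaviour despite the config).
REPORTED = """\
2024-04-19T11:00:40.964-0400 DEBUG Adding repository maven2: https://repo.maven.apache.org/maven2
2024-04-19T11:00:40.964-0400 DEBUG Resolving com.google.cloud:libraries-bom:26.33.0...
2024-04-19T11:00:41.447-0400 DEBUG Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/libraries-bom/26.33.0/libraries-bom-26.33.0.pom
2024-04-19T11:00:44.595-0400 DEBUG Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/google/protobuf/protobuf-bom/3.25.2/protobuf-bom-3.25.2.pom
2024-04-19T11:00:44.720-0400 DEBUG Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/grpc/grpc-bom/1.61.1/grpc-bom-1.61.1.pom
"""

# Constructed sample: a run whose log shows no remote fetch attempts.
CLEAN = """\
2024-04-19T11:00:40.947-0400 INFO Loaded trivy.yaml
2024-04-19T11:00:40.962-0400 DEBUG Walk the file tree rooted at '.' in parallel
"""

if __name__ == "__main__":
    import sys
    text = REPORTED if sys.stdin.isatty() else sys.stdin.read()
    report = audit_offline(text)
    print(report)
    sys.exit(1 if report["violation"] else 0)
```

Feed it the combined output of the command from the reproduction steps; a non-zero exit means the log shows remote fetch attempts. Because successful downloads are not visible in this log format, pair the check with an egress block on the build runner.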