offline-scan: true declared in trivy.yaml config file doesn't work anymore

[tellierd]

Description

Hello!

I'm using the centralized configuration trivy.yaml to manage my options.
On version 0.50.1 the offline-scan: true option is not working anymore.

I discovered it when running a scan in a repository that contains a pom.xml.
The usual scanning time went from 1 minute to more than 5 minutes.

I then used the --debug to find that Trivy was making API calls to fetch package OSS information.
This means the offline-scan: true option is not working.

trivy fs --scanners vuln .
with
trivy.yaml

scan:
  offline-scan: true

However, it works with the CLI
trivy fs --offline-scan --scanners vuln .

Documentation reference
https://aquasecurity.github.io/trivy/v0.50/docs/references/configuration/config-file/#scan-options

Desired Behavior

When offline-scan: true is added to the trivy.yaml config file, this should skip Java package validation call to oss API.

In addition, if you want to scan pom.xml dependencies, you need to specify --offline-scan since Trivy tries to issue API requests for scanning Java applications by default.

Ref: https://aquasecurity.github.io/trivy/v0.50/docs/advanced/air-gap/#put-the-db-files-in-trivys-cache-directory

Actual Behavior

API calls are being made to get OSS info about packages.

Reproduction Steps

1. First add a non-empty pom.xml file in a folder
2. Create a trivy.yaml file and add the options as in the description
3. Run `trivy fs --debug --scanners vuln .`
4. Note all the the API calls. (Should not have any)
...

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-04-19T11:00:40.947-0400	INFO	Loaded trivy.yaml
2024-04-19T11:00:40.949-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-19T11:00:40.949-0400	DEBUG	Ignore statuses	{"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2024-04-19T11:00:40.959-0400	DEBUG	cache dir:  /Users/user/Library/Caches/trivy
2024-04-19T11:00:40.959-0400	DEBUG	DB update was skipped because the local DB is the latest
2024-04-19T11:00:40.959-0400	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-19 12:12:43.546713617 +0000 UTC, NextUpdate: 2024-04-19 18:12:43.546713136 +0000 UTC, DownloadedAt: 2024-04-19 12:21:57.954674 +0000 UTC
2024-04-19T11:00:40.960-0400	INFO	Vulnerability scanning is enabled
2024-04-19T11:00:40.960-0400	DEBUG	Vulnerability type:  [os library]
2024-04-19T11:00:40.960-0400	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-19T11:00:40.960-0400	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-19T11:00:40.962-0400	DEBUG	Walk the file tree rooted at '.' in parallel
2024-04-19T11:00:40.964-0400	DEBUG	Adding repository apache.snapshots: https://repository.apache.org/content/repositories/snapshots/
2024-04-19T11:00:40.964-0400	DEBUG	Adding repository maven2: https://repo.maven.apache.org/maven2
2024-04-19T11:00:40.964-0400	DEBUG	Adding repository confluent: https://packages.confluent.io/maven/
2024-04-19T11:00:40.964-0400	DEBUG	Resolving com.google.cloud:libraries-bom:26.33.0...
2024-04-19T11:00:41.447-0400	DEBUG	Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/libraries-bom/26.33.0/libraries-bom-26.33.0.pom
2024-04-19T11:00:41.642-0400	DEBUG	Resolving com.google.cloud:first-party-dependencies:3.25.0...
2024-04-19T11:00:42.066-0400	DEBUG	Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/first-party-dependencies/3.25.0/first-party-dependencies-3.25.0.pom
2024-04-19T11:00:42.099-0400	DEBUG	Start parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:42.535-0400	DEBUG	Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/google-cloud-shared-config/1.7.1/google-cloud-shared-config-1.7.1.pom
2024-04-19T11:00:42.579-0400	DEBUG	Start parent: com.google.cloud:native-image-shared-config:1.7.1
2024-04-19T11:00:43.016-0400	DEBUG	Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/cloud/native-image-shared-config/1.7.1/native-image-shared-config-1.7.1.pom
2024-04-19T11:00:43.052-0400	DEBUG	Exit parent: com.google.cloud:native-image-shared-config:1.7.1
2024-04-19T11:00:43.052-0400	DEBUG	Exit parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:43.052-0400	DEBUG	Resolving com.google.api:gapic-generator-java-bom:2.35.0...
2024-04-19T11:00:43.493-0400	DEBUG	Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/api/gapic-generator-java-bom/2.35.0/gapic-generator-java-bom-2.35.0.pom
2024-04-19T11:00:43.525-0400	DEBUG	Start parent: com.google.api:gapic-generator-java-pom-parent:2.35.0
2024-04-19T11:00:43.961-0400	DEBUG	Failed to fetch from repository.apache.org/content/repositories/snapshots/com/google/api/gapic-generator-java-pom-parent/2.35.0/gapic-generator-java-pom-parent-2.35.0.pom
2024-04-19T11:00:43.996-0400	DEBUG	Adding repository google-maven-central-copy: https://maven-central.storage-download.googleapis.com/maven2
2024-04-19T11:00:43.996-0400	DEBUG	Adding repository maven-central: https://repo1.maven.org/maven2
2024-04-19T11:00:43.996-0400	DEBUG	Start parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:43.996-0400	DEBUG	Exit parent: com.google.cloud:google-cloud-shared-config:1.7.1
2024-04-19T11:00:43.996-0400	DEBUG	Exit parent: com.google.api:gapic-generator-java-pom-parent:2.35.0
2024-04-19T11:00:43.996-0400	DEBUG	Resolving com.google.auth:google-auth-library-bom:1.23.0...
2024-04-19T11:00:44.208-0400	DEBUG	Resolving com.google.http-client:google-http-client-bom:1.44.1...
2024-04-19T11:00:44.285-0400	DEBUG	Resolving com.google.guava:guava-bom:32.1.3-jre...
2024-04-19T11:00:44.362-0400	DEBUG	Start parent: org.sonatype.oss:oss-parent:9
2024-04-19T11:00:44.395-0400	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-04-19T11:00:44.395-0400	DEBUG	Exit parent: org.sonatype.oss:oss-parent:9
2024-04-19T11:00:44.395-0400	DEBUG	Resolving com.google.protobuf:protobuf-bom:3.25.2...
2024-04-19T11:00:44.595-0400	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/google/protobuf/protobuf-bom/3.25.2/protobuf-bom-3.25.2.pom
2024-04-19T11:00:44.681-0400	DEBUG	Resolving io.grpc:grpc-bom:1.61.1...
2024-04-19T11:00:44.720-0400	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/grpc/grpc-bom/1.61.1/grpc-bom-1.61.1.pom
...

Operating System

macOS Sonoma 14.4.1

Version

2024-04-19T10:41:09.855-0400	INFO	Loaded trivy.yaml
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-19 12:12:43.546713617 +0000 UTC
  NextUpdate: 2024-04-19 18:12:43.546713136 +0000 UTC
  DownloadedAt: 2024-04-19 12:21:57.954674 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-12 14:21:22.412343 +0000 UTC
Policy Bundle:
  Digest: sha256:24b38cdf646f0e5becf55a709ae9a3c4e819a348c28990cec0b6aabe4637d8b1
  DownloadedAt: 2023-10-05 20:31:54.322645 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @tellierd
Thanks for your report!

Can you try to use offline: true?
Looks like our docs contain mistake.
I created #6547 to fix that.

Regards, Dmitriy

[tellierd]

Hello @DmitriyLewen,

I tried with offline: true and it works fine.
Thank you for having worked on a documentation fix.

Cheers,
David