
bug(misconf): eval_conflict_error in AVD-DS-0017 #6513

Closed
2 tasks done
nikpivkin opened this issue Apr 17, 2024 Discussed in #6512 · 7 comments · Fixed by aquasecurity/trivy-checks#112
@nikpivkin
Contributor

Discussed in #6512

Originally posted by baksetercx April 17, 2024

Description

When running a misconfiguration scan on a Dockerfile containing `apt-get update`, `apt-get upgrade` and `apt-get install` in the same RUN step, Trivy will fail.

Desired Behavior

Trivy not failing.

Actual Behavior

Trivy failed with the error:

filesystem scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: dockerfile scan error: scan config error: home/andreas/.cache/trivy/policy/content/policies/docker/policies/update_instruction_alone.rego:69: eval_conflict_error: functions must not produce multiple outputs for same inputs

Reproduction Steps

  1. Create a Dockerfile with this spec:

     FROM ubuntu:latest

     RUN apt-get update \
         && apt-get upgrade -y \
         && apt-get install -y curl

  2. Run Trivy:

     trivy config Dockerfile

Target

None

Scanner

Misconfiguration

Output Format

Any

Mode

Standalone

Debug Output

2024-04-17T12:04:21.015+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-17T12:04:21.025+0200	DEBUG	cache dir:  /home/andreas/.cache/trivy
2024-04-17T12:04:21.025+0200	INFO	Misconfiguration scanning is enabled
2024-04-17T12:04:21.025+0200	DEBUG	Failed to open the policy metadata: open /home/andreas/.cache/trivy/policy/metadata.json: no such file or directory
2024-04-17T12:04:21.025+0200	INFO	Need to update the built-in policies
2024-04-17T12:04:21.025+0200	INFO	Downloading the built-in policies...
2024-04-17T12:04:21.025+0200	DEBUG	Using URL: ghcr.io/aquasecurity/trivy-policies:0 to load policy bundle
50.08 KiB / 50.08 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 0s
2024-04-17T12:04:21.788+0200	DEBUG	Digest of the built-in policies: sha256:c124bcf1f8975b0e942ebdaa93398acbaf85c3990503b81d6bfd1cc4a333cf54
2024-04-17T12:04:21.788+0200	DEBUG	Policies successfully loaded from disk
2024-04-17T12:04:21.788+0200	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-17T12:04:21.801+0200	DEBUG	Walk the file tree rooted at 'Dockerfile' in series
2024-04-17T12:04:21.801+0200	DEBUG	Scanning Dockerfile files for misconfigurations...
2024-04-17T12:04:21.801+0200	DEBUG	[misconf] 04:21.801994170 dockerfile.scanner.rego          Overriding filesystem for policies!
2024-04-17T12:04:21.838+0200	DEBUG	[misconf] 04:21.838354933 dockerfile.scanner.rego          Loaded 194 policies from disk.
2024-04-17T12:04:21.838+0200	DEBUG	[misconf] 04:21.838703244 dockerfile.scanner.rego          Overriding filesystem for data!
2024-04-17T12:04:22.182+0200	DEBUG	[misconf] 04:22.181995586 dockerfile.scanner.rego          Scanning 1 inputs...
2024-04-17T12:04:22.188+0200	FATAL	filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:429
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:710
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:164
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:496
  - dockerfile scan error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:47
  - scan config error:
    github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan
        /home/runner/work/trivy/trivy/pkg/misconf/scanner.go:162
  - home/andreas/.cache/trivy/policy/content/policies/docker/policies/update_instruction_alone.rego:69: eval_conflict_error: functions must not produce multiple outputs for same inputs

Operating System

Debian trixie/sid

Version

Version: 0.50.1
Policy Bundle:
  Digest: sha256:c124bcf1f8975b0e942ebdaa93398acbaf85c3990503b81d6bfd1cc4a333cf54
  DownloadedAt: 2024-04-17 10:04:21.788096344 +0000 UTC

Checklist
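For readers who want to see what the failing check is looking for, here is an added example (not Trivy's code and not the `update_instruction_alone.rego` policy itself): a simplified Python version of the kind of check AVD-DS-0017 performs, flagging a RUN instruction that runs `apt-get update` without an `apt-get install` in the same instruction. The two Dockerfiles are constructed inputs, the first being the one from this issue, where an `apt-get upgrade` sits between the update and the install; the second genuinely violates the check. The package-manager names and the verb matching are the example's own assumptions, not Trivy's rule logic.

```python
"""Added example, not Trivy's own code: a simplified version of the kind of
check AVD-DS-0017 (update_instruction_alone) performs. It flags a RUN
instruction that runs `apt-get update` without an `apt-get install` in the
same instruction. The apt command names and verb matching below are this
example's assumptions."""
import shlex

# Constructed sample input: the Dockerfile from the bug report.
DOCKERFILE_FROM_ISSUE = """\
FROM ubuntu:latest

RUN apt-get update \\
    && apt-get upgrade -y \\
    && apt-get install -y curl
"""

# Constructed sample input that should be flagged: the update runs in its
# own layer, so the later install may resolve against a stale package index.
DOCKERFILE_UPDATE_ALONE = """\
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y curl
"""

# Assumed set of apt front-ends this check cares about.
APT_COMMANDS = {"apt-get", "apt"}


def run_instructions(dockerfile: str) -> list[str]:
    """Return the argument string of every RUN instruction, with
    backslash-newline continuations joined into one logical line."""
    logical = dockerfile.replace("\\\n", " ")
    runs = []
    for line in logical.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("RUN "):
            runs.append(stripped[len("RUN "):].strip())
    return runs


def shell_commands(run_args: str) -> list[list[str]]:
    """Split a shell-form RUN string on &&, ||, ; and | into separate
    commands, each returned as an argv list."""
    lexer = shlex.shlex(run_args, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in ("&&", "||", ";", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_apt(argv: list[str], verb: str) -> bool:
    """True if argv is an apt/apt-get invocation of the given verb."""
    return bool(argv) and argv[0] in APT_COMMANDS and verb in argv[1:]


def update_alone_findings(dockerfile: str) -> list[str]:
    """Return the RUN instructions that run `apt-get update` without an
    `apt-get install` in the same instruction. An `apt-get upgrade` between
    the two is neither an update nor an install and must not change the
    verdict, which is exactly the shape of the Dockerfile in this issue."""
    findings = []
    for run in run_instructions(dockerfile):
        commands = shell_commands(run)
        has_update = any(is_apt(c, "update") for c in commands)
        has_install = any(is_apt(c, "install") for c in commands)
        if has_update and not has_install:
            findings.append(run)
    return findings


if __name__ == "__main__":
    for name, df in [("issue", DOCKERFILE_FROM_ISSUE),
                     ("update-alone", DOCKERFILE_UPDATE_ALONE)]:
        for run in update_alone_findings(df):
            print(f"{name}: apt-get update without install: RUN {run}")
```

The issue's Dockerfile yields no finding, because the update and the install share one RUN instruction regardless of the upgrade between them; the second Dockerfile yields exactly one finding for `RUN apt-get update`. Splitting on the shell operators rather than matching the whole RUN string is what lets the check tolerate extra commands in the chain.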

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Apr 17, 2024
@nikpivkin nikpivkin self-assigned this Apr 17, 2024

flurin commented Apr 17, 2024

Same here.


odise commented Apr 17, 2024

You can try --policy-bundle-repository ghcr.io/aquasecurity/trivy-policies:0.10.0. This release of the policy-bundle works fine.

@DominicNewAwaze

> You can try --policy-bundle-repository ghcr.io/aquasecurity/trivy-policies:0.10.0. This release of the policy-bundle works fine.

I'm using the trivy action, which looks like that can't be set in the trivy config. Is there a workaround for that?

@baksetercx

> You can try --policy-bundle-repository ghcr.io/aquasecurity/trivy-policies:0.10.0. This release of the policy-bundle works fine.

This works, thanks!

@nvuillam

Exact same issue with MegaLinter :(

simar7 (Member) commented Apr 17, 2024

We've cut a new release for trivy-checks https://github.com/aquasecurity/trivy-checks/releases/tag/v0.10.4 which should fix this issue.

@simar7 simar7 added this to the v0.51.0 milestone Apr 17, 2024
@mr-niche

Awesome, thank you - can confirm the trivy-action is succeeding now. Appreciate the quick turnaround!
