I build a Spring Boot application with GitLab (Community Edition 14.0.10) and package it into a Docker image. I added Trivy to my GitLab pipeline.
But sometimes Trivy does not check the Java dependencies.
Code
build-and-push-docker:
  stage: package
  image: docker:latest
  before_script:
    # resolve the latest Trivy release tag and download the Linux binary into the job workspace
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker image build . --pull --tag "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
    # -d: debug output; --exit-code 0: findings do not fail the job
    - ./trivy -d --exit-code 0 --cache-dir .trivycache/ --no-progress --ignore-unfixed "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
    - docker image push "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
    - docker image rm "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
  cache:
    paths:
      - .trivycache/
See also GitLab CI
Error
Analysis error: jar/war/ear parse error: failed to parse BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar: failed to search by SHA1: status 400 from https://search.maven.org/solrsearch/select?q=1%3A%2244aebd5ec26be2d2ff3f72d2181001aad1f94f4a%22&rows=1&wt=json
If I open the link above in a browser, I get a valid response.
Log
$ ./trivy -d --exit-code 0 --cache-dir .trivycache/ --no-progress --ignore-unfixed "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
2021-10-08T14:42:28.577Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-10-08T14:42:28.597Z DEBUG cache dir: .trivycache/
2021-10-08T14:42:28.598Z DEBUG There is no valid metadata file: unable to open a file: open .trivycache/db/metadata.json: no such file or directory
2021-10-08T14:42:28.598Z INFO Need to update DB
2021-10-08T14:42:28.598Z INFO Downloading DB...
2021-10-08T14:42:28.598Z DEBUG no metadata file
2021-10-08T14:42:28.752Z DEBUG release name: v1-2021100812
2021-10-08T14:42:28.752Z DEBUG asset name: trivy-light-offline.db.tgz
2021-10-08T14:42:28.752Z DEBUG file name doesn't match
2021-10-08T14:42:28.752Z DEBUG asset name: trivy-light.db.gz
2021-10-08T14:42:28.752Z DEBUG file name doesn't match
2021-10-08T14:42:28.752Z DEBUG asset name: trivy-offline.db.tgz
2021-10-08T14:42:28.752Z DEBUG file name doesn't match
2021-10-08T14:42:28.752Z DEBUG asset name: trivy.db.gz
2021-10-08T14:42:28.761Z DEBUG asset URL: https://github-releases.githubusercontent.com [...]
2021-10-08T14:42:29.485Z DEBUG Updating database metadata...
2021-10-08T14:42:29.485Z DEBUG DB Schema: 1, Type: 1, UpdatedAt: 2021-10-08 12:05:52.970906645 +0000 UTC, NextUpdate: 2021-10-08 18:05:52.970906245 +0000 UTC, DownloadedAt: 2021-10-08 14:42:29.48566609 +0000 UTC
2021-10-08T14:42:29.485Z DEBUG Vulnerability type: [os library]
2021-10-08T14:42:29.490Z DEBUG Image ID: sha256:08770cf43def239f496562ab59fa2df2e387cc3ec6331cc251bbb262638a4870
2021-10-08T14:42:29.490Z DEBUG Diff IDs: [sha256:5e6a409f30b62f42e55599490ba76ad82dca8de7b52655ecc8be25c46ad8b2b9 sha256:dabfe5b2ea81d864f4c6d49a884ec43489a497606a0fdc875e203b388627e165 sha256:d35dc7f4c79e18c7cf9b39411661b66fe92999142ec4dd02e9c38c596da80441 sha256:3f4d061037d3e4c5706ab779910bd6a815539b3db32e509aa12f6f5b882c30c1 sha256:61e996612cf7a7cf9873d173b5f4a78b8ea9a8a8dd2a7609ddc79c21181d381c sha256:f0ecedcc8c0f68a6d6eeea16e490580df0267da4fd88afc27f3aad4b4a0075cb sha256:dce0aba9d8729df4e13119a672bbde3d21afa509eba27fc0a5ebd67818cc2b82 sha256:afddb0fbbf519183e18698970551b5a16a6e907c010319e5c910572afd3e3cda sha256:8e837de786fe1d0b073d0ad4c7c6386884e30dae6fe4fbdb342889120e192602 sha256:968e057504834f26cb4943f4a0fe354659003ba84b4cece7dd7653deb763dbfc]
2021-10-08T14:42:29.490Z DEBUG Missing image ID: sha256:08770cf43def239f496562ab59fa2df2e387cc3ec6331cc251bbb262638a4870
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:968e057504834f26cb4943f4a0fe354659003ba84b4cece7dd7653deb763dbfc
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:61e996612cf7a7cf9873d173b5f4a78b8ea9a8a8dd2a7609ddc79c21181d381c
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:5e6a409f30b62f42e55599490ba76ad82dca8de7b52655ecc8be25c46ad8b2b9
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:dabfe5b2ea81d864f4c6d49a884ec43489a497606a0fdc875e203b388627e165
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:d35dc7f4c79e18c7cf9b39411661b66fe92999142ec4dd02e9c38c596da80441
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:3f4d061037d3e4c5706ab779910bd6a815539b3db32e509aa12f6f5b882c30c1
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:afddb0fbbf519183e18698970551b5a16a6e907c010319e5c910572afd3e3cda
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:8e837de786fe1d0b073d0ad4c7c6386884e30dae6fe4fbdb342889120e192602
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:dce0aba9d8729df4e13119a672bbde3d21afa509eba27fc0a5ebd67818cc2b82
2021-10-08T14:42:29.490Z DEBUG Missing diff ID: sha256:f0ecedcc8c0f68a6d6eeea16e490580df0267da4fd88afc27f3aad4b4a0075cb
2021-10-08T14:42:31.763Z DEBUG Analysis error: unable to parse bin/bzcat: failed to parse bin/bzcat: EOF
2021-10-08T14:42:31.763Z DEBUG Analysis error: unable to parse bin/bzip2: failed to parse bin/bzip2: EOF
2021-10-08T14:42:31.773Z DEBUG Parsing Java artifacts... {"file": "usr/local/openjdk-11/lib/jrt-fs.jar"}
2021-10-08T14:42:31.776Z DEBUG Analysis error: unable to parse usr/bin/zipinfo: failed to parse usr/bin/zipinfo: EOF
2021-10-08T14:42:31.800Z DEBUG Analysis error: unable to parse bin/uncompress: failed to parse bin/uncompress: EOF
2021-10-08T14:42:31.857Z DEBUG Parsing Java artifacts... {"file": "usr/src/app/app.jar"}
2021-10-08T14:42:31.867Z DEBUG Analysis error: unable to parse usr/bin/perl5.32.1: failed to parse usr/bin/perl5.32.1: EOF
2021-10-08T14:42:31.912Z DEBUG Parsing Java artifacts... {"file": "BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar"}
2021-10-08T14:42:32.238Z DEBUG No such POM in the central repositories {"file": "jrt-fs.jar"}
2021-10-08T14:42:32.346Z DEBUG Analysis error: jar/war/ear parse error: failed to parse BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar: failed to search by SHA1: status 400 from https://search.maven.org/solrsearch/select?q=1%3A%2244aebd5ec26be2d2ff3f72d2181001aad1f94f4a%22&rows=1&wt=json
2021-10-08T14:42:32.367Z DEBUG Missing image cache: sha256:7b4706b6a3577b17b1528ec4ba1995d3f1d0704a52c78ef1e1d4f3dd5e1d84f9
2021-10-08T14:42:32.442Z INFO Detected OS: debian
2021-10-08T14:42:32.442Z INFO Detecting Debian vulnerabilities...
2021-10-08T14:42:32.442Z DEBUG debian: os version: 11
2021-10-08T14:42:32.442Z DEBUG debian: the number of packages: 142
2021-10-08T14:42:32.457Z INFO Number of language-specific files: 0
gitlab.my-company.com:5005/product/service:221 (debian 11.0)
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
The log for the Java dependency check is missing.
Research
I found a similar issue, see "Scan attempts to contact maven.org even in an air-gapped environment":
We are using the latest version v0.19.2 and see the following error
Analysis error: jar/war/ear parse error: failed to search by SHA1: status 403 Forbidden from http://search.maven.org/solrsearch/select?q=1%3A%22a080d66963eaa0e3a4cabcc90a7798156b047fee%22&rows=1&wt=json
Any suggested workaround or option to use a maven mirror?
But I don't get a 403, I get a 400. Also, I don't want to disable Java scanning or use a second tool (the solutions recommended in the issue).
Question
How can I invoke Trivy from GitLab in a stable way?
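The DEBUG output above shows the failure mode worth guarding against: the Maven Central SHA1 lookup returns 400, Trivy logs "Analysis error" for the Spring Boot jar, then reports "Number of language-specific files: 0" and exits 0 with a Total of 0. The job passes, but none of the Java dependencies were checked. The following is an added example (not code from the question or from the Trivy project): a POSIX shell wrapper around the `./trivy` call that retries while the log shows the Maven Central error and fails the job when a "successful" scan analysed no language-specific files. The function names `scan_with_retry`, `log_has_maven_lookup_error`, `log_reports_no_language_files` and the `RETRY_SLEEP` variable are hypothetical; the sample logs are constructed from the DEBUG lines in the question, and the grep patterns assume Trivy keeps those message strings, which may differ in other versions.

```shell
#!/bin/sh
# Added example, not from the original question or the Trivy project.
# Wraps the trivy invocation from the GitLab job so that a transient
# Maven Central lookup failure is retried instead of silently producing an
# empty Java result, and so that "0 language-specific files" fails the job.
# Assumes trivy runs with -d so the DEBUG lines are in its output.

RETRY_SLEEP="${RETRY_SLEEP:-10}"   # seconds between attempts (hypothetical knob)

# 0 if the log contains Trivy's "failed to search by SHA1" error for search.maven.org
log_has_maven_lookup_error() {
    grep -q 'failed to search by SHA1: status [0-9]* .*search\.maven\.org' "$1"
}

# 0 if Trivy reports that it analysed no language-specific (e.g. Java) files
log_reports_no_language_files() {
    grep -q 'Number of language-specific files: 0' "$1"
}

# scan_with_retry LOGFILE MAX_ATTEMPTS CMD [ARGS...]
# Runs CMD, capturing its combined output in LOGFILE, and retries while the
# log shows the Maven Central error. Exit codes:
#   0 scan completed and analysed at least one language-specific file
#   2 Maven Central lookup still failing after MAX_ATTEMPTS
#   3 CMD exited non-zero for another reason
#   4 CMD exited 0 but reported zero language-specific files (Java deps unchecked)
scan_with_retry() {
    logfile=$1; max=$2; shift 2
    attempt=1
    while :; do
        if "$@" > "$logfile" 2>&1; then rc=0; else rc=$?; fi
        if log_has_maven_lookup_error "$logfile"; then
            if [ "$attempt" -ge "$max" ]; then
                echo "maven central lookup still failing after $attempt attempts" >&2
                return 2
            fi
            attempt=$((attempt + 1))
            sleep "$RETRY_SLEEP"
            continue
        fi
        [ "$rc" -eq 0 ] || return 3
        if log_reports_no_language_files "$logfile"; then
            echo "trivy analysed no language-specific files; Java dependencies were not checked" >&2
            return 4
        fi
        return 0
    done
}

# Constructed sample logs (abridged from the DEBUG output in the question).
SAMPLE_LOG_MAVEN_400='2021-10-08T14:42:31.912Z DEBUG Parsing Java artifacts... {"file": "BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar"}
2021-10-08T14:42:32.346Z DEBUG Analysis error: jar/war/ear parse error: failed to parse BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar: failed to search by SHA1: status 400 from https://search.maven.org/solrsearch/select?q=1%3A%2244aebd5ec26be2d2ff3f72d2181001aad1f94f4a%22&rows=1&wt=json
2021-10-08T14:42:32.457Z INFO Number of language-specific files: 0'

# Constructed: what a run looks like when the jar lookup succeeded.
SAMPLE_LOG_OK='2021-10-08T14:42:31.912Z DEBUG Parsing Java artifacts... {"file": "BOOT-INF/lib/spring-boot-starter-actuator-2.3.4.RELEASE.jar"}
2021-10-08T14:42:32.457Z INFO Number of language-specific files: 1'

# In the GitLab job, replace the bare ./trivy line with, for example:
#   scan_with_retry trivy.log 3 ./trivy -d --exit-code 0 --cache-dir .trivycache/ \
#       --no-progress --ignore-unfixed "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID"
```

Because the wrapper inspects the log rather than Trivy's exit status, it works with `--exit-code 0` as in the job above; exit code 4 is the case the question describes (job green, Java dependencies not scanned), and you may want to keep `trivy.log` as a job artifact so the reason is visible without re-running the pipeline.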