Trivy can hang if an error occurs scanning a container image with --slow option #4343

Closed
2 tasks done
DmitriyLewen opened this issue May 12, 2023 Discussed in #4335 · 0 comments · Fixed by #4336
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Contributor

Discussed in #4335

Originally posted by mpoindexter May 12, 2023

Description

When scanning with --slow, any error will deadlock the scan if the image has more than one layer.

This is because, at https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/artifact/image/image.go#L243, the goroutine blocks on sending to the errCh channel while still holding the limit semaphore, which is only released in the defer. This means the goroutine calling Inspect is blocked at https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/artifact/image/image.go#L223 and can never reach https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/artifact/image/image.go#L259 to read from errCh and unblock the scan goroutine.

Desired Behavior

Trivy does not hang when an error occurs

Actual Behavior

Trivy hangs

Reproduction Steps

Can be reproduced by running `trivy image localstack/localstack:0.8.6 --java-db-repository invalid --slow` after clearing trivy caches

Note that specifying an invalid Java DB repository is just an easy way to reproducibly get an error; any error can cause this.

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Client/Server

Debug Output

2023-05-11T12:49:02.714-0700	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-11T12:49:02.758-0700	DEBUG	cache dir:  /Users/mpoindexter/Library/Caches/trivy
2023-05-11T12:49:02.759-0700	DEBUG	DB update was skipped because the local DB is the latest
2023-05-11T12:49:02.769-0700	DEBUG	DB Schema: 2, UpdatedAt: 2023-05-11 18:07:12.093565921 +0000 UTC, NextUpdate: 2023-05-12 00:07:12.093565521 +0000 UTC, DownloadedAt: 2023-05-11 19:45:48.802006 +0000 UTC
2023-05-11T12:49:02.769-0700	INFO	Vulnerability scanning is enabled
2023-05-11T12:49:02.769-0700	DEBUG	Vulnerability type:  [os library]
2023-05-11T12:49:02.769-0700	INFO	Secret scanning is enabled
2023-05-11T12:49:02.769-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-11T12:49:02.769-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-11T12:49:03.907-0700	DEBUG	No secret config detected: trivy-secret.yaml
2023-05-11T12:49:04.849-0700	DEBUG	Image ID: sha256:552ceea94437e4e07b4d1af2f62c1978ed1d8264fd47ba28da18776dc670fdaa
2023-05-11T12:49:04.849-0700	DEBUG	Diff IDs: [sha256:0f35610e1138a253e7bc69884e88e34fe5f27190a84c3b05638db9ba15ec149b sha256:41933ed411185ccebe00bf21598a9f85e3d1cbc2a6d2722d55edb2a27f078d31 sha256:3aaba766c3d2cb157e8304b400500da7dcb8302ae9bba3aa5df55062041bf43f sha256:e4a6508ded18b3ddafd64aa7b25808694716cb1905ffc810fd3bd7802707f03f sha256:b1cb9bbfad459aa492d48aec9972cdd20306a00fa185d618a464efac7dfb6443 sha256:9ad53ec08ea6eaec32298ebbbaa0c05ab3e8c1224e4e04b87e4d886f86f206e3 sha256:35a02c789ee1e15c5a6266ce7308133f982af9b3e7f8c1f55d4ddfcc62291b18 sha256:8e5ca2ff2ef92e9bdce1efb5ada5f913bd8cf17645dc11a8243529184f03e679 sha256:a7b8971f2f59291ede6daea5bfce822e823e579394aa2f745fd6755601ee4fec sha256:a135082e06ab089f8e64735142eff124837bad00553b6cedb7fee45f19f28ea0 sha256:dbd699d6c878b55b261e1b38cb59ff1fea5b8a4a45556311610796fffca9df72 sha256:362e022117fdbe046e01935b89c537aa32866ef6b8e5e967398691277427ff0c sha256:2a304e8812a49573eb22dfcbc900b5815861a57708850cdcc853272f4e394ed5 sha256:18f209c26c5f231aff6b89e694eed17d81dd0c437e540214598df5c2c8b6098c sha256:4fa862ba42f339331d80ac941fb5126c6d85f23e84672fbed50bdb117b92806c sha256:8d0405d543a0fbf2dad70b8900712866158add7ccc32f1b8a19a161b904666af sha256:fbf82e5322d968c70373647c8113a8b0b0da78e279e938668eff24da307f8009 sha256:c39be81f06cedab59455dd4855ab594396392c6c1dc9d27e8f74690616b5ca43]
2023-05-11T12:49:04.849-0700	DEBUG	Base Layers: []
2023-05-11T12:49:04.850-0700	DEBUG	Missing image ID in cache: sha256:552ceea94437e4e07b4d1af2f62c1978ed1d8264fd47ba28da18776dc670fdaa
2023-05-11T12:49:04.850-0700	DEBUG	Missing diff ID in cache: sha256:0f35610e1138a253e7bc69884e88e34fe5f27190a84c3b05638db9ba15ec149b
2023-05-11T12:49:29.037-0700	DEBUG	Skipping directory: dev
2023-05-11T12:49:29.106-0700	DEBUG	Skipping directory: proc
2023-05-11T12:49:29.109-0700	DEBUG	Skipping directory: sys
2023-05-11T12:49:29.121-0700	INFO	JAR files found
2023-05-11T12:49:29.121-0700	INFO	Java DB Repository: invalid:1
2023-05-11T12:49:29.121-0700	INFO	Downloading the Java DB...
2023-05-11T12:49:30.877-0700	ERROR	Unable to initialize the Java DB: Java DB update failed: Java DB update error: DB download error: OCI repository error: 1 error occurred:
	* GET https://index.docker.io/v2/library/invalid/manifests/1: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/invalid Type:repository]]

Operating System

MacOS

Version

Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-11 18:07:12.093565921 +0000 UTC
  NextUpdate: 2023-05-12 00:07:12.093565521 +0000 UTC
  DownloadedAt: 2023-05-11 19:45:48.802006 +0000 UTC
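The deadlock described in the report, reduced to a stand-alone Go model. This is an added example, not Trivy's code and not the change made in the fixing PR: `inspectBuggy` reproduces the pattern from the report (a semaphore channel `limit`, an unbuffered `errCh`, a caller that only reads `errCh` after launching every layer worker, and a worker that releases its slot only in a defer that runs after the blocking send), and `inspectFixed` shows one possible repair (a buffered error channel with a slot per layer, releasing the semaphore before reporting, and cancelling further launches on the first failure). The layer IDs, the always-failing `scan` function and the error value are constructed; `runWithTimeout` is a helper for observing the hang from a test.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Constructed sample input: three fake layer IDs and a scan that fails for
// every layer, standing in for "any error" (the Java DB failure in the report).
var (
	sampleLayers = []string{"layer-a", "layer-b", "layer-c"}
	errJavaDB    = errors.New("constructed: Java DB update failed")
)

func failingScan(layer string) error { return errJavaDB }

// inspectBuggy models the report: the semaphore slot is released only in the
// defer, which runs after the send on the unbuffered errCh. A failing worker
// blocks on that send while holding its slot, the caller blocks acquiring a
// slot for the next layer and never reaches the read. With more layers than
// slots and a single failure, this call never returns.
func inspectBuggy(layers []string, parallel int, scan func(string) error) error {
	limit := make(chan struct{}, parallel)
	errCh := make(chan error) // unbuffered: every send waits for a reader
	done := make(chan struct{})
	var wg sync.WaitGroup
	for _, l := range layers {
		limit <- struct{}{} // acquire; blocks while all slots are held
		wg.Add(1)
		go func(layer string) {
			defer func() { <-limit; wg.Done() }() // slot released only here
			if err := scan(layer); err != nil {
				errCh <- err // blocks until the caller reads, but the caller is stuck above
			}
		}(l)
	}
	go func() { wg.Wait(); close(done) }()
	select {
	case err := <-errCh:
		return err
	case <-done:
		return nil
	}
}

// inspectFixed is one way to remove the deadlock: errCh has a slot per layer so
// a send never blocks, the worker releases its semaphore slot before reporting,
// and a cancelled context stops the launcher once any layer has failed.
func inspectFixed(layers []string, parallel int, scan func(string) error) error {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	limit := make(chan struct{}, parallel)
	errCh := make(chan error, len(layers)) // buffered: sends never block
	var wg sync.WaitGroup
launch:
	for _, l := range layers {
		select {
		case limit <- struct{}{}: // acquire a slot...
		case <-ctx.Done(): // ...unless a worker has already failed
			break launch
		}
		wg.Add(1)
		go func(layer string) {
			defer wg.Done()
			err := scan(layer)
			<-limit // release first, so the launcher can always make progress
			if err != nil {
				errCh <- err
				cancel()
			}
		}(l)
	}
	wg.Wait()
	close(errCh)
	if err, ok := <-errCh; ok {
		return err // first error recorded
	}
	return nil
}

// runWithTimeout runs fn on its own goroutine and reports whether it returned
// within d. finished == false is how the hang is observed; the pending timer
// also keeps the Go runtime's all-goroutines-asleep check from firing.
func runWithTimeout(d time.Duration, fn func() error) (err error, finished bool) {
	res := make(chan error, 1)
	go func() { res <- fn() }()
	select {
	case e := <-res:
		return e, true
	case <-time.After(d):
		return nil, false
	}
}

func main() {
	err, finished := runWithTimeout(500*time.Millisecond, func() error {
		return inspectBuggy(sampleLayers, 1, failingScan)
	})
	fmt.Printf("buggy: finished=%v err=%v\n", finished, err) // finished=false: hung
	err, finished = runWithTimeout(500*time.Millisecond, func() error {
		return inspectFixed(sampleLayers, 1, failingScan)
	})
	fmt.Printf("fixed: finished=%v err=%v\n", finished, err) // finished=true, err=errJavaDB
}
```

Running it with `parallel` equal to or above the number of layers makes `inspectBuggy` return the error too, which matches the report's "more than one layer" condition: the hang needs a launcher that is still waiting on the semaphore when the first worker fails. The leaked worker goroutines left blocked on `errCh` after the first error are the same bug seen from the other side.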
