BUG: Non-fatal permissions errors for files in /etc when Trivy container is run as non-root

[tspearconquest]

Description

When running Trivy as a non-root user with the --debug flag, in our non-root Trivy container, I found that some files in /etc are causing permissions errors in the output. This is not a fatal error, as the scan completes properly, however I believe when the container is run normally (as root), these files are being opened in write mode instead of read mode, which can potentially be a security risk for anyone running image published in dockerhub.

In case there is a vulnerability found in Trivy in the future, wherein Trivy is able to execute arbitrary code, the opening of the below 3 files in write mode could allow for data in them to be manipulated. These files are meant to be readonly and owned by root, however root can bypass the permissions and write to readonly files anyway. So the fact that Trivy is opening them in write mode is an error that simply doesn't appear under normal circumstances because of root being able to open the files in write mode without any issue.

/ $ trivy --debug --cache-dir=/trivycache fs --skip-update .
2022-10-18T22:30:25.994Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-10-18T22:30:25.996Z	DEBUG	cache dir:  /trivycache
2022-10-18T22:30:25.996Z	DEBUG	Skipping DB update...
2022-10-18T22:30:25.996Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-10-18 18:12:27.474860418 +0000 UTC, NextUpdate: 2022-10-19 00:12:27.474860018 +0000 UTC, DownloadedAt: 2022-10-18 22:26:42.655394951 +0000 UTC
2022-10-18T22:30:25.997Z	INFO	Vulnerability scanning is enabled
2022-10-18T22:30:25.997Z	DEBUG	Vulnerability type:  [os library]
2022-10-18T22:30:25.997Z	INFO	Secret scanning is enabled
2022-10-18T22:30:25.997Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-18T22:30:25.997Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-18T22:30:25.997Z	DEBUG	No secret config detected: trivy-secret.yaml
2022-10-18T22:30:25.999Z	DEBUG	Permission error: etc/crontabs/root
2022-10-18T22:30:26.005Z	DEBUG	Permission error: etc/shadow
2022-10-18T22:30:26.006Z	DEBUG	Permission error: etc/shadow-
2022-10-18T22:30:26.153Z	INFO	Detected OS: alpine
2022-10-18T22:30:26.153Z	INFO	Detecting Alpine vulnerabilities...
2022-10-18T22:30:26.153Z	DEBUG	alpine: os version: 3.16
2022-10-18T22:30:26.153Z	DEBUG	alpine: package repository: 3.16
2022-10-18T22:30:26.153Z	DEBUG	alpine: the number of packages: 16
2022-10-18T22:30:26.154Z	INFO	Number of language-specific files: 0

What did you expect to happen?

There should not be the below 3 lines in the output above:

2022-10-18T22:30:25.999Z	DEBUG	Permission error: etc/crontabs/root
2022-10-18T22:30:26.005Z	DEBUG	Permission error: etc/shadow
2022-10-18T22:30:26.006Z	DEBUG	Permission error: etc/shadow-

What happened instead?

The 3 lines above appears

Output of run with -debug:

See above

Output of trivy -v:

/ $ trivy -v
Version: 0.32.1

Additional details (base image name, container registry info...):

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[tspearconquest]

/remove-lifecycle stale

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[tspearconquest]

/remove-lifecycle stale

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.