Scanning of Java Images broken: Java DB update failed: Java DB client not initialized #3794

Closed
very-doge-wow opened this issue Mar 8, 2023 · 13 comments · Fixed by #3810
@very-doge-wow
Contributor

very-doge-wow commented Mar 8, 2023

Description

I'm trying to scan an image which contains a java application. I'm using the latest trivy version (0.38.2).
Both in air-gapped mode as well as locally using the same version, I can't scan the image, as it fails with the error message:

ERROR	Unable to initialize the Java DB: Java DB update failed: Java DB client not initialized
FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer (sha256:ee6bd52a4cdc4bf0f8b860e782a39c2e14213180ff3298918bb0dc4d4ede248a): post analysis error: post analysis error: Java DB update failed: Java DB client not initialized

Things I have tried:

  • using --skip-java-db-update flag
  • providing the java db as air-gapped environment as described in docs
  • downloading the db separately before running the scan
  • resetting cache and db and re-initializing them

Can't share the image which I'm trying to scan as it is inner source of my corporation, however this actually happens when scanning any image which contains a java application/jar file as far as I can tell.

What did you expect to happen?

Trivy scans the image

What happened instead?

Error message and run terminates

Output of run with -debug:

trivy image --scanners secret \
      --skip-java-db-update \
      --offline-scan --debug \
      --format json \
      --output trivy-secret-results.json \
      ${IMAGE_REFERENCE}
2023-03-08T16:38:38.862+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-08T16:38:38.908+0100	DEBUG	cache dir:  /Users/bestusername/Library/Caches/trivy
2023-03-08T16:38:38.908+0100	INFO	Secret scanning is enabled
2023-03-08T16:38:38.908+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-08T16:38:38.908+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-03-08T16:38:39.426+0100	DEBUG	No secret config detected: trivy-secret.yaml
2023-03-08T16:38:39.559+0100	DEBUG	Image ID: sha256:63e3008f2693f85aea3b93a670cf622f7005df201cc35a37b96d3d1d0ce10d06
2023-03-08T16:38:39.559+0100	DEBUG	Diff IDs: [sha256:c5ff2d88f67954bdcf1cfdd46fe3d683858d69c2cadd6660812edfc83726c654 sha256:49990d05423249bdcd1226f174bf681498234aa3273caecabc3d988da13d46bd sha256:48ad6927f9c111c05a0ce70d6ea0191ed000cdfe7cc38bd5275027a49a74c71d sha256:4b9ffc9f711f0c9c2028884d750e6d49b87a845f56e0cd2d8ca329802d2f8455 sha256:ea2767c33d8c02c3fb24c36048408a9177e3be824362aedb11779f94992b78f8 sha256:61b6a5b27829354ebedfd0056b518e5e585b4fbe00fdd6541bd91b68860cb1ab sha256:de9e168bb9843e807599dfe267ebe15b6a9942a3ef62829c671b7f1c085f44bf sha256:aceb2a160f5dba0bdb0e9d449ccee33b9dd408c2299d8b1e4ef0b0e6d6772f6a sha256:50b6e8f2c2510e8c61645b290f93ea65d406013c633ae57e25345d36360c962c sha256:8cdefe7b4d523583bf6165af55eef86cdc41ac58311b88491ea91d0195b4b2a3 sha256:57f7f464fdc49598c3b5f08c4ba246806d34d4fabcd5c72a18c1bf2383d2eee5 sha256:ee6bd52a4cdc4bf0f8b860e782a39c2e14213180ff3298918bb0dc4d4ede248a sha256:1e7663fc17ad3f88822d8bcb5e6d9a5507e0d2733b63b2030c32880ee6fedf8a sha256:4f98b0d61fd56657af569677d77be48aa9cb6527adcd90f5d95931c2cc400083]
2023-03-08T16:38:39.559+0100	DEBUG	Base Layers: []
2023-03-08T16:38:39.583+0100	DEBUG	Missing image ID in cache: sha256:63e3008f2693f85aea3b93a670cf622f7005df201cc35a37b96d3d1d0ce10d06
2023-03-08T16:38:39.583+0100	DEBUG	Missing diff ID in cache: sha256:ee6bd52a4cdc4bf0f8b860e782a39c2e14213180ff3298918bb0dc4d4ede248a
2023-03-08T16:38:56.477+0100	INFO	JAR files found
2023-03-08T16:38:56.477+0100	ERROR	Unable to initialize the Java DB: Java DB update failed: Java DB client not initialized
2023-03-08T16:38:56.557+0100	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:427
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:669
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:146
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:139
  - failed to analyze layer (sha256:ee6bd52a4cdc4bf0f8b860e782a39c2e14213180ff3298918bb0dc4d4ede248a):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:242
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:320
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:486
  - Java DB update failed:
    github.com/aquasecurity/trivy/pkg/javadb.NewClient
        github.com/aquasecurity/trivy/pkg/javadb/client.go:106
  - Java DB client not initialized:
    github.com/aquasecurity/trivy/pkg/javadb.Update
        github.com/aquasecurity/trivy/pkg/javadb/client.go:92

Output of trivy -v:

Version: 0.38.2

Additional details (base image name, container registry info...):

Container Registry is hosted in an Artifactory instance (corporate network).
Base Image is irrelevant, as it happens both in a containerized run (air-gapped) in a CI/CD pipeline as well as locally (debugging purposes).

@very-doge-wow very-doge-wow added the kind/bug Categorizes issue or PR as related to a bug. label Mar 8, 2023
@very-doge-wow very-doge-wow changed the title post analysis error: Java DB update failed: Java DB client not initialized Scanning of Java Images broken: Java DB update failed: Java DB client not initialized Mar 8, 2023
@zetaab

zetaab commented Mar 9, 2023

Yeah, for me it looks like it's not possible to use offline scan anymore; it does not matter whether offline is false or true. It always fails if the Java DB is not in place.

@very-doge-wow
Contributor Author

@zetaab I get the same error message when running without the --offline-scan flag.

@very-doge-wow
Contributor Author

very-doge-wow commented Mar 9, 2023

Might be related to the breaking change in 0.37.2?
(https://github.com/aquasecurity/trivy/releases/tag/v0.37.2)
However as mentioned above, doing a reset doesn't fix the problem.

@DmitriyLewen
Contributor

Hello @very-doge-wow, @zetaab
Thanks for your report!

We created #3810 to fix this problem.

Changes will be included in v0.38.3, which is planned to be released early next week.

Regards, Dmitriy

@sourabhgupta385
Contributor

sourabhgupta385 commented May 11, 2023

I have the exact same error with Version: 0.41.0. I'm using the below command:

trivy --cache-dir /common-lab/trivy image --security-checks vuln --skip-db-update --offline-scan --ignorefile trivyignore_final.txt --timeout 10m0s --format json -o report.json image_name_and_tag_here

I get the below output

[2023-05-11T08:31:32.533Z] 2023-05-11T08:31:32.001Z WARN '--security-checks' is deprecated. Use '--scanners' instead.
[2023-05-11T08:31:36.721Z] 2023-05-11T08:31:36.363Z INFO Vulnerability scanning is enabled
[2023-05-11T08:31:59.010Z] 2023-05-11T08:31:55.483Z INFO JAR files found
[2023-05-11T08:31:59.015Z] 2023-05-11T08:31:55.765Z ERROR Unable to initialize the Java DB: Java DB update failed: Java DB update error: Java DB metadata error: unable to decode metadata: EOF
[2023-05-11T08:31:59.015Z] 2023-05-11T08:31:55.997Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: failed to analyze layer (sha256:sha_here): post analysis error: post analysis error: Java DB update failed: Java DB update error: Java DB metadata error: unable to decode metadata: EOF

Do we have a solution?

@DmitriyLewen
Contributor

Hello @sourabhgupta385
Can you try trivy image --reset and run again?

@sourabhgupta385
Contributor

@DmitriyLewen Thank you for the immediate response. I manually cleared my cache and deleted all the DB files. And then again pulled them using oras and then things worked fine. I am working in an air-gapped environment and that's the process I followed.

@DmitriyLewen
Contributor

Looks like the metadata.json file was broken. Tell me if you have this problem again.

@trapeznikov

trapeznikov commented Oct 23, 2023

@DmitriyLewen we are getting the same issue with v0.46.0 but it's very inconsistent. Sometimes scan is successful, and sometimes getting the following error. Running --reset before the scan doesn't help.

FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:6a99f1702481b494ebb16fba66613c611e6d34d168a3d7d1672d09bc8bd9b2ac): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: Java DB update error: Java DB metadata error: unable to decode metadata: EOF

We reverted to v0.45.1 and our pipelines seem to be stable with it.

Should I submit a separate bug issue for it?

@DmitriyLewen
Contributor

DmitriyLewen commented Oct 24, 2023

Hello @trapeznikov
Can you share the <cache_dir>/trivy/java-db/metadata.json file for when the error occurs?

> Sometimes scan is successful, and sometimes getting the following error. Running --reset before the scan doesn't help.

How did you fix this error?

@trapeznikov

trapeznikov commented Oct 24, 2023

Hi @DmitriyLewen
Just installed the latest version (0.46.0) and right away got this again:

2023-10-24T09:55:34.322-0400	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:fc9ba6561d1d4e39518e14a3b31d3e01e63185ec5c8ff409041d237c13b8a2da): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: Java DB update error: Java DB metadata error: unable to decode metadata: EOF

metadata.json:

{"Version":1,"NextUpdate":"2023-10-27T00:57:54.297865625Z","UpdatedAt":"2023-10-24T00:57:54.297866425Z","DownloadedAt":"2023-10-24T13:55:33.112824434Z"}

Running scan right after that was successful. And metadata.json file stayed the same after the successful scan.

> How did you fix this error?

With 0.45.1 every scan is successful.

Full log:

adminuser@ghrunner-c001:~$ ~/trivy image --reset
2023-10-24T10:31:22.865-0400	INFO	Removing DB file...
2023-10-24T10:31:23.006-0400	INFO	Removing artifact caches...
adminuser@ghrunner-c001:~$ ~/trivy image --scanners vuln --no-progress --ignore-unfixed --exit-code 0 <IMAGE>
2023-10-24T10:31:27.038-0400	INFO	Need to update DB
2023-10-24T10:31:27.038-0400	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-10-24T10:31:27.038-0400	INFO	Downloading DB...
2023-10-24T10:31:29.065-0400	INFO	Vulnerability scanning is enabled
2023-10-24T10:31:32.491-0400	INFO	JAR files found
2023-10-24T10:31:32.491-0400	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-10-24T10:31:32.491-0400	INFO	Downloading the Java DB...
2023-10-24T10:31:33.400-0400	INFO	JAR files found
2023-10-24T10:31:33.400-0400	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-10-24T10:31:33.400-0400	INFO	Downloading the Java DB...
2023-10-24T10:31:33.556-0400	INFO	JAR files found
2023-10-24T10:31:33.557-0400	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-10-24T10:31:33.557-0400	INFO	Downloading the Java DB...
2023-10-24T10:31:33.606-0400	INFO	JAR files found
2023-10-24T10:31:33.606-0400	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-10-24T10:31:33.606-0400	INFO	Downloading the Java DB...
2023-10-24T10:32:16.967-0400	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-10-24T10:32:16.968-0400	INFO	Analyzing JAR files takes a while...
2023-10-24T10:32:17.355-0400	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-10-24T10:32:17.356-0400	INFO	Analyzing JAR files takes a while...
2023-10-24T10:32:17.921-0400	FATAL	image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:28b7846187282e65925aa3273adc819bdebba6c5b19e5fc6078a664d74416739): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: Java DB update error: Java DB metadata error: unable to decode metadata: EOF
adminuser@ghrunner-c001:~$ cat .cache/trivy/java-db/metadata.json
{"Version":1,"NextUpdate":"2023-10-27T00:57:54.297865625Z","UpdatedAt":"2023-10-24T00:57:54.297866425Z","DownloadedAt":"2023-10-24T14:32:16.948113638Z"}
adminuser@ghrunner-c001:~$ ~/trivy image --scanners vuln --no-progress --ignore-unfixed --exit-code 0 <IMAGE>
2023-10-24T10:32:26.035-0400	INFO	Vulnerability scanning is enabled
2023-10-24T10:32:29.738-0400	INFO	JAR files found
2023-10-24T10:32:29.739-0400	INFO	Analyzing JAR files takes a while...
2023-10-24T10:32:29.892-0400	INFO	JAR files found
2023-10-24T10:32:29.892-0400	INFO	Analyzing JAR files takes a while...
2023-10-24T10:32:30.016-0400	INFO	JAR files found
2023-10-24T10:32:30.016-0400	INFO	Analyzing JAR files takes a while...
2023-10-24T10:32:30.128-0400	INFO	JAR files found
2023-10-24T10:32:30.128-0400	INFO	Analyzing JAR files takes a while...
2023-10-24T10:32:30.561-0400	INFO	Detected OS: ubuntu
2023-10-24T10:32:30.561-0400	INFO	Detecting Ubuntu vulnerabilities...
2023-10-24T10:32:30.575-0400	INFO	Number of language-specific files: 1
2023-10-24T10:32:30.575-0400	INFO	Detecting jar vulnerabilities...

<IMAGE> (ubuntu 22.04)

Total: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬────────────────────┬────────────────────┬──────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version  │   Fixed Version    │                          Title                           │
├──────────┼────────────────┼──────────┼────────┼────────────────────┼────────────────────┼──────────────────────────────────────────────────────────┤
│ curl     │ CVE-2023-38545 │ HIGH     │ fixed  │ 7.81.0-1ubuntu1.13 │ 7.81.0-1ubuntu1.14 │ heap based buffer overflow in the SOCKS5 proxy handshake │
│          │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-38545               │
│          ├────────────────┼──────────┤        │                    │                    ├──────────────────────────────────────────────────────────┤
│          │ CVE-2023-38546 │ LOW      │        │                    │                    │ cookie injection with none file                          │
│          │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-38546               │
├──────────┼────────────────┼──────────┤        │                    │                    ├──────────────────────────────────────────────────────────┤
│ libcurl4 │ CVE-2023-38545 │ HIGH     │        │                    │                    │ heap based buffer overflow in the SOCKS5 proxy handshake │
│          │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-38545               │
│          ├────────────────┼──────────┤        │                    │                    ├──────────────────────────────────────────────────────────┤
│          │ CVE-2023-38546 │ LOW      │        │                    │                    │ cookie injection with none file                          │
│          │                │          │        │                    │                    │ https://avd.aquasec.com/nvd/cve-2023-38546               │
└──────────┴────────────────┴──────────┴────────┴────────────────────┴────────────────────┴──────────────────────────────────────────────────────────┘
2023-10-24T10:32:30.715-0400	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                     Library                     │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http2 (ingestor.jar)       │ GHSA-xpw8-rcwv-8f8p │ MEDIUM   │ fixed  │ 4.1.97.Final      │ 4.1.100.Final │ io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset │
│                                                 │                     │          │        │                   │               │ Attack                                                      │
│                                                 │                     │          │        │                   │               │ https://github.com/advisories/GHSA-xpw8-rcwv-8f8p           │
├─────────────────────────────────────────────────┤                     │          │        │                   │               │                                                             │
│ io.netty:netty-codec-http2 (monitor-legacy.jar) │                     │          │        │                   │               │                                                             │
│                                                 │                     │          │        │                   │               │                                                             │
│                                                 │                     │          │        │                   │               │                                                             │
└─────────────────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
adminuser@ghrunner-c001:~$ cat .cache/trivy/java-db/metadata.json
{"Version":1,"NextUpdate":"2023-10-27T00:57:54.297865625Z","UpdatedAt":"2023-10-24T00:57:54.297866425Z","DownloadedAt":"2023-10-24T14:32:16.948113638Z"}
adminuser@ghrunner-c001:~$ ~/trivy --version
Version: 0.46.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-24 12:18:25.83018732 +0000 UTC
  NextUpdate: 2023-10-24 18:18:25.83018672 +0000 UTC
  DownloadedAt: 2023-10-24 14:31:29.065282456 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-24 00:57:54.297866425 +0000 UTC
  NextUpdate: 2023-10-27 00:57:54.297865625 +0000 UTC
  DownloadedAt: 2023-10-24 14:32:16.948113638 +0000 UTC

@DmitriyLewen
Contributor

@trapeznikov I created #5441 for your issue.

@trapeznikov

@DmitriyLewen thank you!
