Issue initialising the Java DB when scanning for mis-configurations #3795

Closed
Mo0rBy opened this issue Mar 8, 2023 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

Mo0rBy commented Mar 8, 2023

Description

Configuration scanning is not working due to an error when attempting to initialise the Java DB. It seems as if the database is successfully downloaded, but there is an issue in initialising it.
I noticed this problem working in our remote environments, but I tested it locally and I get the same issue, so it's not a problem specific to my own systems/infrastructure.

What did you expect to happen?

Expected Trivy to successfully scan the configuration of an image and output the result

Command used:
trivy image --debug --scanners config {MY_IMAGE}:{MY_TAG}

What happened instead?

Obtained the following error:
ERROR Unable to initialize the Java DB: Java DB update failed: Java DB client not initialized

Output of run with -debug:

2023-03-08T17:04:08.052Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-08T17:04:08.097Z	DEBUG	cache dir:  /Users/wmoorby/Library/Caches/trivy
2023-03-08T17:04:08.097Z	INFO	Misconfiguration scanning is enabled
2023-03-08T17:04:08.098Z	DEBUG	Failed to open the policy metadata: open /Users/wmoorby/Library/Caches/trivy/policy/metadata.json: no such file or directory
2023-03-08T17:04:08.098Z	INFO	Need to update the built-in policies
2023-03-08T17:04:08.098Z	INFO	Downloading the built-in policies...
39.14 KiB / 39.14 KiB [------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2023-03-08T17:04:09.498Z	DEBUG	Digest of the built-in policies: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
2023-03-08T17:04:09.499Z	DEBUG	Policies successfully loaded from disk
2023-03-08T17:04:09.512Z	DEBUG	Image ID: sha256:9ab333bf594a123fd7a0ba5717729b69caaa4afdca8703f4e68ab87e422908e2
2023-03-08T17:04:09.512Z	DEBUG	Diff IDs: [sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88 sha256:f9e315186df9d3a8de76074e45a1d5d65e712837e6f91271c2a47425ccc6706e sha256:35438d8420b34dc0f232a0b45eff5141bf6189c4f7f9a358463f4de7716cd832 sha256:5a8893cf75bb89e612fb847127a086ca583ddb4d5ce180df3999078d616180f7 sha256:81b04cb27ceee6cf656c55c80056c814423810edb3bf723aa48cbc59e0738408 sha256:26b9451e6021f6e27a1fedbcbb6e99ec931d59af414d4ed1d5163b5214efa542 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:88a917ed2c1ceffc22f6ed2930e25e41afc2637d792e6b6092791dff4d36cff6 sha256:45b9fa357ff6e8ae3602ca0a9d91bc96b7b6990d238c162995d6f85ebbe8827e]
2023-03-08T17:04:09.512Z	DEBUG	Base Layers: [sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88]
2023-03-08T17:04:09.824Z	DEBUG	Missing diff ID in cache: sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88
2023-03-08T17:04:09.824Z	DEBUG	Missing diff ID in cache: sha256:35438d8420b34dc0f232a0b45eff5141bf6189c4f7f9a358463f4de7716cd832
2023-03-08T17:04:09.824Z	DEBUG	Missing diff ID in cache: sha256:5a8893cf75bb89e612fb847127a086ca583ddb4d5ce180df3999078d616180f7
2023-03-08T17:04:09.824Z	DEBUG	Missing diff ID in cache: sha256:81b04cb27ceee6cf656c55c80056c814423810edb3bf723aa48cbc59e0738408
2023-03-08T17:04:09.824Z	DEBUG	Missing diff ID in cache: sha256:f9e315186df9d3a8de76074e45a1d5d65e712837e6f91271c2a47425ccc6706e
2023-03-08T17:04:16.091Z	DEBUG	Missing diff ID in cache: sha256:26b9451e6021f6e27a1fedbcbb6e99ec931d59af414d4ed1d5163b5214efa542
2023-03-08T17:04:16.125Z	INFO	JAR files found
2023-03-08T17:04:16.125Z	ERROR	Unable to initialize the Java DB: Java DB update failed: Java DB client not initialized
2023-03-08T17:04:16.136Z	DEBUG	Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
2023-03-08T17:04:16.178Z	DEBUG	Missing diff ID in cache: sha256:88a917ed2c1ceffc22f6ed2930e25e41afc2637d792e6b6092791dff4d36cff6
2023-03-08T17:04:16.220Z	DEBUG	Missing diff ID in cache: sha256:45b9fa357ff6e8ae3602ca0a9d91bc96b7b6990d238c162995d6f85ebbe8827e
2023-03-08T17:04:16.344Z	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:427
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:669
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:139
  - failed to analyze layer (sha256:35438d8420b34dc0f232a0b45eff5141bf6189c4f7f9a358463f4de7716cd832):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:242
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:320
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:486
  - Java DB update failed:
    github.com/aquasecurity/trivy/pkg/javadb.NewClient
        /home/runner/work/trivy/trivy/pkg/javadb/client.go:106
  - Java DB client not initialized:
    github.com/aquasecurity/trivy/pkg/javadb.Update
        /home/runner/work/trivy/trivy/pkg/javadb/client.go:92

Output of trivy -v:

Version: 0.38.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-08 06:07:29.13580037 +0000 UTC
  NextUpdate: 2023-03-08 12:07:29.13579997 +0000 UTC
  DownloadedAt: 2023-03-08 14:00:27.228251 +0000 UTC
Policy Bundle:
  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
  DownloadedAt: 2023-03-08 17:04:09.498946 +0000 UTC

Additional details (base image name, container registry info...):

The image I am scanning is a Java image; I do not get this error when scanning a non-Java-based image (it's an error initialising the Java DB).

I get this same error when attempting to scan for secrets (using: trivy image --debug --scanners secret {MY_IMAGE}:{MY_TAG}) but everything works when I scan for vulnerabilities (using: trivy image --debug --scanners vuln {MY_IMAGE}:{MY_TAG})

Mo0rBy added the kind/bug label Mar 8, 2023

Mo0rBy commented Mar 8, 2023

I'm pretty sure this is a duplicate of #3794 but I will leave it here just in case it is different.

very-doge-wow (Contributor) commented

Yep, seems to be the exact same problem. Only occurs since the breaking change in 0.37.2 was introduced (https://github.com/aquasecurity/trivy/releases/tag/v0.37.2).


Mo0rBy commented Mar 9, 2023

I've used the --reset flag and then ran the scanning command again and I get the exact same result. Can see from my trivy -v that I downloaded the DB just now.

Version: 0.38.2
Policy Bundle:
  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
  DownloadedAt: 2023-03-09 12:49:24.624929 +0000 UTC

very-doge-wow (Contributor) commented

> I've used the --reset flag and then ran the scanning command again and I get the exact same result. Can see from my trivy -v that I downloaded the DB just now.
>
> Version: 0.38.2
> Policy Bundle:
>   Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
>   DownloadedAt: 2023-03-09 12:49:24.624929 +0000 UTC

I know, I was simply pointing out that I am seeing this error since the version 0.37.2. I am fully aware that the "fix" documented in the release notes does not work, as I already pointed out in the other issue #3794.


Mo0rBy commented Mar 9, 2023

@very-doge-wow ah right, my apologies. From now on I'm just going to add to your own issue as these are duplicates and you created the issue first. I will mark this issue as closed.

Mo0rBy closed this as not planned Mar 9, 2023