unable to initialize a scanner: unable to initialize a filesystem scanner: analyzer group error: post-analyzer init error: cloudformation scanner init error: mapfs file copy error

[farcop]

Description

I am not sure that is trivy bug, but after update to v0.53.0 we have in some helm chart scans this issue:

trivy runs inside bazel build with the command:
trivy config --exit-code 1 --severity HIGH,CRITICAL $file --quiet

2024-07-10T06:34:15Z FATAL Fatal error filesystem scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: analyzer group error: post-analyzer init error: cloudformation scanner init error: mapfs file copy error: open /tmp/trivy/policy/content/policies/kubernetes/policies/cisbenchmarks/cni: no such file or directory

May be you can get some clarification what is the issue?

Desired Behavior

trivy scan runs without errors

Actual Behavior

2024-07-10T06:34:15Z FATAL Fatal error filesystem scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: analyzer group error: post-analyzer init error: cloudformation scanner init error: mapfs file copy error: open /tmp/trivy/policy/content/policies/kubernetes/policies/cisbenchmarks/cni: no such file or directory

Reproduction Steps

I cant give exact repro steps because the issue only reproduces in CI

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

no

Operating System

Ubuntu 20.04 amd64

Version

0.53.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

To me this looks like trivy was not able to fetch the required file from the filesystem within the CI. Are you certain that there isn't anything wrong with the CI setup, especially around permissions/disk?

[farcop]

Yeah, all others things goes without any problems.

[simar7]

In that case if you can provide us a minimal example that can reproduce this, it would be helpful as I'm not able to reproduce it locally.

[nikpivkin]

@farcop How do you run Trivy using Bazel?

[farcop]

@nikpivkin I use https://github.com/theoremlp/rules_multitool and bazel tests, e.g.:

trivy-scan-test.sh

#!/usr/bin/env bash

set -eu

# trivy scan test script
# $1 trivy tool location
# $2 scan type: image (OCI image tarball) || rootfs (go binary) || config (helm chart)
# $3 artifact location

# if it is image scan then use --input option to scan tarball on filesystem
if [ "$2" == "image" ]; then input="--input"; else input=""; fi

# Resolve symlinks, in other case rootfs and config scan does not work
if [ "$2" == "rootfs" ] || [ "$2" == "config" ]; then file=$(realpath "$3"); else file="$3"; fi

# trivy scan and fail in case if issues with severity given exist
$1 $2 --exit-code 1 --severity HIGH,CRITICAL $input $file --quiet

native.sh_test(
    name = name + "_trivy_scan_test",
    srcs = ["//hacks/bazel:trivy-scan-test.sh"],
    args = [
        "$(location @multitool//tools/trivy)",
        "config",
        "$(location :%s)" % name,
    ],
    tags = [
        "trivy",
        "helm",
        "manual",
        "no-cache",
        "no-remote-cache",
    ],
    data = [
        "@multitool//tools/trivy",
        ":%s" % name,
    ],
)

[ondramie]

i getting sames. ran this on GHA

name: pre-commit
on:
  pull_request:
jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
       .... 
      - name: Install Trivy
        run: |
          wget https://github.com/aquasecurity/trivy/releases/download/v0.52.2/trivy_0.52.2_Linux-64bit.deb
          sudo dpkg -i trivy_0.52.2_Linux-64bit.deb

and it doesn't error for me on

2024-07-31T01:23:33Z	FATAL	Fatal error	filesystem scan error: scan error: unable to initialize a scanner: unable to initialize a filesystem scanner: analyzer group error: post-analyzer init error: azure-arm scanner init error: mapfs file copy error: open /home/runner/.cache/trivy/policy/content/policies/kubernetes/policies/cisbenchmarks/controllermamager: no such file or directory

whereas latest does

[knqyf263]

How did you run Trivy? What did you scan?

[danielmapar]

Consider pointing your cache to a new location if you encounter this issue.

Example with a .pre-commit-config.yaml setup

      - id: terraform_trivy
        files: terraform/.*\.tf$
        args:
          - --args=--config=__GIT_WORKING_DIR__/terraform/trivy.yaml
          - --args=--ignorefile=__GIT_WORKING_DIR__/terraform/.trivyignore
          - --args=--skip-dirs="**/.terraform"
          - --args=--cache-dir=__GIT_WORKING_DIR__/terraform/.trivy-cache

[danielmapar]

Consider pointing your cache to a new location if you encounter this issue.

Example with a .pre-commit-config.yaml setup

      - id: terraform_trivy
        files: terraform/.*\.tf$
        args:
          - --args=--config=__GIT_WORKING_DIR__/terraform/trivy.yaml
          - --args=--ignorefile=__GIT_WORKING_DIR__/terraform/.trivyignore
          - --args=--skip-dirs="**/.terraform"
          - --args=--cache-dir=__GIT_WORKING_DIR__/terraform/.trivy-cache

Never mind, I am still facing this problem. Seems to be some race condition. Sometimes it work, sometimes it doesn't

[danielmapar]

The solution I found was setting the parallelism to 1:

args:
    - --hook-config=--parallelism-limit=1

More details here: antonbabenko/pre-commit-terraform#691

[sebastianczech]

thanks @danielmapar , that solution is working for me too