trivy fails to detect Redhat 9.5 packages - unable to scan OS packages

[pmolon]

Description

We are using trivy in our CI pipeline to scan images. Redhat now just recently updated all their base images to RHEL 9.5, e.g. https://catalog.redhat.com/software/containers/ubi9-minimal/61832888c0d15aff4912fe0d?image=67334c07aa3afe8d468be888&container-tabs=overview

Trivy now fails with the error

trivy image registry.access.redhat.com/ubi9-minimal@sha256:ba0d97dd43fea58f9bdcc4488c60a3869827e1e30a51c11bbfae3fb7dc91e6f5
2024-11-13T08:38:49+01:00	INFO	[vuln] Vulnerability scanning is enabled
2024-11-13T08:38:49+01:00	INFO	[secret] Secret scanning is enabled
2024-11-13T08:38:49+01:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-13T08:38:49+01:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-13T08:38:58+01:00	INFO	Detected OS	family="redhat" version="9.5"
2024-11-13T08:38:58+01:00	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="9" pkg_num=105
2024-11-13T08:38:58+01:00	FATAL	Fatal error	image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: unable to scan OS packages: failed vulnerability detection of OS packages: failed detection: redhat vulnerability detection error: failed to get Red Hat advisories: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details

We are using most recent trivy version

podman run registry.access.redhat.com/ubi9-minimal@sha256:ba0d97dd43fea58f9bdcc4488c60a3869827e1e30a51c11bbfae3fb7dc91e6f5 cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.5 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.5 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://issues.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"

Desired Behavior

Trivy should correctly detect RHEL 9.5 packages

Actual Behavior

Trivy encounters FATAL error

Reproduction Steps

1. Run trivy command
trivy image registry.access.redhat.com/ubi9-minimal@sha256:ba0d97dd43fea58f9bdcc4488c60a3869827e1e30a51c11bbfae3fb7dc91e6f5
2. The scan will fail with above mentioned error

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

trivy image registry.access.redhat.com/ubi9-minimal@sha256:ba0d97dd43fea58f9bdcc4488c60a3869827e1e30a51c11bbfae3fb7dc91e6f5 --debug
2024-11-13T08:48:53+01:00	DEBUG	No plugins loaded
2024-11-13T08:48:53+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-13T08:48:53+01:00	DEBUG	Cache dir	dir="/home/dev/.cache/trivy"
2024-11-13T08:48:53+01:00	DEBUG	Cache dir	dir="/home/dev/.cache/trivy"
2024-11-13T08:48:53+01:00	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-13T08:48:53+01:00	INFO	Adding schema version to the DB repository for backward compatibility	repository="index.docker.io/aquasec/trivy-db:2"
2024-11-13T08:48:53+01:00	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-13T08:48:53+01:00	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-java-db:1"
2024-11-13T08:48:53+01:00	INFO	Adding schema version to the DB repository for backward compatibility	repository="index.docker.io/aquasec/trivy-java-db:1"
2024-11-13T08:48:53+01:00	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-java-db:1"
2024-11-13T08:48:53+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-13T08:48:53+01:00	DEBUG	Ignore statuses	statuses=[]
2024-11-13T08:48:53+01:00	DEBUG	DB update was skipped because the local DB is the latest
2024-11-13T08:48:53+01:00	DEBUG	DB info	schema=2 updated_at=2024-11-13T06:17:36.372318513Z next_update=2024-11-14T06:17:36.372318082Z downloaded_at=2024-11-13T07:19:31.605034373Z
2024-11-13T08:48:53+01:00	DEBUG	[pkg] Package types	types=[os library]
2024-11-13T08:48:53+01:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-11-13T08:48:53+01:00	INFO	[vuln] Vulnerability scanning is enabled
2024-11-13T08:48:53+01:00	INFO	[secret] Secret scanning is enabled
2024-11-13T08:48:53+01:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-13T08:48:53+01:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-13T08:48:53+01:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-13T08:48:53+01:00	DEBUG	Initializing scan cache...	type="fs"
2024-11-13T08:48:53+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-11-13T08:48:53+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-11-13T08:48:53+01:00	DEBUG	[image] Detected image ID	image_id="sha256:2a2f1e3ad21b75aaf944b4046ab39154c63c635b97e7934ef33f987fc5977e01"
2024-11-13T08:48:53+01:00	DEBUG	Saving the container image to a local file to obtain the image config...
2024-11-13T08:48:54+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:cf05185ff4b33b2e1a8d2d75d1f7adb1d14152db698061bba878773795c08ac8 sha256:f6053727b5a4e5fdd612fdf1b7f83af015fc86c4fc267300660700f61db450c4]
2024-11-13T08:48:54+01:00	DEBUG	[image] Detected base layers	diff_ids=[]
2024-11-13T08:48:55+01:00	INFO	Detected OS	family="redhat" version="9.5"
2024-11-13T08:48:55+01:00	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="9" pkg_num=105
2024-11-13T08:48:55+01:00	FATAL	Fatal error
  - image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:387
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:261
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:622
  - scan failed:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:169
  - failed to detect vulnerabilities:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.ScanTarget
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:117
  - unable to scan OS packages:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:168
  - failed vulnerability detection of OS packages:
    github.com/aquasecurity/trivy/pkg/scanner/ospkg.(*scanner).Scan
        /home/runner/work/trivy/trivy/pkg/scanner/ospkg/scan.go:57
  - failed detection:
    github.com/aquasecurity/trivy/pkg/detector/ospkg.Detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:83
  - redhat vulnerability detection error:
    github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat.(*Scanner).Detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:94
  - failed to get Red Hat advisories:
    github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat.(*Scanner).detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:116
  - unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details:
    github.com/aquasecurity/trivy-db/pkg/vulnsrc/redhat-oval.VulnSrc.Get
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20240910133327-7e0f4d2ed4c1/pkg/vulnsrc/redhat-oval/redhat-oval.go:252

Operating System

Ubuntu

Version

trivy --version
Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-13 06:17:36.372318513 +0000 UTC
  NextUpdate: 2024-11-14 06:17:36.372318082 +0000 UTC
  DownloadedAt: 2024-11-13 07:19:31.605034373 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-09-13 01:08:50.455768046 +0000 UTC
  NextUpdate: 2024-09-16 01:08:50.455767885 +0000 UTC
  DownloadedAt: 2024-09-13 07:42:05.285683637 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @pmolon
Created #7911 for this issue.

FYI looks like it is bug in this image, because root/buildinfo/content_manifests/ should contain file with content_sets.
e.g.:

➜ docker run -it --rm registry.access.redhat.com/ubi9-minimal@sha256:73f7dcacb460dad137a58f24668470a5a2e47378838a0190eef0ab532c6e8998 ls -hl /root/buildinfo/content_manifests/
-rw-rw-r-- 1 root root 368 Jul 18 15:53 ubi9-minimal-container-9.4-1194.json

➜ docker run -it --rm registry.access.redhat.com/ubi9-minimal@sha256:73f7dcacb460dad137a58f24668470a5a2e47378838a0190eef0ab532c6e8998 cat /root/buildinfo/content_manifests/ubi9-minimal-container-9.4-1194.json 
{
    "metadata": {
        "icm_version": 1,
        "icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
        "image_layer_index": 0
    },
    "content_sets": [
        "rhel-9-for-x86_64-baseos-rpms",
        "rhel-9-for-x86_64-appstream-rpms"
    ],
    "image_contents": []
}