Container image scan fails due to missing files

[adsick]

Question

Hello, there is an issue - Ubuntu image scan fails seemingly because of the missing /home/ubuntu/.* files (e.g. .bash_logout). Quite strangely it only reproduces on one concrete vm, I was unable to reproduce it in my environment by deleting all of the files from /home/ubuntu to match those of my colleague. In his env the issue is persistent though.

I would like to know why it may happen.

We are simply scanning an Ubuntu image (which may be a little messed up).
Another note: we are scanning images from inside a docker container. I doubt it's important (other stuff scans just fine).

Here is a debug log output.

 /usr/bin/trivy image --offline-scan --skip-db-update --skip-java-db-update --format cyclonedx --debug 17c0145030df106e60e5d99149d69810db23b869ff0d3c9d236279a5a7bbb6b3
2024-12-30T14:26:58Z	DEBUG	No plugins loaded
2024-12-30T14:26:58Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-30T14:26:58Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-12-30T14:26:58Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-12-30T14:26:58Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-30T14:26:58Z	DEBUG	Ignore statuses	statuses=[]
2024-12-30T14:26:58Z	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-12-30T14:26:58Z	DEBUG	[pkg] Package types	types=[os library]
2024-12-30T14:26:58Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-12-30T14:26:58Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-30T14:26:58Z	DEBUG	Initializing scan cache...	type="fs"
2024-12-30T14:26:58Z	DEBUG	[image] Detected image ID	image_id="sha256:17c0145030df106e60e5d99149d69810db23b869ff0d3c9d236279a5a7bbb6b3"
2024-12-30T14:26:58Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:42d3f8788282c6e48bac7236609753b240db353465dc55cb77c21f2391720dd9]
2024-12-30T14:26:58Z	DEBUG	[image] Detected base layers	diff_ids=[]
2024-12-30T14:26:58Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:17c0145030df106e60e5d99149d69810db23b869ff0d3c9d236279a5a7bbb6b3"
2024-12-30T14:26:58Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:42d3f8788282c6e48bac7236609753b240db353465dc55cb77c21f2391720dd9"
2024-12-30T14:26:58Z	FATAL	Fatal error
  - image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:386
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:260
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:615
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:158
  - analyze error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:126
  - pipeline error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:230
  - failed to analyze layer (sha256:42d3f8788282c6e48bac7236609753b240db353465dc55cb77c21f2391720dd9):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:217
  - unable to get uncompressed layer sha256:42d3f8788282c6e48bac7236609753b240db353465dc55cb77c21f2391720dd9:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:247
  - failed to get the layer (sha256:42d3f8788282c6e48bac7236609753b240db353465dc55cb77c21f2391720dd9):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.uncompressedLayer
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/image/image.go:351
  - unable to populate:
    github.com/aquasecurity/trivy/pkg/fanal/image/daemon.(*image).LayerByDiffID
        /home/runner/work/trivy/trivy/pkg/fanal/image/daemon/image.go:156
  - unable to open:
    github.com/aquasecurity/trivy/pkg/fanal/image/daemon.(*image).populateImage
        /home/runner/work/trivy/trivy/pkg/fanal/image/daemon/image.go:82
  - unable to export the image:
    github.com/aquasecurity/trivy/pkg/fanal/image/daemon.DockerImage.imageOpener.func6
        /home/runner/work/trivy/trivy/pkg/fanal/image/daemon/image.go:39
  - Error response from daemon: open /var/lib/docker/overlay2/6ddde61c9d11bdedae7b432459861c6045a39e012935b57fa9a00e9e5d768910/diff/home/ubuntu/.bash_logout: no such file or directory
 

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Operating System

Ubuntu VM

Version

0.55

[knqyf263]

Is it possible to provide an image where the problem replicates?

[adsick]

I wanted to clarify a bit - the whole /home/ubuntu dir is missing, not just dotfiles in it.

[knqyf263]

Docker even fails on the image, so is the image just broken?

[adsick]

I suppose that yes, it may be broken in one way or another, but it still runs.

[knqyf263]

Since Trivy uses Docker API under the hood, it fails on the same error. In other words, it's not a Trivy's problem. I think you should ask Docker to fix it.

[adsick]

Right, I guess it's just a broken image, thank you for your time.