Solve once for all the TOOMANYREQUESTS issues

[nvuillam]

Description

Hi, I'm the maintainer of MegaLinter, which heavily uses trivy in its core, but also in its own CI/CD jobs

For some weeks now, there are many fatal errors because of rate limit when downloading database, and this is impacting MegaLinter stability, at a point that we have to advise to disable trivy "until it is stable again"

init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:9eed63035e251610986ab4666a7ef45cfcf74e7f02daee94fe9958d1f7f2749b: TOOMANYREQUESTS: retry-after: 544.488µs, allowed: 44000/minute

I've read all issues & discussions about it, and all I see are workarounds

• Send GITHUB_TOKEN
• Use another image hosted on AWS

MegaLinter users can run MegaLinter on:

• GitHub Actions
• Gitlab CI
• Azure Pipelines
• Bitbucket
• Jenkins
• & many more tools

So the GITHUB_TOKEN solution does not work.
People also have existing MegaLinter config with their own arguments to call trivy, so I can't either force the AWS image to be used

The best solution I imagine is the following:

• When releasing trivy-db, host it on ghcr:trivy-db1, ghcr:trivy-db-mirror-2, ghcr:trivy-db-mirror-3, aws:trivy-db-mirror-1, aws:trivy-db-mirror-2, aws:trivy-db-mirror-3, somewhereelse:trivy-db-mirror-1, somewhereelse:trivy-db-mirror-2, somewhereelse:trivy-db-mirror-3
• Then when running trivy, try all of the DB mirrors until there is one responding

That way, Trivy would continue to work great without forcing user to implement clumsy workarounds :)

Do you think it's doable ? :)

Desired Behavior

Trivy to work perfectly everytime as before :)

Actual Behavior

If you are lucky, it work, but if you are not , it fails :/

Reproduction Steps

Call trivy from anywhere ^^

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

`init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:9eed63035e251610986ab4666a7ef45cfcf74e7f02daee94fe9958d1f7f2749b: TOOMANYREQUESTS: retry-after: 544.488µs, allowed: 44000/minute`

Operating System

Alpine & ubuntu

Version

latest

Checklist

• Run trivy clean --all
• Read the troubleshooting

[kavaka123]

I get a similar error.

GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 193.178µs, allowed: 44000/minute``

Can someone please look into this ASAP?

[AdrianKoszalka]

I am experiencing the same problem, even after upgrading to version 0.56.1:

2024-10-08T10:08:02Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 146.925µs, allowed: 44000/minute

After running my CI/CD pipeline 8 times, it finally worked, but repeatedly rerunning it shouldn't be the solution.

[AtomicFS]

Exactly the same problem here

[knqyf263]

The rate limits are applied per organization, so creating a new repository (e.g., aquasecurity/trivia-db-mirror) does not help. Creating a new organization (e.g., aqua-trivy/trivy-db-mirror) may help to get around the limit, but we are not sure if creating another organization just to work around the rate limits is allowed under the terms of the service, and we are checking with GitHub (cc: @itaysk).

This is happening just because Trivy has too many users and reached the rate limits. The same problem could occur in other registries. We are trying to find a way, but currently, the only ways are to use ECR Public (we're still evaluating ECR Public, though) or self-host DBs on another registry, including a separate GitHub organization like this.

[nvuillam]

@knqyf263 thanks for your reply but... trivy is a security tool, you can not seriously ask users to self-host the list of vulnerabilities 🥹

Or to use mirrors not managed by trivy team, that would add security risks to a security tool 🥹

If ECR hosting is stable, it should be called by default: this is not for a user to decide which trivy vuln database to use, but for trivy to enforce to its users which database to use 🥹

[knqyf263]

trivy is a security tool, you can not seriously ask users to self-host the list of vulnerabilities 🥹

Why not?
Please don't forget that it's a temporary solution until we find a way.

[EdKingscote]

I agree with @knqyf263 - especially for everyone relying on the open source tooling and not paying to cover the costs of ensuring access.

I agree that provenance validation for the databases is on the critical path, but replicating from a known good source announced by the team to a private registry that is in the control of the consumer helps to mitigate the load concerns and isn't any worse than what exists today.

Of course consuming anything from unknown random mirrors without validation is always a risk - and the deeper question is how does Trivy itself validate the vulnerability databases it is fetching and using - I haven't looked, but if it doesn't, then the well could always be poisoned and that is the much deeper concern to address.

[nvuillam]

I am myself maintainer of MegaLinter which is free and open source tool: this is not about open source or not, this is about breaking changes, security and ease of use :)

MegaLinter works because it's easy to setup and configure, if tomorrow I force my thousands of users to mirror docker images so it continues to work, they'll be very unhappy, even if they don't pay 🙃

[psibre]

Over the past 1-2 days, I've started seeing CI/CD scan job failures with this error as well in our on-prem infrastructure (with a GitLab Runner using the Kubernetes executor). A big difference is that we scan via a Trivy server deployment (using the Trivy Helm chart), so the errors don't arise from pulling Java DBs, etc.
Instead the failures I've seen come from hitting the GHCR when running scan client jobs with the image: ghcr.io/aquasecurity/trivy (implicit latest tag). Pipelines where the image is tagged don't fail, because that image is already available locally.
I suspect that GitHub is counting HEAD requests which check for the latest image, unlike Docker Hub (see docs).

[psibre]

Actually, inspecting our Trivy server deployment logs, I'm also seeing some errors there, of the sort discussed above, e.g.,

INFO    Updating DB...                                                                                                           │
INFO    Downloading vulnerability DB...                                                                                          │
INFO    Downloading artifact...    repo="ghcr.io/aquasecurity/trivy-db:2"
ERROR    Failed to download artifact    repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 934.422µs, allowed: 44000/minute\n\n"

But this doesn't break our scans, since the old DB etc. is still available in the Trivy server.

[kimdre]

I set up a new deployment for trivy but the operator won't work because every single image pull attempt fails for me with TOOMANYREQUESTS :(

[mwager]

Same errors in our GitLab pipelines. v0.56.1

@knqyf263 Any info/docs on how exactly to configure trivy to do the workaround you mentioned (ECR)? Or better to wait?

[nvuillam]

This is a workaround, not a solution , because it still requires to change the same way all calls to trivy in the whole universe :/
Such behaviour should be by default without users needing to change the calls :/

[ErikLundJensen]

The Trivy Operator helm chart does not support multiple repositories. Is it acceptable to use only public.ecr.aws/aquasecurity/trivy-db and public.ecr.aws/aquasecurity/trivy-java-db ?

[williamwissemann]

@ErikLundJensen Yeah, using one is just fine; the CLI commands were updated to accept a priority list, so supplying both just tells it to try ghcr.io first and fall back to public.ecr.aws.

      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])

3562529#diff-7bfcac56497a113e6a3d15e967ba52d22a30c232a0b641728eda7dc85fe32137R32

[jakob-o]

Trivy version: aquasec/trivy:0.56.2

Setting these variables seems not to have worked, the fallback is not used in our case:

trivy  --cache-dir .trivy-cache --format cyclonedx --output sbom-cyclonedx.json image <redacted>
2024-10-21T08:00:40Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-21T08:00:40Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-21T08:00:40Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-java-db:1"
2024-10-21T08:00:40Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-java-db:1"
2024-10-21T08:00:40Z	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-10-21T08:00:42Z	INFO	[javadb] Downloading Java DB...
2024-10-21T08:00:42Z	INFO	[javadb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-java-db:1"
2024-10-21T08:00:42Z	WARN	See https://aquasecurity.github.io/trivy/v0.56/docs/references/troubleshooting#db
2024-10-21T08:00:50Z	FATAL	Fatal error	image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:35c603a570d0a3078eeabfe116af92db8c1cb900a66061928ee6110b178dfe58): post analysis error: post analysis error: Unable to initialize the Java DB: Java DB update failed: OCI artifact error: failed to download Java DB: failed to download artifact from ghcr.io/aquasecurity/trivy-java-db:1: OCI repository error: 2 errors occurred:
	* GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-java-db%3Apull&service=ghcr.io: DENIED: denied
	* GET https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1: TOOMANYREQUESTS: retry-after: 1.042127ms, allowed: 44000/minute

[xrstf]

williamwissemann's suggested workaround works fine for us.

docker run \
  --rm \
  -v "$(realpath .):/opt/src" \
  -v /run/docker.sock:/var/run/docker.sock \
  -v /tmp/trivy-cache:/cache \
  -e "TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db" \
  -e "TRIVY_JAVA_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-java-db" \
  -w /opt/src \
  aquasec/trivy:0.56.2 --cache-dir /cache image --quiet "$image"

Et voilà.

[chriskellyrelay]

Just adding my context: We're moving to using private AWS ECR Pull Through Caches for containers so that we have more visibility into the containers that are running, and so that we can disconnect environments where things are running from having public internet access. I'd love if a job running trivy could do everything it needs to do, without connecting to the public internet.

AWS requires credentials to set up these caches for the upstream, and does sane things with ratelimiting.

I was already working to have trivy pull things through caches instead of "upstream", but there is different config required for each of the different ways of using trivy (config, image, etc).

I'd be totally happy for trivy to have a single configuration method for "use_this_repo" to allow us to maintain our own cache, but it'd be even better to have a aquasec/trivy-with-vuln-db:latest that I could pull, that includes the up-to-date vuln db, and doesn't require pulling a db OCI image to run. Maybe you could set this up and require authenticated pulls for this one, and keep an eye on any bad actors?

[pankajmouriya]

@chriskellyrelay
I did some digging while looking for a solution for my org. I do have few questions around ECR Pull through cache

• Do you plan to use semantic version instead of tags like Latest/Stable for a image?
• If you plan to use Semantic version image:0.0.0. How will AWS ECR Pull through cache update that? I did not see a single document mentioning or not mentioning that anywhere. I did a run myself and it does not and can not pull updates for new tags
• What made to stick to tags like Latest? Don't you think its not always great to use such tags as they may break your pipeline someday and then you won't have a solution apart from waiting for the Latest image to have new updates?

[chriskellyrelay]

It's a complex thing. latest seems to be a fine approach for vuln db for this. Yep, sometimes the pipeline breaks -> you just have to fix it either by fixing the vulns or adding ignore rules. We generally use "major" version pins which seem to break pipeline less (e.g. vendor:1-alpine vendor:1.2.3-alpine)

[psibre]

I'd like to add one more aspect that was touched upon but not made explicit by several comments above. If registries like GHCR and ECR make it difficult for Trivy users to access the DBs during high load, then why not ensure that the latest DB images are also hosted on Docker Hub? When they started their rate limiting nearly four years ago, the tooling and hosting ecosystem quickly adapted and introduced features like Harbor's Proxy Cache, GitLab's Dependency Proxy, and others, which are designed to mitigate upstream registry rate limiting, but work specifically and exclusively with Docker Hub at the moment, and not with GHCR etc.
This would be another viable workaround, if only the Trivy maintainers would push the DB images to Docker Hub. Alas, https://hub.docker.com/r/aquasec/trivy-db has not been updated since early 2023, and the Java DB image does not even exist there...
The main Trivy images get updated on Docker Hub with every release, so why not push the DB images daily as well?

[knqyf263]

aquasecurity/trivy-db#441

[cgoea]

Have the same problem but with the bundle-checks repository when running misconfiguration.
[misconfig] Misconfiguration scanning is enabled
2024-10-14T14:40:04Z INFO Need to update the built-in policies
2024-10-14T14:40:04Z INFO Downloading the built-in policies...
2024-10-14T14:40:05Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/0: TOOMANYREQUESTS: retry-after: 256.419µs, allowed: 44000/minute\n\n"
As far as I can tell there is no environment variable for it.

[simar7]

With misconfiguration scanner, the checks bundle is embedded within Trivy. While its not ideal that it fails to download latest, the scan will still be successful with the embedded version of the checks that Trivy contains.

[aonan-wyze]

It will failed, can we have a ecr mirror for trivy-checks?

[phyzical]

aquasecurity/trivy-checks#262

[cantonnetwork-infstones]

I am using the helm chart to deploy the operator on EKS and pointing to the AWS ECR for images and vulnerability DBs. For some reason, it still keeps going to ghcr.io. The CM seems to have been updated properly though.

Below is my values.yml

  # -- createConfig indicates whether to create config objects
  image:
    registry: "public.ecr.aws"
    tag: latest
  dbRegistry: "public.ecr.aws"
  dbRepository: "aquasecurity/trivy-db"

  javaDbRegistry: "public.ecr.aws"
  javaDbRepository: "aquasecurity/trivy-java-db"

And below is the error I am seeing still

{"level":"error","ts":"2024-10-15T23:30:12Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:cba49b6781cfcdeb6b063283a711ce0ddb1f36d6e2a5db69ef7d2e3f13998149: TOOMANYREQUESTS: retry-after: 725.597µs, allowed: 44000/minute","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).loadPolicies\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:144\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).Hash\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:114\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*ResourceController).SetupWithManager.(*ResourceController).reconcileResource.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/resource.go:208\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:222"}
{"level":"error","ts":"2024-10-15T23:30:14Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:cba49b6781cfcdeb6b063283a711ce0ddb1f36d6e2a5db69ef7d2e3f13998149: TOOMANYREQUESTS: retry-after: 501.841µs, allowed: 44000/minute","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).loadPolicies\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:144\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).Hash\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:114\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*ResourceController).SetupWithManager.(*ResourceController).reconcileResource.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/resource.go:208\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:222"}

[kimdre]

You are specifying the wrong path in your values. To adjust the registry for trivy-checks use these:

Key	Type	Default	Description
policiesBundle.insecure	bool	false	insecure is the flag to enable insecure connection to the policy bundle registry
policiesBundle.registry	string	"ghcr.io"	registry of the policies bundle
policiesBundle.registryPassword	string	nil	registryPassword is the password for the registry
policiesBundle.registryUser	string	nil	registryUser is the user for the registry
policiesBundle.repository	string	"aquasecurity/trivy-checks"	repository of the policies bundle
policiesBundle.tag	int	0	tag version of the policies bundle

[kimdre]

Most people here are talking about issues with the trivy-db image, however I'm using the operator in Client-Server mode (operator.builtInTrivyServer: true) and I also have this problem with the trivy-checks image, which has no images/tags published on aws ecr. https://gallery.ecr.aws/aquasecurity/trivy-checks

[phyzical]

@knqyf263 any chance this image can get pushed up too?

would you be open to a pr in checks that replicates this? https://github.com/aquasecurity/trivy-db/pull/440/files

Or is there other behind the scenes reasoning to these images not yet being hosted?

[phyzical]

Ah infact an open pr exists already aquasecurity/trivy-checks#262

[major2323]

i have the same issue with latest trivy version while executing stage with jenkins pipeline:
TOOMANYREQUESTS: retry-after: 256.419µs, allowed: 44000/minute\n\n"

[Mo0rBy]

This is still an issue for me and my team.

We updated all commands in our CI/CD scripts to specify the AWS ECR (--db-repository public.ecr.aws/aquasecurity/trivy-db) as the repository to pull from, rather that the default "ghcr.io", however it still looks like the request is being redirected to https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1.

This tool is a critical part of our CI processes and it is very difficult for us to remove it.

Are there any other workarounds for this issue that we can try?
Or how long will it take to publish a fix for this problem?

[resamaraschi]

This is still an issue for me and my team.

We updated all commands in our CI/CD scripts to specify the AWS ECR (--db-repository public.ecr.aws/aquasecurity/trivy-db) as the repository to pull from, rather that the default "ghcr.io", however it still looks like the request is being redirected to https://ghcr.io/v2/aquasecurity/trivy-java-db/manifests/1.

This tool is a critical part of our CI processes and it is very difficult for us to remove it.

Are there any other workarounds for this issue that we can try? Or how long will it take to publish a fix for this problem?

you may have forget setting --java-db-repository as well. Basically :

--db-repository public.ecr.aws/aquasecurity/trivy-db and -java-db-repository public.ecr.aws/aquasecurity/trivy-java-db

[Mo0rBy]

Ah theres a different flag for the Java DB! My bad, I'll try that out.

[daehiff]

This is still an issue for us.
We also used the TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db, but there the request failed due to a:

OCI repository error: 1 error occurred:\n\t* GET https://public.ecr.aws/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: Data limit exceeded\n\n

Is there any timeline of when this issue will actually be solved?

[nikpivkin]

@daehiff You've reached your limit as an anonymous user. Try authenticating for ECR.

[daehiff]

Thanks for the quick response. Can I reach this limit when being authenticated?

[daehiff]

@nikpivkin so we used an aws account, but still ran into the same rate limit. This is quite blocking for us, is there any other option asides from rotating accounts?

[miguno]

Even with the workaround of setting TRIVY_DB_REPOSITORY, we still see frequent failures both locally as well as in CI.

Example command:

$ TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db trivy fs .

The failures happen with both and with only one of the repos enabled:

• TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
• TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db
• TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db

Failure example:

2024-10-25T13:25:22+02:00       INFO    Loaded  file_path="trivy.yaml"
2024-10-25T13:25:22+02:00       INFO    [vulndb] Need to update DB
2024-10-25T13:25:22+02:00       INFO    [vulndb] Downloading vulnerability DB...
2024-10-25T13:25:22+02:00       INFO    [vulndb] Downloading artifact...        repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-25T13:25:22+02:00       ERROR   [vulndb] Failed to download artifact    repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 924.795µs, allowed: 44000/minute\n\n"
2024-10-25T13:25:22+02:00       FATAL   Fatal error     init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
ERROR: One or more vulnerability scans failed.

Trivy version:

$ trivy --version
2024-10-25T13:39:25+02:00       INFO    Loaded  file_path="trivy.yaml"
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-25 06:16:24.134613424 +0000 UTC
  NextUpdate: 2024-10-26 06:16:24.134613063 +0000 UTC
  DownloadedAt: 2024-10-25 11:33:33.169512 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-21 02:52:13.021715717 +0000 UTC
  NextUpdate: 2024-10-24 02:52:13.021715596 +0000 UTC
  DownloadedAt: 2024-10-21 15:42:53.42322 +0000 UTC

[miguno]

$ trivy --version
2024-10-25T13:39:25+02:00       INFO    Loaded  file_path="trivy.yaml"
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-25 06:16:24.134613424 +0000 UTC
  NextUpdate: 2024-10-26 06:16:24.134613063 +0000 UTC
  DownloadedAt: 2024-10-25 11:33:33.169512 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-21 02:52:13.021715717 +0000 UTC
  NextUpdate: 2024-10-24 02:52:13.021715596 +0000 UTC
  DownloadedAt: 2024-10-21 15:42:53.42322 +0000 UTC

Updated original comment.

[nikpivkin]

If you specify multiple repositories, Trivy will try to load them all. You have only one repository in your logs.

2024-10-25T17:40:18+06:00       INFO    [vulndb] Downloading vulnerability DB...
2024-10-25T17:40:18+06:00       INFO    [vulndb] Downloading artifact...        repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-25T17:40:19+06:00       ERROR   [vulndb] Failed to download artifact    repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 722.467µs, allowed: 44000/minute\n\n"
2024-10-25T17:40:19+06:00       INFO    [vulndb] Trying to download artifact from other repository...
2024-10-25T17:40:19+06:00       INFO    [vulndb] Downloading artifact...        repo="public.ecr.aws/aquasecurity/trivy-db:2"
54.81 MiB / 54.81 MiB [-----------------------------------------------------------------------------] 100.00% 5.50 MiB p/s 10s
2024-10-25T17:40:32+06:00       INFO    [vulndb] Artifact successfully downloaded       repo="public.ecr.aws/aquasecurity/trivy-db:2"

[miguno]

Interesting, because that's not how trivy behaves here.

TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db trivy fs .
2024-10-25T13:24:18+02:00       INFO    Loaded  file_path="trivy.yaml"
2024-10-25T13:24:18+02:00       INFO    [vulndb] Need to update DB
2024-10-25T13:24:18+02:00       INFO    [vulndb] Downloading vulnerability DB...
2024-10-25T13:24:18+02:00       INFO    [vulndb] Downloading artifact...        repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-25T13:24:19+02:00       ERROR   [vulndb] Failed to download artifact    repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 599.92µs, allowed: 44000/minute\n\n"
2024-10-25T13:24:19+02:00       FATAL   Fatal error     init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
ERROR: One or more vulnerability scans failed.

Note how the command enables two repositories, yet trivy terminates after the first one fails to download.

[miguno]

Ok, this was a false positive. Your comment #7668 (reply in thread) pointed me in the right direction. In our case, trivy is run in a scripted setup. There was a problem that the TRIVY_DB_REPOSITORY variable got scrambled, which resulted in "losing" the second repository in the list.

This is now fixed in our setup, and if ghcr.io/aquasecurity/trivy-db fails to download, trivy will now correctly attempt to download from the second repo.

Sorry for the false report, and thanks a lot for your help to resolve this!

[nikpivkin]

I run Trivy in a similar way: TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db trivy fs . -d

Is it in your logs?

2024-10-25T17:40:18+06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-25T17:40:18+06:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="public.ecr.aws/aquasecurity/trivy-db:2"

[abkrishnan-95]

Hello @nikpivkin
I am getting the following error while trying to use multiple db-repos
TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db trivy image tomcat:latest 2024-10-21T06:53:06+05:30 FATAL Fatal error flag error: db flag error: invalid db repository: could not parse reference: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

Could you please guide me on this?

[nikpivkin]

What version are you using? Support for multiple repositories was added in 0.56.0

[zfLQ2qx2]

A lot of this doesn't make sense to me, my guess is the whole reason the databases are being distributed like this, is its some scheme to avoid paying transit costs, that has obviously broken down now that GitHub is rate limiting. This would probably have been better done by distributing the file via HTTP, via a good CDN like Cloudflare, where there are better tools for caching available. My workaround is to use an AWS ECR pull-through cache rule:

UpstreamRegistryType: github-container-registry
UpstreamRegistryUrl: ghcr.io
EcrRepositoryPrefix: github
RegistryUsername: <github_user_name>
RegistryPassword: <github_access_token>

You just need the public_repo permission on the GitHub access token, and the token is required, but unfortunately having a token doesn't get you past the rate limit, because thats being imposed on the aquasecurity organization.

One you have created the cache rule you need to "prime the pump" since you may be rate limited several times before getting a successful pull. When successful, you will see the message: "unsupported mediatype application/vnd.oci.empty.v1+json" because the Docker tools do not know how to parse these particular container images. If you are interested in inspecting the contents, use the command docker manifest inspect <uri>.

aws ecr get-login-password --profile <your_aws_profile> --region <your_aws_region> | \
docker login --username AWS --password-stdin <accountid>.dkr.ecr.<region>.amazonaws.com

docker pull <accountid>.dkr.ecr.<region>.amazonaws.com/github/aquasecurity/trivy-db:2
docker pull <accountid>.dkr.ecr.<region>.amazonaws.com/github/aquasecurity/trivy-java-db:1

 
When successful you will have new ECR repos in your account, github/aquasecurity/trivy-db and github/aquasecurity/trivy-java-db, containing the images. Future requests to the repos will try to check the upstreams for changes, but if no changes or if a rate limit response is received you'll get the local copy. If there are changes they'll be mirrored to your local repo.

Once the images exist you can do something like:

trivy image \
--db-repository <accountid>.dkr.ecr.<region>.amazonaws.com/github/aquasecurity/trivy-db \
--java-db-repository <accountid>.dkr.ecr.<region>.amazonaws.com/github/aquasecurity/trivy-java-db \
--scanners vuln,secret \
--format json \
<imaeuri>:<imagetag>

And you have to repeat that for every account/region combo where you need it because cross-account/cross-region access to ECR seems to be hard or not supported.

But this is a PITA to have to set up and maintain so longer term I think aquasecurity ought to re-think if this overly elaborate scheme to distribute tar files is really the right way.

[SharkMachine]

I get this error on CI even when the last run was a day ago. Maybe it's time to setup mirrors instead of just relying on GitHub. I'm up for hosting one.

[nvuillam]

cc @knqyf263 , a good samaritan offers to host a mirror :)

[resamaraschi]

My workaround for those with their own OCI compatible image registry (such as harbor).
nightly pipeline to mirror copy the OCI artifact using oras command ( with retry in case it hits the ghcr.io limit):

oras cp ghcr.io/aquasecurity/trivy-db:latest --to-password xxxx --to-username=xxx yourharbor.io/project-x/aquasecurity/trivy-db:latest
#same for trivy-java-db:
oras cp ghcr.io/aquasecurity/trivy-java-db:1 --to-password xxxx --to-username=xxx yourharbor.io/project-x/aquasecurity/trivy-java-db:latest

yourharbor.io/project-x should not be proxy cache and rather a normal project in harbor (since harbor proxy cache did not work correctly, at least for us). With that you have always a hard copy of trivy-db in your infrastructure.
Why oras?
oras cp takes care of copying OCI artifact as it is (you don't need to take care of correct config, manifest as required by OCI specification )

oras doc: https://oras.land/docs/commands/oras_cp/

[akcrisp]

Just to add my feedback, in order to be able to pull down from the aws ecr I had to do a firewall request. Which worked. but its now failing on trying to pull down one of the layers of the image - (snippet from the error) -

oci download error: failed to fetch layer : GET https://d2glxk2uabbnd.cloudfront.net/.....

now clearly that url is blocked at present.

Now this isn't an issue I have seen before with the normal trivy db download... So any explanation or indeed expectation around additional firewall permissions be useful..

That said I think I'll just implement what @resamaraschi has done above.

[sbirl]

Tagging my discussion because @miguno said above

This is now fixed in our setup, and if ghcr.io/aquasecurity/trivy-db fails to download, trivy will now correctly attempt to download from the second repo.

but that doesnt seem to be case from what Ive seen in my personal git pipeline.

[hectoralicea]

Still getting this error as of today.

+ trivy image --input /home/jenkins/agent/workspace/DevOps/ansible-builder/image.tar --timeout 50m0s --format table --output scan-results.txt
2024-11-01T22:14:25Z	INFO	[vulndb] Need to update DB
2024-11-01T22:14:25Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-01T22:14:25Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-01T22:14:26Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:0dd3d0356593ec0a74166ced15efd5cd7903a8a76c146d2627dbf7808950c494: TOOMANYREQUESTS: retry-after: 594.735µs, allowed: 44000/minute"
2024-11-01T22:14:26Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
	* oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:0dd3d0356593ec0a74166ced15efd5cd7903a8a76c146d2627dbf7808950c494: TOOMANYREQUESTS: retry-after: 594.735µs, allowed: 44000/minute

[nvuillam]

Same

[AB-xdev]

Can someone please cleanup this discussion?
There is a lot of "I have the same error"-replies or even false positives. Please hide them.

Finding the actual solution/workaround from #7668 (reply in thread) is quite hard...

[nvuillam]

Such workaround doesn't always work, and is just a workaround, not a fix :/

[AB-xdev]

The workaround works fine for me when not downloading from GitHub as primary.
We use AWS -> DockerHub -> GHCR:

TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

[AB-xdev]

Additional note: There is a PR in progress that aims to fix these problems: #7679

[nvuillam]

It is 28 days old, do we have an ETA ? :)

[muhammedsaidkaya]

I encountered the same issue while using GitHub Actions. Caching the Trivy database in the GitHub Workspace and reusing it during the scan process resolved the problem for me.

Here's the caching guide: https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch

[miguno]

We are using this setup now, too. That is, 1x workflow to download and cache the Trivy vulnerability database(s), and 1x workflow to run the actual scans using the cached database(s). The caching guide link explains this setup in copy-pastable detail.

[nvuillam]

Works only on github :/

[PapaPeskwo]

This worked the first day but started failing the second day... seems like it still tries to pull, even though we used the caching example (and see that it has cached the database?)

[crazy-matt]

Same as @PapaPeskwo, I cached and thought "yeah problem solved". Until a few mins ago, I got again the TOOMANYREQUESTS: retry-after: 58.531µs, allowed: 44000/minute.
It fails now only when the DB cache need to be refreshed.

[apino]

2024-11-07T16:28:02Z INFO [vulndb] Need to update DB 2024-11-07T16:28:02Z INFO [vulndb] Downloading vulnerability DB... 2024-11-07T16:28:02Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2" 2024-11-07T16:28:02Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 394.[52](https://gitlab.com/...#L52)3µs, allowed: 44000/minute\n\n" 2024-11-07T16:28:02Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred: * OCI repository error: 1 error occurred: * GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 394.523µs, allowed: 44000/minute Uploading artifacts for failed job 00:00 Uploading artifacts...

Same issue with GitlabCI, this is starting to get very problematic.

[hectoralicea]

TOOMANYREQUESTS error is also happening to me today.

[kevin-secops-lt]

Jenkins Pipeline: Same issue.....

Why not have a user create a free user account, confirm email. and then distribute a token ? Attach the token to the ENV variables and have trivy pick it up..

16:29:41 2024-11-12T13:29:41-08:00 INFO [vulndb] Need to update DB
16:29:41 2024-11-12T13:29:41-08:00 INFO [vulndb] Downloading vulnerability DB...
16:29:41 2024-11-12T13:29:41-08:00 INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
16:29:42 2024-11-12T13:29:42-08:00 ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:23b49011a746526d67a8bda0edbbbfcd65a55fc5910ad665973888fe90d6f946: TOOMANYREQUESTS: retry-after: 1.106172ms, allowed: 44000/minute"
16:29:42 2024-11-12T13:29:42-08:00 FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
16:29:42 * oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:23b49011a746526d67a8bda0edbbbfcd65a55fc5910ad665973888fe90d6f946: TOOMANYREQUESTS: retry-after: 1.106172ms, allowed: 44000/minute

[apino]

@DmitriyLewen What do you suggest if someone is using a pipeline in GitLab or Jenkins and this issue is occurring more frequently?

[Darwiner]

The "quick" workaround has been suggested above already - #7668 (reply in thread).

• The reality being that "most" requests are being done by default towards GHCR and hitting the rate-limit, the "solution" is simply to point your instance to using ECR instead (which, not being the default "should" probably be fine for a while and not run into it's own rate-limit issues...).

• If you're looking for a more "solid" workaround, then you'd need to setup a pipeline to mirror trivy-db/trivy-java-db/trivy-checks to your own private repository and then point your trivy checks to use those instead.

[kevin-secops-lt]

@Darwiner - would aws pull through cache mechanism work? Use GHCR as the upstrea url?

And then I can point my trivy to use this instead?

[Darwiner]

@Darwiner - would aws pull through cache mechanism work? Use GHCR as the upstrea url?

And then I can point my trivy to use this instead?

I haven't tried it, but according to a few comments above, it does seem like it could/should work.

[kevin-secops-lt]

can confirm it worked:

1. add ecr pull through cache with github (you're going to need classic tokens for this), add the secrets
2. create the namespace, in my scenario I used - ghcr-security
3. run this command locally to get the image connected with up-stream (${AWS_ACCOUNT}.dkr.ecr.us-west.amazonaws.com/ghcr-security/aquasecurity/trivy-db:latest)
4. Add the to the ENV variables: (TRIVY_DB_REPOSITORY= '${AWS_ACCOUNT}.dkr.ecr.us-west-2.amazonaws.com/ghcr-security/aquasecurity/trivy-db:latest')

The only "Issue" with this is that you'll need to create a jenkins job to run step 3 every 6 hours or so because pull-through cache isn't smart enough to monitor the ghcr repository for changes and automatically pull the latest image.

[DmitriyLewen]

Hi all, we found 1 more way - #7538 (comment)

[knqyf263]

v0.57.1 with mirror.gcr.io is out. See #7938 for details. Please bump Trivy up to v0.57.1+ and let us know if you still face the same issue.

[PapaPeskwo]

been using it for a few days now and seems to work. thx

[nvuillam]

@knqyf263 please would it be possible to merge my PR in trivy-action , so the fix is applicable to the github action ?
aquasecurity/trivy-action#433