trivy k8s: --timeout flag #6304

Open
2 tasks done
chen-keinan opened this issue Mar 12, 2024 Discussed in #6260 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@chen-keinan
Contributor

Discussed in #6260

Originally posted by vintury March 4, 2024

Description

When the flag '--timeout' is used, the scan doesn't finish within the selected timeout.
I'm guessing the problem is caused by containers not being able to download.

Desired Behavior

A few days later I see that the process is still running.

# ps aux | grep trivy
gitlab-+  22693  0.0  2.3 7965560 188940 ?      Sl   Mar02   3:17 ./trivy -q k8s -n namespace all -q -f table --report summary --timeout 160m
# date
Mon Mar  4 13:24:45 +05 2024

Scan doesn't finish after 160m.

Actual Behavior

Stop process after timeout exists.

Reproduction Steps

1. Create a namespace with a few thousand pods. I have about 280 Pods and 738 images (86 from dockerhub).
2. Run trivy k8s with flag --timeout 160m
3. Scan doesn't finish after 160m.

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

# trivy k8s -n namespace all -f table --report summary --timeout 160m --debug
2024-03-04T11:46:13.604+0300	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-04T11:46:13.605+0300	DEBUG	Ignore statuses	{"statuses": null}
2024-03-04T11:46:42.060+0300	DEBUG	cache dir:  /Users/user/Library/Caches/trivy
2024-03-04T11:46:42.061+0300	DEBUG	DB update was skipped because the local DB is the latest
2024-03-04T11:46:42.061+0300	DEBUG	DB Schema: 2, UpdatedAt: 2024-03-04 06:25:04.681863889 +0000 UTC, NextUpdate: 2024-03-04 12:25:04.681863277 +0000 UTC, DownloadedAt: 2024-03-04 08:45:26.675897 +0000 UTC
46.13 KiB / 46.13 KiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
49 / 238 [----------------------------------------------->______________________________________________________________________________________________________________________________________________________________________________________] 20.59% 0 p/s

Operating System

CentOS Linux release 7.9.2009 (Core)

Version

# ./trivy --version
Version: 0.49.1

Checklist

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning labels Mar 12, 2024
@chen-keinan
Contributor Author

chen-keinan commented Mar 13, 2024

@vintury has this been running in a CI pipeline?
I have made a simple test on a local cluster (kind) and it did respect the timeout

trivy k8s cluster --report summary --timeout 0m5s

Do you mind doing the same test on a local cluster and letting me know the results?

@vintury

vintury commented Mar 26, 2024

# trivy k8s cluster --report summary --timeout 0m5s
2024-03-26T20:49:19.388+0300	FATAL	get k8s artifacts with node info error: .spec.template.spec.initContainers accessor error: <nil> is of the type <nil>, expected []interface{}

but I think this is not related to my problem

@chen-keinan
Contributor Author

# trivy k8s cluster --report summary --timeout 0m5s
2024-03-26T20:49:19.388+0300	FATAL	get k8s artifacts with node info error: .spec.template.spec.initContainers accessor error: <nil> is of the type <nil>, expected []interface{}

but I think this is not related to my problem

This issue should be fixed with the latest trivy.
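A check an operator could run against process listings like the `ps` output in the original post, flagging trivy processes that have outlived their own `--timeout`. This is an added example, not code from the Trivy project or from the posters. The `ps -eo pid=,etimes=,args=` input shape, the sample rows and their elapsed values are constructed, and it assumes `--timeout` values parse as Go durations.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample shaped like `ps -eo pid=,etimes=,args=` output
// (PID, elapsed seconds, command line); the elapsed values are made up.
const samplePS = `22693 176400 ./trivy -q k8s -n namespace all -q -f table --report summary --timeout 160m
 3011 3 trivy k8s cluster --report summary --timeout 0m5s
 4100 900 /usr/bin/trivy k8s cluster --timeout=5s
 5000 999999 grep trivy`

// Overrun is a trivy process that has outlived its own --timeout value.
type Overrun struct {
	PID              int
	Timeout, Elapsed time.Duration
}

// findOverruns returns trivy processes running longer than --timeout+grace.
// Assumption: --timeout values use Go duration syntax ("160m", "0m5s").
func findOverruns(psOutput string, grace time.Duration) (out []Overrun) {
	for _, line := range strings.Split(psOutput, "\n") {
		f := strings.Fields(line)
		var pid, secs int
		if n, _ := fmt.Sscan(line, &pid, &secs); n < 2 || len(f) < 4 || !strings.HasSuffix(f[2], "trivy") {
			continue // malformed row, or the command is not a trivy binary
		}
		for i, a := range f[3:] {
			val := strings.TrimPrefix(a, "--timeout=")
			if a == "--timeout" && i+4 < len(f) {
				val = f[i+4] // value is the next argument
			} else if val == a {
				continue // not a --timeout argument
			}
			limit, err := time.ParseDuration(val)
			if elapsed := time.Duration(secs) * time.Second; err == nil && elapsed > limit+grace {
				out = append(out, Overrun{pid, limit, elapsed})
			}
			break
		}
	}
	return out
}

func main() { fmt.Println(findOverruns(samplePS, time.Minute)) }
```

The grace period absorbs normal shutdown time, so only processes that clearly ignored their deadline are reported.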
