bug(db): When several parallel Trivy processes download trivy-db - situation may arise when some processes will use empty trivy-db #8454

Closed
@DmitriyLewen

Description

There is a case when Trivy uses an empty trivy-db.
This happens when 2 (or more) Trivy processes copy trivy.db files to the cache dir at the same time.
In this case, the 2nd Trivy thinks trivy-db is broken and recreates the database:
https://github.com/aquasecurity/trivy-db/blob/e912a576cd8ecca3ae1e9305ff76bc3fb6dae3a5/pkg/db/db.go#L87-L90

You can read more about this case and reproduction steps in #7758 (reply in thread)

Solutions

  • remove broken trivy-db and return error
  • check trivy.db and metadata.json files in NeedsUpdate (to avoid the case where Trivy sees a valid metadata.json file and uses an empty trivy-db).

Discussed in #7758
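
One way to implement the second proposed solution, as an added example (not code from Trivy or from the issue author): `needsUpdate` accepts the cache only when both files are usable, and, going beyond the issue text, `install` publishes each file by rename with `metadata.json` last. The function names are hypothetical, and "empty" is approximated as a zero-length file, which would not catch a recreated database that is non-empty on disk.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// File names come from the issue; the function names are hypothetical.
const dbFile, metaFile = "trivy.db", "metadata.json"

// needsUpdate is true unless BOTH files are usable; "empty" is assumed to mean zero-length.
func needsUpdate(dir string) bool {
	raw, err := os.ReadFile(filepath.Join(dir, metaFile))
	if err != nil || !json.Valid(raw) {
		return true
	}
	st, err := os.Stat(filepath.Join(dir, dbFile))
	return err != nil || !st.Mode().IsRegular() || st.Size() == 0
}

// publish writes a temp file in dir and renames it, so no half-copied file is visible.
func publish(dir, name string, data []byte) error {
	tmp, err := os.CreateTemp(dir, name+".tmp-*")
	if err != nil {
		return err
	}
	tmp.Close()
	defer os.Remove(tmp.Name()) // harmless once the rename has succeeded
	if err := os.WriteFile(tmp.Name(), data, 0o644); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), filepath.Join(dir, name))
}

// install publishes trivy.db first and metadata.json last (the commit marker).
func install(dir string, db, meta []byte) error {
	if err := publish(dir, dbFile, db); err != nil {
		return err
	}
	return publish(dir, metaFile, meta)
}

func main() {
	dir, _ := os.MkdirTemp("", "cache") // constructed sample cache directory
	defer os.RemoveAll(dir)
	fmt.Println(needsUpdate(dir), install(dir, []byte("db"), []byte(`{}`)), needsUpdate(dir))
}
```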

Labels

kind/bug (Categorizes issue or PR as related to a bug.), scan/vulnerability (Issues relating to vulnerability scanning)
