Outdated vulnerability DB is used in container scanning job

Problem to solve

I set up a scheduled pipeline for scanning a Docker image a week ago.

The first and last runs of the pipeline reported no vulnerabilities, but some runs in the middle did.

After looking at the logs:

  • the scans that returned no vulnerability used a DB that was updated on 2024-11-13
  • the scans that showed some vulnerabilities used a DB that had been recently updated (less than 24 hours before the scan)
  • NB: the vulnerabilities were published on 2024-11-14.

Some excerpts of the logs:

Scan on 2024-11-25 using an outdated DB from 2024-11-13

2024-11-25T04:04:53.791014Z 01O [[34mDEBUG[0m] [2024-11-25 04:04:53 +0000] [container-scanning]  >  trivy --version
2024-11-25T04:04:54.292386Z 01O [[34mDEBUG[0m] [2024-11-25 04:04:53 +0000] [container-scanning]  >  Version: 0.56.2
2024-11-25T04:04:54.292404Z 01O Vulnerability DB:
2024-11-25T04:04:54.292408Z 01O   Version: 2
2024-11-25T04:04:54.292413Z 01O   UpdatedAt: 2024-11-13 03:56:14.106615355 +0000 UTC
2024-11-25T04:04:54.292415Z 01O   NextUpdate: 2024-11-13 09:56:14.106614905 +0000 UTC
2024-11-25T04:04:54.292419Z 01O   DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Scan on 2024-11-24 (NB: one day before the previous one) using an up-to-date DB from 2024-11-23

2024-11-24T04:04:59.863298Z 01O [e[34mDEBUGe[0m] [2024-11-24 04:04:59 +0000] [container-scanning]  >  trivy --version
2024-11-24T04:04:59.863303Z 01O [e[34mDEBUGe[0m] [2024-11-24 04:04:59 +0000] [container-scanning]  >  Version: 0.56.2
2024-11-24T04:04:59.863307Z 01O Vulnerability DB:
2024-11-24T04:04:59.863314Z 01O   Version: 2
2024-11-24T04:04:59.863316Z 01O   UpdatedAt: 2024-11-23 03:53:29.313758104 +0000 UTC
2024-11-24T04:04:59.863319Z 01O   NextUpdate: 2024-11-24 03:53:29.313757954 +0000 UTC
2024-11-24T04:04:59.863324Z 01O   DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Is this a known problem? Is there anything I can do to make sure the scan always runs with an up-to-date vulnerability DB?

Configuration

  • gitlab-runner 17.4.0
  • using the Container Scanning template - template: Jobs/Container-Scanning.gitlab-ci.yml


Versions

  • Self-managed
  • GitLab.com SaaS
  • Dedicated
  • Self-hosted Runners

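One way to catch this class of problem from the defender's side is to treat the `Vulnerability DB:` block that Trivy prints in the job log as data and fail (or at least flag) the job when the DB is older than a chosen threshold. The script below is an added example, not code from the original post, from GitLab or from Trivy. It takes the two log excerpts above as constructed sample input, parses `UpdatedAt` and `NextUpdate`, derives the scan time from the GitLab log-line prefix, and reports the DB age. The 48-hour default threshold and the `01O` prefix format are assumptions taken from the excerpts, not documented GitLab or Trivy behaviour.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two "Vulnerability DB:" excerpts from the job logs
# in the post above, with GitLab's log-line prefix ("<timestamp> 01O ") still attached.
STALE_SCAN_LOG = """\
2024-11-25T04:04:54.292404Z 01O Vulnerability DB:
2024-11-25T04:04:54.292408Z 01O   Version: 2
2024-11-25T04:04:54.292413Z 01O   UpdatedAt: 2024-11-13 03:56:14.106615355 +0000 UTC
2024-11-25T04:04:54.292415Z 01O   NextUpdate: 2024-11-13 09:56:14.106614905 +0000 UTC
2024-11-25T04:04:54.292419Z 01O   DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
"""

FRESH_SCAN_LOG = """\
2024-11-24T04:04:59.863307Z 01O Vulnerability DB:
2024-11-24T04:04:59.863314Z 01O   Version: 2
2024-11-24T04:04:59.863316Z 01O   UpdatedAt: 2024-11-23 03:53:29.313758104 +0000 UTC
2024-11-24T04:04:59.863319Z 01O   NextUpdate: 2024-11-24 03:53:29.313757954 +0000 UTC
2024-11-24T04:04:59.863324Z 01O   DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
"""

# Trivy prints nanosecond timestamps; only whole seconds are captured because
# datetime cannot hold nanoseconds and a freshness check does not need them.
_DB_FIELD = re.compile(
    r"(UpdatedAt|NextUpdate|DownloadedAt):\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)
# GitLab job-log prefix as seen in the excerpts (assumed format): ISO timestamp, "Z", a space.
_LOG_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3}|\.\d{6})?)Z ", re.M)


def parse_db_metadata(log_text):
    """Return {field: aware UTC datetime} for every DB field found in the log."""
    meta = {}
    for field, ts in _DB_FIELD.findall(log_text):
        meta[field] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return meta


def scan_time_from_log(log_text):
    """Use the first GitLab log-line timestamp as the moment the scan ran."""
    m = _LOG_PREFIX.search(log_text)
    if not m:
        raise ValueError("no GitLab log-line timestamp found")
    return datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)


def check_db_freshness(log_text, max_age_hours=48):
    """Compare the DB's UpdatedAt with the scan time.

    Returns a dict with the scan time, the DB age in hours, whether Trivy's own
    NextUpdate deadline had already passed at scan time, and the stale verdict
    against max_age_hours (an assumed policy threshold, not a Trivy default).
    """
    meta = parse_db_metadata(log_text)
    if "UpdatedAt" not in meta:
        raise ValueError("no UpdatedAt line: 'trivy --version' output missing from log")
    scan_at = scan_time_from_log(log_text)
    age = scan_at - meta["UpdatedAt"]
    return {
        "scan_at": scan_at,
        "updated_at": meta["UpdatedAt"],
        "age_hours": age.total_seconds() / 3600,
        "past_next_update": "NextUpdate" in meta and scan_at > meta["NextUpdate"],
        "stale": age > timedelta(hours=max_age_hours),
    }


if __name__ == "__main__":
    # Read a saved job log from stdin, or fall back to the constructed samples.
    logs = [sys.stdin.read()] if not sys.stdin.isatty() else [STALE_SCAN_LOG, FRESH_SCAN_LOG]
    rc = 0
    for text in logs:
        r = check_db_freshness(text)
        print(f"scan {r['scan_at']:%Y-%m-%d}: DB from {r['updated_at']:%Y-%m-%d}, "
              f"{r['age_hours']:.1f}h old, past NextUpdate={r['past_next_update']}, "
              f"stale={r['stale']}")
        rc |= int(r["stale"])
    sys.exit(rc)
```

Run against the 2024-11-25 excerpt the DB is about 288 hours old and flagged stale; the 2024-11-24 excerpt is about 24 hours old and passes the 48-hour policy, although even there `NextUpdate` had already passed at scan time, which is the signal to watch if you want a tighter policy. Feeding the real job log in via stdin and making the job fail on a non-zero exit turns a silent "no vulnerabilities" result into a visible pipeline failure.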