bug(k8s): trivy k8s scan throws panic: runtime error: slice bounds out of range error #8542

Open
2 tasks done
simar7 opened this issue Mar 13, 2025 · 0 comments
simar7 commented Mar 13, 2025

Discussed in #8541

Originally posted by Nameisjohn247 March 12, 2025

Description

While scanning k8s (EKS cluster) with --disable-node-collector, trivy fails with the error below:

trivy k8s --cache-dir /Users/test/Library/Caches/trivy --timeout 2h --disable-node-collector --scanners=misconfig --severity=HIGH --report=all --debug --format json --output test-cluster-result.json

panic: runtime error: slice bounds out of range [::631757198] with length 268435455

goroutine 1 [running]:
go.etcd.io/bbolt/internal/common.UnsafeByteSlice(...)
go.etcd.io/[email protected]/internal/common/unsafe.go:26
go.etcd.io/bbolt/internal/common.WriteInodeToPage({0x1400d744340?, 0x1, 0x6?}, 0x14125538000)
go.etcd.io/[email protected]/internal/common/inode.go:81 +0x288
go.etcd.io/bbolt.(*node).write(0x1400748c000?, 0x96a0?)
go.etcd.io/[email protected]/node.go:199 +0xa0
go.etcd.io/bbolt.(*node).spill(0x1406236c0e0)
go.etcd.io/[email protected]/node.go:334 +0x1dc
go.etcd.io/bbolt.(*Bucket).spill(0x1400d744000)
go.etcd.io/[email protected]/bucket.go:786 +0x278
go.etcd.io/bbolt.(*Bucket).spill(0x1400748c018)
go.etcd.io/[email protected]/bucket.go:753 +0xc0
go.etcd.io/bbolt.(*Tx).Commit(0x1400748c000)
go.etcd.io/[email protected]/tx.go:204 +0x260
go.etcd.io/bbolt.(*DB).Update(0x109109be0?, 0x1406efc0ff0)
go.etcd.io/[email protected]/db.go:915 +0xc4
github.com/aquasecurity/trivy/pkg/cache.FSCache.PutBlob({_, {_, _}}, {_, _}, {0x2, {0x0, 0x0}, {0x0, 0x0}, ...})
github.com/aquasecurity/trivy/pkg/cache/fs.go:88 +0x10c
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x1401e368e10, 0x43}, 0x1400267cb70, {0x1333e6908, 0x140252ebe18}, {0x109248b60, 0x10cc26da8}, {0x14010d8e620, {0x14003e0ce00, 0x1e, ...}, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:227 +0x80c
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x1400017c0c0, 0x2, 0x2}, {0x140013d3c80, ...}, ...})
github.com/aquasecurity/trivy/pkg/scanner/scan.go:156 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:627 +0x2ec
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:259 +0x9c
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:204 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:184 +0x1b8
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).scanMisconfigs(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a98c000?, 0x1fc4, 0x0?})
github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:178 +0x174
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).Scan(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:88 +0x4b4
github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run(0x1406efcb8f0, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:90 +0x450
github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun({_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, {0x16dd6b926, ...}, ...}, ...}, ...)
github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:59 +0x434
github.com/aquasecurity/trivy/pkg/k8s/commands.Run({_, _}, {_, _, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, ...}, ...})
github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:49 +0x30c
github.com/aquasecurity/trivy/pkg/commands.NewKubernetesCommand.func2(0x14001398008, {0x14001486a90, 0x0, 0xd})
github.com/aquasecurity/trivy/pkg/commands/app.go:1050 +0x188
github.com/spf13/cobra.(*Command).execute(0x14001398008, {0x140014869c0, 0xd, 0xd})
github.com/spf13/[email protected]/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x140010ecc08)
github.com/spf13/[email protected]/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x106c8fb76?)
github.com/spf13/[email protected]/command.go:1071 +0x1c
main.run()
github.com/aquasecurity/trivy/cmd/trivy/main.go:45 +0x124
main.main()
github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20

Desired Behavior

Perform scan successfully

Actual Behavior

panic: runtime error: slice bounds out of range

Reproduction Steps

1. Have the AWS creds and EKS cluster context set
2. Run trivy using trivy k8s --cache-dir /Users/test/Library/Caches/trivy --timeout 2h --disable-node-collector --scanners=misconfig --severity=HIGH --report=all --debug --format json --output test-cluster-result.json
3. The scan starts but throws an error after some time
...

Target

Kubernetes

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

trivy k8s --cache-dir /Users/test/Library/Caches/trivy --timeout 2h --disable-node-collector --scanners=misconfig --severity=HIGH --report=all --debug --format json --output test-cluster-result.json
2025-03-13T06:16:15+05:30	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-03-13T06:16:15+05:30	DEBUG	Cache dir	dir="/Users/test/Library/Caches/trivy"
2025-03-13T06:16:15+05:30	DEBUG	Cache dir	dir="/Users/test/Library/Caches/trivy"
2025-03-13T06:16:15+05:30	DEBUG	Parsed severities	severities=[HIGH]
2025-03-13T06:16:15+05:30	DEBUG	Ignore statuses	statuses=[]
2025-03-13T06:22:36+05:30	INFO	Scanning K8s...	K8s="test@test-cluster"
163.77 KiB / 163.77 KiB [--------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.10 MiB p/s 300ms
panic: runtime error: slice bounds out of range [::631757198] with length 268435455

goroutine 1 [running]:
go.etcd.io/bbolt/internal/common.UnsafeByteSlice(...)
	go.etcd.io/[email protected]/internal/common/unsafe.go:26
go.etcd.io/bbolt/internal/common.WriteInodeToPage({0x1400d744340?, 0x1, 0x6?}, 0x14125538000)
	go.etcd.io/[email protected]/internal/common/inode.go:81 +0x288
go.etcd.io/bbolt.(*node).write(0x1400748c000?, 0x96a0?)
	go.etcd.io/[email protected]/node.go:199 +0xa0
go.etcd.io/bbolt.(*node).spill(0x1406236c0e0)
	go.etcd.io/[email protected]/node.go:334 +0x1dc
go.etcd.io/bbolt.(*Bucket).spill(0x1400d744000)
	go.etcd.io/[email protected]/bucket.go:786 +0x278
go.etcd.io/bbolt.(*Bucket).spill(0x1400748c018)
	go.etcd.io/[email protected]/bucket.go:753 +0xc0
go.etcd.io/bbolt.(*Tx).Commit(0x1400748c000)
	go.etcd.io/[email protected]/tx.go:204 +0x260
go.etcd.io/bbolt.(*DB).Update(0x109109be0?, 0x1406efc0ff0)
	go.etcd.io/[email protected]/db.go:915 +0xc4
github.com/aquasecurity/trivy/pkg/cache.FSCache.PutBlob({_, {_, _}}, {_, _}, {0x2, {0x0, 0x0}, {0x0, 0x0}, ...})
	github.com/aquasecurity/trivy/pkg/cache/fs.go:88 +0x10c
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x1401e368e10, 0x43}, 0x1400267cb70, {0x1333e6908, 0x140252ebe18}, {0x109248b60, 0x10cc26da8}, {0x14010d8e620, {0x14003e0ce00, 0x1e, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:227 +0x80c
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x1400017c0c0, 0x2, 0x2}, {0x140013d3c80, ...}, ...})
	github.com/aquasecurity/trivy/pkg/scanner/scan.go:156 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:627 +0x2ec
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:259 +0x9c
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:204 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:184 +0x1b8
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).scanMisconfigs(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a98c000?, 0x1fc4, 0x0?})
	github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:178 +0x174
github.com/aquasecurity/trivy/pkg/k8s/scanner.(*Scanner).Scan(0x1402a92a408, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
	github.com/aquasecurity/trivy/pkg/k8s/scanner/scanner.go:88 +0x4b4
github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run(0x1406efcb8f0, {0x1092c2490, 0x14000964540}, {0x1402a948000, 0x2159, 0x2c00})
	github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:90 +0x450
github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun({_, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x68c61714000, {0x16dd6b926, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:59 +0x434
github.com/aquasecurity/trivy/pkg/k8s/commands.Run({_, _}, {_, _, _}, {{{0x106c2c83d, 0xa}, 0x0, 0x0, 0x1, ...}, ...})
	github.com/aquasecurity/trivy/pkg/k8s/commands/run.go:49 +0x30c
github.com/aquasecurity/trivy/pkg/commands.NewKubernetesCommand.func2(0x14001398008, {0x14001486a90, 0x0, 0xd})
	github.com/aquasecurity/trivy/pkg/commands/app.go:1050 +0x188
github.com/spf13/cobra.(*Command).execute(0x14001398008, {0x140014869c0, 0xd, 0xd})
	github.com/spf13/[email protected]/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x140010ecc08)
	github.com/spf13/[email protected]/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x106c8fb76?)
	github.com/spf13/[email protected]/command.go:1071 +0x1c
main.run()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:45 +0x124
main.main()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20

Operating System

macOS Sonoma

Version

trivy --version
Version: 0.60.0
Check Bundle:
  Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
  DownloadedAt: 2025-03-13 00:52:48.612847 +0000 UTC

Checklist

@simar7 simar7 added the kind/bug Categorizes issue or PR as related to a bug. label Mar 13, 2025
@simar7 simar7 self-assigned this Mar 13, 2025
@simar7 simar7 added this to the v0.61.0 milestone Mar 13, 2025
@simar7 simar7 modified the milestones: v0.61.0, v0.62.0 Mar 27, 2025