Trivy scan fails on missing value in resoruce file

[kornys]

Hello we are unable to run trivy with flink deployment due to this error.

I found that similar issue was in trivy and it was fixed. But seems in this container it is not.
I also tried to move from latest rapidast image to development but with same issue.

aquasecurity/trivy#7011

Log

11:55:44  + cat /home/cloud-user/jenkins/workspace/rapiDAST/flink/flink-3.0.0/rapidast/config-flink.yaml
11:55:44  config:
11:55:44    configVersion: '6'
11:55:44  application:
11:55:44    shortName: flink
11:55:44    url: https://api.kornys.strimzi.app-services-dev.net:6443/
11:55:44  general:
11:55:44    authentication:
11:55:44      type: http_header
11:55:44      parameters:
11:55:44        name: Authorization
11:55:44        value: ---------
11:55:44    container:
11:55:44      type: none
11:55:44  scanners:
11:55:44    generic_trivy_flink-kubernetes-operator:
11:55:44      inline: trivy k8s --kubeconfig=/tmp/rapidast/kubeconfig -n flink-kubernetes-operator pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json -o /opt/rapidast/results/trivy-flink-kubernetes-operator.json && python3 convert_trivy_k8s_to_sarif.py -f /opt/rapidast/results/trivy-flink-kubernetes-operator.json
11:55:44      container:
11:55:44        parameters:
11:55:44          validReturns:
11:55:44          - 0
11:55:44    generic_trivy_flink:
11:55:44      inline: trivy k8s --kubeconfig=/tmp/rapidast/kubeconfig -n flink pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json -o /opt/rapidast/results/trivy-flink.json && python3 convert_trivy_k8s_to_sarif.py -f /opt/rapidast/results/trivy-flink.json
11:55:44      container:
11:55:44        parameters:
11:55:44          validReturns:
11:55:44          - 0
11:55:44    zap_flink-apache-org-v1beta1:
11:55:44      container:
11:55:44        parameters:
11:55:44          image: ghcr.io/zaproxy/zaproxy:stable
11:55:44      apiScan:
11:55:44        apis:
11:55:44          apiUrl: https://api.kornys.strimzi.app-services-dev.net:6443/openapi/v3/apis/flink.apache.org/v1beta1
11:55:44      passiveScan:
11:55:44        disabledRules: 2,10015,10024,10027,10054,10096,10109,10112
11:55:44      activeScan:
11:55:44        policy: Kubernetes-API-scan
11:55:44      report:
11:55:44        format:
11:55:44        - html
11:55:44      miscOptions:
11:55:44        enableUI: false
11:55:44        updateAddons: false
11:55:44        overrideConfigs:
11:55:44        - formhandler.fields.field(0).fieldId=namespace
11:55:44        - formhandler.fields.field(0).value=default
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Run rapiDAST - flink)
[Pipeline] script
[Pipeline] {
[Pipeline] sh
11:55:45  + docker run --user=root --rm -v /home/cloud-user/jenkins/workspace/rapiDAST/flink/flink-3.0.0/rapidast/results:/opt/rapidast/results:Z -v /home/cloud-user/jenkins/workspace/rapiDAST/flink/flink-3.0.0/rapidast:/tmp/rapidast:Z quay.io/redhatproductsecurity/rapidast:development --config /tmp/rapidast/config-flink.yaml
11:55:45  Unable to find image 'quay.io/redhatproductsecurity/rapidast:development' locally
11:55:47  development: Pulling from redhatproductsecurity/rapidast
11:55:47  eeaa3613f51c: Pulling fs layer
11:55:47  5808a11b7bed: Pulling fs layer
11:55:47  64ba79665fc1: Pulling fs layer
11:55:47  154cbb7be29f: Pulling fs layer
11:55:47  154cbb7be29f: Waiting
11:55:47  5808a11b7bed: Verifying Checksum
11:55:47  5808a11b7bed: Download complete
11:55:48  eeaa3613f51c: Verifying Checksum
11:55:48  eeaa3613f51c: Download complete
11:55:49  154cbb7be29f: Verifying Checksum
11:55:49  154cbb7be29f: Download complete
11:55:49  eeaa3613f51c: Pull complete
11:55:49  5808a11b7bed: Pull complete
11:56:01  64ba79665fc1: Verifying Checksum
11:56:01  64ba79665fc1: Download complete
11:56:23  64ba79665fc1: Pull complete
11:56:23  154cbb7be29f: Pull complete
11:56:23  Digest: sha256:6d196dc7a3f313bf570b2d2191cec93d389bbdcf4d27fdedc0f6145a54922cb9
11:56:23  Status: Downloaded newer image for quay.io/redhatproductsecurity/rapidast:development
11:56:23  INFO:Starting the redaction and dumping process for the configuration file: /tmp/rapidast/config-flink.yaml
11:56:23  INFO:Created destination directory: ./results/flink/DAST-20250116-112448-RapiDAST-flink
11:56:23  INFO:Redacting sensitive information from configuration /tmp/rapidast/config-flink.yaml
11:56:23  INFO:Saving redacted configuration to ./results/flink/DAST-20250116-112448-RapiDAST-flink/config-flink.yaml
11:56:23  INFO:Redacted configuration saved successfully
11:56:23  INFO:Starting the redaction and dumping process for the configuration file: /opt/rapidast/./rapidast-defaults.yaml
11:56:23  INFO:Redacting sensitive information from configuration /opt/rapidast/./rapidast-defaults.yaml
11:56:23  INFO:Saving redacted configuration to ./results/flink/DAST-20250116-112448-RapiDAST-flink/rapidast-defaults.yaml
11:56:23  INFO:Redacted configuration saved successfully
11:56:23  INFO:Loading defaults from: /opt/rapidast/./rapidast-defaults.yaml
11:56:23  INFO:Next scanner: 'generic_trivy_flink-kubernetes-operator'
11:56:23  INFO:Preparing Generic configuration
11:56:23  INFO:Running up the generic scanner
11:56:23  INFO:Running a generic scan with the following command:
11:56:23  trivy k8s --kubeconfig=/tmp/rapidast/kubeconfig -n flink-kubernetes-operator pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json -o /opt/rapidast/results/trivy-flink-kubernetes-operator.json && python3 convert_trivy_k8s_to_sarif.py -f /opt/rapidast/results/trivy-flink-kubernetes-operator.json
11:56:23  2025-01-16T11:24:49.057Z	FATAL	failed getting auth for gvr: /v1, Resource=pods - getting secret by name: flink-kubernetes-operator/: resource name may not be empty
11:56:23  WARNING:The generic process did not finish correctly, and exited with code 1
11:56:23  INFO:Running postprocess for the generic environment
11:56:23  Traceback (most recent call last):
11:56:23    File "/opt/rapidast/./rapidast.py", line 304, in <module>
11:56:23      run()
11:56:23    File "/opt/rapidast/./rapidast.py", line 289, in run
11:56:23      ret = run_scanner(name, config, args, scan_exporter)
11:56:23    File "/opt/rapidast/./rapidast.py", line 126, in run_scanner
11:56:23      scanner.postprocess()
11:56:23    File "/opt/rapidast/scanners/generic/generic_none.py", line 123, in postprocess
11:56:23      raise RuntimeError("No post-processing as generic has not successfully run yet.")
11:56:23  RuntimeError: No post-processing as generic has not successfully run yet.

[jeremychoi]

Thanks for the PR, however the suggested version has another issue that prevents us from updating to it. Scans fail when a user lacks proper permissions for the namespaces to be scanned. aquasecurity/trivy-kubernetes#395 is supposed to fix the issue. We'll test the fixed one and update to it.

[kornys]

Thanks, hope it will be done soon :) it is blocker for us :)

[sfowl]

@kornys Now that #290 is merged, it will now be included in the :development tag of the rapidast image. The fix won't land in the :latest image until we do the next rapidast release, which might be a while.

[kornys]

@sfowl thank you! Im going to switch to :development tag to test it.

[kornys]

@sfowl I have tested development image and it works fine, it finally can scan flink deployment s and operator.