Problem with downloading images from Quay.io #401

Closed
fmotrifork opened this issue Feb 10, 2020 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@fmotrifork

Description

There seems to be a problem with pulling images from Quay.io.
This is a problem for all images I have tried from quay.io.
In the following I use quay.io/fairwinds/polaris:0.6 as an example.

When trying to scan an image from quay.io I get the following error:

$ trivy quay.io/fairwinds/polaris:0.6
2020-02-10T14:12:33.863+0100	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to create the registry client: Get https://quay.io/v2/: http: non-successful response (status=401 body="{\"error\": \"Invalid bearer token format\"}")

If I pull the image manually first I get the expected report:

$ trivy quay.io/fairwinds/polaris:0.6
2020-02-10T14:16:41.809+0100	FATAL	error in image scan: failed to analyze image: failed to extract files: failed to create the registry client: Get https://quay.io/v2/: http: non-successful response (status=401 body="{\"error\": \"Invalid bearer token format\"}")
$ docker pull quay.io/fairwinds/polaris:0.6
0.6: Pulling from fairwinds/polaris
89d9c30c1d48: Already exists 
fae06b134584: Pull complete 
21496f85faab: Pull complete 
ff3e23cb611f: Pull complete 
341f45de5958: Pull complete 
Digest: sha256:d48993260cae9d1282ca4b20179efa91123599445e1b6cdabf2db6e0ccc62070
Status: Downloaded newer image for quay.io/fairwinds/polaris:0.6
quay.io/fairwinds/polaris:0.6
$ trivy quay.io/fairwinds/polaris:0.6
2020-02-10T14:17:42.828+0100	INFO	Detecting Alpine vulnerabilities...

quay.io/fairwinds/polaris:0.6 (alpine 3.10.3)
=============================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1551    | MEDIUM   | 1.1.1d-r0         | 1.1.1d-r2     | openssl: Integer overflow in   |
|         |                  |          |                   |               | RSAZ modular exponentiation on |
|         |                  |          |                   |               | x86_64                         |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Output of run with -debug:

$ trivy --debug quay.io/fairwinds/polaris:0.6
2020-02-10T14:18:53.016+0100	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2020-02-10T14:18:53.016+0100	DEBUG	cache dir:  /home/mogensen/.cache/trivy
2020-02-10T14:18:53.017+0100	DEBUG	DB update was skipped because DB is the latest
2020-02-10T14:18:53.017+0100	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2020-02-10 12:08:58.126499384 +0000 UTC, NextUpdate: 2020-02-11 00:08:58.126498884 +0000 UTC
2020-02-10T14:18:53.017+0100	DEBUG	Vulnerability type:  [os library]
2020-02-10T14:18:54.387+0100	FATAL	error in image scan:
    github.com/aquasecurity/trivy/internal/standalone.run
        /home/circleci/project/internal/standalone/run.go:75
  - failed to analyze image:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanImage
        /home/circleci/project/pkg/scanner/scan.go:82
  - failed to extract files:
    github.com/aquasecurity/fanal/analyzer.Config.Analyze
        /go/pkg/mod/github.com/aquasecurity/[email protected]/analyzer/analyzer.go:126
  - failed to create the registry client:
    github.com/aquasecurity/fanal/extractor/docker.Extractor.Extract
        /go/pkg/mod/github.com/aquasecurity/[email protected]/extractor/docker/docker.go:180
  - Get https://quay.io/v2/: http: non-successful response (status=401 body="{\"error\": \"Invalid bearer token format\"}")

Output of trivy -v:

$ trivy -v
trivy version 0.4.3

Additional details (base image name, container registry info...):

Note that to verify this you may need to delete both the image from the docker cache and from the fanal cache:

$ docker rmi quay.io/fairwinds/polaris:0.6 
$ rm -rf ~/.cache/trivy/fanal

A workaround would be to always pull the image manually first. This is unfortunately not an option for me, as I am running Trivy in a dockerless environment.

@fmotrifork fmotrifork added the kind/bug Categorizes issue or PR as related to a bug. label Feb 10, 2020
@Jean-Mercier

Same problem for us, thanks.

@Krenair

Krenair commented Mar 25, 2020

I'm using Trivy 0.5.2 and see error in image scan: failed analysis: analyze error: unable to analyze config: json marshal error: unexpected end of JSON input when running e.g. trivy quay.io/calico/typha:v3.8.1 - though unknown OS for quay.io/prometheus/node-exporter:v0.18.1 and quay.io/prometheus/prometheus:v2.15.2

@knqyf263
Collaborator

knqyf263 commented Apr 9, 2020

I'm sorry for the late reply, but they seem to use the v1 schema. They return the v1 schema even when we specify the v2 schema in the Accept header.

$ curl -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' https://quay.io/v2/fairwinds/polaris/manifests/0.6 
{
   "schemaVersion": 1,
   "name": "fairwinds/polaris",
   "tag": "0.6",
...
}

Trivy doesn't support the v1 schema. I'm sorry for the confusing error message. In the next version, it will show
a clearer error. Anyway, if you want to scan an image that supports only the v1 schema, you have to pull the image first.

@knqyf263
Collaborator

knqyf263 commented Apr 20, 2020

Would you try v0.6.0? If it says unsupported MediaType: "application/vnd.docker.distribution.manifest.v1+prettyjws", trivy doesn't support it.
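The two comments above boil down to one check: the manifest a registry actually returns (its Content-Type and the body's schemaVersion) decides whether a schema-2-only scanner can read it, and the Accept header alone cannot be trusted because the registry may answer a v2 request with a v1 body. The following is an added example, not Trivy's or go-containerregistry's code; it classifies a captured manifest response offline, and the two sample bodies are constructed to mirror the curl output and the error message quoted in this thread.

```python
import json

# Public Docker / OCI manifest media types (real constants, not page-specific values).
V1_SIGNED = "application/vnd.docker.distribution.manifest.v1+prettyjws"
V1_PLAIN = "application/vnd.docker.distribution.manifest.v1+json"
V2 = "application/vnd.docker.distribution.manifest.v2+json"
V2_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"

# What a schema-2-only scanner can consume; send these in the Accept header.
SCANNABLE = {V2, V2_LIST, OCI_MANIFEST, OCI_INDEX}
ACCEPT_HEADER = ", ".join(sorted(SCANNABLE))


def classify_manifest(content_type: str, body: str) -> dict:
    """Decide from one manifest response whether it is usable by a scanner that
    only understands schema 2 / OCI manifests. The body's schemaVersion is the
    authoritative signal: a registry may ignore the Accept header and return a
    schema 1 body (as quay.io did in this thread), so the header is only advisory."""
    media_type = content_type.split(";")[0].strip().lower() or "unknown"
    doc = json.loads(body)
    schema = doc.get("schemaVersion")
    if schema == 1 or media_type in (V1_SIGNED, V1_PLAIN):
        return {"schema": 1, "mediaType": media_type, "scannable": False,
                "reason": "schema 1 manifest; pull the image locally before scanning"}
    if schema == 2 and (media_type in SCANNABLE or doc.get("mediaType") in SCANNABLE):
        return {"schema": 2, "mediaType": media_type if media_type != "unknown" else doc["mediaType"],
                "scannable": True, "reason": "schema 2 / OCI manifest"}
    return {"schema": schema, "mediaType": media_type, "scannable": False,
            "reason": f"unrecognised manifest (schemaVersion={schema!r}, type={media_type!r})"}


# Constructed sample responses (abridged; the real bodies carry layer and history data).
V1_BODY = json.dumps({"schemaVersion": 1, "name": "fairwinds/polaris", "tag": "0.6",
                      "fsLayers": [], "history": []})
V2_BODY = json.dumps({"schemaVersion": 2, "mediaType": V2,
                      "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                                 "digest": "sha256:<placeholder>", "size": 0},
                      "layers": []})

if __name__ == "__main__":
    for ctype, body in ((V1_SIGNED, V1_BODY), (V2, V2_BODY)):
        r = classify_manifest(ctype, body)
        print(f"{r['mediaType']}: scannable={r['scannable']} ({r['reason']})")
```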

@knqyf263 knqyf263 self-assigned this Apr 20, 2020
@Krenair

Krenair commented Apr 20, 2020

yeah, v1 for that calico container:

$ docker run --network=host -it aquasec/trivy:0.6.0 -s CRITICAL --ignore-unfixed quay.io/calico/typha:v3.8.1
2020-04-20T16:52:10.271Z	INFO	Need to update DB
2020-04-20T16:52:10.271Z	INFO	Downloading DB...
15.64 MiB / 15.64 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.45 MiB p/s 11s
2020-04-20T16:52:22.620Z	FATAL	unable to initialize the docker scanner: unable to initialize a image struct: unable to access the remote image (quay.io/calico/typha:v3.8.1): unsupported MediaType: "application/vnd.docker.distribution.manifest.v1+prettyjws", see https://github.com/google/go-containerregistry/issues/377
$ docker run --network=host -it aquasec/trivy:0.6.0 -s CRITICAL --ignore-unfixed quay.io/prometheus/node-exporter:v0.18.1
2020-04-20T16:53:38.265Z	INFO	Need to update DB
2020-04-20T16:53:38.265Z	INFO	Downloading DB...
15.64 MiB / 15.64 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.57 MiB p/s 10s
2020-04-20T16:53:51.961Z	FATAL	error in image scan: scan failed: failed to apply layers: unknown OS
$ docker run --network=host -it aquasec/trivy:0.6.0 -s CRITICAL --ignore-unfixed quay.io/prometheus/prometheus:v2.15.2
2020-04-20T16:53:15.884Z	INFO	Need to update DB
2020-04-20T16:53:15.884Z	INFO	Downloading DB...
15.64 MiB / 15.64 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.45 MiB p/s 11s
2020-04-20T16:53:36.013Z	FATAL	error in image scan: scan failed: failed to apply layers: unknown OS

@Krenair

Krenair commented Apr 20, 2020

On the other hand, if I pull first, then it gives unknown OS too, okay:

$ docker pull quay.io/calico/typha:v3.8.1
v3.8.1: Pulling from calico/typha
32ed8cd9120d: Pull complete 
bb923b1c5d71: Pull complete 
0960e3ebf17a: Pull complete 
Digest: sha256:df2c1a956c0aaf0fc70c96f233dba41cdd26760d4bb1ae934c272548090b188b
Status: Downloaded newer image for quay.io/calico/typha:v3.8.1
quay.io/calico/typha:v3.8.1
$ trivy quay.io/calico/typha:v3.8.1
2020-04-20T17:59:37.963+0100	FATAL	error in image scan: scan failed: failed to apply layers: unknown OS

@knqyf263
Collaborator

knqyf263 commented Apr 22, 2020

@Krenair Thank you for the confirmation. Yes, calico uses the v1 schema, which is not supported. Then, quay.io/prometheus/node-exporter is based on busybox, which is also not supported.

We don't have a plan to support the v1 schema. If you want to scan an image with the v1 schema, you can do it after pulling the image with docker.

As for busybox, we can't detect vulnerabilities in OS packages at the moment because it doesn't have a package manager such as rpm or apt-get. But we have a plan to enable scanning application libraries used by npm or bundler even if the image is based on busybox.
#397

So, they are not bugs. You can watch the above issue for the enhancement. If you have any other problems, don't hesitate to reopen this issue.

@Krenair

Krenair commented Apr 24, 2020

Thanks!

Krenair added a commit to alphagov/gsp that referenced this issue May 5, 2020
…ulling down first

This is to work around trivy being unwilling to work with their seemingly
broken responses, see aquasecurity/trivy#401 (comment)

This begins vulnerability checking on the following containers:
quay.io/bitnami/sealed-secrets-controller:v0.7.0
quay.io/calico/node:v3.8.1
quay.io/open-policy-agent/gatekeeper:v3.0.4-beta.1
quay.io/kiali/kiali:v1.9
Krenair added a commit to alphagov/gsp that referenced this issue May 5, 2020
…ulling down first

This is to work around trivy being unwilling to work with their seemingly
broken responses, see aquasecurity/trivy#401 (comment)

This begins vulnerability checking on the following containers:
quay.io/bitnami/sealed-secrets-controller:v0.7.0
quay.io/calico/node:v3.8.1
quay.io/open-policy-agent/gatekeeper:v3.0.4-beta.1
quay.io/kiali/kiali:v1.9

This involves making the container privileged and running dockerd.
josedonizetti pushed a commit to josedonizetti/trivy that referenced this issue Jun 24, 2022
…rity#401)

* feat: add support for AKS role_based_access_control_enabled
* chore: update rbac test name
* chore: rbac update examples

Signed-off-by: Igor Beliakov <[email protected]>