"The local DB has an old schema version which is not supported by the current version of Trivy CLI" Error During Trivy Scan in Air-Gapped Harbor Environment

search cancel

"The local DB has an old schema version which is not supported by the current version of Trivy CLI" Error During Trivy Scan in Air-Gapped Harbor Environment

book

Article ID: 419574

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

^{Running a Harbor Trivy image scan in offline mode fails with the following error:}

^{DEBUG No plugins loaded}
^{DEBUG Default config file "trivy.yaml" not found, using built-in values}
^{DEBUG Cache dir dir="~/.cache/trivy"}
^{DEBUG Cache dir dir="~/.cache/trivy"}
^{DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]}
^{DEBUG Ignore statuses statuses=[]}
^{DEBUG [vulndb] Skipping DB update...}
^{ERROR The local DB has an old schema version which is not supported by the current version of Trivy CLI. DB needs to be updated.}
^{FATAL Fatal error}
^{- init error:}
^{github.com/aquasecurity/trivy/pkg/commands/artifact.Run}
^{- DB error:}
^{github.com/aquasecurity/trivy/pkg/commands/artifact.NewRunner}
^{- database error:}
^{github.com/aquasecurity/trivy/pkg/commands/operation.DownloadDB}
^{- validate error:}
^{github.com/aquasecurity/trivy/pkg/db.(*Client).NeedsUpdate}
^{- --skip-update cannot be specified with the old DB schema. Local DB: 1, Expected: 2}
^{github.com/aquasecurity/trivy/pkg/db.(*Client).validate}

^{checking the metadata.json file was showing db version as 1}

^{cat metadata.json}

^{{"Version":1,"Type":1,"NextUpdate":"xxxx-xx-xxT18:48:16.989777438Z","UpdatedAt":"xxxx-xx-xxT12:48:16.989777838Z","DownloadedAt":"0001-01-01T00:00:00Z"}}

Environment

^{VMware vCenter Server 8.x}

^{vSphere with Tanzu 8.x}

Cause

^{Trivy’s local vulnerability database is outdated.}

^{The environment is still using Trivy DB Version 1.}
^{DB v1 reached end of support in February 2023, and all current Trivy releases require DB Version 2.}

Resolution

^{Download the Trivy Vulnerability DB on a Jumpbox (with internet)}

^{# Install Trivy binary}
^{curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.58.0}

^{# Create a temporary directory}
^{TRIVY_TEMP_DIR=$(mktemp -d)}

^{# Download the DB}
^{trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only}

^{# Adjust permissions}
^{chmod o+r $TRIVY_TEMP_DIR/db/metadata.json}
^{chmod o+r $TRIVY_TEMP_DIR/db/trivy.db}

^{Transfer the DB Into the Air-Gapped Environment and verify}

^{#STEP 1 — Identify the Trivy scanner pod}

^{NS=$(kubectl get ns | grep -E 'vmware-system|registry' | awk '{print $1}')}
^{POD=$(kubectl -n $NS get pod -l component=trivy -o jsonpath="{.items[0].metadata.name}")}

^{#STEP 2 — Create the Trivy DB cache directory inside the pod}

^{kubectl -n $NS exec $POD -- mkdir -p /home/scanner/.cache/trivy/db}

^{#STEP 3 — Copy the downloaded trivy-data.db and metadata.json into the pod}

^{cat $TRIVY_TEMP_DIR/db/metadata.json | kubectl -n $NS exec $POD -i -- tee /home/scanner/.cache/trivy/db/metadata.json >/dev/null}
^{cat $TRIVY_TEMP_DIR/db/trivy-data.db | kubectl -n $NS exec $POD -i -- tee /home/scanner/.cache/trivy/db/trivy-data.db >/dev/null}

^{#STEP 4 — Verify the DB files exist}

^{kubectl -n $NS exec $POD -- ls -l /home/scanner/.cache/trivy/db}

Feedback

thumb_up Yes

thumb_down No