Trivy is unable to access the network when using a proxy

[yariv1025]

Question

Description

Hey #trivy.
We have been using Trivy to scan different open-source packages, including NPM and Maven. However, we are encountering an issue when scanning a Maven package. We are using another service to download the required package from the Central Maven Repository, and the data is being shared between the services using a volume.

We treat the packages as a 'filesystem' and scan the target directory where the pom.xml file is stored and the dependency directory, which includes the *.jar files.

Desired Behavior

We expected the scan to succeed and fetch the URL.

Actual Behavior

We encountered an issue while running the following command:
trivy fs --skip-db-update --skip-java-db-update --debug --scanners vuln,license --license-full --severity UNKNOWN,HIGH,CRITICAL --format json -o /app/shared_data/trivy-report.json /app/shared_data /target

DEBUG [pom] Failed to fetch url="https://repo.maven.apache.org/org/maven2/springframework/boot/spring-boot-starter-web/3.3.1/spring-boot-starter-web-3.3.1.pom"
DEBUG [pom] Repository error err="org.springframework.boot:spring-boot-starter-web:3.3.1 was not found in local/remote repositories"

Note:

• Trivy installed in a container within an air-gapped environment.
• The '/root/.cache/trivy' directory includes the database directories 'db' and 'java-db'.
• There is access to the 'Central Maven Repository' through our proxy (tested using curl).
• The following environment variables have been added to the container:
  HTTPS_PROXY="http://domain:port"
HTTP_PROXY="http://domain:port"

Has anyone encountered the same issue?

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

Ubuntu

Version

0.54.1

[knqyf263]

Since we use the default client, the proxy environment variables should be respected. @DmitriyLewen Any ideas?

trivy/pkg/dependency/parser/java/pom/parse.go

Lines 744 to 745 in 49d5270

	client := &http.Client{}
	resp, err := client.Do(req)

BTW, we should improve the debug message to show the detailed error or the status code.

trivy/pkg/dependency/parser/java/pom/parse.go

Line 747 in 49d5270

p.logger.Debug("Failed to fetch", log.String("url", req.URL.String()))

[DmitriyLewen]

Hello @yariv1025
I tested this case today. Trivy should work correctly.
We added error message. Can you test it with canary builld?

[DmitriyLewen]

There is access to the 'Central Maven Repository' through our proxy (tested using curl).

What URL are you using?
Trivy uses https://repo.maven.apache.org to fetch pom.xml files

[yariv1025]

Hello @yariv1025 I tested this case today. Trivy should work correctly. We added error message. Can you test it with canary builld?

I've tested the service in a development environment, and it works fine.
The air-gapped/production environment still returns "[pom] Failed to fetch...."

There is access to the 'Central Maven Repository' through our proxy (tested using curl).

What URL are you using? Trivy uses https://repo.maven.apache.org to fetch pom.xml files

We are using the same URL: https://repo.maven.apache.org

[DmitriyLewen]

The air-gapped/production environment still returns "[pom] Failed to fetch...."

The Canary binary should display an error or response from the server.
Can you send that error/response?