Getting blocked by people.apache.org when fetching pom files - Resulting in extremely slow scanning #8000
Replies: 1 comment 7 replies
-
|
Please share a small pom.xml to reproduce it. We need to figure out why it accesses people.apache.org first. |
Beta Was this translation helpful? Give feedback.
-
|
There's a PR open for this here btw 😄 |
Beta Was this translation helpful? Give feedback.
-
|
Yes, but that PR is a workaround. We should find a solution if possible. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @SemProvoost Trivy doesn't access We collect |
Beta Was this translation helpful? Give feedback.
-
|
@DmitriyLewen make sure to trigger it multiple times until the people.apache.org starts throttling you. Trivy only talks about actually trying to connect with 'people.apache.org' in their error messages. I reproduced this with the exact steps in this thread 😁 |
Beta Was this translation helpful? Give feedback.
-
|
You could make a few hundred apicalls to |
Beta Was this translation helpful? Give feedback.
-
Description
When Trivy tries to fetch pom files from people.apache.org, the domain throttles/blocks you, which results in constant timeouts and extremely slow scans.
These people.apache.org are always just 404 or not relevant.
Desired Behavior
Skip the people.apache.org urls instead of trying to fetch.
Example that fixes it:
Actual Behavior
Tries fetching from an unreliable source which makes scans very slow (without any benefits)
Reproduction Steps
Target
Git Repository
Scanner
Vulnerability
Output Format
None
Mode
Standalone
Debug Output
Operating System
verified on macOS & Linux
Version
Checklist
trivy clean --allBeta Was this translation helpful? Give feedback.
All reactions