Trivy will not try another registry for DB OCI artifact download

[etaormm]

Description

Well sometimes, Trivy will not try to download artifact from another repository.... but sometimes it will - my guess is that not all responses are handled and therefore it exits with 1.
The same can be seen if I use GCR or GHCR as the first optionl, occasionally they give a different response which is not handled and trivy will not try 2nd link at all.

I'm using your official docker image and scanning my own image as part of a gitlab job.

Desired Behavior

if 1st link fails, always go to 2nd no matter the error we're getting, and if 2nd fails go to 3rd... etc.

eg i want it to work like this always:
$ trivy image --download-db-only --no-progress
2024-11-22T15:00:02Z INFO [vulndb] Need to update DB
2024-11-22T15:00:02Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T15:00:02Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-22T15:00:04Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha[25](https://gitlab.rosetta.ericssondevops.com/sa-bnew-rdidc/RDI_data_router/-/jobs/21461384#L25)6:dca99f86925c7374fe3ca54553b43f984a153acb4911353afd1dff63b32178bb: TOOMANYREQUESTS: retry-after: 1.008957ms, allowed: 44000/minute"
2024-11-22T15:00:04Z INFO [vulndb] Trying to download artifact from other repository...
2024-11-22T15:00:04Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T15:00:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"

Actual Behavior

Download fails on the first link without trying another registry.

Reproduction Steps

1. Set VAR mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,aquasec/trivy-db:2
2. trivy image --download-db-only --no-progress
3. catch the case where it actually fails -- i'll post a few
...
Fails without trying 2nd link

$ trivy image --download-db-only --no-progress
2024-11-29T12:38:39Z	INFO	[vulndb] Need to update DB
2024-11-29T12:38:39Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-29T12:38:39Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-29T12:38:40Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from mirror.gcr.io/aquasec/trivy-db:2: oci download error: failed to fetch the layer: GET https://mirror.gcr.io/v2/aquasec/trivy-db/blobs/sha256:a1973cb67b074515965a420875b7d20862ff19d5250ee4dcfe5081eedc7ea810: BLOB_UNKNOWN: Unknown blob: sha256:a1973cb67b074515965a420875b7d20862ff19d5250ee4dcfe5081eedc7ea810

--------------------------------------------------------------------------------------------------------
2024-11-22T14:40:51Z	INFO	[vulndb] Need to update DB
2024-11-22T14:40:51Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T14:40:51Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-22T14:40:52Z	WARN	See https://aquasecurity.github.io/trivy/v0.57/docs/references/troubleshooting#db
2024-11-22T14:40:52Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from ghcr.io/aquasecurity/trivy-db:2: OCI repository error: 2 errors occurred:
	* GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 430.285µs, allowed: 44000/minute

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

.

Operating System

linux

Version

0.57.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

It's not a bug. It's intended. If you think it should try another registry with unexpected errors, it should be an idea.

trivy/docs/docs/configuration/db.md

Line 65 in 511b7d3

The flags accepts multiple values, which can be used to specify multiple alternative repository locations. In case of a transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.