Unable to download database from private organization repository (failed to download vulnerability DB: database download error: oci download error: failed to create a temp file) #477

Open
darkcyber opened this issue Dec 14, 2024 · 1 comment


darkcyber commented Dec 14, 2024

I successfully built Trivy-DB and pushed it to a private organization repository. It is verified using the command below:

username@hostname Tools % oras pull ghcr.io/<private-org>/trivy-db:2 --output $TRIVY_TEMP_DIR
✓ Pulled      assets/db.tar.gz                                                                                                                                                           56.5/56.5 MB 100.00%    15s
  └─ sha256:0c67f20dedd7b9a5794aab76f12dbb0cdc7b3a5948b8957244126d0de280cb26
✓ Pulled      application/vnd.oci.image.manifest.v1+json                                                                                                                                   622/622  B 100.00%    2ms
  └─ sha256:3ba53537f5bcda0e84dbb660feb2a5e49587458810ad949265e47b522478e38f
Pulled [registry] ghcr.io/<private-org>/trivy-db:2
Digest: sha256:3ba53537f5bcda0e84dbb660feb2a5e49587458810ad949265e47b522478e38f

However, I got the following error when I tried to run trivy to download the database from the private organization repository.

username@host Tools % trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only --db-repository ghcr.io/<private-organization>/trivy-db:2 --debug
2024-12-13T22:56:02+07:00	DEBUG	Cache dir	dir="/var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/tmp.GkH7akMD9l"
2024-12-13T22:56:02+07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-13T22:56:02+07:00	DEBUG	Ignore statuses	statuses=[]
2024-12-13T22:56:02+07:00	DEBUG	There is no valid metadata file	err="unable to open a file: open /var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/tmp.GkH7akMD9l/db/metadata.json: no such file or directory"
2024-12-13T22:56:02+07:00	INFO	Need to update DB
2024-12-13T22:56:02+07:00	INFO	Downloading DB...	repository="ghcr.io/<private-organization>/trivy-db:2"
2024-12-13T22:56:02+07:00	DEBUG	No metadata file
0 B / 56.48 MiB [___________________________________________________________________________________________________________________________________________________________________________________] 0.00% ? p/s 0s
2024-12-13T22:56:04+07:00	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to create a temp file: open /var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/trivy2995523288/assets/db.tar.gz: no such file or directory

The error says init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to create a temp file: open /var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/trivy2995523288/assets/db.tar.gz: no such file or directory

$TRIVY_TEMP_DIR has been created using the following command

export TRIVY_TEMP_DIR=$(mktemp -d)

I already tried to pass the --username and --password flags, but I got the same error

username@host Tools % trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only --db-repository ghcr.io/<private-org>/trivy-db:2 --username myusername --password $CR_PAT_RW --debug
2024-12-13T22:55:35+07:00	DEBUG	Cache dir	dir="/var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/tmp.GkH7akMD9l"
2024-12-13T22:55:35+07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-13T22:55:35+07:00	DEBUG	Ignore statuses	statuses=[]
2024-12-13T22:55:35+07:00	DEBUG	There is no valid metadata file	err="unable to open a file: open /var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/tmp.GkH7akMD9l/db/metadata.json: no such file or directory"
2024-12-13T22:55:35+07:00	INFO	Need to update DB
2024-12-13T22:55:35+07:00	INFO	Downloading DB...	repository="ghcr.io/<private-org>/trivy-db:2"
2024-12-13T22:55:35+07:00	DEBUG	No metadata file
0 B / 56.48 MiB [___________________________________________________________________________________________________________________________________________________________________________________] 0.00% ? p/s 0s
2024-12-13T22:55:37+07:00	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to create a temp file: open /var/folders/r0/hbj54wkd7374ncc63xfq3zrr0000gn/T/trivy2439653938/assets/db.tar.gz: no such file or directory

I'm using trivy 0.53.0

username@host Tools % trivy -v
Version: 0.53.0

The docs say it might be a firewall issue. However, I can download the database normally using the oras CLI.

In addition, I have tried to run trivy clean --all but still got the same error.

May I know what I'm doing wrong? Was it an issue during the database download from the private repository, just a permission issue creating the folder, or something else?

Thanks

@DmitriyLewen
Contributor

Hello @darkcyber
Looks like your image contains assets/db.tar.gz instead of db.tar.gz:

➜ oras pull ghcr.io/aquasecurity/trivy-db:2 --output .
✓ Pulled      db.tar.gz                              57.5/57.5 MB 100.00%     3s
  └─ sha256:59e280fca4f4e3341964bfb170a06f48487627970f76ebf5d382156fcfb7f0d5
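
A pre-publish check for the mismatch pointed out in the reply above, as an added example that is not part of the thread or of Trivy's code: it reads the JSON printed by `oras manifest fetch` and flags any layer whose `org.opencontainers.image.title` annotation is not the bare `db.tar.gz`. The sample manifests are constructed and trimmed to the one field the check reads; the function and script names are hypothetical.

```python
import json
import posixpath
import sys

# Annotation oras fills in from the file path given at push time and uses as the file name on pull.
TITLE = "org.opencontainers.image.title"
EXPECTED = "db.tar.gz"  # name shown for ghcr.io/aquasecurity/trivy-db:2 in the reply above

# Constructed sample manifests, trimmed to the fields this check reads.
PRIVATE_LIKE = {"layers": [{"annotations": {TITLE: "assets/db.tar.gz"}}]}
OFFICIAL_LIKE = {"layers": [{"annotations": {TITLE: "db.tar.gz"}}]}


def layer_titles(manifest):
    """Return each layer's title annotation (None when the layer has none)."""
    return [(layer.get("annotations") or {}).get(TITLE)
            for layer in manifest.get("layers") or []]


def audit(manifest):
    """Return a list of findings; an empty list means the layout matches."""
    titles = layer_titles(manifest)
    if not titles:
        return ["manifest has no layers"]
    findings = []
    for i, title in enumerate(titles):
        if title is None:
            findings.append(f"layer {i}: no title annotation")
        elif title == EXPECTED:
            continue
        elif posixpath.basename(title) == EXPECTED:
            findings.append(
                f"layer {i}: title {title!r} includes directory "
                f"{posixpath.dirname(title)!r}; push from inside it so the title is {EXPECTED!r}")
        else:
            findings.append(f"layer {i}: unexpected title {title!r}")
    return findings


if __name__ == "__main__":
    # Usage: oras manifest fetch <registry>/<repo>:2 | python3 check_db_title.py
    problems = audit(json.load(sys.stdin))
    print("\n".join(problems) or f"ok: layer title is {EXPECTED}")
    sys.exit(1 if problems else 0)
```

Run in the pipeline that builds and pushes the private DB, a non-zero exit stops a mis-titled artifact from reaching scanners that would then fail to update their vulnerability data.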
