Getting blocked by people.apache.org when fetching pom files - Resulting in extremely slow scanning

[SemProvoost]

Description

When Trivy tries to fetch pom files from people.apache.org, the domain throttles/blocks you, which results in constant timeouts and extremely slow scans.
These people.apache.org are always just 404 or not relevant.

Desired Behavior

Skip the people.apache.org urls instead of trying to fetch.

Example that fixes it:

Actual Behavior

Tries fetching from an unreliable source which makes scans very slow (without any benefits)

Reproduction Steps

Having a bit of a more complicated repo with multiple pom files where Trivy tries to fetch from people.apache.org

Target

Git Repository

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

screenshot in 'Actual Behaviour' section

Operating System

verified on macOS & Linux

Version

0.56.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Please share a small pom.xml to reproduce it. We need to figure out why it accesses people.apache.org first.

[DmitriyLewen]

Hi @SemProvoost
I can't reproduce your case.

Trivy doesn't access people.apache.org for these pom.xml files.

We collect repositories from the upper pom files. Perhaps one of your pom.xml files uses this repository?

[SemProvoost]

@DmitriyLewen make sure to trigger it multiple times until the people.apache.org starts throttling you.

Trivy only talks about actually trying to connect with 'people.apache.org' in their error messages.

I reproduced this with the exact steps in this thread 😁

[SemProvoost]

You could make a few hundred apicalls to https://people.apache.org/repo/m2-incubating-repository/org/apache/geronimo/genesis/genesis/1.2/genesis-1.2.pom for example to get yourself throttled, then run trivy on the root folder of the example. Let me know if you run into issues, available for a call as well if needed.

[DmitriyLewen]

I got it. You use v0.56.1 version.
We updated logic to work with parents in v0.57.0 (#7541)

Can you take a looks with latest version?

[DmitriyLewen]

Also I want to add that Trivy finds people.apache.org from org.apache.geronimo.genesis.config:project-config file.
I am not sure that we need to skip these repositories.
Maybe there is a way to contact the developers and ask them why they added these repositories (despite the fact that these artifacts are already in maven central)

[SemProvoost]

With the updated logic, it seems to be all good (and a lot faster) now. (doesn't do the calls to people.apache.org anymore)
Thanks for the help! Feel free to close this ticket and PR. 😁

I am not sure that we need to skip these repositories.

Well, it basically just times out 100% of the time once blocked - So it would only be useful the first (few) times you scan (but for bigger repos, it would already block you on first scan even, I think).
So we were basically falling back to offline mode in these cases.

Anyway, now we're not hitting the people.apache.org anymore so all good. Thanks for the follow-up here!