`ImageScannerStep` fails with `InvalidPathException` on Windows due to `:` in Trivy output filename #2782
Alejandro Oton Garcia opened 1 month ago

The ImageScannerStep fails during the publish-scanner-report sub-step when the OneDev server is running on Windows. The agent successfully completes the Trivy scan, but the server throws an InvalidPathException when attempting to untar the scan results because Trivy names its output file after the image digest sha256:<hash>.json and the colon in that filename is illegal on Windows paths.

  • Environment:

    • OneDev server OS: Windows Server 2022
    • Build agent: Docker (Linux)
  • Steps to reproduce:

    • Run OneDev server on Windows
    • Configure a job with BuildImageStep (OCI output) followed by ImageScannerStep
    • Trigger a build - scan succeeds, but publish-scanner-report fails with 502
  • Build log error:

20:07:15 Scanning platform linux/amd64...
20:07:16 2026-05-20T01:07:16Z INFO [vulndb] Need to update DB
20:07:16 2026-05-20T01:07:16Z INFO [vulndb] Downloading vulnerability DB...
20:07:16 2026-05-20T01:07:16Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
20:07:21 
20:07:21 2026-05-20T01:07:21Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
20:07:21 2026-05-20T01:07:21Z INFO [vuln] Vulnerability scanning is enabled
20:07:21 2026-05-20T01:07:21Z INFO [secret] Secret scanning is enabled
20:07:21 2026-05-20T01:07:21Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
20:07:21 2026-05-20T01:07:21Z INFO [secret] Please see https://trivy.dev/docs/v0.70/guide/scanner/secret#recommendation for faster secret detection
20:07:25 2026-05-20T01:07:25Z INFO Detected OS family="alpine" version="3.23.4"
20:07:25 2026-05-20T01:07:25Z INFO [alpine] Detecting vulnerabilities... os_version="3.23" repository="3.23" pkg_num=18
20:07:25 2026-05-20T01:07:25Z INFO Number of language-specific files num=1
20:07:25 2026-05-20T01:07:25Z INFO [node-pkg] Detecting vulnerabilities...
20:07:25 fanal.db
20:07:25 Step "scan image -> run-trivy-scan" is successful (10 seconds)
20:07:25 Running step "scan image -> publish-scanner-report"...
20:07:25 java.lang.RuntimeException: Http request failed with status 502, check server log for details
 at io.onedev.k8shelper.KubernetesHelper.checkStatus(KubernetesHelper.java:383)
 at io.onedev.k8shelper.KubernetesHelper.runServerStep(KubernetesHelper.java:933)
 at io.onedev.k8shelper.KubernetesHelper.runServerStep(KubernetesHelper.java:892)
 at io.onedev.agent.AgentSocket$4.doExecute(AgentSocket.java:817)
 at io.onedev.agent.AgentSocket$4.lambda$execute$0(AgentSocket.java:688)
 at io.onedev.agent.AgentUtils.runStep(AgentUtils.java:135)
 at io.onedev.agent.AgentSocket$4.execute(AgentSocket.java:685)
 at io.onedev.k8shelper.LeafFacade.execute(LeafFacade.java:12)
 at io.onedev.k8shelper.CompositeFacade.execute(CompositeFacade.java:35)
 at io.onedev.k8shelper.CompositeFacade.execute(CompositeFacade.java:35)
 at io.onedev.agent.AgentSocket.executeDockerJob(AgentSocket.java:608)
 at io.onedev.agent.AgentSocket.service(AgentSocket.java:998)
 at io.onedev.agent.AgentSocket.lambda$onMessage$2(AgentSocket.java:281)
 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
 at java.base/java.lang.Thread.run(Thread.java:840)
  • Server log error
2026-05-19 20:07:25,494 ERROR [qtp2091430000-22973] i.o.s.rest.JerseyExceptionMapper Error processing api request
java.nio.file.InvalidPathException: Illegal char <:> at index 21: .trivy-outputs/sha256:831b158d1f0f302d74b5516cf86de60fa631ba5b1c47df11d3f095a38a2d4009.json
 at java.base/sun.nio.fs.WindowsPathParser.normalize(WindowsPathParser.java:204)
 at java.base/sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:175)
 at java.base/sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:77)
 at java.base/sun.nio.fs.WindowsPath.parse(WindowsPath.java:92)
 at java.base/sun.nio.fs.WindowsFileSystem.getPath(WindowsFileSystem.java:231)
 at java.base/java.nio.file.Path.resolve(Path.java:516)
 at io.onedev.commons.utils.TarUtils.untar(TarUtils.java:175)
 at io.onedev.server.plugin.executor.kubernetes.KubernetesResource.lambda$runServerStep$0(KubernetesResource.java:120)

Suggested fix: Sanitize the Trivy output filename before packaging into the tar archive - replace : with - or _ (e.g., sha256-<hash>.json) so it is valid on both Linux and Windows.
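
The kind of sanitization suggested above, sketched in Java as an added example (it is not part of the original issue and not OneDev's own code or its actual fix). It goes beyond the colon case to the other characters and reserved names Windows rejects, and refuses `..` segments; `PortableEntryName` and `sanitize` are hypothetical names.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not OneDev's code: PortableEntryName and sanitize() are hypothetical names.
public class PortableEntryName {
    // Characters Windows rejects in a file name, plus ASCII control characters.
    private static final Pattern ILLEGAL = Pattern.compile("[<>:\"|?*\\x00-\\x1F]");
    // Device names Windows reserves, whatever extension follows (e.g. "nul.json").
    private static final Pattern RESERVED =
            Pattern.compile("(?i)(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])");

    /** Returns a relative, '/'-separated name that resolves on both Windows and Linux. */
    static String sanitize(String entryName) {
        StringBuilder out = new StringBuilder();
        // Treat '\' as a separator too, since Windows would.
        for (String segment : entryName.replace('\\', '/').split("/")) {
            if (segment.isEmpty() || segment.equals(".")) continue;
            if (segment.equals(".."))
                throw new IllegalArgumentException("Entry escapes target dir: " + entryName);
            String clean = ILLEGAL.matcher(segment).replaceAll("-");
            // Windows drops trailing dots and spaces, so remove them explicitly.
            clean = clean.replaceAll("[. ]+$", "");
            int dot = clean.indexOf('.');
            String stem = dot < 0 ? clean : clean.substring(0, dot);
            if (clean.isEmpty() || RESERVED.matcher(stem).matches()) clean = "_" + clean;
            if (out.length() > 0) out.append('/');
            out.append(clean);
        }
        if (out.length() == 0)
            throw new IllegalArgumentException("Empty entry name: " + entryName);
        return out.toString();
    }

    public static void main(String[] args) {
        List<String> entries = List.of(
            // File name taken from the server log on this page.
            ".trivy-outputs/sha256:831b158d1f0f302d74b5516cf86de60fa631ba5b1c47df11d3f095a38a2d4009.json",
            // Constructed inputs: a reserved device name and a traversal attempt.
            ".trivy-outputs/nul.json",
            "../outside.json");
        for (String entry : entries) {
            try {
                System.out.println(entry + " -> " + sanitize(entry));
            } catch (IllegalArgumentException e) {
                System.out.println(entry + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Distinct entry names can map to the same sanitized name, so code that extracts many entries should check for collisions before writing.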

  • Alejandro Oton Garcia changed title 1 month ago
    Previous Value: `ImageScannerStep` fails with `InvalidPathException` on Windows — colon in Trivy output filename
    Current Value: `ImageScannerStep` fails with `InvalidPathException` on Windows due to `:` in Trivy output filename
  • Robin Shen commented 1 month ago

    This step runs inside a container and does not support running on Windows. Please run it on an agent installed on Linux.

  • Alejandro Oton Garcia commented 1 month ago

    I do have an agent that is running on Linux and the CI/CD job is being executed there. The issue is not where the step is being executed. The issue is the filename being generated by Trivy. When it tries to publish the report back to the OneDev server running on Windows, it fails due to an invalid character (:) in the filename.

  • Robin Shen commented 1 month ago

    I see. You are running the job on a Linux agent and the server on Windows. This is totally valid. Should be a bug and will look into this.

  • Alejandro Oton Garcia commented 1 month ago

    Thanks Robin!

  • OneDev commented 1 month ago

    State changed as build OD-7402 (15.0.8) is successful

  • OneDev changed state to 'Closed' 1 month ago
    Previous Value: Open
    Current Value: Closed
Type: Bug
Priority: Normal
Assignee:
Affected Versions: 15.0.7
Labels: No labels
Reference: OD-2782