fix(server): add HTTP transport setup to server mode #9217

knqyf263 · 2025-07-18T11:40:16Z

Description

This fixes the broken --insecure flag in server mode since v0.64.0. The issue was caused by PR #9058 which centralized HTTP transport configuration but only updated client mode (pkg/commands/artifact/run.go), not server mode (pkg/commands/server/run.go).

Root Cause

The centralized HTTP transport system in pkg/x/http requires xhttp.SetDefaultTransport() to be called to configure TLS settings. While this was properly implemented in client mode, it was missing in server mode, causing the --insecure flag to be ignored.

Solution

Added the missing HTTP transport setup in pkg/commands/server/run.go:

// Set the default HTTP transport
xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{
    Insecure: opts.Insecure,
    Timeout:  opts.Timeout,
}))

This mirrors the pattern already implemented in pkg/commands/artifact/run.go.

Verification

Tested with mitmproxy to simulate TLS certificate issues:

❌ Without --insecure flag (Expected failure):

HTTPS_PROXY=http://localhost:8080 ./trivy server --listen localhost:8081 --token test123

Result: Failed with "tls: failed to verify certificate: x509: certificate signed by unknown authority"

✅ With --insecure flag (Expected success):

HTTPS_PROXY=http://localhost:8080 ./trivy server --listen localhost:8081 --token test123 --insecure

Result: Server started successfully, bypassed TLS verification, and downloaded 66.7MB database file.

Future Plans

Add E2E tests to prevent these issues

Related issues

Close Insecure setting broken for server since 0.64.0 #9218

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.64.1` -> `0.65.0` | --- ### Release Notes <details> <summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary> ### [`v0.65.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0650-2025-07-30) [Compare Source](aquasecurity/trivy@v0.64.1...v0.65.0) ##### Features - add graceful shutdown with signal handling ([#9242](aquasecurity/trivy#9242)) ([2c05882](aquasecurity/trivy@2c05882)) - add HTTP request/response tracing support ([#9125](aquasecurity/trivy#9125)) ([aa5b32a](aquasecurity/trivy@aa5b32a)) - **alma:** add AlmaLinux 10 support ([#9207](aquasecurity/trivy#9207)) ([861d51e](aquasecurity/trivy@861d51e)) - **flag:** add schema validation for `--server` flag ([#9270](aquasecurity/trivy#9270)) ([ed4640e](aquasecurity/trivy@ed4640e)) - **image:** add Docker context resolution ([#9166](aquasecurity/trivy#9166)) ([99cd4e7](aquasecurity/trivy@99cd4e7)) - **license:** observe pkg types option in license scanner ([#9091](aquasecurity/trivy#9091)) ([d44af8c](aquasecurity/trivy@d44af8c)) - **misconf:** add private ip google access attribute to subnetwork ([#9199](aquasecurity/trivy#9199)) ([263845c](aquasecurity/trivy@263845c)) - **misconf:** added logging and versioning to the gcp storage bucket ([#9226](aquasecurity/trivy#9226)) ([110f80e](aquasecurity/trivy@110f80e)) - **repo:** add git repository metadata to reports ([#9252](aquasecurity/trivy#9252)) ([f4b2cf1](aquasecurity/trivy@f4b2cf1)) - **report:** add CVSS vectors in sarif report ([#9157](aquasecurity/trivy#9157)) ([60723e6](aquasecurity/trivy@60723e6)) - **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#9126](aquasecurity/trivy#9126)) ([12d6706](aquasecurity/trivy@12d6706)) ##### Bug Fixes - **alma:** parse epochs from rpmqa file ([#9101](aquasecurity/trivy#9101)) ([82db2fc](aquasecurity/trivy@82db2fc)) - also check `filepath` when removing duplicate packages ([#9142](aquasecurity/trivy#9142)) ([4d10a81](aquasecurity/trivy@4d10a81)) - **aws:** update amazon linux 2 EOL date ([#9176](aquasecurity/trivy#9176)) ([0ecfed6](aquasecurity/trivy@0ecfed6)) - **cli:** Add more non-sensitive flags to telemetry ([#9110](aquasecurity/trivy#9110)) ([7041a39](aquasecurity/trivy@7041a39)) - **cli:** ensure correct command is picked by telemetry ([#9260](aquasecurity/trivy#9260)) ([b4ad00f](aquasecurity/trivy@b4ad00f)) - **cli:** panic: attempt to get os.Args\[1] when len(os.Args) < 2 ([#9206](aquasecurity/trivy#9206)) ([adfa879](aquasecurity/trivy@adfa879)) - **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#9116](aquasecurity/trivy#9116)) ([a692f29](aquasecurity/trivy@a692f29)) - **license:** handle WITH operator for `LaxSplitLicenses` ([#9232](aquasecurity/trivy#9232)) ([b4193d0](aquasecurity/trivy@b4193d0)) - migrate from `*.list` to `*.md5sums` files for `dpkg` ([#9131](aquasecurity/trivy#9131)) ([f224de3](aquasecurity/trivy@f224de3)) - **misconf:** correctly adapt azure storage account ([#9138](aquasecurity/trivy#9138)) ([51aa022](aquasecurity/trivy@51aa022)) - **misconf:** correctly parse empty port ranges in google\_compute\_firewall ([#9237](aquasecurity/trivy#9237)) ([77bab7b](aquasecurity/trivy@77bab7b)) - **misconf:** fix log bucket in schema ([#9235](aquasecurity/trivy#9235)) ([7ebc129](aquasecurity/trivy@7ebc129)) - **misconf:** skip rewriting expr if attr is nil ([#9113](aquasecurity/trivy#9113)) ([42ccd3d](aquasecurity/trivy@42ccd3d)) - **nodejs:** don't use prerelease logic for compare npm constraints ([#9208](aquasecurity/trivy#9208)) ([fe96436](aquasecurity/trivy@fe96436)) - prevent graceful shutdown message on normal exit ([#9244](aquasecurity/trivy#9244)) ([6095984](aquasecurity/trivy@6095984)) - **rootio:** check full version to detect `root.io` packages ([#9117](aquasecurity/trivy#9117)) ([c2ddd44](aquasecurity/trivy@c2ddd44)) - **rootio:** fix severity selection ([#9181](aquasecurity/trivy#9181)) ([6fafbeb](aquasecurity/trivy@6fafbeb)) - **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#9194](aquasecurity/trivy#9194)) ([aa944cc](aquasecurity/trivy@aa944cc)) - **sbom:** use correct field for licenses in CycloneDX reports ([#9057](aquasecurity/trivy#9057)) ([143da88](aquasecurity/trivy@143da88)) - **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#9253](aquasecurity/trivy#9253)) ([54832a7](aquasecurity/trivy@54832a7)) - **secret:** fix line numbers for multiple-line secrets ([#9104](aquasecurity/trivy#9104)) ([e579746](aquasecurity/trivy@e579746)) - **server:** add HTTP transport setup to server mode ([#9217](aquasecurity/trivy#9217)) ([1163b04](aquasecurity/trivy@1163b04)) - supporting .egg-info/METADATA in python.Packaging analyzer ([#9151](aquasecurity/trivy#9151)) ([e306e2d](aquasecurity/trivy@e306e2d)) - **terraform:** `for_each` on a map returns a resource for every key ([#9156](aquasecurity/trivy#9156)) ([153318f](aquasecurity/trivy@153318f)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1073 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com>

fix: add HTTP transport setup to server mode for --insecure flag

33ee037

knqyf263 marked this pull request as draft July 18, 2025 11:40

knqyf263 self-assigned this Jul 18, 2025

knqyf263 added kind/bug Categorizes issue or PR as related to a bug. autoready Automatically mark PR as ready for review when all checks pass labels Jul 18, 2025

github-actions bot marked this pull request as ready for review July 18, 2025 11:59

github-actions bot removed the autoready Automatically mark PR as ready for review when all checks pass label Jul 18, 2025

DmitriyLewen approved these changes Jul 21, 2025

View reviewed changes

knqyf263 added this pull request to the merge queue Jul 21, 2025

Merged via the queue into aquasecurity:main with commit 1163b04 Jul 21, 2025
14 checks passed

knqyf263 deleted the fix-server-insecure-setting branch July 21, 2025 09:22

aqua-bot mentioned this pull request Jul 21, 2025

release: v0.65.0 [main] #9108

Merged

DmitriyLewen mentioned this pull request Jul 22, 2025

test: add end-to-end testing framework with image scan and proxy tests #9231

Merged

6 tasks

yutatokoi pushed a commit to yutatokoi/trivy that referenced this pull request Aug 12, 2025

fix(server): add HTTP transport setup to server mode (aquasecurity#9217)

2284739

Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(server): add HTTP transport setup to server mode #9217

fix(server): add HTTP transport setup to server mode #9217

Uh oh!

knqyf263 commented Jul 18, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

fix(server): add HTTP transport setup to server mode #9217

fix(server): add HTTP transport setup to server mode #9217

Uh oh!

Conversation

knqyf263 commented Jul 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Root Cause

Solution

Verification

Future Plans

Related issues

Checklist

Uh oh!

Uh oh!

Uh oh!

knqyf263 commented Jul 18, 2025 •

edited

Loading