chore: display the troubleshooting URL for the DB denial error (aquasecurity#3474)

knqyf263 · web-flow · commit aaf845d02e70 · 2023-01-23T16:12:00.000+02:00
diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md
@@ -91,23 +91,6 @@ Reference : [boltdb: Opening a database][boltdb].
 
 [boltdb]: https://github.com/boltdb/bolt#opening-a-database
 
-### Error downloading vulnerability DB
-
-!!! error
-    FATAL failed to download vulnerability DB
-
-If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
-
-- ghcr.io
-- pkg-containers.githubusercontent.com
-
-### Old DB schema
-
-!!! error
-    --skip-update cannot be specified with the old DB schema.
-
-Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
-
 ### Multiple Trivy servers
 
 !!! error
@@ -150,6 +133,37 @@ Try:
 $ TMPDIR=/my/custom/path trivy image ...
 ```
 
+## DB
+### Old DB schema
+
+!!! error
+    --skip-update cannot be specified with the old DB schema.
+
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+
+### Error downloading vulnerability DB
+
+!!! error
+    FATAL failed to download vulnerability DB
+
+If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
+
+- ghcr.io
+- pkg-containers.githubusercontent.com
+
+### Denied
+
+!!! error
+    GET https://ghcr.io/token?scope=repository%3Aaquasecurity%2Ftrivy-db%3Apull&service=ghcr.io: DENIED: denied
+
+Your local GHCR (GitHub Container Registry) token might be expired.
+Please remove the token and try downloading the DB again.
+
+```shell
+docker logout ghcr.io
+```
+
+
 ## Homebrew
 ### Scope error
 !!! error
diff --git a/pkg/db/db.go b/pkg/db/db.go
@@ -2,17 +2,18 @@ package db
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
-	"github.com/aquasecurity/trivy/pkg/oci"
-
+	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 	"golang.org/x/xerrors"
 	"k8s.io/utils/clock"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/oci"
 )
 
 const (
@@ -191,6 +192,16 @@ func (c *Client) initOCIArtifact() (*oci.Artifact, error) {
 	repo := fmt.Sprintf("%s:%d", c.dbRepository, db.SchemaVersion)
 	art, err := oci.NewArtifact(repo, dbMediaType, c.quiet, c.insecureSkipTLSVerify)
 	if err != nil {
+		var terr *transport.Error
+		if errors.As(err, &terr) {
+			for _, diagnostic := range terr.Errors {
+				// For better user experience
+				if diagnostic.Code == transport.DeniedErrorCode || diagnostic.Code == transport.UnauthorizedErrorCode {
+					log.Logger.Warn("See https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/#db")
+					break
+				}
+			}
+		}
 		return nil, xerrors.Errorf("OCI artifact error: %w", err)
 	}
 	return art, nil
