Error "semaphore acquire: context deadline exceeded" when running Trivy fs scan on WildFly repository

[pooja0805]

Question

Hi Team,

While scanning WildFly source repositories using trivy fs, the scan intermittently fails with a context deadline exceeded error. The issue appears during the file traversal or analysis stage for specific pom.xml files within the WildFly source tree.

Error Logs:

Executing trivy scanner
2025-10-31T06:26:31Z	FATAL	Fatal error	run error: fs scan error: scan error: scan failed: failed analysis: analyze with traversal: walk dir error: unknown error with wildfly/clustering/common/pom.xml: failed to analyze file: analyze file (clustering/common/pom.xml): semaphore acquire: context deadline exceeded
2025-10-31T06:56:31Z	FATAL	Fatal error	run error: fs scan error: scan error: scan failed: failed analysis: analyze with traversal: walk dir error: unknown error with wildfly/clustering/ejb/cache/pom.xml: failed to analyze file: analyze file (clustering/ejb/cache/pom.xml): semaphore acquire: context deadline exceeded
Error: Process completed with exit code 1.

Command Used:
sudo trivy -q fs --timeout 30m -f json <source_code>

Expected Behavior:
Trivy should complete the full filesystem scan without timing out on specific files.

Actual Behavior:
Trivy terminates with a fatal error, failing to analyze certain pom.xml files in the WildFly source tree, showing a semaphore acquire: context deadline exceeded message.

Additional Context / Notes:
Increasing the timeout to 30m did not resolve the problem.

It would be really helpful if you'll could help investigate or suggest a workaround for this issue.
Thanks!

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

ppc64le

Version

v0.67.2

[knqyf263]

Could you try with --debug? It may take a long time if it's a large repository.

[pooja0805]

Sure @knqyf263.

[pooja0805]

Hi @knqyf263, I retried the scan with debug mode enabled. The WildFly repository worked fine, but we faced a similar error on another project, camel-quarkus. Sharing a small part of the debug log below:

2025-11-04T11:13:43Z	FATAL	Fatal error
  - run error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:398
  - fs scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:439
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:291
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:693
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scan/service.go:48
  - analyze with traversal:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:220
  - walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/walker.(*FS).Walk
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:35
  - unknown error with camel-quarkus/extensions-jvm/smpp/deployment/pom.xml:
    github.com/aquasecurity/trivy/pkg/fanal/walker.(*FS).Walk.(*FS).onError.func2
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:92
  - failed to analyze file:
    github.com/aquasecurity/trivy/pkg/fanal/walker.(*FS).Walk.(*FS).WalkDirFunc.func1
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:73
  - analyze file (extensions-jvm/smpp/deployment/pom.xml):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.analyzeWithTraversal.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:314
  - semaphore acquire:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:443
  - context deadline exceeded
2025-11-04T11:43:43Z	FATAL	Fatal error
  - run error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:398
  - fs scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:439
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:291
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:693
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scan/service.go:48
  - analyze with traversal:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:220
  - walk dir error:
    github.com/aquasecurity/trivy/pkg/fanal/walker.(*FS).Walk
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:35
  - unknown error with camel-quarkus/extensions-core/core-cloud/runtime/pom.xml:
    github.com/aquasecurity/trivy/pkg/fanal/walker.(*FS).Walk.(*FS).onError.func2
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:92
  - failed to analyze file:
    github.com/aquasecurity/trivy/pkg/fanal/walker.(*FS).Walk.(*FS).WalkDirFunc.func1
        /home/runner/work/trivy/trivy/pkg/fanal/walker/fs.go:73
  - analyze file (extensions-core/core-cloud/runtime/pom.xml):
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.analyzeWithTraversal.func1
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:314
  - semaphore acquire:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:443
  - context deadline exceeded
Error: Process completed with exit code 1.

[pooja0805]

Sure. Let me try this out.

[pooja0805]

Hey @DmitriyLewen, I tried mvn dependency:resolve, but Trivy still failed to complete the scan. It still fails with the error mentioned above.

[DmitriyLewen]

Did you download all required dependencies successfully?
I got an error:

[ERROR] Failed to execute goal on project camel-quarkus-core-deployment: Could not resolve dependencies for project org.apache.camel.quarkus:camel-quarkus-core-deployment:jar:3.30.0-SNAPSHOT
[ERROR] dependency: org.apache.camel.quarkus:camel-quarkus-core:jar:3.30.0-SNAPSHOT (compile)
[ERROR] 	Could not find artifact org.apache.camel.quarkus:camel-quarkus-core:jar:3.30.0-SNAPSHOT
[ERROR] 
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <args> -rf :camel-quarkus-core-deployment

After that, I can see Trivy also tries to fetch these dependencies, but it fails.
This takes a lot of time (see the timestamps in the log).

2025-11-05T14:21:27+06:00	DEBUG	[pom] Resolving...	group_id="jakarta.servlet" artifact_id="jakarta.servlet-api" version="6.0.0"
2025-11-05T14:22:35+06:00	DEBUG	[pom] Failed to fetch	url="https://repository.jboss.org/nexus/content/groups/public/jakarta/servlet/jakarta.servlet-api/6.0.0/jakarta.servlet-api-6.0.0.pom" err="Get \"https://repository.jboss.org/nexus/content/groups/public/jakarta/servlet/jakarta.servlet-api/6.0.0/jakarta.servlet-api-6.0.0.pom\": read tcp 192.168.1.101:62974->2.19.183.48:443: read: operation timed out"

[pooja0805]

We are following the steps mentioned here - https://github.com/Aayush-Panchal/build-scripts/blob/debugtravy/c/camel-quarkus/camel_quarkus_ubi_9.3.sh

[DmitriyLewen]

Hi @pooja0805
I reviewed the repository and downloaded the dependencies using that script.
Although I hit an error, I believe it’s related to tests and shouldn’t affect us.

I checked the logs and see that in most cases Trivy pulls artifacts from the local repository, but occasionally it tries to download a parent artifact from a remote repository.
Apparently Trivy picks wrong versions (i am not sure about this, perhaps mvn didn't download them (i don't know why)) for some artifacts and attempts to fetch them. We’re constantly improving Trivy’s logic to match mvn more closely, but mistakes can still happen.

I don’t know how you’d even untangle such a large repository to find the spot where Trivy “took a wrong turn”.

But nevertheless, I successfully scanned this repository:

[root@d1f4a7f3668d camel-quarkus]# time trivy -d fs pom.xml
...

real	19m15.009s
user	4m47.561s
sys	0m10.528s

there is #9747 - it can also slow down the scan.

[ggjulio]

Same error, it is very random, it's happening about 1/2.

When it works it is very fast, less than <25sec. And when it fails it timeout. (10min)
Our repo is also quite big, with a lot of modules. We use mvnd to builds them in parallel before running trivy fs/repo.

I kind of suspect mvnd is not always consistant in the downloading ? which may explain our 50% failure rate.

Any hints appreciated. Also we could open an issue?

EDIT:

Did you download all required dependencies successfully

Trivy is run after the build. I'm pretty sure all dependencies are downloaded before.

[DmitriyLewen]

If Trivy accesses remote repositories (instead of using a local one), performance depends not on the machine’s power, but on the speed of its internet connection.

[ggjulio]

It's a local repository that we are accessing

[DmitriyLewen]

Can you share debug logs for wrong (with timeout) and correct (fast run) runs?

[ggjulio]

@DmitriyLewen I can't sorry.
In the end we evaluated syft and cyclone maven plugin, we'll probably stick to cyclone maven plugin.
We may switch back to trivy later.

[DmitriyLewen]

Hello @ggjulio
If you want to see vulnerabilities for your project, you can scan an SBOM generated by the CycloneDX Maven plugin.
Documentation: https://trivy.dev/docs/latest/guide/target/sbom/

[pooja0805]

@DmitriyLewen Any insights on above?