Comments (5)
tgerla
commented on May 26, 2024
1
Hey @matthyx, sorry, I spoke too soon. I've reproduced this crash on 1.1.0 myself. We will take a look when we are able. Thanks again for the report!
from syft.
willmurphyscode
commented on May 26, 2024
1
Thanks @matthyx for the report!
It looks like demo.goharbor.io/forcharts/redpanda:5.7.23 is a helm chart packaged as an OCI image, but not a container image:
$ docker pull demo.goharbor.io/forcharts/redpanda:5.7.23
5.7.23: Pulling from forcharts/redpanda
unsupported media type application/vnd.cncf.helm.config.v1+json
$ helm pull oci://demo.goharbor.io/forcharts/redpanda --version 5.7.23
Pulled: demo.goharbor.io/forcharts/redpanda:5.7.23
Digest: sha256:e3fd748dad865a292c94d77ca71aca55d61585e413c5855011ea587dd6fe1c7d
$ ls
redpanda-5.7.23.tgz
$ tar -tzf redpanda-5.7.23.tgz
redpanda/Chart.yaml
... snip ...Syft doesn't currently support scanning helm charts directly, but definitely shouldn't panic when someone tries!
I'll make a PR to syft (or more likely https://github.com/anchore/stereoscope, the library Syft uses to handle OCI image interactions) to prevent the panic and fail gracefully in the case when Syft is asked to scan an image that turns out to be an OCI-packaged helm chart.
If you were trying to get a list of all the packages that will be involved if you deploy the helm chart, you might be able to make some progress by pulling the helm chart and looking at Chart.yaml to see which images would be pulled, and pointing syft at those, but I'm not an expert in helm and I don't know whether that would give you a complete list.
from syft.
tgerla
commented on May 26, 2024
Hi @matthyx, thank you for the report! Can you upgrade to the latest Syft (1.1.0) and see if the problem reproduces? 0.70 is from February 2023 so it's quite out of date now. Thanks!
from syft.
matthyx
commented on May 26, 2024
Sorry for the version mismatch, I had 2 syft installed, the old one by hand in /usr/local/bin/syft and the new one by apt in /usr/bin/syft.
Thanks for looking at it :)
from syft.
tgerla
commented on May 26, 2024
Whoops, hit Return too soon.
Dev notes: Here is the output from the stereoscope test script which includes just a little more information:
tgerla@Timothys-MacBook-Pro-2 stereoscope % go run examples/basic.go demo.goharbor.io/forcharts/redpanda:5.7.23
[0000] DEBUG image: source= location=demo.goharbor.io/forcharts/redpanda:5.7.23
[0000] TRACE trying podman socket path=/Users/tgerla/Library/Application Support/podman/podman.sock
[0000] TRACE trying podman socket path=/run/podman/podman.sock
[0000] TRACE unable to connect to podman via unix socket error=no socket address
github.com/anchore/stereoscope/internal/podman.init
/Users/tgerla/git/anchore/stereoscope/internal/podman/client.go:18
runtime.doInit1
/usr/local/go/src/runtime/proc.go:6740
runtime.doInit
/usr/local/go/src/runtime/proc.go:6707
runtime.main
/usr/local/go/src/runtime/proc.go:249
runtime.goexit
/usr/local/go/src/runtime/asm_arm64.s:1197
[0000] TRACE trying containerd socket path=/var/run/containerd/containerd.sock
[0000] DEBUG pulling image info directly from registry image="demo.goharbor.io/forcharts/redpanda:5.7.23"
[0000] DEBUG no registry credentials configured for "demo.goharbor.io", using the default keychain
[0002] DEBUG image metadata: digest=sha256:3d34c672cbed928c11048e901f8c2d81490e11b32cdd834736d3aef20b55ce4e mediaType=application/vnd.oci.image.manifest.v1+json tags=[]
panic: runtime error: index out of range [0] with length 0
goroutine 1 [running]:
github.com/anchore/stereoscope/pkg/image.newLayerMetadata({{0x14000222eb0, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {{0x0, ...}}, ...}, ...}, ...)
/Users/tgerla/git/anchore/stereoscope/pkg/image/layer_metadata.go:26 +0x178
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(_, _, {{0x14000222eb0, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, ...}, ...}, ...}, ...)
/Users/tgerla/git/anchore/stereoscope/pkg/image/layer.go:88 +0xc0
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0x1400040c380)
/Users/tgerla/git/anchore/stereoscope/pkg/image/image.go:227 +0x60c
github.com/anchore/stereoscope/pkg/image/oci.(*registryImageProvider).Provide(0x14000100720, {0x104dd4c90, 0x14000112690})
/Users/tgerla/git/anchore/stereoscope/pkg/image/oci/registry_provider.go:93 +0x948
github.com/anchore/stereoscope.getImageFromSource({0x104dd4c90, 0x14000112690}, {0x16babf8b3, 0x2a}, {0x0, 0x0}, {0x0, 0x0, 0x0})
/Users/tgerla/git/anchore/stereoscope/client.go:110 +0x388
github.com/anchore/stereoscope.GetImage({0x104dd4c90, 0x14000112690}, {0x16babf8b3, 0x2a}, {0x0, 0x0, 0x0})
/Users/tgerla/git/anchore/stereoscope/client.go:72 +0x70
main.main()
/Users/tgerla/git/anchore/stereoscope/examples/basic.go:36 +0x134
exit status 2
tgerla@Timothys-MacBook-Pro-2 stereoscope %
from syft.
Related Issues (20)
- Regression in 1.1 cataloging openjdk: generates version containing a null byte HOT 13
- Syft reports some fw* pckages, which are nowhere to find HOT 4
- Add support for dnf packages HOT 1
- Support Swift Package Manager Package.resolved schema version 3 HOT 2
- Catalog TiDB binary
- Redis not listed in the artifact lists of the bitnami/redis image HOT 2
- License not pickedup for binaries like java (openjdk), node (nodejs) HOT 4
- Ignore Go compiler affecting CVE when Docker image only contains a binary compiled with Go HOT 2
- Pom parser not resolving all dependency versions
- SBOM is generated with empty name HOT 4
- components inside tar.gz / tgz not picked up HOT 2
- Golang: Search remote licenses not working in a CI pipeline when scanning Docker image HOT 4
- Clearly document the fact that CPE strings could be made up HOT 1
- Recognition of files in a folder works inconsistently between Linux distributions. HOT 1
- New version 1.3.0 leads to "too many open files" while scanning bigger images HOT 1
- Add `bun-lock-cataloger` & `bun-binary-cataloger` catalogers HOT 1
- Improve linting for `defer Close` type issues HOT 2
- Binary copied to image omitted from SBOM HOT 4
- Relationships / Dependencies are present in Syft json and SPDX json files but not in Cyclonedx json file format HOT 3
- Not all the packages are getting imported in Blackduck scanner HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from syft.