Anchore analysis fails on Redhat UBI Micro multi-stage build #1111
Some additional context on this finding, as an attempt to reproduce by building/pushing an image with the provided Dockerfile was unsuccessful (in that the resulting image would analyze normally, without generating the error). Working with the user, we did find that in the particular registry being used, there is a difference between the layers listed in the manifest versus the layers listed in the result of the skopeo download (oci directory), for just one of the layers. Namely, the manifest has:
where the oci manifest shows:
for the first layer. This causes anchore to be unable to 'find' the first layer, as the code is using the layer digest from the manifest to look for the corresponding layer file post download. Details of the layer file itself show that the oci manifest entry lines up with the local layer file, but the digest from the manifest is against the uncompressed data, even though the mediaType is indicating that the layer is compressed:
Adding the above to aid with triage - we don't have an example of an image in a registry (that is public) that demonstrates this effect, but the above does explain the error in the logs. Suggest considering adding a codepath for inspecting the oci manifest instead of (or in addition to, if there is a misalignment detected) the registry manifest, to handle this condition (one idea that could ensure that when this condition is present for a given registry/image, the analyzer would be able to find the layer on disk after download even if the manifest layer digest differs from the layer file that is ultimately present).
More context - anchore uses skopeo to download the image for analysis, with a command like:
In the case discussed here, we observe that adding the skopeo copy option '--dest-oci-accept-uncompressed-layers' appears to result in the local layer file names matching the layer digests in the original manifest (adding this for consideration as a possible alternate solution). Finally - the image in question is being pushed to a registry using skopeo, with signing
which may be a way to try and reproduce the effect (manifest layer digests not lining up with downloaded layer file names).
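To illustrate the misalignment described in the comment above, here is an added example (not code from anchore-engine or from the commenter) that builds a small gzip-compressed layer and checks whether a manifest layer entry's digest was taken over the compressed bytes, as a `+gzip` mediaType implies, or over the uncompressed tar, which would make the layer file on disk unfindable by its manifest digest. The media type strings are the standard OCI/Docker ones; the sample layer contents are constructed.

```python
import gzip
import hashlib
import io
import tarfile

# Layer media types that promise gzip-compressed content; for these, the
# manifest digest must be over the compressed bytes (and so must the OCI
# layout blob filename, which is where anchore looks for the layer file).
GZIP_LAYER_TYPES = {
    "application/vnd.oci.image.layer.v1.tar+gzip",
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
}

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def classify_layer(manifest_layer: dict, blob: bytes) -> str:
    """Compare one manifest layer entry against the blob found on disk.

    'compressed'   -> digest matches the compressed bytes (the normal case)
    'uncompressed' -> digest matches only the decompressed tar (the misalignment
                      in this issue: mediaType says gzip, digest says otherwise)
    'mismatch'     -> digest matches neither
    """
    expected = manifest_layer["digest"]
    if sha256_digest(blob) == expected:
        return "compressed"
    if manifest_layer["mediaType"] in GZIP_LAYER_TYPES:
        try:
            inner = gzip.decompress(blob)
        except OSError:  # not valid gzip despite the declared mediaType
            return "mismatch"
        if sha256_digest(inner) == expected:
            return "uncompressed"
    return "mismatch"

def build_sample_layer() -> bytes:
    """Constructed sample layer: a one-file tar, gzip-compressed deterministically."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed layer content\n"
        info = tarfile.TarInfo(name="etc/motd")
        info.size = len(data)
        info.mtime = 0
        tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=0)

def demo() -> tuple:
    blob = build_sample_layer()
    media = "application/vnd.oci.image.layer.v1.tar+gzip"
    good = {"mediaType": media, "digest": sha256_digest(blob), "size": len(blob)}
    # Entry as seen in this issue: gzip mediaType, but digest of the uncompressed tar.
    bad = {"mediaType": media, "digest": sha256_digest(gzip.decompress(blob)), "size": len(blob)}
    return classify_layer(good, blob), classify_layer(bad, blob)
```

Run against a real `skopeo copy` OCI directory, you would feed each manifest layer entry and the bytes of `blobs/sha256/<hex>` to `classify_layer`; an `uncompressed` result pinpoints the layer the analyzer cannot locate.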
Is this a request for help?: Yes
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): Bug Report
Version of Anchore Engine and Anchore CLI if applicable:
$ anchore-cli --version
anchore-cli, version 0.9.1
Engine DB Version: 0.0.14
Engine Code Version: 0.9.4
What happened:
Image analysis fails every time for this image
What did you expect to happen:
Image should be scanned successfully and vulnerability data able to be retrieved
Any relevant log output from /var/log/anchore:
What docker images are you using:
Dockerfile
How to reproduce the issue:
Anything else we need to know:
It might be related to it being the micro image
registry.access.redhat.com/ubi8-minimal:latest
being very basic (no package manager, tar, curl, etc.) but that image works if you scan it directly.