Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grype throws "requested access to the resource is denied" even I have access with Docker #2161

Closed
Dentrax opened this issue Oct 4, 2024 · 2 comments
Closed

Grype throws "requested access to the resource is denied" even I have access with Docker #2161

Dentrax opened this issue Oct 4, 2024 · 2 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog

Comments

@Dentrax
Copy link

Dentrax commented Oct 4, 2024
edited
Loading

What happened:

This works - and I able to pull the image without any issues:

docker image pull docker:cli

But this doesn't:

grype docker:cli
 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image

failed to catalog: an error occurred attempting to resolve 'cli': docker: pull failed: Error response from daemon: pull access denied for cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

I able to scan any image with Grype beside docker:cli image. It's weird. This is actually the first time it threw auth issue.

After pull the image with docker pull, this worked:

grype docker.io/library/docker:cli

What you expected to happen:

It should able to pull the image?

How to reproduce it (as minimally and precisely as possible):

I don't know to provide reproducible steps here, sorry.

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:         grype
Version:             0.80.0
BuildDate:           2024-08-20T17:56:40Z
GitCommit:           205ccfb6c90edb7258a9d25995f0a59c32e48142
GitDescription:      v0.80.0
Platform:            darwin/arm64
GoVersion:           go1.22.6
Compiler:            gc
Syft Version:        v1.11.1
Supported DB Schema: 5
  • OS (e.g: cat /etc/os-release or similar): macOS 14
@Dentrax Dentrax added the bug Something isn't working label Oct 4, 2024
@Dentrax Dentrax changed the title Grype says "requested access to the resource is denied" even I have access with Docker Grype throws "requested access to the resource is denied" even I have access with Docker Oct 5, 2024
@wagoodman
Copy link
Contributor

A workaround for the behavior you're seeing is this:

grype docker:docker:cli

What's happening here is that grype is interpreting docker: as a scheme on how to fetch the image, in this case saying to fetch the image from the local docker daemon (where the valid syft/grype values here are docker, podman, registry, etc). Since there is a name collision with these schemes and the image you're using grype is interpreting your input as fetching the image cli:latest via the local docker daemon.

The only way to really fix all cases for this here is a CLI redesign where we accept either a URLish thing:

grype docker://docker:cli

or we start introducing other flags, similar to what we added in syft to do this:

grype --from docker docker:cli

Which is tracked in #1917 .

@spiffcs
Copy link
Contributor

spiffcs commented Oct 14, 2024

Closing as the workaround has been posted and we're actively tracking redesigns and potential new schemes for v1.0.0

@spiffcs spiffcs closed this as completed Oct 14, 2024
@github-project-automation github-project-automation bot moved this to Done in OSS Oct 14, 2024
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog
Projects
OSS
Archived in project
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wagoodman @willmurphyscode @Dentrax @spiffcs