Syft does not detect some software in Docker Official Images #1197
Comments
@captn3m0 for python and busybox detection try running the Example: The results should be under I'll take a look at the other reports from this issue as well.
The Perhaps classifiers should provide a template alongside that can be included in the BOM? For eg,
I re-ran the images against the Here's the output from the important ones:
FWIW, both of those Python versions that "work" are picking up the distro build of Python, not the Python that's first in the path / intentionally provided by the image (instances of docker-library/python#744, essentially) -- because they're the non-slim "batteries included" images, some of the "batteries" in their base layer use Python so it gets included via the distro (and that's somewhat dangerous for us to override/remove) 😞
Hi @captn3m0, I'm looking at some old issues and I have spot-checked a few of these with the latest version of Syft, and I believe we have solved most of these problems. I'll close this issue but if you run into any other missing packages, please go ahead and open a new issue and we can look into it. Thank you!
Double checked all of the above, and filed #1963.
What happened:
Docker official images are highly used across the ecosystem, but since these images involve a lot of custom source-installed software, instead of package managers, a lot of these components are undetected by Syft. These are critical foundational dependencies that are getting missed.
What you expected to happen: Syft should detect foundational packages via other means.
How to reproduce it (as minimally and precisely as possible): Run some scans on docker official images and validate whether the primary dependency is picked up. Examples:
Python
None of these detects the version of Python installed:
python:3-slim ❌
python:3-alpine ❌
python:2 ✔️
This one does work (Partial output)
python:3 ✔️
Busybox ❌
None of these discovers busybox as installed:
Redis ❌
None of the following picks up Redis:
Nodejs ❌
None of the following picks up Nodejs
Traefik ❌
Picks up incorrect version
httpd ❌
Neither of these picks up httpd/apache:
memcached ❌
None of these picks up memcached
Golang ❌
Consul ❌
It does report some versions, but all are incorrect
Correct version is 1.13:
Nextcloud ❌
Influxdb ❌✔️
Detected in the debian version, not in the alpine one.
Wordpress ❌
Not detected.
Ruby ❌
None of the Ruby images detect ruby
Haproxy ❌
PHP ❌
Bash ❌
Vault ❌
Detects wrong version.
Anything else we need to know?: I picked the first 30 or so images from https://hub.docker.com/search?image_filter=official&q= for the survey. The ones that get detected are either using a package manager properly (mariadb, mysql) or built as java archives which are detected easily outside the package managers (such as tomcat or sonarqube).
Python/PHP/Ruby/Node/Golang are arguably the most depended upon base images, and syft should detect the primary dependency in these images.
Usage Context
This request comes via the endoflife.date project, where we are working towards detecting EOL products by scanning SBOMs. The plan is to "leave the detection to the existing SBOM ecosystem" (i.e., products like syft), while we can provide feeds/PURLs/scanners to actually find EOL products in existing SBOMs.
Unfortunately, the most common use case for EOL checks (programming language EOL) is not met by syft, hence this issue.
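The reproduction step in the issue ("run some scans on docker official images and validate whether the primary dependency is picked up") can be turned into a repeatable check against Syft's JSON output. The script below is an added example written for this page; it is not code from the issue or from the Syft project. It assumes the Syft JSON format's top-level "artifacts" list with "name" and "version" fields (check this against the Syft version you run), and the embedded SBOMs and version strings other than Consul's "1.13" are constructed samples, not scan results from the page. It classifies each image as "missing", "wrong-version" or "ok", which mirrors the three outcomes the survey above records.

```python
"""Verify that a Syft JSON SBOM contains the primary package of a Docker official image.

Added example, not part of the Syft project or this issue. Assumed Syft JSON layout:
  {"artifacts": [{"name": "...", "version": "...", "type": "..."}, ...]}
Generate real input with, for example:
  syft python:3-slim -o json > python-3-slim.json
  python3 check_sbom.py python-3-slim.json python 3
"""
import json
import sys
from typing import Dict, List, Optional


def find_package(sbom: Dict, name: str) -> List[Dict]:
    """Return every artifact whose name matches (case-insensitive)."""
    return [a for a in sbom.get("artifacts", [])
            if str(a.get("name", "")).lower() == name.lower()]


def check_sbom(sbom: Dict, name: str, expected_version: Optional[str]) -> str:
    """Classify the SBOM for the expected package.

    'missing'       : no artifact with that name at all (the python:3-slim case)
    'wrong-version' : present, but no version starts with expected_version
                      (the Consul / Traefik / Vault cases)
    'ok'            : present with a matching version, or present and no
                      version was required
    """
    hits = find_package(sbom, name)
    if not hits:
        return "missing"
    if expected_version is None:
        return "ok"
    if any(str(a.get("version", "")).startswith(expected_version) for a in hits):
        return "ok"
    return "wrong-version"


def versions_found(sbom: Dict, name: str) -> List[str]:
    """Versions reported for the package, useful when the result is 'wrong-version'."""
    return [str(a.get("version", "")) for a in find_package(sbom, name)]


# Constructed sample SBOMs (hypothetical contents, not real Syft output).
SAMPLE_SLIM = {"artifacts": [
    {"name": "libc6", "version": "2.36-9", "type": "deb"},   # no python entry at all
]}
SAMPLE_FULL = {"artifacts": [
    {"name": "libc6", "version": "2.36-9", "type": "deb"},
    {"name": "python", "version": "3.11.4", "type": "binary"},  # constructed version
]}
SAMPLE_CONSUL = {"artifacts": [
    {"name": "consul", "version": "1.12.0", "type": "binary"},  # constructed; issue says 1.13 is correct
]}


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        print("usage: check_sbom.py <syft.json> <package-name> [expected-version]")
        return 2
    with open(argv[1], "r", encoding="utf-8") as fh:
        sbom = json.load(fh)
    expected = argv[3] if len(argv) > 3 else None
    result = check_sbom(sbom, argv[2], expected)
    print(f"{argv[2]}: {result} (found versions: {versions_found(sbom, argv[2])})")
    return 0 if result == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per image after `syft <image> -o json`; a non-zero exit on "missing" or "wrong-version" makes the survey easy to repeat in CI when a new Syft release claims better binary detection.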