Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Config parsing includes config.yaml in working dir #1634

Closed
AidanDelaney opened this issue Mar 1, 2023 · 0 comments · Fixed by #2001
Closed

Config parsing includes config.yaml in working dir #1634

AidanDelaney opened this issue Mar 1, 2023 · 0 comments · Fixed by #2001
Assignees
Labels
breaking-change Change is not backwards compatible bug Something isn't working
Milestone

Comments

@AidanDelaney
Copy link
Contributor

What happened:
syft reads any config.yaml in the current working directory as Syft configuration. If the config.yaml is not a valid syft config, then scanning fails.

What you expected to happen:
I expect config.yaml in the current working directory to not be read as Syft configuration.

Steps to reproduce the issue:

  1. Create directory foo: mkdir foo
  2. Create a config.yaml in the foo directory: touch foo/config.yaml
  3. Place invalid Syft config in the config.yaml:
    cat > foo/config.yaml << EOF
      output:
        example:
          value: value
    EOF
    

Note that is is important that the config file uses a Syft configuration value like output
4. Run syft in the foo directory: cd foo && syft packages .
5. Observe the error 'output[0]' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[example:map[value:value]]'

Anything else we need to know?:
The problem occurs on https://github.com/anchore/syft/blob/main/internal/config/application.go#L226.

On line 226 we add the pwd as a config path. We then check to see if a .syft config file exists. If it does not, we move to check the other documented config files.

On line 236 we add .syft as a config path. Note that pwd is still in the search path for configs. When we then search for config files with the name config, it picks up ./config.yaml which was never intended as a syft configuration file.

Environment:

  • Output of syft version: latest syft from git
  • OS (e.g: cat /etc/os-release or similar): Falure observed on Linux and Macos
@AidanDelaney AidanDelaney added the bug Something isn't working label Mar 1, 2023
AidanDelaney added a commit to AidanDelaney/syft that referenced this issue Mar 2, 2023
Only add the pwd to the config search path if and only if it contains
a config file that we expect.  This avoids incorrectly finding config
files that may be specific to applictions other than syft.

fixes: anchore#1634

Signed-off-by: Aidan Delaney <adelaney21@bloomberg.net>
@spiffcs spiffcs added this to OSS Mar 16, 2023
@spiffcs spiffcs moved this to In Review in OSS Mar 16, 2023
@spiffcs spiffcs self-assigned this Mar 16, 2023
@spiffcs spiffcs added this to the Stabilize user surfaces milestone Mar 20, 2023
@spiffcs spiffcs added the breaking-change Change is not backwards compatible label Mar 20, 2023
@spiffcs spiffcs moved this from In Review to Done in OSS Apr 4, 2023
@spiffcs spiffcs moved this from Done to Backlog in OSS Apr 4, 2023
@spiffcs spiffcs removed their assignment Apr 4, 2023
@kzantow kzantow self-assigned this Aug 7, 2023
@kzantow kzantow moved this from Backlog to In Progress in OSS Aug 7, 2023
@kzantow kzantow moved this from In Progress to In Review in OSS Aug 22, 2023
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking-change Change is not backwards compatible bug Something isn't working
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

3 participants