Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jfrog docker scan does not report any vulnerabilities when image is provided with sha256 digest #331

Open
mehulgogri-hpe opened this issue Apr 9, 2024 · 0 comments
Open

jfrog docker scan does not report any vulnerabilities when image is provided with sha256 digest #331

mehulgogri-hpe opened this issue Apr 9, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@mehulgogri-hpe
Copy link

mehulgogri-hpe commented Apr 9, 2024
edited
Loading

Describe the bug

JFROG CLI VERSION: 2.55.0

We are trying to scan our docker image using the sha256 digest and it does not report any vulnerabilities. But when the same image is scanned with its tag it reports the vulnerabilities successfully.

Current behavior

jf docker scan <image-name><@sha256:digest>
14:59:12 [Debug] JFrog CLI version: 2.55.0
14:59:12 [Debug] OS/Arch: linux/amd64
14:59:12 [🔵Info] Log path: /root/.jfrog/logs/jfrog-cli.2024-04-09.14-59-12.1388981.log

Vulnerable Components
┌───────────────────────────────────────────┐
│ ✨ No vulnerable components were found ✨ │
└───────────────────────────────────────────┘
14:59:24 [🔵Info] Scan completed successfully.

LOGS:

[Debug] Sending HTTP GET request to: http:///xray/api/v1/system/version
[Debug] Usage Report: Sending info...
[Info] Creating image archive...
[Debug] Sending HTTP GET request to: http:///artifactory/api/system/version
[Debug] Artifactory response: 200
[Debug] JFrog Artifactory version is: 7.71.3
[Debug] Sending HTTP POST request to: http:///artifactory/api/system/usage
[Debug] Sending HTTP GET request to: http:///xray/api/v1/system/version
[Info] JFrog Xray version is: 3.59.4
[Debug] Creating lock in: /root/.jfrog/locks/xray-indexer
[Debug] Releasing lock: /root/.jfrog/locks/xray-indexer/jfrog-cli.conf.lck.1388981.1712689156605167401
[Info] [Thread 0] Indexing file: /tmp/jfrog.cli.temp.-1712689152-2057509679/image.tar
[Info] 2024-04-09T18:59:16.799460379Z [jfxia] [DEBUG] [] [wire_gen:46 ] [main ] Initializing filtering service
2024-04-09T18:59:17.513727352Z [jfxia] [DEBUG] [] [indexer-app:58 ] [main ] Indexing standalone file /tmp/jfrog.cli.temp.-1712689152-2057509679/image.tar using artifactory folder /tmp/jfrog.cli.temp.-1712689156-3218770454
2024-04-09T18:59:17.513855827Z [jfxia] [DEBUG] [] [indexer_app:122 ] [main ] Local path: /tmp/jfrog.cli.temp.-1712689156-3218770454/f7bf15cf-1a29-4626-7166-b1e91d161238/171268915751385135/image.tar
2024-04-09T18:59:17.513883959Z [jfxia] [DEBUG] [] [indexer_app:122 ] [main ] Scanning file from Artifactory with mimetype 'application/x-gzip'
2024-04-09T18:59:18.910209693Z [jfxia] [DEBUG] [] [indexer_app:122 ] [main ] Found archive file. Performing deep scan for file /tmp/jfrog.cli.temp.-1712689156-3218770454/f7bf15cf-1a29-4626-7166-b1e91d161238/171268915751385135/image.tar
2024-04-09T18:59:18.910554432Z [jfxia] [WARN ] [] [archive_mgr:247 ] [main ] Failed to index tar file as container image, continue to generic tar indexer. Error: failed to analyze OCI tar archive
--- at /go/src/jfrog.com/xray/indexer/indexer_core/docker_tar.go:144 (DockerTarOpener.analyzeTarAsContainer) ---
Caused by: failed to parse and validate manifests list: index.json
--- at /go/src/jfrog.com/xray/indexer/indexer_core/oci_tar.go:53 (DockerTarOpener.handleIndexFile) ---
Caused by: manifest does not contain annotations
--- at /go/src/jfrog.com/xray/indexer/indexer_core/oci_tar.go:85 (DockerTarOpener.parseAndValidateManifestsList) ---
2024-04-09T18:59:18.91064211Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/08511f65a6896fbb12f55860c217a1354e2c950ffed0c905603f547dd0e561ca
2024-04-09T18:59:18.910680517Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/15c008cdc7a5699a1aa769d562ff58649935e640694313177dcbc3bb4a1f4b26
2024-04-09T18:59:18.91071313Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/246f2370b28ad4a4245ef8a9986c01601391e7c44a54bff09a0c5a1bb573b0ca
2024-04-09T18:59:18.910739771Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/317e644e0340fe81cff6b002700e630a1b15eaa0dace8bffb6fc7b9c809b5af8
2024-04-09T18:59:18.910762111Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/399b3f1ec4e6052380b2020d97336d54209639132c24938d7921bac960a1a75c
2024-04-09T18:59:18.91079767Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/5879dfd507ac227cbf84ff0c005beb7001f5af88cebe6c78cb09e2447db845fc
2024-04-09T18:59:18.910832373Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/7ea8d07be83fce5f74a7d3c65465904d79fee3b234d265da617568eef40cfe13
2024-04-09T18:59:18.910854161Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/883b2f948c6cbf77a16b32057f0f1b197607f7c12cbe0b1aabb80bd4d91a9165
2024-04-09T18:59:18.910897545Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/931c1b78ea66bbe82be3552b2b464681ba4d8e356973571e9ff88371dc5f64ba
2024-04-09T18:59:18.910919085Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/954d9f1c794f6af94aac5b51217f9196f7d4fa442094b4dcbcdfb602b9fe4a9c
2024-04-09T18:59:18.929261307Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/96a8f60cc2befac4c7487920694e4ca92a59a02cde6ed6189241b393d328c189
2024-04-09T18:59:18.948018157Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/97007ab98ef08d7744dfda1571bfe3ee61c66f6bbd6a13858a798928ff0f5053
2024-04-09T18:59:18.94808668Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/b0c382fc5b04a5ae2bebec2dabd52f72864395149636b752bc09078472b83739
2024-04-09T18:59:18.948111609Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/b4bec5c577fae6edfe4f5470723818214704e04ae7d47b71fa5c55660b8e1a7e
2024-04-09T18:59:18.948147793Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/c1827ee010dbe3d0e7aa85282da0a80f74f02da1c44d6e81313cccdf465e58c6
2024-04-09T18:59:19.013222423Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable blobs/sha256/fc3f0958f080d9a5ae815be7e3c19d2577e6071409cc51172d8c4f21f76750fc
2024-04-09T18:59:19.013721346Z [jfxia] [DEBUG] [] [archive_mgr:1260 ] [main ] Found archive file. Performing deep scan for file /tmp/jfrog.cli.temp.-1712689156-3218770454/f7bf15cf-1a29-4626-7166-b1e91d161238/171268915901345746/manifest.json
2024-04-09T18:59:19.013768692Z [jfxia] [WARN ] [] [archive_mgr:627 ] [main ] Archive manifest.json exceeded internal depth limitation, extraction stopped.
2024-04-09T18:59:19.013838367Z [jfxia] [DEBUG] [] [archive_mgr:228 ] [main ] No classification found for manifest.json, classified as generic
2024-04-09T18:59:19.013887527Z [jfxia] [DEBUG] [] [archive_mgr:228 ] [main ] manifest.json was classified as Generic
2024-04-09T18:59:19.013914907Z [jfxia] [DEBUG] [] [archive_mgr:228 ] [main ] total running time for indexing tree construction of manifest.json: 7.9021e-05 seconds
2024-04-09T18:59:19.013983185Z [jfxia] [DEBUG] [] [archive_mgr:1241 ] [main ] checking if the file is supported executable oci-layout
2024-04-09T18:59:19.014060975Z [jfxia] [DEBUG] [] [archive_mgr:228 ] [main ] No classification found for image.tar, classified as generic
2024-04-09T18:59:19.014078952Z [jfxia] [DEBUG] [] [archive_mgr:228 ] [main ] image.tar was classified as Generic
2024-04-09T18:59:19.014103289Z [jfxia] [DEBUG] [] [archive_mgr:228 ] [main ] total running time for indexing tree construction of image.tar: 7.5667e-05 seconds
2024-04-09T18:59:19.014126022Z [jfxia] [DEBUG] [] [archive_mgr:191 ] [main ] total running time for indexing image.tar: 0.103845949 seconds

[Debug] Sending HTTP POST request to: http:///xray/api/v1/scan/graph?scan_type=binary
[Info] Waiting for scan to complete on JFrog Xray...
[Debug] Sending HTTP GET request to: http:///xray/api/v1/scan/graph/6ac699e5-0deb-4109-496d-18227f7a1efa?include_vulnerabilities=true
[Debug] Get Dependencies Scan results... (Attempt 1)
[Debug] Sending HTTP GET request to: http:///xray/api/v1/scan/graph/6ac699e5-0deb-4109-496d-18227f7a1efa?include_vulnerabilities=true

Reproduction steps

No response

Expected behavior

No response

JFrog CLI version

jf version 2.55.0

Operating system type and version

RockyLinux 9.3

JFrog Artifactory version

7.71.3

JFrog Xray version

3.59.4
@mehulgogri-hpe mehulgogri-hpe added the bug Something isn't working label Apr 9, 2024
@shuvadipc shuvadipc transferred this issue from jfrog/jfrog-cli Feb 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mehulgogri-hpe