scout-cli
could not parse reference
When I try to scan locally built Docker images with the Docker Scout GUI, I get a security report.
However, when I use the Docker Scout CLI, it crashes with a strange error trace. I think the error handling may be broken.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
SecOps/hello-world-ant latest 0d023c25ffb5 3 minutes ago 251MB
$ docker scout cves -e SecOps/hello-world-ant
Display CVEs identified in a software artifact
Usage
docker scout cves [OPTIONS] [IMAGE|DIRECTORY|ARCHIVE]
Description
The docker scout cves command analyzes a software artifact for vulnerabilities.
If no image is specified, the most recently built image is used.
The following artifact types are supported:
- Images
- OCI layout directories
- Tarball archives, as created by docker save
- Local directory or file
- SPDX file or in-toto attestation file with SPDX predicate
The tool analyzes the provided software artifact, and generates a vulnerability report.
By default, the tool expects an image reference, such as:
- redis
- curlimages/curl:7.87.0
- mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory,
or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:
- image:// (default) use a local image, or fall back to a registry lookup
- local:// use an image from the local image store (don't do a registry lookup)
- registry:// use an image from a registry (don't use a local image)
- oci-dir:// use an OCI layout directory
- archive:// use a tarball archive, as created by docker save
- fs:// use a local directory or file
- sbom:// use an SBOM as SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file
Flags
--details Print details on default text output
--env string Name of environment
--epss Display the EPSS scores and organize the package's CVEs according to their EPSS score
--epss-percentile float32 Exclude CVEs with EPSS scores less than the specified percentile (0 to 1)
--epss-score float32 Exclude CVEs with EPSS scores less than the specified value (0 to 1)
-e, --exit-code Return exit code '2' if vulnerabilities are detected
--format string Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
(default "packages")
--ignore-base Filter out CVEs introduced from base image
--ignore-suppressed Filter CVEs found in Scout exceptions based on the specified exception scope
--locations Print package locations including file paths and layer diff_id
--multi-stage Show packages from multi-stage Docker builds
--only-base Only show CVEs introduced by the base image
--only-cisa-kev Filter to CVEs listed in the CISA KEV catalog
--only-cve-id strings Comma separated list of CVE ids (like CVE-2021-45105) to search for
--only-fixed Filter to fixable CVEs
--only-metric strings Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by
--only-package strings Comma separated regular expressions to filter packages by
--only-package-type strings Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
--only-severity strings Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
--only-stage strings Comma separated list of multi-stage Docker build stage names
--only-unfixed Filter to unfixed CVEs
--only-vex-affected Filter CVEs by VEX statements with status not affected
--only-vuln-packages When used with --format=only-packages ignore packages with no vulnerabilities
--org string Namespace of the Docker organization
-o, --output string Write the report to a file
--platform string Platform of image to analyze
--ref string Reference to use if the provided tarball contains multiple references.
Can only be used with archive
--vex-author strings List of VEX statement authors to accept
--vex-location strings File location of directory or file containing VEX statements
Examples
Display vulnerabilities for the most recently built image
$ docker scout cves
Display vulnerabilities grouped by package
$ docker scout cves alpine
Display vulnerabilities from a docker save tarball
$ docker save alpine > alpine.tar
$ docker scout cves archive://alpine.tar
Display vulnerabilities from an OCI directory
$ skopeo copy --override-os linux docker://alpine oci:alpine
$ docker scout cves oci-dir://alpine
Display vulnerabilities from the current directory
$ docker scout cves fs://.
Export vulnerabilities to a SARIF JSON file
$ docker scout cves --format sarif --output alpine.sarif.json alpine
Markdown output, including HTML tags. To be used in Pull Request comments for instance.
$ docker scout cves --format markdown alpine
List all Go packages of the image that are vulnerable
$ docker scout cves --format only-packages --only-package-type golang --only-vuln-packages golang:1.18.0
List vulnerabilities from an SPDX file
$ syft -o spdx-json alpine | docker scout cves sbom://
Learn More
Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/
Report Issues
Raise bugs and feature requests at https://github.com/docker/scout-cli/issues
Send Feedback
Send feedback with docker feedback
ERROR Status: could not parse reference: SecOps/hello-world-ant, Code: 1
Also tried using the option to scan the most recently built image:
$ docker scout cves
✓ SBOM of image already cached, 201 packages indexed
ERROR Status: could not apply VEX statements: could not parse image name: could not parse reference: SecOps/hello-world-ant, Code: 1
Tried configuring export DOCKER_DEFAULT_PLATFORM='linux/amd64'.
Tried explicitly providing --platform linux/amd64
Tried rebuilding the image without the SecOps/ prefix.
Tried referencing the image with an explicit :latest tag suffix.
Tried removing the -e option for meaningful exit codes.
Tried macOS and Windows.
Tried Docker Scout 14 and Docker Scout 15.
Tried relaunching Docker.
Tried docker system prune -f.
No change in behavior.
To clarify, the image is built with conventional docker build -t <name> . commands, no special sauce.
@mcandre, this is another issue with the different interpretations of the OCI spec. While docker build supports creating images with names like SecOps/hello-world-ant, other commands don't support them. Those names are not compatible with the OCI spec, which is why this is failing in one of our dependencies. If you can lowercase the namespace part of your image name, it would work.
More oddities, when trying to pull this image:
❯ docker pull SecOps/hello-world-ant
Using default tag: latest
Error response from daemon: failed to resolve reference "SecOps/hello-world-ant:latest": failed to do request: Head "https://SecOps/v2/hello-world-ant/manifests/latest": dialing SecOps:443 container via direct connection because has no HTTPS proxy: connecting to SecOps:443: dial tcp: lookup SecOps: no such host
Interesting.
Please apply validation, with a message indicating that the requested image name uses nonportable characters, with a URL to some documentation on standardized image names.
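The maintainer's explanation (uppercase path components are outside the OCI distribution spec's repository-name grammar, so a downstream reference parser rejects them) and the request for a clearer validation message can be illustrated with a small reference parser. The following is an added example, not code from scout-cli or from Docker's reference library; it reimplements the OCI grammar with the standard library only. The function name ParseReference, the Reference struct, the docsURL constant and the wording of the error are assumptions chosen for this example; the rule that the first path component is a registry domain only when it contains '.' or ':' or is "localhost" mirrors the behaviour of Docker's reference parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Repository-name grammar from the OCI distribution spec: each path
// component is lowercase alphanumerics joined by '.', '_', '__' or a run
// of '-'; components are joined by '/'. Uppercase letters never match.
const component = `[a-z0-9]+(?:(?:\.|_|__|-+)[a-z0-9]+)*`

var (
	pathRe   = regexp.MustCompile(`^` + component + `(?:/` + component + `)*$`)
	tagRe    = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)
	digestRe = regexp.MustCompile(`^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-fA-F]{32,}$`)
)

// docsURL is an assumed pointer for the error message (example value).
const docsURL = "https://github.com/opencontainers/distribution-spec/blob/main/spec.md"

// Reference is the parsed form of "[domain/]path[:tag][@digest]".
type Reference struct {
	Domain, Path, Tag, Digest string
}

// ParseReference splits a reference into its parts and validates the
// repository path against the OCI grammar. The registry domain is
// case-insensitive and keeps its case; the repository path may not
// contain uppercase, and when lowercasing alone would make the name
// valid the error says so and suggests the portable spelling.
func ParseReference(ref string) (Reference, error) {
	var r Reference
	rest := ref

	// Digest: everything after '@'.
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest, rest = rest[i+1:], rest[:i]
		if !digestRe.MatchString(r.Digest) {
			return r, fmt.Errorf("could not parse reference %q: invalid digest %q", ref, r.Digest)
		}
	}

	// Tag: a ':' after the last '/' (earlier ones belong to host:port).
	if i := strings.LastIndex(rest, ":"); i > strings.LastIndex(rest, "/") {
		r.Tag, rest = rest[i+1:], rest[:i]
		if !tagRe.MatchString(r.Tag) {
			return r, fmt.Errorf("could not parse reference %q: invalid tag %q", ref, r.Tag)
		}
	}

	// Domain: first component only if it looks like a host.
	if i := strings.Index(rest, "/"); i >= 0 {
		if first := rest[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			r.Domain, rest = first, rest[i+1:]
		}
	}

	r.Path = rest
	if pathRe.MatchString(r.Path) {
		return r, nil
	}
	if pathRe.MatchString(strings.ToLower(r.Path)) {
		return r, fmt.Errorf("could not parse reference %q: repository path %q uses non-portable "+
			"characters (the OCI distribution spec requires lowercase); use %q instead, see %s",
			ref, r.Path, strings.ToLower(r.Path), docsURL)
	}
	return r, fmt.Errorf("could not parse reference %q: repository path %q is not a valid OCI repository name, see %s",
		ref, r.Path, docsURL)
}

func main() {
	// Constructed inputs: the name from the report plus two valid forms.
	for _, ref := range []string{"SecOps/hello-world-ant", "secops/hello-world-ant", "mcr.microsoft.com/dotnet/runtime:7.0"} {
		r, err := ParseReference(ref)
		if err != nil {
			fmt.Println("ERROR", err)
			continue
		}
		fmt.Printf("ok: domain=%q path=%q tag=%q digest=%q\n", r.Domain, r.Path, r.Tag, r.Digest)
	}
}
```

Running it prints the suggested lowercase name for SecOps/hello-world-ant and parses the other two references, which is the kind of actionable message the last comment asks for in place of the bare "could not parse reference".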