Container scanning does not support distroless
Example upstream image: gcr.io/distroless/nodejs:16
Error observed in output from fossa-cli:
$ fossa container analyze ***.dkr.ecr.us-west-2.amazonaws.com/<folder>/<image>:latest
[ INFO] Inferred registry source: https://<REDACTED>:<REDACTED>@***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest
[ INFO] [ 5 Waiting / 1 Running / 0 Completed ]
[ INFO] [ 3 Waiting / 2 Running / 1 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] [ 2 Waiting / 2 Running / 2 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] [ 1 Waiting / 2 Running / 3 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] [ 0 Waiting / 2 Running / 4 Completed ]
[ INFO] Downloaded: <REDACTED><REDACTED>.json
[ INFO] [ 0 Waiting / 1 Running / 5 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED><REDACTED>.tar
[ INFO] Analyzing exported docker archive: /tmp/fossa-container-registry-tmp-<REDACTED><REDACTED>/image.tar
[ INFO] Analyzing Base Layer
Error: ----------
An issue occurred
>>> Relevant errors
Error
Error reading file etc/os-release:
user error (ReadContentBS: Could not find etc/os-release in /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar)
Traceback:
- Parsing file 'etc/os-release'
- Retrieving Os Information
- Analyzing via registry
Error
Error reading file etc/system-release-cpe:
user error (ReadContentBS: Could not find etc/system-release-cpe in /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar)
Traceback:
- Parsing file 'etc/system-release-cpe'
- Retrieving Os Information
- Analyzing via registry
Error
Error reading file bin/busybox:
user error (ReadContentBS: Could not find bin/busybox in /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar)
Traceback:
- Retrieving Os Information
- Analyzing via registry
>>> Possibly-related warnings
Warning
Could not find: ***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest in local repository.
Perform: docker pull ***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest, prior to running fossa.
>>> Relevant errors
Error
Could not locate tarball source at filepath: /home/runner/work/<REDACTED>/<REDACTED>/***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest
Traceback:
(none)
Error
Error in $: key "Size" not found
Traceback:
(none)
Error
Command execution failed:
command: Command {cmdName = "podman", cmdArgs = ["image","inspect","***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest"], cmdAllowErr = Never}
dir: /home/runner/work/<REDACTED>/<REDACTED>/
exit: ExitFailure 1
stdout:
[]
stderr:
Error: error inspecting object: ***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest: image not known
If you believe this to be a defect, please report a bug to FOSSA support at https://support.fossa.com/
Traceback:
- Running command 'podman'
- Running command 'podman'
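A pre-flight check for the condition in the log above: it reports which layer, if any, of a `docker save`-style archive contains each of the three paths named in the errors. This is an added example, not part of the issue or of fossa-cli; the archive layout (a `manifest.json` listing layer tars), the function names and the sample image are assumptions constructed here.

```python
import io
import json
import tarfile

# The three paths the errors above report as not found.
OS_MARKERS = ("etc/os-release", "etc/system-release-cpe", "bin/busybox")


def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive(layers):
    """Constructed `docker save`-style archive: manifest.json plus one tar per layer."""
    names = [f"layer{i}/layer.tar" for i in range(len(layers))]
    files = {name: _tar_bytes(layer) for name, layer in zip(names, layers)}
    manifest = [{"Config": "config.json", "RepoTags": ["sample:latest"], "Layers": names}]
    files["manifest.json"] = json.dumps(manifest).encode()
    return _tar_bytes(files)


def find_os_markers(archive_bytes):
    """Map each marker path to the index of the first layer containing it, or None."""
    found = dict.fromkeys(OS_MARKERS)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for index, layer_name in enumerate(manifest[0]["Layers"]):
            layer = tarfile.open(fileobj=image.extractfile(layer_name))
            # Layer entries may be stored as "etc/os-release" or "./etc/os-release".
            members = {m.name.removeprefix("./") for m in layer.getmembers()}
            for marker in OS_MARKERS:
                if found[marker] is None and marker in members:
                    found[marker] = index
    return found


if __name__ == "__main__":
    # Constructed sample: OS metadata absent from the base layer, present in layer 1.
    sample = build_sample_archive([{"usr/bin/node": b""}, {"etc/os-release": b"ID=debian\n"}])
    for path, layer in find_os_markers(sample).items():
        print(f"{path}: {'missing' if layer is None else f'layer {layer}'}")
```

For a real image, pass the bytes of a `docker save` output file to `find_os_markers`; all three paths reported as missing matches the situation in the errors above.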
Hi - I've patched this with https://github.com/fossas/fossa-cli/releases/tag/v3.6.2; please let us know if you continue to see this issue.
Hi @meghfossa v3.6.2 solved the original error, but now I see
Error
The FOSSA endpoint reported an error:
Container image did not have any artifacts.
Error UUID from API:
1daf7b71-ecfa-45f8-ab45-0485afed2231
If you believe this to be a defect, please report a bug to FOSSA support at https://support.fossa.com/
Though the image does have content:
Hey @FraBle!
So the root cause of the error here is that we didn't find any dependencies in the image.
To clarify: is the issue here that you're expecting to see dependencies, or that you're expecting "no dependencies" to be a valid case on which FOSSA should not error?
We've ticketed the latter regardless as we think that should be a supported case, but I just want to make sure whether that's the issue from your perspective as well!