Automatic Image Pull for Private Docker Registry in cdxgen
Hello Team,
I've encountered a situation where I'm using cdxgen with an image from a private Docker registry. When I attempt to run the following command:
cdxgen <image-name:tag> -t docker -o /tmp/bom.json -p
It seems that cdxgen does not automatically handle pulling the image from the private registry. Instead, it prompts users to manually execute a docker pull command before running cdxgen.
cdxgen is expected to handle image pulling from private Docker registries automatically, eliminating the need for users to perform this step manually. Any insights and suggestions to address this issue are highly appreciated.
Thank you!
@setchy any ideas why cdxgen might refuse to pull private images?
cdxgen 129.40.81.95:5000/nginx:latest -p -o nginxbom.json
WARN[2023-11-03T12:44:51.902961763Z] Error getting v2 registry: Get "https://129.40.81.95:5000/v2/": http: server gave HTTP response to HTTPS client
INFO[2023-11-03T12:44:51.903001299Z] Attempting next endpoint for pull after error: Get "https://129.40.81.95:5000/v2/": http: server gave HTTP response to HTTPS client
ERRO[2023-11-03T12:44:51.906556175Z] Handler for POST /images/create returned error: Get "https://129.40.81.95:5000/v2/": http: server gave HTTP response to HTTPS client
Unable to pull 129.40.81.95:5000/nginx:latest. Check if the name is valid. Perform any authentication prior to invoking cdxgen.
Try manually pulling this image using docker pull 129.40.81.95:5000/nginx:latest
BOM generation has failed due to problems with exporting the image
docker login was performed, and insecure registries were also set.
I'll try and test today.
Confirmed, I experience a similar error.
Manually pull
docker pull someorg.jfrog.io/docker/library/eclipse-temurin:latest
latest: Pulling from docker/library/eclipse-temurin
Digest: sha256:798e8ee1da62d926613189d41448b64056428781ba659d5a70f23e7f06073f2f
Status: Downloaded newer image for someorg.jfrog.io/docker/library/eclipse-temurin:latest
someorg.jfrog.io/docker/library/eclipse-temurin:latest
Running cdxgen@master
CDXGEN_DEBUG_MODE=debug node ./bin/cdxgen.js someorg.jfrog.io/docker/library/eclipse-temurin:latest -t docker
Docker service in root mode detected. Consider switching to rootless mode to improve security. See https://docs.docker.com/engine/security/rootless/
Trying to pull the image someorg.jfrog.io/docker/library/eclipse-temurin:latest from registry. This might take a while ...
Re-trying the pull with the name docker/library/eclipse-temurin:latest.
Trying with docker/library/eclipse-temurin:latest
Trying with docker/library/eclipse-temurin
Trying with someorg.jfrog.io/docker/library/eclipse-temurin:latest
Unable to pull someorg.jfrog.io/docker/library/eclipse-temurin:latest. Check if the name is valid. Perform any authentication prior to invoking cdxgen.
Try manually pulling this image using docker pull someorg.jfrog.io/docker/library/eclipse-temurin:latest
BOM generation has failed due to problems with exporting the image
@setchy the docker api endpoint to pull is /images/create
https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate
https://github.com/CycloneDX/cdxgen/blob/master/docker.js#L414
Could you hardcode or create a unit test to figure out the naming convention to use? Also, is there a way to run docker pull in debug mode to collect the API calls it makes?
I have experienced a similar issue on analysing an OCI image in a GitHub Action which was built with docker buildx and pushed to a local registry.
$ docker run -d -p 5000:5000 --restart always --name registry registry:2
I can also reproduce the same issue locally on Windows with Docker Desktop using WSL2, Docker version 27.5.1, build 9f9e405, with the containerd feature enabled for pulling and storing images.
I downloaded the binary for Linux from the GitHub release page to execute cdxgen, version 11.2.2.
./cdxgen \
--author "[redacted]" \
--type oci \
--deep \
--output $sbom_staging_dir/${sanitized_image_name}.json \
localhost:5000/example-image:0.0.64
Error message
╔═══════════════════════════════════════════════════════════════════════════════════════════════╗
║ ¤ Donate to the OWASP Foundation ║
╟───────────────────────────────────────────────────────────────────────────────────────────────╢
║ OWASP foundation relies on donations to fund our projects. ║
║ Donation link: https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX ║
╚═══════════════════════════════════════════════════════════════════════════════════════════════╝
Unable to pull localhost:5000/example-image:0.0.64. Check if the name is valid. Perform any authentication prior to invoking cdxgen.
Try manually pulling this image using docker pull localhost:5000/example-image:0.0.64
OCI BOM generation has failed due to problems with exporting the image localhost:5000/example-image:0.0.64.
*Image name has been changed.
Prior to that, I was using syft to analyse the OCI images. With that, I need to supply the platform to pull the image, as I build for linux/arm64 and the runner's architecture is linux/amd64.
syft scan \
--platform $target_platform \
--output cyclonedx-json="$sbom_staging_dir/${sanitized_image_name}.json" \
registry:${image}
@norigeist yes, we are lacking --platform and --namespace support currently. It requires some effort since we need to add this for docker, podman, nerdctl, Rancher (docker and nerdctl), and colima (nerdctl and containerd). Will you be interested in contributing this feature?
Alternatively, since the image gets built locally can you try passing just the image name example-image:0.0.64 without the registry name to cdxgen? This should work regardless of the platform since it will use the one available in the default namespace.