
Support for `application/vnd.oci.image.index.v1+json` manifests in root OCI layout

Open saisatishkarra opened this issue 2 years ago • 1 comments

What would you like to be added: Syft expects an OCI layout to contain only 1 image of mediaType `application/vnd.oci.image.manifest.v1+json` and doesn't support mediaType `application/vnd.oci.image.index.v1+json` when building a single OCI tarball for multiple architectures.

Why is this needed: This adds an additional layer of complexity to extract the digest of each image manifest for each architecture in the `application/vnd.oci.image.index.v1+json` (use `regctl --platform` for extraction) to run the scan.

Additional context: Uploaded a demo_alpine OCI layout (single architecture and image manifest) vs. a demo_amazonlinux OCI layout (multiple architectures within a single manifest of type `application/vnd.oci.image.index.v1+json`).

Current behavior:

  • Works for the demo_alpine OCI layout with a single image manifest

  • Fails for demo_amazonlinux with error: `* failed to construct source from user input "docker-archive-demo-amz-2.tar": could not fetch image "docker-archive-demo-amz-2.tar": unable to use OciTarball source: unable to parse OCI directory as an image: unexpected media type for sha256:1ab94ef8f74d975ce5b3637944358cce8d776259f493c4d857898dbe862c1fb3: application/vnd.oci.image.index.v1+json`

saisatishkarra avatar Feb 07 '23 17:02 saisatishkarra
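
The per-architecture digest extraction described in the issue above, as an added example (not part of the original issue, and not Syft or regctl code): it walks an unpacked OCI layout directory, follows `application/vnd.oci.image.index.v1+json` entries into `blobs/sha256/`, checks each nested index against its digest, and returns one image-manifest digest per platform. The function names, the unpacked-directory input and the nesting limit of 4 are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ImageManifests returns "os/arch" -> digest for every image manifest reachable from <layout>/index.json.
func ImageManifests(layout string) (map[string]string, error) {
	out := map[string]string{}
	return out, walk(layout, "index.json", "", out, 0)
}

func walk(layout, rel, want string, out map[string]string, depth int) error {
	raw, err := os.ReadFile(filepath.Join(layout, rel))
	sum := sha256.Sum256(raw)
	if err != nil || depth > 4 || (want != "" && hex.EncodeToString(sum[:]) != want) { // depth cap: assumed
		return fmt.Errorf("%s: unreadable, nested too deep, or digest mismatch (%v)", rel, err)
	}
	var idx struct {
		Manifests []struct {
			MediaType, Digest string
			Platform          struct{ OS, Architecture string }
		}
	}
	if err := json.Unmarshal(raw, &idx); err != nil {
		return err
	}
	for _, d := range idx.Manifests {
		hexsum := filepath.Base(strings.TrimPrefix(d.Digest, "sha256:")) // Base blocks path traversal
		switch d.MediaType {
		case "application/vnd.oci.image.manifest.v1+json":
			out[d.Platform.OS+"/"+d.Platform.Architecture] = d.Digest // "/" if no platform given
		case "application/vnd.oci.image.index.v1+json":
			if err := walk(layout, filepath.Join("blobs", "sha256", hexsum), hexsum, out, depth+1); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(ImageManifests(".")) // run from inside an unpacked OCI layout directory
}
```

Each returned digest identifies a single-platform image manifest, which is the media type the error message in the issue shows Syft expecting.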

Have there been any ideas on this? This becomes important when you start using multi-platform container builds.

moos3 avatar Mar 06 '24 14:03 moos3