
feat: add support of OCI tarballs

Open · DmitriyLewen opened this pull request 2 years ago · 1 comment

Description

Buildx supports creating OCI images: https://docs.docker.com/build/exporters/oci-docker/. By default, images are compressed into tar archives. We need to unzip the archive before reading the index.json file.

Before:

➜ docker buildx build -o type=oci,dest=image.tar .
...

➜ trivy image --input image.tar
2023-12-12T14:51:42.742+0600	INFO	Vulnerability scanning is enabled
2023-12-12T14:51:42.743+0600	INFO	Secret scanning is enabled
2023-12-12T14:51:42.743+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-12T14:51:42.743+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-12T14:51:42.747+0600	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
	* unable to open image.tar as a Docker image: file manifest.json not found in tar
	* unable to open image.tar as an OCI Image: stat image.tar/index.json: not a directory

After:

➜ docker buildx build -o type=oci,dest=image.tar .
...

➜ ./trivy image --input image.tar
2023-12-12T14:51:50.599+0600	INFO	Vulnerability scanning is enabled
2023-12-12T14:51:50.599+0600	INFO	Secret scanning is enabled
2023-12-12T14:51:50.599+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-12T14:51:50.599+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-12-12T14:51:50.689+0600	INFO	Detected OS: alpine
2023-12-12T14:51:50.689+0600	INFO	Detecting Alpine vulnerabilities...
2023-12-12T14:51:50.692+0600	INFO	Number of language-specific files: 0

image.tar (alpine 3.18.4)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
│            ├───────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│            │ CVE-2023-5678 │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or  │
│            │               │          │        │                   │               │ checking excessively long X9.42...                     │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678              │
├────────────┼───────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2023-5363 │ HIGH     │        │                   │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
│            ├───────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│            │ CVE-2023-5678 │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or  │
│            │               │          │        │                   │               │ checking excessively long X9.42...                     │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678              │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Related issues

  • Close #5775

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [x] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen · Dec 12 '23 08:12
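The "before" failure above comes from trying the file first as a `docker save` archive (looking for `manifest.json` in the tar) and then as an on-disk OCI layout directory (`stat image.tar/index.json`), when a buildx `type=oci` export is the OCI layout packed into a tar. As an added illustration, not trivy's own code, the Go program below streams such an archive once and tells the two formats apart by their top-level entries, reads `index.json` from inside the tar instead of expecting a directory, and adds the check a scanner of untrusted archives wants: every manifest digest listed in `index.json` must have a matching `blobs/sha256/<hex>` entry whose content actually hashes to that name. The function and fixture names (`Classify`, `TarOf`, `OCIFixture`, `DockerFixture`, `SampleManifest`) are assumptions of this example, and the archives they build are constructed in memory, not taken from the page.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"path"
	"strings"
)

// Classify streams an image tarball once, without unpacking it to disk, and returns "docker"
// for a docker-save archive (manifest.json at the root) or "oci" for an OCI image layout
// (index.json + blobs/, which is what buildx -o type=oci writes). For an OCI layout it also
// returns the manifest digests from index.json, after checking that each referenced blob
// exists in the archive and that its content hashes to its own file name.
func Classify(r io.Reader) (string, []string, error) {
	tr := tar.NewReader(r)
	var indexRaw []byte
	hasManifest := false
	blobs := map[string]bool{} // "sha256:<hex>" -> present and hash verified
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", nil, fmt.Errorf("reading tar: %w", err)
		}
		name := path.Clean(hdr.Name) // "./index.json" -> "index.json"
		switch {
		case name == "manifest.json":
			hasManifest = true
		case name == "index.json": // bounded read: the archive is untrusted input
			if indexRaw, err = io.ReadAll(io.LimitReader(tr, 1<<20)); err != nil {
				return "", nil, err
			}
		case strings.HasPrefix(name, "blobs/sha256/") && hdr.Typeflag == tar.TypeReg:
			h := sha256.New()
			if _, err := io.Copy(h, tr); err != nil {
				return "", nil, err
			}
			want := strings.TrimPrefix(name, "blobs/sha256/")
			if got := hex.EncodeToString(h.Sum(nil)); got != want {
				return "", nil, fmt.Errorf("blob %s actually hashes to sha256:%s", name, got)
			}
			blobs["sha256:"+want] = true
		}
	}
	if indexRaw == nil {
		if hasManifest {
			return "docker", nil, nil
		}
		return "", nil, fmt.Errorf("neither index.json (OCI layout) nor manifest.json (docker save) found")
	}
	var idx struct {
		Manifests []struct{ Digest string `json:"digest"` } `json:"manifests"`
	}
	if err := json.Unmarshal(indexRaw, &idx); err != nil {
		return "", nil, fmt.Errorf("parsing index.json: %w", err)
	}
	var digests []string
	for _, m := range idx.Manifests {
		if !blobs[m.Digest] {
			return "", nil, fmt.Errorf("index.json references %s but the archive has no such blob", m.Digest)
		}
		digests = append(digests, m.Digest)
	}
	return "oci", digests, nil
}

// TarOf packs name/content pairs into an uncompressed tar; a fixture helper for the constructed samples below.
func TarOf(entries ...[2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1])), Typeflag: tar.TypeReg})
		tw.Write([]byte(e[1]))
	}
	tw.Close()
	return buf.Bytes()
}

// SampleManifest is a constructed stand-in for a manifest blob; SampleManifestDigest is its real sha256.
const SampleManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}`

func SampleManifestDigest() string { s := sha256.Sum256([]byte(SampleManifest)); return "sha256:" + hex.EncodeToString(s[:]) }

// OCIFixture mimics a `buildx -o type=oci` export; blob is stored under SampleManifest's digest, so altered bytes fail verification.
func OCIFixture(blob string) []byte {
	d := SampleManifestDigest()
	return TarOf([2]string{"index.json", fmt.Sprintf(`{"schemaVersion":2,"manifests":[{"digest":%q}]}`, d)},
		[2]string{"blobs/sha256/" + strings.TrimPrefix(d, "sha256:"), blob})
}

// DockerFixture mimics `docker save`: manifest.json at the root and no index.json.
func DockerFixture() []byte { return TarOf([2]string{"manifest.json", `[{"Config":"cfg.json","Layers":[]}]`}) }

func main() { fmt.Println(Classify(bytes.NewReader(OCIFixture(SampleManifest)))) }
```

Reading the archive as a stream rather than unpacking it to a temporary directory also sidesteps the usual tar concerns for a scanner that accepts arbitrary user-supplied files (entry names with `..` or absolute paths, and unbounded extraction size): nothing here is ever written to disk, and the only entry buffered in full is `index.json`, capped at 1 MiB.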

This PR is stale because it has been labeled with inactivity.

github-actions[bot] · Feb 11 '24 00:02