Scan output truncating with plugin build v0.8.0

Open ericsmalling opened this issue 3 years ago • 3 comments

Description

Running docker scan on an image with a lot of vulns, the report is being truncated.

Steps to reproduce the issue:

  1. Create Dockerfile with base of FROM node:6
  2. docker build -t myimage .
  3. docker scan myimage --file=Dockerfile

Describe the results you received:

Scan output is truncated with the last lines something similar to:

✗ Low severity vulnerability found in imagemagick/libmagickcore-6.q16-3
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-402926
  Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u12, imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12, imagemagick/libmagickwand-dev@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/imagemagick-6.q16@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3-extra@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  and 24 more...
  Image layer: Introduced by your base image (node:14.16.1)

✗ Low severity vulnerability found in imagemagick/libmagickcore-6.q16-3
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-402934
  Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u12, imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12, imagemagick/libmagickwand-dev@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/imagemagick-6.q16@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3-extra@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  and 24 more...
  Image layer: Introduced by your base image (node:14.16.1)

✗ Low severity vulnerability found in imagemagick/libmagickcore-6.q16-3
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-402942
  Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u12, imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12, imagemagick/libmagickwand-dev@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/imagemagick-6.q16@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-3@8:6.9.7.4+dfsg-11+deb9u12
  From: imagemagick/libmagickcore-dev@8:6.9.7.4+dfsg-11+deb9u12 > imagemagick/libmagickcore-6.q16-dev@8:6

Describe the results you expected:

Full output report, including image recommendations

Additional information you deem important (e.g. issue happens only occasionally):

Not sure if related but syslog shows this around the time of the scan run:

May  3 19:37:55 ip-172-31-12-76 dockerd[999]: time="2021-05-03T19:37:55.960400324Z" level=error msg="attach failed with error: error attaching stdout stream: write unix /var/run/docker.sock->@: write: broken pipe"

Also, installing and running native snyk container test on same machine works fine. (native snyk is uninstalled when the issue occurs)

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:46:01 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:44:13 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
TeamRole:/var/log $ 

Output of docker scan --version:

Version:    v0.8.0
Git commit: 35651ca
Provider:   Snyk (1.563.0 (standalone))

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 35
 Server Version: 20.10.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-1045-aws
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.773GiB
 Name: ip-172-31-12-76
 ID: HG6S:FKL3:6B67:NYXK:63D5:2LTC:62ZE:NIFF:UCWY:MRHK:NIIX:5K5V
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: ericsmalling
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.): Running on Ubuntu 18.04.5 LTS on AWS Cloud9 environment with 20G root EBS volume (9.7G avail) and t2.large instance size.

May 03 '21 19:05 ericsmalling

Is there some kind of timeout occurring during the scan, possibly?

May 03 '21 19:05 ericsmalling

Taking a stab at things, I ran:

  docker run --rm -it --name snyk -v $(pwd):/project -e SNYK_TOKEN=$SNYK_TOKEN -v /var/run/docker.sock:/var/run/docker.sock snyk/snyk:docker snyk container test ericsmalling/goof-image:latest --file=/project/Dockerfile

and it worked fine. I immediately ran:

  docker scan ericsmalling/goof-image:latest --file=Dockerfile

and got similar results (truncation of the stdout).

(ericsmalling/goof-image:latest is a node:6 based image and is locally cached as well as available on DockerHub)

May 03 '21 21:05 ericsmalling

https://asciinema.org/a/hGrL1szSgMQizKXWBR06v2F0x

May 03 '21 21:05 ericsmalling