
Failure while reading containerd-sourced images

Open inquinity opened this issue 1 year ago • 0 comments

Describe the bug

Docker Desktop has two options for pulling and storing images internally: the default container and containerd.

jf cli cannot scan images or tar files created using containerd.

Current behavior

JFrog Xray version is: 3.86.11

command: jf scan mariadb-latest-containerd.tar

[jfxia] [WARN ] [] [docker_tar:74 ] [UnnamedContext ] Failed to index tar file as container image, continue to generic tar indexer. Error: failed to analyze OCI tar archive --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/docker_tar.go:144 (DockerTarOpener.analyzeTarAsContainer) --- Caused by: failed to parse and validate manifests list: index.json --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:53 (DockerTarOpener.handleIndexFile) --- Caused by: manifest unexpected media type: application/vnd.oci.image.index.v1+json --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:95 (DockerTarOpener.parseAndValidateManifestsList) ---

Reproduction steps

I used mariadb:latest as an example, since it is easily available. It is NOT necessary to export files to tar, but doing so makes it easier to demonstrate the error.

  1. Check that the "Use containerd for pulling and storing images" option in Docker Desktop is disabled. This is the "control" test.

  2. Download the image if needed: docker pull mariadb:latest

  3. Save image to tar file: docker save mariadb:latest -o mariadb-latest-default.tar

  4. Enable the "Use containerd for pulling and storing images" option in Docker Desktop. (Docker will restart)

  5. Download the image if needed: docker pull mariadb:latest

  6. Save image to tar file: docker save mariadb:latest -o mariadb-latest-containerd.tar

  7. Scan the images:
     jf scan mariadb-latest-default.tar
     jf scan mariadb-latest-containerd.tar

Expected behavior

jf scan mariadb-latest-default.tar will produce a viable security scan.

jf scan mariadb-latest-containerd.tar will fail to scan with the following error:

Failed to index tar file as container image, continue to generic tar indexer. Error: failed to analyze OCI tar archive --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/docker_tar.go:144 (DockerTarOpener.analyzeTarAsContainer) --- Caused by: failed to parse and validate manifests list: index.json --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:53 (DockerTarOpener.handleIndexFile) --- Caused by: manifest unexpected media type: application/vnd.oci.image.index.v1+json --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:95 (DockerTarOpener.parseAndValidateManifestsList) ---

jf will continue despite the failure and fail to find any vulnerabilities.

Vulnerable Components
┌───────────────────────────────────────────┐
│ ✨ No vulnerable components were found ✨ │
└───────────────────────────────────────────┘

JFrog CLI version

jf version 2.59.1

Operating system type and version

macOS 14.5, Docker Desktop 4.3.1.0

JFrog Artifactory version

No response

JFrog Xray version

JFrog Xray version is: 3.86.11

inquinity, Jul 16 '24 18:07
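As an added example (not jfrog-cli or Xray code), the following script tells the two `docker save` layouts apart before a scan is attempted: it reads the archive's index.json or manifest.json and reports the top-level media type, so an OCI image index of the kind the indexer rejected above can be spotted in advance. The function names and the in-memory sample archives are constructed here and are not part of the original report.

```python
import io
import json
import tarfile

# Media types as quoted in the Xray error in this report and in the OCI image spec.
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"


def classify_image_tar(src):
    """Classify a `docker save` archive given as a path or a file object.
    Returns layout ('docker' | 'oci' | 'unknown'), the top-level mediaType,
    the manifest media types it lists, and whether it is an OCI image index,
    which is the case the indexer in this report refuses to parse."""
    tf = tarfile.open(src) if isinstance(src, str) else tarfile.open(fileobj=src)
    with tf:
        names = set(tf.getnames())
        if "index.json" in names:
            index = json.load(tf.extractfile("index.json"))
            mt = index.get("mediaType")
            return {"layout": "oci", "mediaType": mt,
                    "manifests": [m.get("mediaType") for m in index.get("manifests", [])],
                    "is_oci_index": mt == OCI_INDEX}
        layout = "docker" if "manifest.json" in names else "unknown"
        return {"layout": layout, "mediaType": None, "manifests": [], "is_oci_index": False}


def build_sample_tar(oci):
    """Constructed stand-in for the two tars in the report (blobs omitted):
    oci=True mimics mariadb-latest-containerd.tar (OCI layout with index.json),
    oci=False mimics mariadb-latest-default.tar (legacy manifest.json layout)."""
    if oci:
        index = {"schemaVersion": 2, "mediaType": OCI_INDEX,
                 "manifests": [{"mediaType": OCI_MANIFEST,
                                "digest": "sha256:" + "0" * 64, "size": 1}]}
        members = [("oci-layout", b'{"imageLayoutVersion":"1.0.0"}'),
                   ("index.json", json.dumps(index).encode())]
    else:
        members = [("manifest.json", json.dumps([{"Config": "config.json",
                    "RepoTags": ["mariadb:latest"], "Layers": []}]).encode())]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf
```

Running `classify_image_tar("mariadb-latest-containerd.tar")` on a real export reports `is_oci_index: True` when the archive carries the media type from the error above.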