
[BUG] Redhat ubi-micro images aren't supported

Open jpinz opened this issue 11 months ago • 3 comments

Version of copa

v0.6.2

Expected Behavior

Given the trivy scan report of vulnerabilities, I would expect copa to patch the image

Actual Behavior

Command failed with exit code 1: copa patch -i quay.io/kiali/kiali:v1.77.0 -r /scan-trivy-quay_io_kiali_kiali_v1_77_0.json -t v1.77.0 --debug
time="2024-03-06T22:15:46Z" level=debug msg="updates to apply: &{{{redhat 8.9} {amd64}} [{openssl 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3446} {openssl 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3817} {openssl 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-5678} {openssl-libs 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3446} {openssl-libs 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3817} {openssl-libs 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-5678}]}"
time="2024-03-06T22:15:46Z" level=debug msg="Trying docker driver"
time="2024-03-06T22:15:46Z" level=debug msg="serving grpc connection"
time="2024-03-06T22:15:46Z" level=debug msg="stopping session"
time="2024-03-06T22:15:46Z" level=debug msg="serving grpc connection"
time="2024-03-06T22:15:47Z" level=debug msg="latest unique RPMs: [{openssl  1:1.1.1k-12.el8_9 } {openssl-libs  1:1.1.1k-12.el8_9 }]"
time="2024-03-06T22:15:47Z" level=debug msg="Using mcr.microsoft.com/cbl-mariner/base/core:2.0 as basis for tooling image"
time="2024-03-06T22:16:34Z" level=debug msg="RPM DB Type in image is: RPMDBBerkley"
time="2024-03-06T22:16:34Z" level=info msg="Checking for available RPM tools in non-distroless image ..."
time="2024-03-06T22:16:34Z" level=debug msg="RPM tools probe results: map[]"
time="2024-03-06T22:16:34Z" level=error msg="image contains no RPM package managers needed for patching"
time="2024-03-06T22:16:34Z" level=error msg="image does not have the rpm tool needed for patch verification"
Error: 2 errors occurred:
	* image contains no RPM package managers needed for patching
	* image does not have the rpm tool needed for patch verification

Steps To Reproduce

Try scanning and patching the image: quay.io/kiali/kiali:v1.77.0 or registry.access.redhat.com/ubi8/openssl

Potentially relevant links

https://github.com/kiali/kiali/blob/master/deploy/docker/Dockerfile-distroless

https://catalog.redhat.com/software/containers/ubi8/openssl/6195a60d65764fb87abae995?architecture=amd64&image=65cba1f6f87d9ae658d7e77f&container-tabs=dockerfile

https://explore.ggcr.dev/fs/registry.access.redhat.com/ubi8/openssl@sha256:7bd53558c2ce8784b1e0d203fc9d5f3e7bb1e0d2b438befdc165233481789e70/

Are you willing to submit PRs to contribute to this bug fix?

  • [ ] Yes, I am willing to implement it.

jpinz avatar Mar 07 '24 22:03 jpinz

Copa currently detects a file which indicates RPM support at /var/lib/rpm/Packages, which in turn makes Copa assume the container isn't distroless. I ran the debugger in GoLand to identify exactly what is happening and have sent my findings to the Copa team.

MiahaCybersec avatar May 15 '24 07:05 MiahaCybersec
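As an added illustration, not Copa's own code and not the change made in the fix, here is a Go probe that separates the case described above (an RPM database at /var/lib/rpm/Packages but no rpm, dnf, yum or microdnf binary, as in ubi-micro) from a full RPM image and from a non-RPM image. The sqlite database paths, the binary directories searched and the constructed layout in main are assumptions for the example.

```go
package main
import (
	"fmt"
	"path"
)
// Kind is the outcome of probing an image for RPM support.
type Kind int
const (
	NoRPM           Kind = iota // no RPM database: not an RPM-based image
	RPMWithTools                // database plus a package manager: can patch in place
	RPMWithoutTools             // database but no rpm/dnf/yum/microdnf: ubi-micro style
)

// Database files accepted as evidence of an RPM-based image: the BerkeleyDB
// layout the log above reports and (assumed) sqlite layouts of newer releases.
var rpmDBFiles = []string{"/var/lib/rpm/Packages", "/var/lib/rpm/rpmdb.sqlite",
	"/usr/lib/sysimage/rpm/rpmdb.sqlite"}
var rpmTools = []string{"rpm", "dnf", "yum", "microdnf"}
var binDirs = []string{"/usr/bin", "/usr/sbin", "/bin", "/sbin"}

// Classify probes an image filesystem through exists, which abstracts the rootfs
// so the same logic runs on an unpacked image or on a constructed path set.
func Classify(exists func(string) bool) (Kind, []string) {
	hasDB := false
	for _, f := range rpmDBFiles {
		hasDB = hasDB || exists(f)
	}
	if !hasDB {
		return NoRPM, nil
	}
	var found []string
	for _, t := range rpmTools {
		for _, d := range binDirs {
			if exists(path.Join(d, t)) {
				found = append(found, t)
				break
			}
		}
	}
	if len(found) == 0 {
		return RPMWithoutTools, nil // the ubi-micro case from the report
	}
	return RPMWithTools, found
}
func main() {
	micro := map[string]bool{"/var/lib/rpm/Packages": true} // constructed ubi-micro layout
	kind, tools := Classify(func(p string) bool { return micro[p] })
	fmt.Println(kind == RPMWithoutTools, tools) // true []
}
```

An image classified as RPMWithoutTools is the one that should be routed to the external tooling-image path rather than rejected as having "no RPM package managers".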

Ran into this same issue with quay.io/quarkus/quarkus-micro-image:2.0 which I believe is based on one of the RedHat UBI images as well.

craigbthompson avatar May 30 '24 13:05 craigbthompson

This issue will be addressed via #602.

ashnamehrotra avatar May 30 '24 17:05 ashnamehrotra