
Trivy SBOM: Failed to pull image "docker.io/securecodebox/parser-cyclonedx:4.7.0"

Open · LittaKake opened this issue 1 year ago · 1 comment

🐞 Bug report

Describe the bug

When trying to use Trivy SBOM in containerAutoDiscovery the parser image docker.io/securecodebox/parser-cyclonedx:4.7.0 is not found.

Steps To Reproduce

  1. Install Operator and Autodiscovery (pr namespace). Provide this as values file:

         config:
           resourceInclusion:
             mode: "enabled-per-namespace"
           containerAutoDiscovery:
             enabled: true
             scanConfigs:
             - annotations:
                 defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
                 defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels
                   `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version`
                   }}{{end}}"
                 defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name
                   }} | {{ .Target.Name }}"
                 defectdojo.securecodebox.io/product-tags: cluster/{{ .Cluster.Name }},namespace/{{
                   .Namespace.Name }}
               env: []
               hookSelector: {}
               labels: {}
               name: trivy
               parameters:
               - "{{ .ImageID }}"
               repeatInterval: 168h
               scanType: trivy-sbom-image
               volumeMounts: []
               volumes: []

  2. Install Trivy SBOM scantype in a namespace. Set the imagePullSecret.
  3. Put annotation on namespace to trigger scanning of container images.
  4. Watch parser fail to pull image.

Expected behavior

Parser uses a valid image and parses the output from the scans.

Maybe replace parser.image.repository in values.yaml with https://hub.docker.com/r/securecodebox/parser-trivy-sbom?

System (please complete the following information):

  • kubernetes v1.30.3

Screenshots / Logs

k describe pod/parse-websockify-trivy-at-5cbb047609940dbb21add056da1019e-r7pp7 -n my-namespace

  Type     Reason     Age                     From               Message                                                                              
  ----     ------     ----                    ----               -------                                                                              
  Normal   Scheduled  7m25s                   default-scheduler  Successfully assigned my-namespace/parse-websockify-trivy-at-5cbb047609940dbb21add056da1019e-r7pp7 to my-node                                                                       
  Normal   Pulling    5m53s (x4 over 7m24s)   kubelet            Pulling image "docker.io/securecodebox/parser-cyclonedx:4.7.0"                       
  Warning  Failed     5m52s (x4 over 7m21s)   kubelet            Failed to pull image "docker.io/securecodebox/parser-cyclonedx:4.7.0": rpc error: code = NotFound desc = failed to pull and unpack image "docker.io/securecodebox/parser-cyclonedx:4.7.0": failed to resolve reference "docker.io/securecodebox/parser-cyclonedx:4.7.0": docker.io/securecodebox/parser-cyclonedx:4.7.0: not found                                                               
  Warning  Failed     5m52s (x4 over 7m21s)   kubelet            Error: ErrImagePull                                                                  
  Warning  Failed     5m36s (x6 over 7m20s)   kubelet            Error: ImagePullBackOff                                                              
  Normal   BackOff    2m13s (x21 over 7m20s)  kubelet            Back-off pulling image "docker.io/securecodebox/parser-cyclonedx:4.7.0" 

Sorry, pasting a different set of pods here than the one above...

k get pods -n my-namespace
NAME                                                              READY   STATUS             RESTARTS   AGE
parse-centos-trivy-at-be65f488b7764ad3638f236b7b515b36783-869hc   0/1     ImagePullBackOff   0          34m
scan-centos-trivy-at-be65f488b7764ad3638f236b7b515b367836-qmgg5   0/2     Completed          0          34m
k logs pod/scan-centos-trivy-at-be65f488b7764ad3638f236b7b515b367836-qmgg5 -n my-namespace
Defaulted container "trivy-sbom" out of: trivy-sbom, lurker
2024-09-25T19:58:48Z    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="chardet" version="2.2.1"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="iniparse" version="0.4"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="kitchen" version="1.1.1"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="urlgrabber" version="3.10"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="Python" version="2.7.5"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="PyGObject" version="3.22.0"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pygpgme" version="0.3"
2024-09-25T19:58:54Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pyliblzma" version="0.5.3"
2024-09-25T19:58:55Z    INFO    Detected OS     family="centos" version="xxx"
2024-09-25T19:58:55Z    INFO    Number of language-specific files       num=

Additional context

LittaKake, Sep 25 '24 20:09
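Added here as an illustration, not code from the issue or from the secureCodeBox project: a small Python check that pairs finished scanner pods with parser pods stuck in an image-pull failure, so that a scan whose SBOM is never parsed (as in the pod list above) shows up as a coverage gap instead of silently never reaching DefectDojo. The pod JSON is constructed from the names in the issue; the `parser` container name and the prefix-matching heuristic for pairing pods are assumptions.

```python
import json

# Constructed sample in the shape of `kubectl get pods -o json`, reusing the pod
# names and the unresolvable image from the issue; it is not a cluster capture.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "scan-centos-trivy-at-be65f488b7764ad3638f236b7b515b367836-qmgg5"},
     "status": {"phase": "Succeeded"}},
    {"metadata": {"name": "parse-centos-trivy-at-be65f488b7764ad3638f236b7b515b36783-869hc"},
     "status": {"phase": "Pending", "containerStatuses": [{
         "name": "parser", "image": "docker.io/securecodebox/parser-cyclonedx:4.7.0",
         "state": {"waiting": {"reason": "ImagePullBackOff",
                               "message": "Back-off pulling image \"docker.io/securecodebox/parser-cyclonedx:4.7.0\""}}}]}},
]})

# kubelet waiting reasons that mean the container will never start without intervention
PULL_FAILURES = {"ErrImagePull", "ImagePullBackOff", "InvalidImageName"}


def _stem(pod_name, prefix):
    """Strip the job-type prefix and the random pod suffix: 'scan-foo-abc12' -> 'foo'."""
    return pod_name[len(prefix):].rsplit("-", 1)[0]


def _pull_failure(pod):
    """Return (reason, image) if any container is stuck on an image pull, else None."""
    for cs in pod.get("status", {}).get("containerStatuses", []):
        waiting = cs.get("state", {}).get("waiting", {})
        if waiting.get("reason") in PULL_FAILURES:
            return waiting["reason"], cs.get("image", "")
    return None


def find_unparsed_scans(pod_list_json):
    """Scans whose scanner finished but whose parser cannot pull its image.
    Scanner and parser pods share a name stem truncated at different lengths
    (compare the two pod names in the issue), so pairing uses prefix matching."""
    pods = json.loads(pod_list_json)["items"]
    scans = {_stem(p["metadata"]["name"], "scan-"): p for p in pods
             if p["metadata"]["name"].startswith("scan-")}
    findings = []
    for pod in pods:
        name = pod["metadata"]["name"]
        failure = _pull_failure(pod) if name.startswith("parse-") else None
        if failure is None:
            continue
        stem = _stem(name, "parse-")
        for scan_stem, scan in scans.items():
            if (scan_stem.startswith(stem) or stem.startswith(scan_stem)) \
                    and scan["status"].get("phase") == "Succeeded":
                findings.append({"scan": scan["metadata"]["name"], "parser": name,
                                 "reason": failure[0], "image": failure[1]})
    return findings
```

Feeding it the output of `kubectl get pods -n <namespace> -o json` from a cron job or a monitoring hook turns a stuck parser into an alert rather than a missing engagement in DefectDojo.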

Ah mh yeah, that looks incorrect. Had these overwritten in my setup so I haven't noticed this 🙈

The parser.image.repo should be changed in the default helm values to use the parser image that is actually built, like you said 👍

Thank you for reporting this 🙌

J12934, Sep 26 '24 23:09