CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://cyclonedx.github.io/cdxgen/
Apache License 2.0
578 stars, 156 forks

Error: TAR_ENTRY_INVALID: linkpath forbidden #572

Open trend-sandy-lin opened 1 year ago

trend-sandy-lin commented 1 year ago

Hi, I tried cdxgen -o .json to create SBOMs; however, it got this error and told me to file the bug:

Error while extracting image /var/folders/_8/nnm0ylrs5zv8szd7kb3fsngc0000gp/T/docker-images-L0CoEc/3d52a331bbcaeabbdc3c222f4fb6280b3a0cb395d4062d71dd45fee09321b0b6/layer.tar to /var/folders/_8/nnm0ylrs5zv8szd7kb3fsngc0000gp/T/docker-images-L0CoEc/all-layers. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues Error: TAR_ENTRY_INVALID: linkpath forbidden

It was normal two months ago with the same command. Does anyone know how to solve this? Thanks :)

prabhu commented 1 year ago

@trend-sandy-lin, this error gets thrown if the container image has a symlink that might overwrite a valid path on the host. It is usually safe to ignore this error. Do you see any difference in results?

trend-sandy-lin commented 1 year ago

The result seems normal. Got it! Thanks

DarrenRays commented 1 year ago

Hello, I got a similar error.

Error while extracting image /tmp/docker-images-qKmFF2/c6f356af6f7c2ccb5229e5a1fd9b0638a2af636477afb48b74a823d58264e76b/layer.tar to /tmp/docker-images-qKmFF2/all-layers. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues
------------
Error: TAR_ENTRY_INVALID: linkpath forbidden
    at UnpackSync.warn (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/warn-mixin.js:21:40)
    at UnpackSync.warn (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/unpack.js:229:18)
    at [consumeHeader] (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:173:16)
    at [consumeChunkSub] (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:513:30)
    at [consumeChunk] (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:485:30)
    at UnpackSync.write (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:427:25)
    at ReadStream.ondata (node:internal/streams/readable:785:22)
    at ReadStream.emit (node:events:514:28)
    at ReadStream.emit (node:domain:489:12)
    at addChunk (node:internal/streams/readable:343:12) {
  header: Header {
    cksumValid: true,
    needPax: false,
    nullBlock: false,
    block: null,
    path: 'etc/ssl/certs/.wh.1675024b.0',
    mode: 384,
    uid: 0,
    gid: 0,
    size: 0,
    mtime: 2023-10-24T10:57:35.000Z,
    cksum: 7846,
    linkpath: 'etc/ssl/certs/11129a95.0',
    uname: '',
    gname: '',
    devmaj: 0,
    devmin: 0,
    atime: null,
    ctime: null,
    [Symbol(type)]: '0'
  },
  cwd: '/tmp/docker-images-qKmFF2/all-layers',
  code: 'TAR_ENTRY_INVALID',
  tarCode: 'TAR_ENTRY_INVALID'
}

Many packets present in the skipped layer are missing. The final results are incomplete. How to solve this error? Thanks

prabhu commented 1 year ago

@DarrenRays you can extract the image tars manually and run cdxgen with -t oci-dir.

prabhu commented 9 months ago

@DarrenRays could you try with the latest cdxgen which has received several fixes for container sbom?

foreverankit commented 6 months ago

I am also facing the same issue when I am running this command from inside the docker container: cdxgen openjdk-11-runtime_1.18.tar -o test.json -t docker. However, it does create test.json, in which the results are not accurate. But when I run the cdxgen command for this tar from my host machine, it runs fine without any errors and also shows accurate results. Can someone please help me with this issue? I am using the latest cdxgen version, 10.5.1.

Error while extracting image /tmp/docker-images-YJzPPP/af6e6b21f6db465674257c420cb9091dd5c3f1f3886ad0411b686a3d0ff9976b.tar to /tmp/docker-images-YJzPPP/all-layers. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues

Error: TAR_ENTRY_INVALID: linkpath forbidden
    at UnpackSync.warn (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/warn-mixin.js:21:40)
    at UnpackSync.warn (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/unpack.js:236:18)
    at [consumeHeader] (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:173:16)
    at [consumeChunkSub] (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:513:30)
    at [consumeChunk] (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:485:30)
    at UnpackSync.write (/usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/tar/lib/parse.js:427:25)
    at ReadStream.ondata (node:internal/streams/readable:1007:22)
    at ReadStream.emit (node:events:520:28)
    at ReadStream.emit (node:domain:488:12)
    at addChunk (node:internal/streams/readable:559:12) {
  header: Header {
    cksumValid: true,
    needPax: false,
    nullBlock: false,
    block: null,
    path: 'usr/lib/.build-id/02/.wh.3ba25ab58d3ebecd83cbf6c98fb7104f2309b9',
    mode: 0,
    uid: 0,
    gid: 0,
    size: 0,
    mtime: 2024-01-18T20:39:05.000Z,
    cksum: 13203,
    linkpath: 'usr/lib/.build-id/00/3d4ed8b4363eb08a13b880d61e836fdad4e3aa',
    uname: '',
    gname: '',
    devmaj: 0,
    devmin: 0,
    atime: null,
    ctime: null,
  },
  cwd: '/tmp/docker-images-YJzPPP/all-layers',
  code: 'TAR_ENTRY_INVALID',
  tarCode: 'TAR_ENTRY_INVALID'
}

prabhu commented 6 months ago

@foreverankit I think we need a patch here to ignore files beginning with a dot.

https://github.com/CycloneDX/cdxgen/blob/master/docker.js#L716

basename(path).startsWith(".")

Could you give it a try and send a PR?

foreverankit commented 5 months ago

@prabhu I tried adding it like this, but it's not helping. It still gives this same error.

path.includes("usr/share/licenses/device-mapper-libs") || basename(path).startsWith(".") ||


Error: Error while extracting image /tmp/docker-images-EilHvU/af6e6b21f6db465674257c420cb9091dd5c3f1f3886ad0411b686a3d0ff9976b.tar to /tmp/docker-images-EilHvU/all-layers. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues
Error: TAR_ENTRY_INVALID: linkpath forbidden
    at UnpackSync.warn (/opt/cdxgen/node_modules/tar/lib/warn-mixin.js:21:40)
    at UnpackSync.warn (/opt/cdxgen/node_modules/tar/lib/unpack.js:236:18)
    at [consumeHeader] (/opt/cdxgen/node_modules/tar/lib/parse.js:173:16)
    at [consumeChunkSub] (/opt/cdxgen/node_modules/tar/lib/parse.js:513:30)
    at [consumeChunk] (/opt/cdxgen/node_modules/tar/lib/parse.js:485:30)
    at UnpackSync.write (/opt/cdxgen/node_modules/tar/lib/parse.js:427:25)
    at ReadStream.ondata (node:internal/streams/readable:1007:22)
    at ReadStream.emit (node:events:520:28)
    at ReadStream.emit (node:domain:488:12)
    at addChunk (node:internal/streams/readable:559:12) {
  header: Header {
    cksumValid: true,
    needPax: false,
    nullBlock: false,
    block: null,
    path: 'usr/lib/.build-id/02/.wh.3ba25ab58d3ebecd83cbf6c98fb7104f2309b9',
    mode: 0,
    uid: 0,
    gid: 0,
    size: 0,
    mtime: 2024-01-18T20:39:05.000Z,
    cksum: 13203,
    linkpath: 'usr/lib/.build-id/00/3d4ed8b4363eb08a13b880d61e836fdad4e3aa',
    uname: '',
    gname: '',
    devmaj: 0,
    devmin: 0,
    atime: null,
    ctime: null,
  },
  cwd: '/tmp/docker-images-EilHvU/all-layers',
  code: 'TAR_ENTRY_INVALID',
  tarCode: 'TAR_ENTRY_INVALID'
}

prabhu commented 5 months ago

How are you executing the local version? I am still seeing /opt/cdxgen

foreverankit commented 5 months ago

I did docker compose up. I copied the tar file into the container and then ran it from inside the container like this: /opt/cdxgen/bin/cdxgen.js openjdk-11-runtime_1.18_test.tar -o test.json -t docker

I am trying to generate bom for this image: registry.access.redhat.com/ubi8/openjdk-11-runtime:1.18. I am trying this from inside the docker container.

prabhu commented 5 months ago

cc: @aryan-rajoria

aryan-rajoria commented 5 months ago

Hello @trend-sandy-lin and @foreverankit,

Could you please check out PR #1095 and let me know if it resolves your issues? Your feedback is much appreciated!

Thank you!

foreverankit commented 5 months ago

@prabhu @aryan-rajoria It doesn't throw the error now, but the results differ when I run cdxgen from my local and when I run it from inside docker. For example: this image (registry.access.redhat.com/ubi8/openjdk-11-runtime:1.18) uses this version of curl: curl@7.61.1-33.el8. This is coming correctly when I generate the BOM from my local, but when I try to generate it from inside the docker it shows this version: curl@7.61.1-30.el8_8.3. Similarly, many versions are different. I am using cdxgen version 10.2.4 in my local and 10.5.1 in docker. But I really doubt it's a version issue.

foreverankit commented 5 months ago

@prabhu @aryan-rajoria any updates?

prabhu commented 5 months ago

@foreverankit no idea. Could you kindly investigate further and share your observation?