Anchore engine failure with ''NoneType'' object is not iterable' when scanning a manifest created by Podman

[pganeshar]

What happened: Submitted a manifest that contains an amd and arm image and Anchore scan failed with ''NoneType'' object is not iterable'. The images and manifest were created by Podman.

What you expected to happen: Anchore to scan the images successfully; like it did when the images and manifest are built by docker.

How to reproduce it (as minimally and precisely as possible):

1. Build an amd image using podman
2. Build an arm image using podman
3. Create a manifest and amd and arm images to it.
4. Submit the manifest to Anchore engine.
5. Check Anchore event log, it reports with error ''NoneType'' object is not iterable' Here is the whole error:

   $ anchore-cli event get a451c800ab014def8503c4d59afb03ab
   details:
   msg: 'failed to download, unpack, analyze, and generate image export (9999999999999.dkr.ecr.us-west-2.amazonaws.com/sandbox-example/goserviceeks@sha256:8fd0f9323432343384385ec23b500ac091a9577c78cf87f412ab4ff1ad3fce9f)
   - exception: ''NoneType'' object is not iterable'
   level: error
   message: Failed to analyze image
   resource:
   id: 9999999999999.dkr.ecr.us-west-2.amazonaws.com/sandbox-example/goserviceeks:0.0.1-1662584101053-feature-signed
   type: image_tag
   user_id: dev-team
   source:
   base_url: http://release-name-anchore-engine-analyzer:8084/
   hostid: release-name-anchore-engine-analyzer-56ffc4fbd7-dlxw4
   request_id: null
   servicename: analyzer
   timestamp: '2022-10-06T21:03:29.845699Z'
   type: user.image.analysis.failed

Anything else we need to know?: Anchore scans the manifest successfully when its built by docker. Also if I submit the amd and arm images built by Podman individually, Anchore works fine its the manifest it has problem with.

Environment:

• Output of syft version:

• OS (e.g: cat /etc/os-release or similar):

  
  # cat /etc/os-release
  NAME="CentOS Stream"
  VERSION="8"
  ID="centos"
  ID_LIKE="rhel fedora"
  VERSION_ID="8"
  PLATFORM_ID="platform:el8"
  PRETTY_NAME="CentOS Stream 8"
  ANSI_COLOR="0;31"
  CPE_NAME="cpe:/o:centos:centos:8"
  HOME_URL="https://centos.org/"
  BUG_REPORT_URL="https://bugzilla.redhat.com/"
  REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
  REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

$ anchore-cli system status Engine DB Version: 0.0.14 Engine Code Version: 0.9.1

podman info --debug

host: arch: amd64 buildahVersion: 1.27.0 cgroupControllers:

• cpuset
• cpu
• cpuacct
• blkio
• memory
• devices
• freezer
• net_cls
• perf_event
• net_prio
• hugetlb
• pids cgroupManager: cgroupfs cgroupVersion: v1 conmon: package: conmon-2.1.4-1.module_el8.7.0+1216+b022c01d.x86_64 path: /usr/bin/conmon version: 'conmon version 2.1.4, commit: ec95327311bd1f0a118cadc9b24032df370babe4' cpuUtilization: idlePercent: 99.76 systemPercent: 0.05 userPercent: 0.19 cpus: 48 distribution: distribution: '"centos"' version: "8" eventLogger: file hostname: centos-amd-he-golang-9pp1w idMappings: gidmap: null uidmap: null kernel: 5.4.204-113.362.amzn2.x86_64 linkmode: dynamic logDriver: k8s-file memFree: 21345615872 memTotal: 99658764288 networkBackend: cni ociRuntime: name: crun package: crun-1.5-1.module_el8.7.0+1216+b022c01d.x86_64 path: /usr/bin/crun version: |- crun version 1.5 commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL os: linux remoteSocket: path: /run/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: false seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.2.0-2.module_el8.7.0+1216+b022c01d.x86_64 version: |- slirp4netns version 1.2.0 commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383 libslirp: 4.4.0 SLIRP_CONFIG_VERSION_MAX: 3 libseccomp: 2.5.2 swapFree: 0 swapTotal: 0 uptime: 1025h 52m 33.00s (Approximately 42.71 days) plugins: authorization: null log:
• k8s-file
• none
• passthrough
• journald network:
• bridge
• macvlan
• ipvlan volume:
• local registries: search:
• registry.access.redhat.com
• registry.redhat.io
• docker.io store: configFile: /etc/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: overlay.mountopt: nodev,metacopy=on graphRoot: /var/lib/containers/storage graphRootAllocated: 536858308608 graphRootUsed: 65003925504 graphStatus: Backing Filesystem: xfs Native Overlay Diff: "false" Supports d_type: "true" Using metacopy: "true" imageCopyTmpDir: /var/tmp imageStore: number: 117 runRoot: /run/containers/storage volumePath: /var/lib/containers/storage/volumes version: APIVersion: 4.2.0 Built: 1663766104 BuiltTime: Wed Sep 21 13:15:04 2022 GitCommit: "" GoVersion: go1.18.4 Os: linux OsArch: linux/amd64 Version: 4.2.0

[tgerla]

Hi @pganeshar, sorry for the bad news but we have actually just removed the anchore-engine upload feature from Syft going forward. Please feel free to come by our Slack channel and we can help you figure out a migration path. We will be happy to help you out.

[kzantow]

Quick follow-up: it should be noted that this upload functionality was never intended to work with Engine but only Enterprise due to some nuances between the APIs and it has always been an experimental feature (as indicated by the documentation/etc.). Enterprise now has a different tool to perform this upload so it is no longer needed in Syft. Sorry for the inconvenience!