anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.84k stars 574 forks

Anchore grype container is not working with custom template. #1399

Closed nb044 closed 1 year ago

nb044 commented 1 year ago

With the latest version of the anchore grype container image, it has stopped working with templates that are mounted into the container. After the run, it is observed that it converts the template file to a blank file. Steps to reproduce:

  1. Create a template file and store it in your /tmp/templates directory with the following code. Example: /tmp/templates/cve_csv.tmpl contains (do not add the dotted lines to the file):

```
"Package Name","Version","Type","Vulnerability ID","Severity","Fixed in"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Artifact.Type}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ range $index, $i := .Vulnerability.Fix.Versions}}{{if $index}} {{end}}{{$i}}{{end}}"
{{- end}}
```

  2. Run a simple command to perform a scan on the sample alpine container image or any other image. Example:

```
docker run -v "/tmp/templates":/cve anchore/grype alpine -t /cve/cve_csv.tmpl -o template
```

Observation:

  1. No result.
  2. The template file contents are gone and the file is converted to a blank file on the host machine.

Expected result:

  1. Anchore grype scans and shows vulnerabilities in the format mentioned in the template
  2. No effect on template file on the host machine.
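A way to check a template like the one above without re-scanning (and without handing a writable host directory to the scanner) is to render it offline against a saved `grype ... -o json` report. The program below is an added example written for this page, not grype's own code or the reporter's. It assumes the JSON keys grype emits for the fields the template uses (`matches[].artifact.name/version/type`, `matches[].vulnerability.id/severity/fix.versions`) and that those map onto the Go field names the template references; the embedded report is constructed for the demo (the package names, versions and CVE IDs come from the debug log in this thread, the fix versions are illustrative, and `CONSTRUCTED-NOFIX-1` is a placeholder ID used only to exercise the empty-fix case).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"text/template"
)

// Report is a minimal view of grype's JSON output: only the fields the CSV
// template references. The JSON keys are assumed from grype's -o json output;
// encoding/json ignores anything else in a real report.
type Report struct {
	Matches []struct {
		Artifact struct {
			Name    string `json:"name"`
			Version string `json:"version"`
			Type    string `json:"type"`
		} `json:"artifact"`
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			Fix      struct {
				Versions []string `json:"versions"`
			} `json:"fix"`
		} `json:"vulnerability"`
	} `json:"matches"`
}

// csvTemplate is the template from the issue, with the line breaks restored.
// "{{-" trims the newline before the range/end actions, so each match lands on
// its own line with no blank lines between rows.
const csvTemplate = `"Package Name","Version","Type","Vulnerability ID","Severity","Fixed in"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Artifact.Type}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ range $index, $i := .Vulnerability.Fix.Versions}}{{if $index}} {{end}}{{$i}}{{end}}"
{{- end}}
`

// sampleJSON is a constructed report (not real grype output): package names and
// CVE IDs follow the debug log in this thread, fix versions are illustrative,
// and the third match is a placeholder that has no fix version at all.
const sampleJSON = `{
  "matches": [
    {"artifact": {"name": "libcrypto3", "version": "3.1.1-r1", "type": "apk"},
     "vulnerability": {"id": "CVE-2023-2975", "severity": "Unknown", "fix": {"versions": ["3.1.1-r2"]}}},
    {"artifact": {"name": "libssl3", "version": "3.1.1-r1", "type": "apk"},
     "vulnerability": {"id": "CVE-2023-3446", "severity": "Unknown", "fix": {"versions": ["3.1.1-r2", "3.1.1-r3"]}}},
    {"artifact": {"name": "busybox", "version": "1.36.1-r0", "type": "apk"},
     "vulnerability": {"id": "CONSTRUCTED-NOFIX-1", "severity": "Low", "fix": {"versions": []}}}
  ]
}`

// Render decodes a grype-style JSON report and executes tmplText over it,
// returning the rendered text. A template that references a field the report
// model does not have fails here, at render time, instead of inside a scan.
func Render(tmplText string, reportJSON []byte) (string, error) {
	var doc Report
	if err := json.Unmarshal(reportJSON, &doc); err != nil {
		return "", fmt.Errorf("decode report: %w", err)
	}
	tmpl, err := template.New("csv").Parse(tmplText)
	if err != nil {
		return "", fmt.Errorf("parse template: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, doc); err != nil {
		return "", fmt.Errorf("execute template: %w", err)
	}
	return buf.String(), nil
}

// RenderSample renders the issue's template over the constructed report.
func RenderSample() (string, error) {
	return Render(csvTemplate, []byte(sampleJSON))
}

func main() {
	// Usage: go run . [report.json]   (produce report.json with `grype <image> -o json`)
	report := []byte(sampleJSON)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		report = b
	}
	out, err := Render(csvTemplate, report)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Two practical notes. First, the template wraps fields in double quotes but does not escape quotes inside a value, so a package name or version containing `"` would produce a malformed CSV row; a stricter template would pass such fields through a quoting function. Second, when you do run the template inside the container, mount the template directory read-only (`-v "/tmp/templates":/cve:ro`) and pin the image to a specific tag rather than `latest`, so that a regression like the one reported here cannot touch the host copy and a tool upgrade cannot silently land in a CI pipeline.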
nb044 commented 1 year ago

Note that this was working fine a few days back; I started observing this issue on July 13.

nb044 commented 1 year ago

Here is the debug log:

```
docker run -v "/tmp/templates":/cve anchore/grype alpine -t /cve/cve_csv.tmpl -o template -vv
[0000] DEBUG application config: output:
[0000]  INFO grype version: 0.64.0
[0000] DEBUG ├── buildDate: 2023-07-13T15:19:47Z
[0000] DEBUG ├── compiler: gc
[0000] DEBUG ├── gitCommit: 37f436cfb6eb871bfde9cfcb1a360c510751afc9
[0000] DEBUG ├── gitDescription: v0.64.0
[0000] DEBUG ├── goVersion: go1.19.10
[0000] DEBUG ├── platform: linux/amd64
[0000] DEBUG ├── syftVersion: v0.85.0
[0000] DEBUG └── version: 0.64.0
[0000]  INFO new version of grype is available: 0.64.2 (currently running: 0.64.0)
[0000] DEBUG gathering packages
[0000] DEBUG loading DB
[0000] DEBUG looking for updates on vulnerability database
[0000] DEBUG checking for available database updates
[0000] DEBUG no socket address was found. Trying default address: /run/user/0/podman/podman.sock from-lib=stereoscope
[0000] DEBUG looking for socket file: stat /run/user/0/podman/podman.sock: no such file or directory from-lib=stereoscope
[0000] DEBUG image: source=OciRegistry location=alpine from-lib=stereoscope
[0000] DEBUG pulling image info directly from registry image="alpine" from-lib=stereoscope
[0000] DEBUG no registry credentials configured, using the default keychain from-lib=stereoscope
[0000] DEBUG found database update candidate: Listing(url=https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2023-07-24T01:34:10Z_a4cf9b7d6f30b2d91cde.tar.gz)
[0000] DEBUG cannot find existing metadata, using update...
[0000] DEBUG database update available: Listing(url=https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2023-07-24T01:34:10Z_a4cf9b7d6f30b2d91cde.tar.gz)
[0000]  INFO downloading new vulnerability DB
[0001] DEBUG image metadata: digest=sha256:c1aabb73d2339c5ebaa3681de2e9d9c18d57485045a4e311d9f8004bec208d67 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[] from-lib=stereoscope
[0001] DEBUG layer metadata: index=0 digest=sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0006]  INFO identified distro: Alpine Linux v3.18 from-lib=syft
[0006]  INFO cataloging an image from-lib=syft
[0006] DEBUG cataloging packages catalogers=17 from-lib=syft parallelism=1
[0006] DEBUG discovered 0 packages cataloger=alpmdb-cataloger from-lib=syft
[0006] DEBUG discovered 15 packages cataloger=apkdb-cataloger from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-5e69ca50.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-58cbb476.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-58e4f17d.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub from-lib=syft
[0006] DEBUG found path duplicate of /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub from-lib=syft
[0007] DEBUG found path duplicate of /etc/ssl/certs/ca-certificates.crt from-lib=syft
[0007] DEBUG found path duplicate of /etc/ssl/certs/ca-certificates.crt from-lib=syft
[0007] DEBUG found path duplicate of /etc/ssl/misc/tsget.pl from-lib=syft
[0007] DEBUG found path duplicate of /lib/libcrypto.so.3 from-lib=syft
[0007] DEBUG found path duplicate of /lib/libssl.so.3 from-lib=syft
[0007] DEBUG found path duplicate of /lib/ld-musl-x86_64.so.1 from-lib=syft
[0007] DEBUG found path duplicate of /lib/libz.so.1.2.13 from-lib=syft
[0007] DEBUG discovered 1 packages cataloger=binary-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=dpkgdb-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=dotnet-deps-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=go-module-binary-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=java-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=graalvm-native-image-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=javascript-package-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=nix-store-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=php-composer-installed-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=portage-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=python-package-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=r-package-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=rpm-db-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=ruby-gemspec-cataloger from-lib=syft
[0007] DEBUG discovered 0 packages cataloger=sbom-cataloger from-lib=syft
[0030]  INFO downloaded new vulnerability DB version=5 built="2023-07-24 01:34:10 +0000 UTC"
[0031] DEBUG adding matcher: deb
[0031] DEBUG adding matcher: gem
[0031] DEBUG adding matcher: python
[0031] DEBUG adding matcher: dotnet
[0031] DEBUG adding matcher: rpm
[0031] DEBUG adding matcher: java-archive
[0031] DEBUG adding matcher: jenkins-plugin
[0031] DEBUG adding matcher: npm
[0031] DEBUG adding matcher: apk
[0031] DEBUG adding matcher: go-module
[0031] DEBUG adding matcher: msrc-kb
[0031] DEBUG adding matcher: portage
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=alpine-baselayout, version=3.4.3-r1, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=alpine-baselayout-data, version=3.4.3-r1, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=alpine-keys, version=2.4-r1, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=apk-tools, version=2.14.0-r2, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=busybox, version=1.36.1-r0, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=busybox-binsh, version=1.36.1-r0, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=ca-certificates-bundle, version=20230506-r0, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=libc-utils, version=0.7.2-r5, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=libcrypto3, version=3.1.1-r1, upstreams=1)
[0031] DEBUG found 2 vulnerabilities for pkg=Pkg(type=apk, name=libcrypto3, version=3.1.1-r1, upstreams=1)
[0031] DEBUG ├── vuln="CVE-2023-2975" matchers=[apk-matcher]
[0031] DEBUG └── vuln="CVE-2023-3446" matchers=[apk-matcher]
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=libssl3, version=3.1.1-r1, upstreams=1)
[0031] DEBUG found 2 vulnerabilities for pkg=Pkg(type=apk, name=libssl3, version=3.1.1-r1, upstreams=1)
[0031] DEBUG ├── vuln="CVE-2023-2975" matchers=[apk-matcher]
[0031] DEBUG └── vuln="CVE-2023-3446" matchers=[apk-matcher]
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=musl, version=1.2.4-r0, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=musl-utils, version=1.2.4-r0, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=scanelf, version=1.3.7-r1, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=ssl_client, version=1.36.1-r0, upstreams=1)
[0031] DEBUG searching for vulnerability matches for pkg=Pkg(type=apk, name=zlib, version=1.2.13-r1, upstreams=1)
[0031]  INFO found 4 vulnerabilities for 15 packages
[0031] DEBUG ├── fixed: 4
[0031] DEBUG └── matched: 4
[0031] DEBUG ├── unknown severity: 4
[0031] DEBUG ├── negligible: 0
[0031] DEBUG ├── low: 0
[0031] DEBUG ├── medium: 0
[0031] DEBUG ├── high: 0
[0031] DEBUG └── critical: 0
```

kzantow commented 1 year ago

Hi @nb044 this has been fixed in Grype v0.64.1. Please upgrade and let us know if you continue to have the issue! I'm going to close for now, as I've tested with the latest Grype release successfully, but if you continue to have problems, we will definitely reopen!

nb044 commented 1 year ago

Thank you @kzantow this is working fine now 👍