Open mathrock opened 10 months ago
If I'm understanding correctly, if there is an infinite symlink within a dir, and it's halfway through the entries in a directory, then we're not reading the remaining entries in the directory. There may be more cases here I haven't considered. This is the part of the code we should scrutinize further: https://github.com/anchore/stereoscope/blob/50ce3be7aa1fb8829234ae648215e7907196bfa5/pkg/filetree/depth_first_path_walker.go#L90-L93
@kzantow you pointed out this might play into the known-unknowns work in syft https://github.com/anchore/syft/issues/518 -- specifically noting that there could be symlink loops that are occluding a catalogable part of the filetree.
What happened: We recently came across an image where a user had accidentally created a symlink loop within their container image. This resulted in the image failing both syft and grype scans.
This could be used by an attacker or developer who wants to hide vulnerabilities through malicious compliance. By generating a symlink loop, syft/grype will error and fail to output results. If scan errors are not closely monitored the image could avoid detection.
What you expected to happen: Malformed symlinks should be logged, but allow the rest of the syft or grype scans to complete.
How to reproduce it (as minimally and precisely as possible): Using the old, known-vulnerable image webgoat/webgoat-8.0:latest, grype shows a bunch of vulns:
Build a downstream image and create a symlink loop in a cataloged binary, /usr/bin/xz for example:
Syft error:
Grype error:
Anything else we need to know?:
This issue was validated on latest syft/grype versions:
Environment:
OS (e.g. cat /etc/os-release or similar): REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7" REDHAT_BUGZILLA_PRODUCT_VERSION=7.9 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="7.9"
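The walker behaviour asked for above (log the bad symlink, keep reading the rest of the directory so the scan still completes), as an added example written for this page rather than stereoscope's own depth_first_path_walker.go: a minimal depth-first walk that records symlink loops in a Loops list instead of aborting, so a loop halfway through a directory does not hide the remaining entries. WalkResult, Walk and walk are hypothetical names.

```go
package main

import (
	"os"
	"path/filepath"
)

// WalkResult holds the regular files reached and the paths skipped
// because following them would never terminate.
type WalkResult struct {
	Files []string
	Loops []string
}

// Walk descends from root depth-first. A symlink loop is recorded in
// Loops and skipped; the rest of its directory is still read, instead
// of the whole walk (and therefore the whole scan) failing.
func Walk(root string) (*WalkResult, error) {
	res := &WalkResult{}
	return res, walk(root, map[string]bool{}, res)
}

func walk(dir string, ancestors map[string]bool, res *WalkResult) error {
	resolved, err := filepath.EvalSymlinks(dir)
	if err != nil || ancestors[resolved] { // ELOOP, dangling, or a link back up the chain
		res.Loops = append(res.Loops, dir)
		return nil
	}
	ancestors[resolved] = true
	defer delete(ancestors, resolved)
	entries, err := os.ReadDir(dir)
	if err != nil {
		return err
	}
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		info, err := os.Stat(p) // follows links; fails with ELOOP on a cycle
		if err != nil {
			res.Loops = append(res.Loops, p)
			continue // the remaining siblings are still cataloged
		}
		if !info.IsDir() {
			res.Files = append(res.Files, p)
		} else if err := walk(p, ancestors, res); err != nil {
			return err
		}
	}
	return nil
}
```

Loops is the list a scanner would surface in its "unknowns" output, so a failed or missing scan result is visible rather than silent.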