anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Survive indexing not accessible files #3286

Open edhinard opened 1 week ago

edhinard commented 1 week ago

What happened: syft crashes when a symlink references a file which is not accessible (under a non-readable dir)

What you expected to happen: syft should continue, ignoring the file as it does for other non-readable ones

Steps to reproduce the issue:

Use the attached docker file:

$ mv Dockerfile.txt Dockerfile
$ docker build -t syftissue .
$ docker run --rm -it syftissue
 ✔ Indexed file system                                                                                                               /tmp
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN unable to access path="/tmp/dir1": open /tmp/dir1: permission denied
unable to get file resolver: unable to create directory resolver: unable to index filesystem path="/tmp/dir1/dir2/file": lstat /tmp/dir1/dir2: permission denied
returned code: 1

Anything else we need to know?: looks like #2645 (but already closed) and #3258 (not exactly the same since the directory is not excluded)

Environment:

Dockerfile.txt
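The failure mode above, as an added example that is not syft's own code and not the attached Dockerfile: a directory walk in Go that meets the same layout (a directory without read/execute permission, a file beneath it, and a symlink from a readable location pointing at that file). The walk records every path it cannot access and keeps going, which is the behaviour the report asks for, instead of returning one fatal "unable to index filesystem" error for the whole source. `IndexTree`, `BuildFixture`, `IndexResult` and the fixture paths (`dir1`, `dir1/dir2/file`, `link`, `ok.txt`) are names chosen here for illustration; the layout mirrors the paths in the report but is constructed by the example itself.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// IndexResult records what a permission-tolerant walk could and could not reach.
type IndexResult struct {
	Indexed []string         // root-relative paths whose metadata was read
	Skipped map[string]error // root-relative paths that were not accessible, with the reason
}

// IndexTree walks root without following symlinks during traversal, then
// resolves each symlink it meets with os.Stat. A permission error on either
// step is recorded in Skipped and the walk continues; only unexpected errors
// abort the index. (Hypothetical walker, not syft's directory resolver.)
func IndexTree(root string) (*IndexResult, error) {
	res := &IndexResult{Skipped: map[string]error{}}
	walk := func(path string, d fs.DirEntry, walkErr error) error {
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		if walkErr != nil {
			// WalkDir reports an unreadable directory by calling us a second
			// time with the ReadDir error. Tolerate EACCES/EPERM, fail otherwise.
			if errors.Is(walkErr, fs.ErrPermission) {
				res.Skipped[rel] = walkErr
				return nil
			}
			return walkErr
		}
		if d.Type()&fs.ModeSymlink != 0 {
			// Follow the link. If its target sits below a directory we cannot
			// traverse, Stat fails with EACCES: skip this entry, keep walking.
			if _, err := os.Stat(path); err != nil {
				if errors.Is(err, fs.ErrPermission) || errors.Is(err, fs.ErrNotExist) {
					res.Skipped[rel] = err
					return nil
				}
				return err
			}
		}
		res.Indexed = append(res.Indexed, rel)
		return nil
	}
	if err := filepath.WalkDir(root, walk); err != nil {
		return nil, fmt.Errorf("unable to index filesystem path=%q: %w", root, err)
	}
	return res, nil
}

// BuildFixture recreates the layout from the report under root (constructed
// here, not taken from the attached Dockerfile): dir1 (mode 000) containing
// dir2/file, a symlink "link" pointing into it, and a readable ok.txt as a
// control. The returned restore func makes dir1 accessible again so the
// tree can be deleted afterwards.
func BuildFixture(root string) (restore func(), err error) {
	dir1 := filepath.Join(root, "dir1")
	if err := os.MkdirAll(filepath.Join(dir1, "dir2"), 0o755); err != nil {
		return nil, err
	}
	if err := os.WriteFile(filepath.Join(dir1, "dir2", "file"), []byte("secret\n"), 0o644); err != nil {
		return nil, err
	}
	if err := os.WriteFile(filepath.Join(root, "ok.txt"), []byte("readable\n"), 0o644); err != nil {
		return nil, err
	}
	if err := os.Symlink(filepath.Join("dir1", "dir2", "file"), filepath.Join(root, "link")); err != nil {
		return nil, err
	}
	if err := os.Chmod(dir1, 0); err != nil {
		return nil, err
	}
	return func() { _ = os.Chmod(dir1, 0o755) }, nil
}

func main() {
	root, err := os.MkdirTemp("", "syft-issue-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	restore, err := BuildFixture(root)
	if err != nil {
		panic(err)
	}
	defer restore() // runs before RemoveAll, so the unreadable dir can be deleted
	res, err := IndexTree(root)
	if err != nil {
		fmt.Println("fatal:", err)
		return
	}
	fmt.Println("indexed:", res.Indexed)
	for p, e := range res.Skipped {
		fmt.Printf("skipped %s: %v\n", p, e)
	}
}
```

Run as a non-root user; root bypasses the mode-000 directory and nothing is skipped. The caveat for anyone relying on the resulting SBOM: tolerating the error keeps the scan alive, but every entry in Skipped is a coverage gap. Surface that list as warnings (as syft already does for the unreadable directory itself) rather than dropping it silently, so a consumer of the SBOM can tell that packages under those paths were never inventoried.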

popey commented 1 week ago

Hi @edhinard - thank you for this issue, and the steps to reproduce it. I have reproduced it here.

docker run --rm -it syftissue
 ✔ Indexed file system                                                                                                                    /tmp
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN unable to access path="/tmp/dir1": open /tmp/dir1: permission denied
unable to get file resolver: unable to create directory resolver: unable to index filesystem path="/tmp/dir1/dir2/file": lstat /tmp/dir1/dir2: permission denied
returned code: 1

Here's the full trace in case anyone needs it.

docker run --rm -it syftissue
[0000]  INFO syft version: 1.13.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  config: ""
  output:
      - syft-table
  format:
      pretty: null
      template:
          path: ""
          legacy: false
      json:
          legacy: false
          pretty: false
      spdx-json:
          pretty: false
      cyclonedx-json:
          pretty: false
      cyclonedx-xml:
          pretty: false
  check-for-app-update: true
  default-catalogers: []
  select-catalogers: []
  package:
      search-unindexed-archives: false
      search-indexed-archives: true
      exclude-binary-overlap-by-ownership: true
  file:
      metadata:
          selection: owned-by-package
          digests:
              - sha1
              - sha256
      content:
          skip-files-above-size: 256000
          globs: []
      executable:
          globs: []
  scope: squashed
  parallelism: 1
  relationships:
      package-file-ownership: true
      package-file-ownership-overlap: true
  compliance:
      missing-name: drop
      missing-version: stub
  enrich: []
  golang:
      search-local-mod-cache-licenses: null
      local-mod-cache-dir: /home/user/go/pkg/mod
      search-remote-licenses: null
      proxy: https://proxy.golang.org,direct
      no-proxy: ""
      main-module-version:
          from-ld-flags: true
          from-contents: true
          from-build-settings: true
  java:
      use-network: null
      use-maven-local-repository: null
      maven-local-repository-dir: /home/user/.m2/repository
      maven-url: https://repo1.maven.org/maven2
      max-parent-recursive-depth: 0
  javascript:
      search-remote-licenses: null
      npm-base-url: ""
  linux-kernel:
      catalog-modules: true
  python:
      guess-unpinned-requirements: false
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  from: []
  platform: ""
  source:
      name: ""
      version: ""
      base-path: ""
      file:
          digests:
              - SHA-256
      image:
          default-pull-source: ""
  exclude: []
  cache:
      dir: /home/user/.cache/syft
      ttl: 7d
[0000] DEBUG checking if a new version of syft is available
[0000] DEBUG no new syft update available
[0000] TRACE looking for matching encoder name=syft-table version=
[0000] TRACE considering format aliases=[json syft] name=syft-json version=16.0.17
[0000] TRACE considering format aliases=[table] name=syft-table version=
[0000] TRACE considering format aliases=[text] name=syft-text version=
[0000] TRACE considering format aliases=[github] name=github-json version=
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.0
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.1
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.2
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.3
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.4
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.5
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.6
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.2
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.3
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.4
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.5
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.6
[0000] TRACE considering format aliases=[] name=spdx-json version=2.2
[0000] TRACE considering format aliases=[] name=spdx-json version=2.3
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.1
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.2
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.3
[0000] TRACE found matching encoder name=syft-table version=
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000] TRACE indexing filetree path=/tmp
[0000]  WARN unable to access path="/tmp/dir1": open /tmp/dir1: permission denied
[0000] TRACE indexing filetree path=/tmp/dir1/dir2/file
[0000] TRACE worker stopped component=eventloop
[0000] TRACE signal exit component=eventloop
unable to get file resolver: unable to create directory resolver: unable to index filesystem path="/tmp/dir1/dir2/file": lstat /tmp/dir1/dir2: permission denied
returned code: 1