aquasecurity / microscanner

Scan your container images for package vulnerabilities with Aqua Security

WARNING: scanning not supported for some part of this image #52

Closed qqilihq closed 4 years ago

qqilihq commented 4 years ago

I see this log output when running the scanner on our image (based on node:12.18.0-alpine):

WARNING: scanning not supported for some part of this image

I cannot find any documentation on what this means. What “part of this image” was not scanned? Can I get some background details about this somewhere?

rflume commented 4 years ago

I'm having the exact same issue, leading to an output of

WARNING: scanning not supported for some part of this image
 {
   "scan_started": {
     "seconds": 1593502015,
     "nanos": 286134981
   },
   "scan_duration": 4,
   "digest": "476aabd3d867d44c9d12499f71d85055d58518867219db0d9786267947b0f7f4",
   "os": "alpine",
   "version": "3.11.6",
   "image_assurance_results": {
     "checks_performed": [
       {
         "policy_id": 1,
         "policy_name": "Default",
         "control": "max_severity",
         "maximum_severity_allowed": "high"
       }
     ]
   },
   "vulnerability_summary": {
     "total": 0,
     "high": 0,
     "medium": 0,
     "low": 0,
     "negligible": 0,
     "sensitive": 0,
     "malware": 0
   },
   "scan_options": {},
   "partial_results": true,
   "initiating_user": "token",
   "data_date": 1543020471,
   "changed_result": false,
   "function_metadata": {}
 }

I'm not sure now if the image really does not contain any vulnerable package or if the scan did not even execute...

danielpacak commented 4 years ago

@jerbia isn't the warning related to some packages which are required by the microscanner binary? We've resolved a similar issue for the Harbor adapter by installing the following packages: https://github.com/aquasecurity/harbor-scanner-aqua/blob/master/Dockerfile#L7

rflume commented 4 years ago

> @jerbia isn't the warning related to some packages which are required by the microscanner binary? We've resolved a similar issue for the Harbor adapter by installing the following packages: https://github.com/aquasecurity/harbor-scanner-aqua/blob/master/Dockerfile#L7

Installing these packages did not solve the issue for me. Also, running microscanner with the --no-verify flag shows the same result.

jerbia commented 4 years ago

@rflume @qqilihq There was a problem with the identification of Alpine 3.11.6 OS packages, therefore you got the message "scanning not supported for some part of this image". Can you try again?

rflume commented 4 years ago

Yes, works for me now!

2020-07-02 16:44:46.582    INFO    Contacting CyberCenter...    {"registry": "", "image": ""}
2020-07-02 16:44:46.743    INFO    CyberCenter connection established    {"registry": "", "image": "", "api_version": "4"}
2020-07-02 16:44:47.046    INFO    Processing results...    {"registry": "", "image": ""}
2020-07-02 16:44:47.198    INFO    Applying image assurance policies...    {"registry": "", "image": ""}
 {
   "scan_started": {
     "seconds": 1593708283,
     "nanos": 940419939
   },
   "scan_duration": 4,
   "digest": "0c40866349ad3cfdb3ee0265dd39a379e53d0b805e924cd7b04a05598b06efe3",
   "os": "alpine",
   "version": "3.11.6",
   "resources": [
     {
       "resource": {
         "format": "npm",
         "path": "/usr/local/lib/node_modules/npm/node_modules/yargs-parser",
         "name": "yargs-parser",
         "version": "9.0.2",
         "cpe": "pkg:/npm:*:yargs-parser:9.0.2",
         "license": "ISC",
         "hash": "sha1:9ccf6a43460fe4ed40a9bb68f48d43b8a68cc077",
         "name_hash": "91e1aa67eb03d0d6c6547f3f171b1996"
       },
       "scanned": true,
       "vulnerabilities": [
         {
           "name": "CVE-2020-7608",
           "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a \"__proto__\" payload.",
           "nvd_score": 4.6,
           "nvd_score_version": "CVSS v2",
           "nvd_vectors": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
           "nvd_severity": "medium",
           "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7608",
           "vendor_score": 4.6,
           "vendor_score_version": "CVSS v2",
           "vendor_vectors": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
           "vendor_severity": "medium",
           "vendor_url": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2",
           "publish_date": "2020-03-16",
           "modification_date": "2020-06-05",
           "fix_version": "18.1.1;13.1.2;15.0.1",
           "solution": "Upgrade package yargs-parser to version 18.1.1;13.1.2;15.0.1 or above.",
           "nvd_score_v3": 5.3,
           "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
           "nvd_severity_v3": "medium",
           "vendor_score_v3": 5.3,
           "vendor_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
           "vendor_severity_v3": "medium"
         }
       ]
     }
   ],
   "image_assurance_results": {
     "checks_performed": [
       {
         "policy_id": 1,
         "policy_name": "Default",
         "control": "max_severity",
         "maximum_severity_allowed": "high",
         "maximum_severity_found": "medium",
         "maximum_fixable_severity_found": "medium"
       }
     ]
   },
   "vulnerability_summary": {
     "total": 1,
     "high": 0,
     "medium": 1,
     "low": 0,
     "negligible": 0,
     "sensitive": 0,
     "malware": 0,
     "score_average": 4.6,
     "max_score": 4.6,
     "max_fixable_score": 4.6,
     "max_fixable_severity": "medium"
   },
   "scan_options": {},
   "initiating_user": "token",
   "data_date": 1593648551,
   "changed_result": false,
   "function_metadata": {}
 }

Thanks for the support!

qqilihq commented 4 years ago

@jerbia Works great. Thank you so much!
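
A CI gate that refuses to treat the first report in this thread as a clean result, as an added example that is not part of the thread or of microscanner itself. The field names and values come from the two reports posted above; the meaning given to `data_date`, the 30-day threshold and the severity comparison are assumptions.

```python
import json

# Trimmed copies of the two reports posted in this thread (only the fields read below).
FAILED_RUN = json.loads("""{
  "scan_started": {"seconds": 1593502015},
  "vulnerability_summary": {"total": 0, "high": 0, "medium": 0, "low": 0},
  "partial_results": true,
  "data_date": 1543020471
}""")
FIXED_RUN = json.loads("""{
  "scan_started": {"seconds": 1593708283},
  "vulnerability_summary": {"total": 1, "high": 0, "medium": 1, "low": 0},
  "data_date": 1593648551
}""")

SEVERITIES = ["negligible", "low", "medium", "high"]  # ascending
MAX_DATA_AGE_DAYS = 30  # hypothetical threshold


def assess_scan(report, max_allowed="high"):
    """Return (verdict, reasons); verdict is 'pass', 'fail' or 'incomplete'."""
    reasons = []
    # A partial report cannot show the image is clean, whatever the counts say.
    if report.get("partial_results"):
        reasons.append("partial_results is true: part of the image was not scanned")
    # Assumption: data_date is the epoch timestamp of the vulnerability data used.
    started = report.get("scan_started", {}).get("seconds")
    data_date = report.get("data_date")
    if started is None or data_date is None:
        reasons.append("scan_started or data_date is missing")
    elif (started - data_date) // 86400 > MAX_DATA_AGE_DAYS:
        age = (started - data_date) // 86400
        reasons.append(f"vulnerability data is {age} days older than the scan")
    if reasons:
        return "incomplete", reasons
    # Assumption: severities strictly above max_allowed fail the gate.
    summary = report.get("vulnerability_summary", {})
    above = SEVERITIES[SEVERITIES.index(max_allowed) + 1:]
    found = [f"{summary[s]} {s}" for s in above if summary.get(s, 0) > 0]
    return ("fail", found) if found else ("pass", [])


if __name__ == "__main__":
    for name, report in (("failed run", FAILED_RUN), ("fixed run", FIXED_RUN)):
        print(name, assess_scan(report))
```

In a pipeline, an `incomplete` verdict should break the build the same way `fail` does, so that a zero count from an unscanned image never passes as clean.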