Open knqyf263 opened 3 weeks ago
I'm getting this same error, pointing me at this Issue, despite the fact that the image DOES contain /root/buildinfo/content_manifests and was created in 2024.
green@fedora:~/ctest$ trivy image registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1725667424
2024-09-21T07:45:26-04:00 INFO [vuln] Vulnerability scanning is enabled
2024-09-21T07:45:26-04:00 INFO [secret] Secret scanning is enabled
2024-09-21T07:45:26-04:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-21T07:45:26-04:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-21T07:45:32-04:00 INFO Detected OS family="redhat" version="8.10"
2024-09-21T07:45:32-04:00 INFO [redhat] Detecting RHEL/CentOS vulnerabilities... os_version="8" pkg_num=375
2024-09-21T07:45:32-04:00 FATAL Fatal error image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: unable to scan OS packages: failed vulnerability detection of OS packages: failed detection: redhat vulnerability detection error: failed to get Red Hat advisories: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details
@DmitriyLewen Can you please take a look?
Hello @atgreen
It looks like the content_manifests file contains unknown repositories.
Unfortunately, I don't have access to this image.
Can you send me the /root/buildinfo/content_manifests/*.json file from this image?
UPD.
But Pyxis shows correct content sets:
➜ curl -X 'GET' \
'https://catalog.redhat.com/api/containers/v1/images/id/66db9ee0a82efda2c54a9ec6' \
-H 'accept: application/json' | jq .content_sets
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 47900 100 47900 0 0 66602 0 --:--:-- --:--:-- --:--:-- 66527
[
"rhel-8-for-aarch64-baseos-rpms",
"rhel-8-for-aarch64-appstream-rpms"
]
It looks like several files contain incorrect content_sets:
====== /root/buildinfo/content_manifests/openshift-base-rhel8-container-v4.14.0-202408260910.p0.gf020942.assembly.stream.el8.json ======
{
...
"content_sets": [
"rhel-8-for-x86_64-appstream-rpms__8",
"rhel-8-for-x86_64-baseos-rpms__8"
]
}
====== /root/buildinfo/content_manifests/openshift-enterprise-base-container-v4.14.0-202408260910.p0.g03e5f40.assembly.stream.el8.json ======
{
...
"content_sets": [
"rhel-8-for-x86_64-appstream-rpms__8",
"rhel-8-for-x86_64-baseos-rpms__8"
]
}
====== /root/buildinfo/content_manifests/openshift-enterprise-cli-container-v4.14.0-202408260910.p0.g44b3ac2.assembly.stream.el8.json ======
{
...
"content_sets": [
"rhel-8-for-x86_64-appstream-rpms__8",
"rhel-8-for-x86_64-baseos-rpms__8"
]
}
====== /root/buildinfo/content_manifests/openshift-jenkins-2-container-v4.14.0-1725667424.json ======
{
...
"content_sets": [
"rhel-8-for-x86_64-baseos-rpms",
"rhel-8-for-x86_64-appstream-rpms"
]
}
====== /root/buildinfo/content_manifests/ubi8-container-8.10-901.1717584420.json ======
{
...
"content_sets": [
"rhel-8-for-x86_64-baseos-rpms",
"rhel-8-for-x86_64-appstream-rpms"
],
"image_contents": []
}
rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms are correct (see output of Pyxis).
rhel-8-for-x86_64-appstream-rpms__8 and rhel-8-for-x86_64-baseos-rpms__8 are wrong.
@knqyf263 you have more experience in this matter. I have 2 questions:
1. IIUC /root/buildinfo/content_manifests should contain one manifest file. Is it correct that this directory contains more than 1 file?
2. content_sets from these files?
https://github.com/aquasecurity/trivy/blob/37d549e5b86a1c5dce6710fbfd2310aec9abe949/pkg/fanal/analyzer/analyzer.go#L294-L296

> IIUC /root/buildinfo/content_manifests should contain one manifest file. Is it correct that this directory contains more than 1 file?
My understanding is that there should only be one file per layer. However, the image as a whole may contain multiple files. Therefore, it is necessary to look up the appropriate buildinfo for each package. https://github.com/aquasecurity/trivy/blob/37d549e5b86a1c5dce6710fbfd2310aec9abe949/pkg/fanal/applier/docker.go#L53-L76
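Since an image can carry several content manifests (one per layer) and only some of them have the bad "__8"-suffixed content sets, it helps to triage every manifest before opening a report. The script below is an added example, not trivy's own code: it walks a copy of /root/buildinfo/content_manifests, checks each content set against the rhel-<major>-for-<arch>-<repo>-rpms shape seen in this thread, and flags names with a "__N" tail or with an architecture that does not match the image. The "canonical" name it proposes simply strips the tail, which is an assumption drawn from the Pyxis listing above, not a normalisation trivy performs. The embedded sample manifests are constructed for the demo and modelled on the ones quoted earlier.

```python
"""Triage Red Hat content manifests copied out of a container image.

Added example; not part of trivy. Assumes each manifest is a JSON document
with a top-level "content_sets" list, as in the files quoted in the thread.
"""
import json
import re
import sys
from pathlib import Path

# Name shape seen in the thread. The optional "__N" tail is the form that
# Pyxis does not list and that the CPE lookup fails on.
CONTENT_SET_RE = re.compile(
    r"^rhel-(?P<major>\d+)-for-(?P<arch>[a-z0-9_]+)-(?P<repo>[a-z0-9-]+)-rpms"
    r"(?P<suffix>__\d+)?$"
)


def check_content_set(name, image_arch):
    """Return (verdict, canonical_name) for one content set.

    verdict is "ok", "suffix", "arch", "suffix+arch" or "unrecognized".
    canonical_name drops the "__N" tail; that it is the right fix is an
    assumption based on the Pyxis output in the thread.
    """
    m = CONTENT_SET_RE.match(name)
    if m is None:
        return "unrecognized", name
    problems = []
    if m["suffix"]:
        problems.append("suffix")
    if m["arch"] != image_arch:
        problems.append("arch")
    canonical = name[: -len(m["suffix"])] if m["suffix"] else name
    return ("+".join(problems) or "ok"), canonical


def triage_manifest(text, image_arch):
    """Parse one manifest document; return [(name, verdict, canonical), ...]."""
    doc = json.loads(text)
    sets = doc.get("content_sets") or []
    return [(cs, *check_content_set(cs, image_arch)) for cs in sets]


def triage_dir(path, image_arch):
    """Walk a content_manifests directory copied out of the image."""
    results = {}
    for f in sorted(Path(path).glob("*.json")):
        results[f.name] = triage_manifest(f.read_text(), image_arch)
    return results


# Constructed sample manifests, modelled on the ones quoted in the thread.
SAMPLE_MANIFESTS = {
    "openshift-base-rhel8-container.json": json.dumps({
        "content_sets": ["rhel-8-for-x86_64-appstream-rpms__8",
                         "rhel-8-for-x86_64-baseos-rpms__8"]}),
    "openshift-jenkins-2-container.json": json.dumps({
        "content_sets": ["rhel-8-for-x86_64-baseos-rpms",
                         "rhel-8-for-x86_64-appstream-rpms"]}),
    "ubi8-container.json": json.dumps({
        "content_sets": ["rhel-8-for-x86_64-baseos-rpms",
                         "rhel-8-for-aarch64-appstream-rpms"],
        "image_contents": []}),
}


def triage_samples(image_arch="x86_64"):
    """Run the check over the constructed samples (used when no dir is given)."""
    return {name: triage_manifest(text, image_arch)
            for name, text in SAMPLE_MANIFESTS.items()}


def report(results):
    """Print one section per manifest; return the number of flagged sets."""
    bad = 0
    for fname, rows in results.items():
        print(f"====== {fname} ======")
        for name, verdict, canonical in rows:
            flag = "" if verdict == "ok" else f"  <-- {verdict}, try {canonical}"
            print(f"  {name}{flag}")
            bad += verdict != "ok"
    return bad


if __name__ == "__main__":
    # usage: triage.py <content_manifests dir> <image arch>
    if len(sys.argv) == 3:
        res = triage_dir(sys.argv[1], sys.argv[2])
    else:
        res = triage_samples()
    sys.exit(1 if report(res) else 0)
```

To run it against a real image, copy the directory out first (for example with docker create followed by docker cp, or by cat-ing each file through the image's entrypoint as done later in this thread) and pass the image's architecture; the exit status is non-zero when any manifest needs attention.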
This is the content set we have used in our config.
aarch64:
- rhel-8-for-aarch64-baseos-rpms
- rhel-8-for-aarch64-appstream-rpms
ppc64le:
- rhel-8-for-ppc64le-baseos-rpms
- rhel-8-for-ppc64le-appstream-rpms
s390x:
- rhel-8-for-s390x-baseos-rpms
- rhel-8-for-s390x-appstream-rpms
x86_64:
- rhel-8-for-x86_64-baseos-rpms
- rhel-8-for-x86_64-appstream-rpms
@sayan-biswas Thanks for sharing. We see some content sets, like rhel-8-for-x86_64-appstream-rpms__8. Is it legitimate or a mistake?
$ docker run --rm -it --entrypoint cat registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:b142a2461dcf8bc50cc6311808867c38a3de45c82145df648d34d37a75496d0f -- /root/buildinfo/content_manifests/openshift-enterprise-base-container-v4.15.0-202408260908.p0.g27f1695.assembly.stream.el8.json | jq .content_sets
[
"rhel-8-for-aarch64-appstream-rpms__8",
"rhel-8-for-aarch64-baseos-rpms__8"
]
Description:
We've identified an issue in our scanning process for Red Hat container images.
Problem:
Scanning fails for Red Hat container images that meet both of these criteria:
Root cause:
These older images lack /root/buildinfo/content_manifests, requiring NVR-to-CPE conversion. Our current NVR-to-CPE mapping only includes amd64 architectures.
Impact:
Incomplete vulnerability scanning for affected images