aquasecurity / trivy-db

Apache License 2.0

Scanning failure for non-amd64 Red Hat images created before June 2020 #435

Open knqyf263 opened 3 weeks ago

knqyf263 commented 3 weeks ago

Description:

We've identified an issue in our scanning process for Red Hat container images.

Problem

Scanning fails for Red Hat container images that meet both of these criteria:

Root cause:

These older images lack /root/buildinfo/content_manifests, requiring NVR-to-CPE conversion. Our current NVR-to-CPE mapping only includes amd64 architectures.

Impact

Incomplete vulnerability scanning for affected images

atgreen commented 1 week ago

I'm getting this same error, pointing me at this Issue, despite the fact that the image DOES contain /root/buildinfo/content_manifests and was created in 2024.

green@fedora:~/ctest$ trivy image registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1725667424
2024-09-21T07:45:26-04:00   INFO    [vuln] Vulnerability scanning is enabled
2024-09-21T07:45:26-04:00   INFO    [secret] Secret scanning is enabled
2024-09-21T07:45:26-04:00   INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-21T07:45:26-04:00   INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-21T07:45:32-04:00   INFO    Detected OS family="redhat" version="8.10"
2024-09-21T07:45:32-04:00   INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...   os_version="8" pkg_num=375
2024-09-21T07:45:32-04:00   FATAL   Fatal error image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: unable to scan OS packages: failed vulnerability detection of OS packages: failed detection: redhat vulnerability detection error: failed to get Red Hat advisories: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details

knqyf263 commented 5 days ago

@DmitriyLewen Can you please take a look?

DmitriyLewen commented 5 days ago

Hello @atgreen, it looks like the content_manifests file contains unknown repositories.

Unfortunately, I don't have access to this image.

Can you send me the /root/buildinfo/content_manifests/*.json file from this image?

UPD. But Pyxis shows correct content sets:

➜ curl -X 'GET' \
  'https://catalog.redhat.com/api/containers/v1/images/id/66db9ee0a82efda2c54a9ec6' \
  -H 'accept: application/json' | jq .content_sets
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 47900  100 47900    0     0  66602      0 --:--:-- --:--:-- --:--:-- 66527
[
  "rhel-8-for-aarch64-baseos-rpms",
  "rhel-8-for-aarch64-appstream-rpms"
]

atgreen commented 5 days ago

out.txt

DmitriyLewen commented 5 days ago

It looks like several files contain incorrect content_sets:

====== /root/buildinfo/content_manifests/openshift-base-rhel8-container-v4.14.0-202408260910.p0.gf020942.assembly.stream.el8.json ======
{
    ...
    "content_sets": [
        "rhel-8-for-x86_64-appstream-rpms__8",
        "rhel-8-for-x86_64-baseos-rpms__8"
    ]
}
====== /root/buildinfo/content_manifests/openshift-enterprise-base-container-v4.14.0-202408260910.p0.g03e5f40.assembly.stream.el8.json ======
{
    ...
    "content_sets": [
        "rhel-8-for-x86_64-appstream-rpms__8",
        "rhel-8-for-x86_64-baseos-rpms__8"
    ]
}
====== /root/buildinfo/content_manifests/openshift-enterprise-cli-container-v4.14.0-202408260910.p0.g44b3ac2.assembly.stream.el8.json ======
{
    ...
    "content_sets": [
        "rhel-8-for-x86_64-appstream-rpms__8",
        "rhel-8-for-x86_64-baseos-rpms__8"
    ]
}
====== /root/buildinfo/content_manifests/openshift-jenkins-2-container-v4.14.0-1725667424.json ======
{
    ...
    "content_sets": [
        "rhel-8-for-x86_64-baseos-rpms",
        "rhel-8-for-x86_64-appstream-rpms"
    ]
}
====== /root/buildinfo/content_manifests/ubi8-container-8.10-901.1717584420.json ======
{
    ...
    "content_sets": [
        "rhel-8-for-x86_64-baseos-rpms",
        "rhel-8-for-x86_64-appstream-rpms"
    ],
    "image_contents": []
}

rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms are correct (see output of Pyxis). rhel-8-for-x86_64-appstream-rpms__8 and rhel-8-for-x86_64-baseos-rpms__8 are wrong.

@knqyf263 you have more experience in this matter. I have 2 questions:

knqyf263 commented 5 days ago

IIUC /root/buildinfo/content_manifests should contain one manifest file. Is it correct that this directory contains more than 1 file?

My understanding is that there should only be one file per layer. However, the image as a whole may contain multiple files. Therefore, it is necessary to look up the appropriate buildinfo for each package. https://github.com/aquasecurity/trivy/blob/37d549e5b86a1c5dce6710fbfd2310aec9abe949/pkg/fanal/applier/docker.go#L53-L76

sayan-biswas commented 5 days ago

This is the content set we have used in our config.

aarch64:
- rhel-8-for-aarch64-baseos-rpms
- rhel-8-for-aarch64-appstream-rpms
ppc64le:
- rhel-8-for-ppc64le-baseos-rpms
- rhel-8-for-ppc64le-appstream-rpms
s390x:
- rhel-8-for-s390x-baseos-rpms
- rhel-8-for-s390x-appstream-rpms
x86_64:
- rhel-8-for-x86_64-baseos-rpms
- rhel-8-for-x86_64-appstream-rpms

knqyf263 commented 5 days ago

@sayan-biswas Thanks for sharing. We see some content sets, like rhel-8-for-x86_64-appstream-rpms__8. Is it legitimate or a mistake?

$ docker run --rm -it --entrypoint cat registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:b142a2461dcf8bc50cc6311808867c38a3de45c82145df648d34d37a75496d0f -- /root/buildinfo/content_manifests/openshift-enterprise-base-container-v4.15.0-202408260908.p0.g27f1695.assembly.stream.el8.json | jq .content_sets
[
  "rhel-8-for-aarch64-appstream-rpms__8",
  "rhel-8-for-aarch64-baseos-rpms__8"
]
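
A small diagnostic for the situation this thread describes, added here as an example and not code from trivy or trivy-db: it reads every manifest under a content_manifests directory (one per layer, as noted above), checks each content set against the rhel-<major>-for-<arch>-<repo>-rpms naming that Pyxis returned, and reports entries like the "...-rpms__8" ones that have no CPE index. The sample manifests embedded in it are constructed from the values quoted in the thread, and the regex is this example's own assumption about the expected naming.

```python
import glob
import json
import os
import re
import sys
from typing import Dict, List

# Example code, not trivy's. Content sets are expected to look like
# "rhel-8-for-x86_64-baseos-rpms" (assumption based on the Pyxis output
# in the thread); anything else, e.g. a "__8" suffix, is reported.
CONTENT_SET_RE = re.compile(
    r"^rhel-(?P<major>\d+)-for-(?P<arch>x86_64|aarch64|ppc64le|s390x)"
    r"-(?P<repo>baseos|appstream)-rpms$"
)

# Constructed sample mirroring two of the manifests quoted above.
SAMPLE_MANIFESTS = {
    "openshift-base-rhel8-container.json": {
        "content_sets": ["rhel-8-for-x86_64-appstream-rpms__8",
                         "rhel-8-for-x86_64-baseos-rpms__8"]},
    "ubi8-container-8.10.json": {
        "content_sets": ["rhel-8-for-x86_64-baseos-rpms",
                         "rhel-8-for-x86_64-appstream-rpms"],
        "image_contents": []},
}


def load_manifest_dir(path: str) -> Dict[str, dict]:
    """Parse every *.json in a content_manifests directory (one per layer)."""
    manifests = {}
    for fn in sorted(glob.glob(os.path.join(path, "*.json"))):
        with open(fn, encoding="utf-8") as fh:
            manifests[os.path.basename(fn)] = json.load(fh)
    return manifests


def summarize(manifests: Dict[str, dict]) -> Dict[str, List[str]]:
    """Distinct malformed content_sets plus the arches named by valid ones."""
    unknown, archs = set(), set()
    for manifest in manifests.values():
        for cs in manifest.get("content_sets", []):
            m = CONTENT_SET_RE.match(cs)
            if m:
                archs.add(m.group("arch"))
            else:
                unknown.add(cs)
    return {"unknown": sorted(unknown), "archs": sorted(archs)}


if __name__ == "__main__":
    # Pass a directory extracted from the image, or run on the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(summarize(load_manifest_dir(path) if path else SAMPLE_MANIFESTS))
```

Run it against a copy of /root/buildinfo/content_manifests pulled out of the image; a non-empty "unknown" list is the condition that ends in the "unable to find CPE indices" error above.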