chainguard-dev / rumble

Data collection for base image CVEs etc.
Apache License 2.0

Ignore k3s-images:latest #87

Closed luhring closed 1 year ago

luhring commented 1 year ago

It's been failing consistently with:

failed to catalog: could not fetch image "cgr.dev/chainguard/k3s-images:latest": unable to use OciRegistry source: failed to get image descriptor from registry: GET https://cgr.dev/v2/chainguard/k3s-images/manifests/latest: MANIFEST_UNKNOWN: Unknown manifest

(Latest job run: https://github.com/chainguard-dev/rumble/actions/runs/5506740051/jobs/10035870769)

Reproducible with:

$ crane manifest cgr.dev/chainguard/k3s-images:latest
Error: fetching manifest cgr.dev/chainguard/k3s-images:latest: GET https://cgr.dev/v2/chainguard/k3s-images/manifests/latest: MANIFEST_UNKNOWN: Unknown manifest

📣 Feel free to just close this PR if there's a better immediate solution! 😃

jspeed-meyers commented 1 year ago

Thank you, @luhring! Any thoughts from any of the proposed reviewers?

jspeed-meyers commented 1 year ago

I say merge if @joshrwolf says merge. Any objections? Let's merge by 5 PM ET today unless someone speaks up.

joshrwolf commented 1 year ago

For everyone's peace of mind, here is where the image data is being pulled from. Ignoring this image means we avoid double scanning (if grype can even effectively scan this format?)

luhring commented 1 year ago

> (if grype can even effectively scan this format?)

Grype can scan crane-pulled local images (using --formats of either tarball or oci), but it doesn't expect to find images within other images, IIRC.
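
An added example, not code from this PR or from rumble: one way to triage scan-job failures like the one quoted at the top of this thread, so that only references the registry reports as absent become ignore candidates while other registry errors are retried. The function name `triage`, the ignore/retry split, and the `registry.example.test` log line are assumptions made for illustration.

```python
import re

# Registry error codes meaning the reference itself is absent upstream;
# retrying will not help, so the image is a candidate for the ignore list.
MISSING = {"MANIFEST_UNKNOWN", "NAME_UNKNOWN"}

# Matches the failed manifest request and its error code, e.g.
# "GET https://host/v2/<repo>/manifests/<tag-or-digest>: MANIFEST_UNKNOWN: ..."
ERR_RE = re.compile(
    r"GET https://(?P<host>[^/\s]+)/v2/(?P<repo>\S+?)/manifests/"
    r"(?P<ref>sha256:[0-9a-f]{64}|\w[\w.-]*): (?P<code>[A-Z_]+):"
)

SAMPLE = [
    # Failure text as quoted in this thread.
    'failed to catalog: could not fetch image "cgr.dev/chainguard/k3s-images:latest": '
    "unable to use OciRegistry source: failed to get image descriptor from registry: "
    "GET https://cgr.dev/v2/chainguard/k3s-images/manifests/latest: "
    "MANIFEST_UNKNOWN: Unknown manifest",
    # Constructed line: a rate-limit failure, which should not be ignored.
    "failed to catalog: GET https://registry.example.test/v2/team/app/manifests/1.2: "
    "TOOMANYREQUESTS: rate limited",
    # Constructed line: unrelated job output, skipped by the parser.
    "scan finished: 14 images ok",
]


def triage(log_lines):
    """Split failed image refs into 'ignore' (absent upstream) and 'retry'."""
    result = {"ignore": [], "retry": []}
    for line in log_lines:
        m = ERR_RE.search(line)
        if not m:
            continue  # not a registry manifest failure
        # Digest references are written repo@sha256:..., tags repo:tag.
        sep = "@" if m["ref"].startswith("sha256:") else ":"
        image = f'{m["host"]}/{m["repo"]}{sep}{m["ref"]}'
        bucket = "ignore" if m["code"] in MISSING else "retry"
        if image not in result[bucket]:
            result[bucket].append(image)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```
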