containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

Skopeo inspect fails if Image-Repository (Sonatype Nexus) returns 'null' Tag #2409

Open timbocau opened 2 weeks ago

timbocau commented 2 weeks ago

We use Sonatype Nexus as our image repository. When calling the tags/list endpoint for some images, a null tag is returned:

{
    "name": "imagename",
    "tags": [
        null,
        "1.0.0-1",
        "1.0.0-10",
        "1.0.0-11",
        "1.0.0-12",
[...]

This causes skopeo inspect to fail with the error "Error determining repository tags: registry returned invalid tag \"\": invalid tag format".

Running the following command produces the output below:

skopeo --debug inspect docker://my-nexus.mydomain/my-image:1.0.1-3

...
time="2024-08-27T14:30:44+02:00" level=debug msg="GET https://my-nexus.mydomain/my-image/tags/list"
time="2024-08-27T14:31:04+02:00" level=fatal msg="Error determining repository tags: registry returned invalid tag \"\": invalid tag format"

The error occurs with skopeo versions 1.14.4 and newer. With skopeo versions 1.14.3 and older (I did not test all older versions) the error does not occur.

Is this a bug or a feature?

mtrmac commented 2 weeks ago

Thanks for reaching out.

I think this is primarily a bug in the server: the spec at https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-tags shows the values as strings, and null is not that. Also, the “… as a tag” case in https://github.com/opencontainers/distribution-spec/blob/main/spec.md#pulling-manifests contains a regular expression which requires a tag to be non-empty text; neither null (nor the "" value Go parses it as) is valid.

Skopeo 1.14.4’s code has, as a part of fixing CVE-2024-3727, started rejecting invalid tag values, so that further uses of the tag can avoid unexpected behavior.

Ideally, this should be fixed in the server’s implementation.

That said, we have already added one workaround for a registry returning unexpected values, so I guess we can add one more…
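To make the two behaviours discussed above concrete, here is an added Go example (written for this page; it is not code from skopeo or containers/image, and it does not reproduce the change in containers/image#2544). It decodes a tags/list body in which a null entry becomes the Go empty string, checks each entry against the tag grammar from the OCI distribution spec, and contrasts a strict parser that fails on the first bad entry with a lenient one that drops empty entries but still refuses any other malformed tag. The sample response body is constructed to resemble the one quoted in the issue, not captured from a real Nexus server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// tagRegexp is the tag grammar from the OCI distribution spec section on
// pulling manifests: one character from [a-zA-Z0-9_] followed by at most 127
// characters from [a-zA-Z0-9._-]. An empty string cannot match it.
var tagRegexp = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$`)

// tagList mirrors the body of GET /v2/<name>/tags/list.
// encoding/json leaves a string element at its zero value when it meets a
// JSON null, so a null inside "tags" surfaces as "", which is the "" quoted
// in the issue's error message.
type tagList struct {
	Name string   `json:"name"`
	Tags []string `json:"tags"`
}

// parseTagsStrict fails on the first tag that violates the grammar. This is
// the strict behaviour the issue reports for skopeo 1.14.4 and newer.
func parseTagsStrict(body []byte) ([]string, error) {
	var tl tagList
	if err := json.Unmarshal(body, &tl); err != nil {
		return nil, fmt.Errorf("decoding tags/list: %w", err)
	}
	for _, t := range tl.Tags {
		if !tagRegexp.MatchString(t) {
			return nil, fmt.Errorf("registry returned invalid tag %q: invalid tag format", t)
		}
	}
	return tl.Tags, nil
}

// parseTagsLenient shows the shape a client-side workaround could take
// (an illustration for this page, not the change in containers/image#2544):
// entries that decode to "" (a JSON null) are dropped and counted, while any
// other malformed tag is still an error, so nothing that fails the grammar is
// ever handed to code that builds a reference from it.
func parseTagsLenient(body []byte) (tags []string, skipped int, err error) {
	var tl tagList
	if err = json.Unmarshal(body, &tl); err != nil {
		return nil, 0, fmt.Errorf("decoding tags/list: %w", err)
	}
	for _, t := range tl.Tags {
		if t == "" {
			skipped++
			continue
		}
		if !tagRegexp.MatchString(t) {
			return nil, 0, fmt.Errorf("registry returned invalid tag %q: invalid tag format", t)
		}
		tags = append(tags, t)
	}
	return tags, skipped, nil
}

// sampleNexusBody is a constructed response modelled on the one quoted in the
// issue; it is not captured from a real Nexus server.
const sampleNexusBody = `{"name":"imagename","tags":[null,"1.0.0-1","1.0.0-10","1.0.0-11"]}`

func main() {
	if _, err := parseTagsStrict([]byte(sampleNexusBody)); err != nil {
		fmt.Println("strict:", err)
	}
	tags, skipped, err := parseTagsLenient([]byte(sampleNexusBody))
	fmt.Printf("lenient: tags=%v skipped=%d err=%v\n", tags, skipped, err)
}
```

The lenient variant deliberately skips only the empty string: tolerating a server quirk is different from accepting arbitrary tag text, and a tag that fails the grammar for any other reason (a leading "-", more than 128 characters) is still rejected before it can be used to build a reference.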

timbocau commented 2 weeks ago

Thanks for your reply.

I agree that this is mainly caused by a bug in the server implementation. I was just wondering what's different between 1.14.3 and 1.14.4.

Actually, we found a workaround for that problem. As we do not need the tag list, we added the -n parameter to the skopeo inspect command to suppress processing of the tag list, and the command succeeds although the tag list still contains invalid null values.

For others who want to process the tag list, a workaround in the skopeo implementation to handle null values in the tag list would surely be helpful.

mtrmac commented 2 weeks ago

@timbocau would you be able to confirm that https://github.com/containers/image/pull/2544 fixes the failure?

Also, could you identify the specific version of the server that exhibits this behavior for you, please?

timbocau commented 2 weeks ago

@mtrmac Although I am not an expert in the Go programming language, I would confirm that https://github.com/containers/image/pull/2544 fixes the failure.

We are using Nexus 3.58 OSS. We posted a question in the Nexus community, too: https://community.sonatype.com/t/tags-list-yields-null-as-first-tag/13117