docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

could not parse reference #156

Open aep-sunlife opened 2 weeks ago

aep-sunlife commented 2 weeks ago

When I try to scan locally built Docker images with the Docker Scout GUI, I get a security report.

However, when I use the Docker Scout CLI, it crashes with a strange error trace. I think the error handling may be broken.

$ docker images
REPOSITORY                         TAG               IMAGE ID       CREATED          SIZE
SecOps/hello-world-ant             latest            0d023c25ffb5   3 minutes ago    251MB

$ docker scout cves -e SecOps/hello-world-ant

 Display CVEs identified in a software artifact

Usage
  docker scout cves [OPTIONS] [IMAGE|DIRECTORY|ARCHIVE]

Description
The docker scout cves command analyzes a software artifact for vulnerabilities.

If no image is specified, the most recently built image is used.

The following artifact types are supported:

- Images
- OCI layout directories
- Tarball archives, as created by docker save
- Local directory or file
- SPDX file or in-toto attestation file with SPDX predicate

The tool analyzes the provided software artifact, and generates a vulnerability report.

By default, the tool expects an image reference, such as:

- redis
- curlimages/curl:7.87.0
- mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory,
or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

- image:// (default) use a local image, or fall back to a registry lookup
- local:// use an image from the local image store (don't do a registry lookup)
- registry:// use an image from a registry (don't use a local image)
- oci-dir:// use an OCI layout directory
- archive:// use a tarball archive, as created by docker save
- fs:// use a local directory or file
- sbom:// use an SBOM as SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file

Flags
      --details                     Print details on default text output
      --env string                  Name of environment
      --epss                        Display the EPSS scores and organize the package's CVEs according to their EPSS score
      --epss-percentile float32     Exclude CVEs with EPSS scores less than the specified percentile (0 to 1)
      --epss-score float32          Exclude CVEs with EPSS scores less than the specified value (0 to 1)
  -e, --exit-code                   Return exit code '2' if vulnerabilities are detected
      --format string               Output format of the generated vulnerability report:
                                    - packages: default output, plain text with vulnerabilities grouped by packages
                                    - sarif: json Sarif output
                                    - spdx: json SPDX output
                                    - gitlab: json GitLab output
                                    - markdown: markdown output (including some html tags like collapsible sections)
                                    - sbom: json SBOM output
                                     (default "packages")
      --ignore-base                 Filter out CVEs introduced from base image
      --ignore-suppressed           Filter CVEs found in Scout exceptions based on the specified exception scope
      --locations                   Print package locations including file paths and layer diff_id
      --multi-stage                 Show packages from multi-stage Docker builds
      --only-base                   Only show CVEs introduced by the base image
      --only-cisa-kev               Filter to CVEs listed in the CISA KEV catalog
      --only-cve-id strings         Comma separated list of CVE ids (like CVE-2021-45105) to search for
      --only-fixed                  Filter to fixable CVEs
      --only-metric strings         Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by
      --only-package strings        Comma separated regular expressions to filter packages by
      --only-package-type strings   Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
      --only-severity strings       Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
      --only-stage strings          Comma separated list of multi-stage Docker build stage names
      --only-unfixed                Filter to unfixed CVEs
      --only-vex-affected           Filter CVEs by VEX statements with status not affected
      --only-vuln-packages          When used with --format=only-packages ignore packages with no vulnerabilities
      --org string                  Namespace of the Docker organization
  -o, --output string               Write the report to a file
      --platform string             Platform of image to analyze
      --ref string                  Reference to use if the provided tarball contains multiple references.
                                    Can only be used with archive
      --vex-author strings          List of VEX statement authors to accept
      --vex-location strings        File location of directory or file containing VEX statements

Examples
  Display vulnerabilities for the most recently built image
  $ docker scout cves

  Display vulnerabilities grouped by package
  $ docker scout cves alpine

  Display vulnerabilities from a docker save tarball
  $ docker save alpine > alpine.tar
  $ docker scout cves archive://alpine.tar

  Display vulnerabilities from an OCI directory
  $ skopeo copy --override-os linux docker://alpine oci:alpine
  $ docker scout cves oci-dir://alpine

  Display vulnerabilities from the current directory
  $ docker scout cves fs://.

  Export vulnerabilities to a SARIF JSON file
  $ docker scout cves --format sarif --output alpine.sarif.json alpine

  Markdown output, including HTML tags. To be used in Pull Request comments for instance.
  $ docker scout cves --format markdown alpine

  List all Go packages of the image that are vulnerable
  $ docker scout cves --format only-packages --only-package-type golang --only-vuln-packages golang:1.18.0

  List vulnerabilities from an SPDX file
  $ syft -o spdx-json alpine | docker scout cves sbom://

Learn More
  Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/

Report Issues
  Raise bugs and feature requests at https://github.com/docker/scout-cli/issues

Send Feedback
  Send feedback with docker feedback

ERROR   Status: could not parse reference: SecOps/hello-world-ant, Code: 1

Also tried using the option to scan the most recently built image:

$ docker scout cves
    ✓ SBOM of image already cached, 201 packages indexed
ERROR   Status: could not apply VEX statements: could not parse image name: could not parse reference: SecOps/hello-world-ant, Code: 1

Tried configuring export DOCKER_DEFAULT_PLATFORM='linux/amd64'.

Tried explicitly providing --platform linux/amd64

Tried rebuilding the image without the SecOps/ prefix.

Tried referencing the image with an explicit :latest tag suffix.

Tried removing the -e option for meaningful exit codes.

Tried macOS and Windows.

Tried Docker Scout 14 and Docker Scout 15.

Tried relaunching Docker.

Tried docker system prune -f.

No change in behavior.

mcandre commented 2 weeks ago

To clarify, the image is built with conventional docker build -t <name> . commands, no special sauce.

cdupuis commented 4 days ago

@mcandre, this is another issue with the different interpretations of the OCI spec. While docker build supports creating images with names like SecOps/hello-world-ant, other commands don't support them. Those names are not compatible with the OCI spec, which is why this is failing in one of our dependencies. If you can lowercase the namespace part of your image name, it will work.

More oddities, when trying to pull this image:

❯ docker pull SecOps/hello-world-ant
Using default tag: latest
Error response from daemon: failed to resolve reference "SecOps/hello-world-ant:latest": failed to do request: Head "https://SecOps/v2/hello-world-ant/manifests/latest": dialing SecOps:443 container via direct connection because  has no HTTPS proxy: connecting to SecOps:443: dial tcp: lookup SecOps: no such host

mcandre commented 4 days ago

Interesting.

Please apply validation, with a message indicating that the requested image name uses nonportable characters, with a URL to some documentation on standardized image names.
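As an added example (not code from the Scout CLI, Docker, or anyone in this thread), the Go program below is a stand-alone reference parser that validates the repository-name, tag and digest grammar from the OCI distribution spec and emits the kind of message asked for above: which part of the name is wrong, what the rule is, and a link to the spec. The regular expressions follow the spec's published grammar. `DockerSplitDomain` models the behaviour visible in the `docker pull` output above, where a first segment that is not lowercase is taken to be a registry host; that it mirrors the exact rule in Docker's reference-normalisation library is my assumption. The function names, the `specURL` constant and the 64-character digest in the test input are my own choices, not part of the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// specURL is where the validation message points the user (OCI distribution spec).
const specURL = "https://github.com/opencontainers/distribution-spec/blob/main/spec.md"

var (
	// Repository name grammar from the OCI distribution spec: lowercase components
	// joined by "/", with ".", "_", "__" or one or more "-" allowed inside a component.
	repoNameRe = regexp.MustCompile(`^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$`)
	// Tags may mix case; digests are "<algorithm>:<hex>".
	tagRe    = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$`)
	digestRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}$`)
	// Registry hosts are DNS names (case-insensitive) with an optional port.
	domainRe = regexp.MustCompile(`^[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)*(?::[0-9]+)?$`)
)

// Reference is the parsed form of "[domain/]path[:tag][@digest]".
type Reference struct {
	Domain string // registry host; empty means the default registry
	Path   string // repository path; must be lowercase
	Tag    string
	Digest string
}

// isHost is the strict rule: the first segment is a registry host only if it
// contains '.' or ':' or is exactly "localhost".
func isHost(first string) bool {
	return strings.ContainsAny(first, ".:") || first == "localhost"
}

// DockerSplitDomain models what the `docker pull` output above shows: a first
// segment that is not lowercase is also taken as a registry host, so
// "SecOps/hello-world-ant" becomes host "SecOps", repository "hello-world-ant".
// (Assumption: this mirrors the normalisation rule in Docker's reference library.)
func DockerSplitDomain(name string) (domain, remainder string) {
	i := strings.IndexByte(name, '/')
	if i < 0 {
		return "", name
	}
	first := name[:i]
	if isHost(first) || strings.ToLower(first) != first {
		return first, name[i+1:]
	}
	return "", name
}

// Parse validates a reference against the spec grammar. On failure it names the
// offending part, states the rule and links the spec.
func Parse(s string) (Reference, error) {
	var ref Reference
	rest := s
	if at := strings.IndexByte(rest, '@'); at >= 0 {
		ref.Digest, rest = rest[at+1:], rest[:at]
		if !digestRe.MatchString(ref.Digest) {
			return ref, fmt.Errorf("invalid digest %q in %q (see %s)", ref.Digest, s, specURL)
		}
	}
	ref.Path = rest
	if i := strings.IndexByte(rest, '/'); i >= 0 && isHost(rest[:i]) {
		ref.Domain, ref.Path = rest[:i], rest[i+1:]
		if !domainRe.MatchString(ref.Domain) {
			return ref, fmt.Errorf("invalid registry host %q in %q (see %s)", ref.Domain, s, specURL)
		}
	}
	// With the host (and its port) removed, any remaining ':' separates the tag.
	if c := strings.LastIndexByte(ref.Path, ':'); c >= 0 {
		ref.Tag, ref.Path = ref.Path[c+1:], ref.Path[:c]
		if !tagRe.MatchString(ref.Tag) {
			return ref, fmt.Errorf("invalid tag %q in %q (see %s)", ref.Tag, s, specURL)
		}
	}
	if ref.Path == "" {
		return ref, fmt.Errorf("missing repository name in %q", s)
	}
	if !repoNameRe.MatchString(ref.Path) {
		if strings.ToLower(ref.Path) != ref.Path {
			hint := ""
			if d, _ := DockerSplitDomain(ref.Path); d != "" {
				hint = fmt.Sprintf("; note that Docker would treat %q as a registry host", d)
			}
			return ref, fmt.Errorf("repository name %q in %q contains uppercase characters; repository names must be lowercase, see %s%s", ref.Path, s, specURL, hint)
		}
		return ref, fmt.Errorf("repository name %q in %q does not match the OCI name grammar (see %s)", ref.Path, s, specURL)
	}
	return ref, nil
}

func main() {
	for _, s := range []string{"SecOps/hello-world-ant", "secops/hello-world-ant:latest", "mcr.microsoft.com/dotnet/runtime:7.0"} {
		ref, err := Parse(s)
		if err != nil {
			fmt.Println("ERROR", err)
			continue
		}
		fmt.Printf("ok: domain=%q path=%q tag=%q\n", ref.Domain, ref.Path, ref.Tag)
	}
}
```

Running it, the first name is rejected with a message that names `SecOps/hello-world-ant`, says repository names must be lowercase, links the spec and adds that Docker would treat `SecOps` as a registry host, which is the same split that produced the `Head "https://SecOps/v2/..."` request in the pull output above; the lowercased name and the `mcr.microsoft.com` reference parse cleanly.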