Closed andrewgazelka closed 9 months ago
/cc @cdupuis
I'm also getting this error when scanning the Chainguard Wolfi image.
```
$ docker pull cgr.dev/chainguard/wolfi-base
Using default tag: latest
latest: Pulling from chainguard/wolfi-base
33f07347d8b7: Pull complete
Digest: sha256:d141305384203efd88710c735d71a3975371174ad882c181b5ce0bdb583615e6
Status: Downloaded newer image for cgr.dev/chainguard/wolfi-base:latest
cgr.dev/chainguard/wolfi-base:latest
$
$ docker sbom cgr.dev/chainguard/wolfi-base
Syft v0.43.0
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [14 packages]
NAME VERSION TYPE
apk-tools 2.14.0-r0 apk
busybox 1.36.1-r2 apk
ca-certificates-bundle 20230506-r0 apk
glibc 2.38-r1 apk
glibc-locale-posix 2.38-r1 apk
ld-linux 2.38-r1 apk
libcrypt1 2.38-r1 apk
libcrypto3 3.1.3-r0 apk
libssl3 3.1.3-r0 apk
openssl-config 3.1.3-r0 apk
wolfi-base 1-r3 apk
wolfi-baselayout 20230201-r6 apk
wolfi-keys 1-r5 apk
zlib 1.3-r0 apk
$
$ docker scout cves cgr.dev/chainguard/wolfi-base
Analyzing image cgr.dev/chainguard/wolfi-base
✓ Image stored for indexing
⠋ Indexing panic: runtime error: index out of range [0] with length 0
goroutine 13 [running]:
github.com/anchore/syft/syft/pkg/cataloger/apkdb.stripVersionSpecifier(...)
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/apkdb/parse_apk_db.go:356
github.com/anchore/syft/syft/pkg/cataloger/apkdb.discoverPackageDependencies({0x14000292c00, 0xe, 0x140012312d2?})
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/apkdb/parse_apk_db.go:316 +0x898
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x14000126e58?, 0x140004af0c8?}, 0x1400101a2b0, {{{{0x140004af0c8, 0x15}, {0x14000fa73b0, 0x47}}, {0x140012263c0, 0x15}, {0x86, ...}}, ...})
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/apkdb/parse_apk_db.go:101 +0x614
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0x14001929920, {0x106953c90, 0x14000126e58})
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/generic/cataloger.go:129 +0x6b8
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x106944740, 0x14001929920}, {0x106953c90?, 0x14000126e58})
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/catalog.go:57 +0x15c
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/catalog.go:127 +0xcc
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
/home/runner/go/pkg/mod/github.com/anchore/syft@v0.66.7/syft/pkg/cataloger/catalog.go:122 +0x250
```
@willdeane what version of the Scout CLI are you on? I believe this was fixed already.
```
❯ docker scout cves cgr.dev/chainguard/wolfi-base
✓ Pulled
✓ Image stored for indexing
✓ Indexed 16 packages
✓ No vulnerable package detected
## Overview
│ Analyzed Image
────────────────────┼─────────────────────────────────────────
Image reference │ cgr.dev/chainguard/wolfi-base:latest
│ 43f3fb67f990
platform │ linux/arm64
vulnerabilities │ 0C 0H 0M 0L
size │ 4.7 MB
packages │ 16
## Packages and Vulnerabilities
```
I am running this on a `scratch` image, which I know makes no sense. My guess is this is what is causing the issue.