fossas / fossa-cli

Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
https://fossa.com

Container scanning does not support distroless #1093

Open FraBle opened 2 years ago

FraBle commented 2 years ago

Example upstream image: gcr.io/distroless/nodejs:16

Error observed in output from fossa-cli:

$ fossa container analyze ***.dkr.ecr.us-west-2.amazonaws.com/<folder>/<image>:latest
[ INFO] Inferred registry source: https://<REDACTED>:<REDACTED>@***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest
[ INFO] [ 5 Waiting / 1 Running / 0 Completed ]
[ INFO] [ 3 Waiting / 2 Running / 1 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] [ 2 Waiting / 2 Running / 2 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] [ 1 Waiting / 2 Running / 3 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] [ 0 Waiting / 2 Running / 4 Completed ]
[ INFO] Downloaded: <REDACTED>.json
[ INFO] [ 0 Waiting / 1 Running / 5 Completed ]
[ INFO] Gzip extracted & downloaded: <REDACTED>.tar
[ INFO] Analyzing exported docker archive: /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar
[ INFO] Analyzing Base Layer
Error:  ----------
  An issue occurred

  >>> Relevant errors

    Error

      Error reading file etc/os-release:
          user error (ReadContentBS: Could not find etc/os-release in /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar)

      Traceback:
        - Parsing file 'etc/os-release'
        - Retrieving Os Information
        - Analyzing via registry

    Error

      Error reading file etc/system-release-cpe:
          user error (ReadContentBS: Could not find etc/system-release-cpe in /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar)

      Traceback:
        - Parsing file 'etc/system-release-cpe'
        - Retrieving Os Information
        - Analyzing via registry

    Error

      Error reading file bin/busybox:
          user error (ReadContentBS: Could not find bin/busybox in /tmp/fossa-container-registry-tmp-<REDACTED>/image.tar)

      Traceback:
        - Retrieving Os Information
        - Analyzing via registry

  >>> Possibly-related warnings

    Warning

      Could not find: ***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest in local repository.
      Perform: docker pull ***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest, prior to running fossa.
      >>> Relevant errors

        Error

          Could not locate tarball source at filepath: /home/runner/work/<REDACTED>/<REDACTED>/***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest

          Traceback:
            (none)

        Error

          Error in $: key "Size" not found

          Traceback:
            (none)

        Error

          Command execution failed: 
              command: Command {cmdName = "podman", cmdArgs = ["image","inspect","***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest"], cmdAllowErr = Never}
              dir: /home/runner/work/<REDACTED>/<REDACTED>/
              exit: ExitFailure 1
              stdout: 
                []

              stderr: 
                Error: error inspecting object: ***.dkr.ecr.us-west-2.amazonaws.com/<REDACTED>/<REDACTED>:latest: image not known

          If you believe this to be a defect, please report a bug to FOSSA support at https://support.fossa.com/

          Traceback:
            - Running command 'podman'
            - Running command 'podman'
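The traceback above shows the precondition that fails on distroless: the "Retrieving Os Information" step needs one of etc/os-release, etc/system-release-cpe or bin/busybox somewhere in the image. As an added example (not fossa-cli code, not from this thread), the Python below scans a `docker save`-style archive for those three marker files and reports whether the image is distroless-like; the archive layout, helper names and sample images are constructed here for illustration.

```python
import io
import json
import tarfile

# Marker files the "Retrieving Os Information" step in the error output
# looks for; a distroless image ships none of them.
OS_MARKERS = ("etc/os-release", "etc/system-release-cpe", "bin/busybox")


def _norm(name: str) -> str:
    """Normalise tar member paths ('./etc/os-release', '/etc/os-release')."""
    return name.lstrip("./")


def find_os_markers(image_tar: bytes) -> dict:
    """Scan a docker-save archive (manifest.json + layer tars) and report,
    per marker path, the first layer that contains it (None when absent)."""
    found = {m: None for m in OS_MARKERS}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            with tarfile.open(fileobj=outer.extractfile(layer_name)) as layer:
                names = {_norm(m.name) for m in layer.getmembers()}
            for marker in OS_MARKERS:
                if found[marker] is None and marker in names:
                    found[marker] = layer_name
    return found


def is_distroless_like(image_tar: bytes) -> bool:
    """True when no marker file exists, i.e. the case this issue reports."""
    return all(v is None for v in find_os_markers(image_tar).values())


def _tar_bytes(files: dict) -> bytes:
    """Build an in-memory uncompressed tar from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image(layers: list) -> bytes:
    """Constructed sample: a minimal docker-save archive with the given layers."""
    layer_tars = {f"layer{i}/layer.tar": _tar_bytes(f) for i, f in enumerate(layers)}
    manifest = [{"Config": "config.json", "RepoTags": [], "Layers": list(layer_tars)}]
    return _tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                       "config.json": b"{}", **layer_tars})


# Constructed inputs: a distroless-style app image vs. one carrying /etc/os-release.
DISTROLESS = build_sample_image([{"app/server.js": b"console.log('hi')"}])
DEBIAN_LIKE = build_sample_image([{"etc/os-release": b"ID=debian\n"}, {"app/server.js": b""}])
```

Running `find_os_markers` on a real archive (`docker save image:tag -o image.tar`, then pass the file bytes) tells you up front whether a scanner that relies on these files will be able to identify the base OS.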

meghfossa commented 2 years ago

Hi - I've patched this with https://github.com/fossas/fossa-cli/releases/tag/v3.6.2; please let us know if you continue to see this issue.

FraBle commented 2 years ago

Hi @meghfossa v3.6.2 solved the original error, but now I see

Error

      The FOSSA endpoint reported an error:

          Container image did not have any artifacts.

      Error UUID from API:

          1daf7b71-ecfa-45f8-ab45-0485afed2231

      If you believe this to be a defect, please report a bug to FOSSA support at https://support.fossa.com/

Though the image does have content:

[Screenshot: Screen Shot 2022-11-10 at 4 56 01 PM]

jssblck commented 2 years ago

Hey @FraBle!

So the root cause of the error here is that we didn't find any dependencies in the image.

To clarify: is the issue here that you're expecting to see dependencies, or that you're expecting "no dependencies" to be a valid case on which FOSSA should not error?

We've ticketed the latter regardless as we think that should be a supported case, but I just want to make sure whether that's the issue from your perspective as well!