google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.15k stars 347 forks

fix: improve handling if `docker` exits with a non-zero code when trying to scan images #1285

Open G-Rath opened 15 hours ago

G-Rath commented 15 hours ago

By capturing stderr and outputting it as an error when docker exits with a non-zero code, it should make it easier to catch and debug issues such as unsupported images, images that do not exist, or cannot be accessed due to lack of authentication.

Currently this just assumes the output from Docker will be helpful enough, since we're not able to rely on a particular structure that'd let us parse and understand the actual error, but it should still be a lot better than the current behaviour of saying the docker image was scanned with no packages being found (which we do still do, as changing that would be more complex).

Because we've not got any tests for this, here's some manual testing:

```console
osv-scanner on  improve/docker-error-output [$?] via 🐹 v1.22.7 via  v20.11.0 took 4s
❯ osv-scanner --docker something --docker node:alpine
Scanned docker image with 0 packages
Docker command exited with code 125
> Unable to find image 'something:latest' locally
> docker: Error response from daemon: pull access denied for something, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
> See 'docker run --help'.
Scanned docker image with 0 packages
Docker command exited with code 127
> docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/usr/bin/dpkg-query": stat /usr/bin/dpkg-query: no such file or directory: unknown.
No package sources found, --help for usage information.
```

Note that since we're using r.Errorf this also means the scanner exits with a non-zero code.

Resolves #119
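The approach the PR describes, capturing stderr separately from stdout and surfacing it together with the exit code instead of reporting an empty scan, as an added example that is not the PR's own code. It uses `sh -c` as a stand-in for the `docker run` invocation so it runs without Docker installed; the `DockerExitError` type, the `runCapturingStderr` and `exitCodeOf` helpers, and the exit codes used in `main` are assumptions for illustration, not identifiers from osv-scanner.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// DockerExitError is returned when the wrapped command exits with a
// non-zero status. It keeps the exit code and the captured stderr so the
// caller can report both rather than silently saying "0 packages".
// (Hypothetical type for this example, not from osv-scanner.)
type DockerExitError struct {
	Code   int
	Stderr string
}

func (e *DockerExitError) Error() string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "Docker command exited with code %d", e.Code)
	// Echo each stderr line prefixed with "> " so the reader can tell
	// Docker's own message apart from the scanner's output.
	for _, line := range strings.Split(strings.TrimRight(e.Stderr, "\n"), "\n") {
		if line != "" {
			sb.WriteString("\n> " + line)
		}
	}
	return sb.String()
}

// runCapturingStderr runs name with args and returns stdout on success.
// Stdout and stderr are buffered separately so that on failure stderr is
// neither lost nor interleaved with the data the caller meant to parse.
func runCapturingStderr(name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr

	if err := cmd.Run(); err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return nil, &DockerExitError{Code: exitErr.ExitCode(), Stderr: stderr.String()}
		}
		// The binary could not be started at all (e.g. not on PATH); that is
		// a different failure from a non-zero exit and is reported as such.
		return nil, fmt.Errorf("could not run %s: %w", name, err)
	}
	return stdout.Bytes(), nil
}

// exitCodeOf returns the exit code carried by an error from
// runCapturingStderr, or -1 if the error is not a DockerExitError.
func exitCodeOf(err error) int {
	var de *DockerExitError
	if errors.As(err, &de) {
		return de.Code
	}
	return -1
}

func main() {
	// Constructed stand-in for a failing `docker run ...`: writes a message
	// to stderr and exits 125, the code shown in the PR's manual test.
	out, err := runCapturingStderr("sh", "-c", "echo \"Unable to find image 'something:latest' locally\" >&2; exit 125")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("%s", out)
}
```

Keeping the exit code and stderr on a typed error (rather than folding them into a string) lets the caller decide how to report them, for instance through `r.Errorf` so the scanner's own exit code becomes non-zero as the PR notes.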

codecov-commenter commented 9 hours ago

Codecov Report

Attention: Patch coverage is 0% with 19 lines in your changes missing coverage. Please review.

Project coverage is 68.30%. Comparing base (866b3e0) to head (bb52f35).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/osvscanner/osvscanner.go | 0.00% | 19 Missing :warning: |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1285      +/-   ##
==========================================
- Coverage   68.43%   68.30%   -0.13%     
==========================================
  Files         175      175              
  Lines       16798    16816      +18     
==========================================
- Hits        11495    11487       -8     
- Misses       4673     4698      +25     
- Partials      630      631       +1     
```

:umbrella: View full report in Codecov by Sentry.