jenkinsci / amazon-inspector-image-scanner-plugin

Apache License 2.0

Sbom scanning output formatted incorrectly #48

Closed delia-iuga closed 5 months ago

delia-iuga commented 5 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.451
OS: Linux - 6.5.0-1014-aws
Java: 17.0.10 - Private Build (OpenJDK 64-Bit Server VM)
---
amazon-inspector-image-scanner:261.vea_d401357b_42
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
aws-credentials:231.v08a_59f17d742
aws-java-sdk-ec2:1.12.671-445.ve02f9b_558f2e
aws-java-sdk-minimal:1.12.671-445.ve02f9b_558f2e
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1152.v6f101e97dd77
build-timeout:1.32
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloudbees-folder:6.928.v7c780211d66e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
credentials:1337.v60b_d7b_c7b_c9f
credentials-binding:657.v2b_19db_7d6e6d
dark-theme:439.vdef09f81f85e
display-url-api:2.200.vb_9327d658781
durable-task:550.v0930093c4b_a_6
echarts-api:5.5.0-1
email-ext:2.105
font-awesome-api:6.5.1-3
git:5.2.1
git-client:4.7.0
github:1.38.0
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1785.v99802b_69816c
gradle:2.10
gson-api:2.10.1-15.v0d99f670e0a_7
instance-identity:185.v303dc7c645f9
ionicons-api:70.v2959a_b_74e3cf
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1265.v65b_14fa_f12f0
ldap:719.vcb_d039b_77d0d
mailer:472.vf7c289a_4b_420
matrix-auth:3.2.2
matrix-project:822.824.v14451b_c0fd42
metrics:4.2.21-449.v6960d7c54c69
mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd
mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.10
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:234.v984087d1eb_25
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:491.vb_07d21da_1a_fb_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2184.v0b_358b_953e69
pipeline-model-definition:2.2184.v0b_358b_953e69
pipeline-model-extensions:2.2184.v0b_358b_953e69
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2184.v0b_358b_953e69
plain-credentials:179.vc5cb_98f6db_38
plugin-util-api:4.1.0
resource-disposer:0.23
scm-api:689.v237b_6d3a_ef7f
script-security:1326.vdb_c154de8669
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:334.v7732563deee1
ssh-slaves:2.948.vb_8050d697fec
structs:337.v1b_04ea_4df7c8
theme-manager:215.vc1ff18d67920
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.142.v748523a_76693
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1291.v51fd2a_625da_7
workflow-basic-steps:1049.v257a_e6b_30fb_d
workflow-cps:3889.v937e0b_3412d3
workflow-durable-task-step:1331.vc8c2fed35334
workflow-job:1400.v7fd111b_ec82f
workflow-multibranch:783.va_6eb_ef636fb_d
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:657.v03b_e8115821b_
workflow-support:896.v175a_a_9c5b_78f
ws-cleanup:0.45
```

What Operating System are you using (both controller, and any agents involved in the problem)?

ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240301

Reproduction steps

  1. Installed Jenkins 2.451
  2. Installed amazon-inspector-image-scanner:261.vea_d401357b_42
  3. Created new project + added Amazon Inspector Scan step:

Expected Results

Job runs and provides outcome regarding the image vulnerabilities.

Actual Results

```text
Running as SYSTEM
Building in workspace /var/lib/jenkins/workspace/demo
Automatic SBOMGen Sourcing selected, downloading now...
No credential provided, running without.
Making downloaded SBOMGen executable...
Running command...
[/tmp/sbomgen922047404730143073/inspector_sbomgen/inspector-sbomgen-1.1.0/linux/amd64/inspector-sbomgen, container, --image, hello-world:latest]
Plugin execution ran into an error and is being aborted!
Exception:com.amazon.inspector.jenkins.amazoninspectorbuildstep.exception.MalformedScanOutputException: Sbom scanning output formatted incorrectly. Sbom Content: time="2024-04-02T09:10:56Z" level=info msg="Amazon Inspector SBOM Generator v1.1.0 - linux amd64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved"
time="2024-04-02T09:10:56Z" level=info msg="[/tmp/sbomgen922047404730143073/inspector_sbomgen/inspector-sbomgen-1.1.0/linux/amd64/inspector-sbomgen container --image hello-world:latest]"
time="2024-04-02T09:10:56Z" level=info msg="writing log file to: /var/lib/jenkins/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-04-02_09-10-56.txt"
time="2024-04-02 09:10:56" level=info msg="initializing target artifact" file="coreV1.go:34:"
time="2024-04-02 09:10:56" level=info msg="created temporary staging directory: /var/lib/jenkins/.inspector-sbomgen/artifact-cache334814225" file="stagingdir.go:60:"
time="2024-04-02 09:10:56" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2024-04-02 09:10:56" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2024-04-02 09:10:56" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2024-04-02 09:10:56" level=info msg="downloading remote container image: index.docker.io/library/hello-world:latest" file="imageInit.go:153:"
time="2024-04-02 09:10:57" level=info msg="executing pre-processors" file="coreV1.go:44:"
time="2024-04-02 09:10:57" level=info msg="initializing analyzers" file="artifactContainer.go:134:"
time="2024-04-02 09:10:57" level=info msg="inventorying the image; this may take some time depending on your image size..." file="artifactContainer.go:139:"
| [0s]
/ [0s] time="2024-04-02 09:10:57" level=info msg="initializing artifact system info" file="systeminfo.go:41:"
time="2024-04-02 09:10:57" level=fatal msg="unable to initialization sysinfo with non-linux container" file="artifactContainer.go:151:" null
com.amazon.inspector.jenkins.amazoninspectorbuildstep.exception.MalformedScanOutputException: Sbom scanning output formatted incorrectly. Sbom Content: time="2024-04-02T09:10:56Z" level=info msg="Amazon Inspector SBOM Generator v1.1.0 - linux amd64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved"
time="2024-04-02T09:10:56Z" level=info msg="[/tmp/sbomgen922047404730143073/inspector_sbomgen/inspector-sbomgen-1.1.0/linux/amd64/inspector-sbomgen container --image hello-world:latest]"
time="2024-04-02T09:10:56Z" level=info msg="writing log file to: /var/lib/jenkins/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-04-02_09-10-56.txt"
time="2024-04-02 09:10:56" level=info msg="initializing target artifact" file="coreV1.go:34:"
time="2024-04-02 09:10:56" level=info msg="created temporary staging directory: /var/lib/jenkins/.inspector-sbomgen/artifact-cache334814225" file="stagingdir.go:60:"
time="2024-04-02 09:10:56" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2024-04-02 09:10:56" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2024-04-02 09:10:56" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2024-04-02 09:10:56" level=info msg="downloading remote container image: index.docker.io/library/hello-world:latest" file="imageInit.go:153:"
time="2024-04-02 09:10:57" level=info msg="executing pre-processors" file="coreV1.go:44:"
time="2024-04-02 09:10:57" level=info msg="initializing analyzers" file="artifactContainer.go:134:"
time="2024-04-02 09:10:57" level=info msg="inventorying the image; this may take some time depending on your image size..." file="artifactContainer.go:139:"
| [0s]
/ [0s] time="2024-04-02 09:10:57" level=info msg="initializing artifact system info" file="systeminfo.go:41:"
time="2024-04-02 09:10:57" level=fatal msg="unable to initialization sysinfo with non-linux container" file="artifactContainer.go:151:" null
    at com.amazon.inspector.jenkins.amazoninspectorbuildstep.sbomgen.SbomgenUtils.processSbomgenOutput(SbomgenUtils.java:20)
    at com.amazon.inspector.jenkins.amazoninspectorbuildstep.sbomgen.SbomgenRunner.runSbomgen(SbomgenRunner.java:83)
    at com.amazon.inspector.jenkins.amazoninspectorbuildstep.sbomgen.SbomgenRunner.run(SbomgenRunner.java:40)
    at com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder.perform(AmazonInspectorBuilder.java:166)
    at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:80)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:818)
    at hudson.model.Build$BuildExecution.build(Build.java:199)
    at hudson.model.Build$BuildExecution.doRun(Build.java:164)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:526)
    at hudson.model.Run.execute(Run.java:1893)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:44)
    at hudson.model.ResourceController.execute(ResourceController.java:101)
    at hudson.model.Executor.run(Executor.java:442)
Build step 'Amazon Inspector Scan' changed build result to ABORTED
Finished: ABORTED
```

Anything else?

Using same EC2 instance for the controller and running the jobs.

Are you interested in contributing a fix?

No response

cjbaco commented 5 months ago

Thanks for the report. At this time, the Inspector plugin does not support scratch images. Compatibility with these will be added in a future update.

delia-iuga commented 5 months ago

Thanks for the response, indeed, when trying with a different image it works, will close the issue now.
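
An added example, not part of the thread and not the plugin's code: the exception in the report says only "Sbom scanning output formatted incorrectly", while the actual cause sits in the `level=fatal` entry of the sbomgen log embedded in it. This Python code splits that flattened key=value text into entries and returns the first fatal or error one; the sample string is constructed from lines in the report, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the "Sbom Content" from the report,
# flattened onto one line the way the Jenkins console shows it.
SAMPLE = (
    'time="2024-04-02 09:10:57" level=info msg="initializing analyzers" '
    'file="artifactContainer.go:134:" | [0s] / [0s] '
    'time="2024-04-02 09:10:57" level=info msg="initializing artifact system info" '
    'file="systeminfo.go:41:" '
    'time="2024-04-02 09:10:57" level=fatal msg="unable to initialization sysinfo '
    'with non-linux container" file="artifactContainer.go:151:" null'
)

# key=value pair; the value is a double-quoted string (with \" escapes) or a bare token.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_entries(text):
    """Split flattened key=value log text into one dict per entry.

    A new entry starts at every time= key; spinner output such as "| [0s]"
    and the trailing "null" carry no key=value pair and are skipped.
    """
    entries = []
    for match in PAIR.finditer(text):
        key, value = match.group(1), match.group(2)
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        if key == "time" or not entries:
            entries.append({})
        entries[-1][key] = value
    return entries


def root_cause(text, levels=("fatal", "error")):
    """Return (level, msg, file) of the first fatal/error entry, or None."""
    for entry in parse_entries(text):
        if entry.get("level") in levels:
            return entry["level"], entry.get("msg", ""), entry.get("file", "")
    return None


if __name__ == "__main__":
    print(root_cause(SAMPLE))
```

Run over the console text of an aborted build, this surfaces the sbomgen failure message directly instead of the generic exception text.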