jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

On-demand scan detects no vulnerabilities on images built with Kaniko #1584

Open patrickschur opened 2 years ago

patrickschur commented 2 years ago

Describe the bug The indexer-app detects no vulnerabilities on images built with Kaniko.

To Reproduce

  1. Create a Dockerfile:

    FROM alpine:3.16
  2. Build the image with Kaniko:

    docker run -it --rm -v $(pwd):/workspace \
    gcr.io/kaniko-project/executor:v1.8.1-debug -f Dockerfile --no-push --tarPath kaniko.tar -d kaniko -c . --cleanup
  3. Scan the image:

    jf s kaniko.tar
11:47:13 [🔵Info] [Thread 2] Indexing file: kaniko.tar
11:47:16 [🔵Info]
11:47:17 [🔵Info] Waiting for scan to complete...
The full scan results are available here: /tmp/jfrog.cli.temp.-1656589638-3448319061
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
┌─────────────────────────────────────┐
│ ✨ No vulnerabilities were found ✨ │
└─────────────────────────────────────┘
11:47:18 [🔵Info] Scan completed successfully.

Expected behavior The indexer-app should detect vulnerabilities and support the image format used by Kaniko.

Versions

Additional context At the moment only the image format used by Docker is supported:

docker load < kaniko.tar
docker save -o docker.tar kaniko
jf s docker.tar
11:46:39 [🔵Info] [Thread 2] Indexing file: docker.tar
11:46:42 [🔵Info] 2022-06-30T11:46:40.3625282Z [jfxia] [INFO ] [] [docker_layer_tar:169          ] [main                ] Encountered release info file 'etc/alpine-release'
2022-06-30T11:46:40.3632098Z [jfxia] [INFO ] [] [docker_layer_tar:169          ] [main                ] Encountered release info file 'etc/os-release'
2022-06-30T11:46:42.9810997Z [jfxia] [INFO ] [] [tar:82                        ] [main                ] Finished indexing layers of docker /tmp/jfrog.cli.temp.-1656589599-4108843292/18502706-ce47-42ab-7307-e884cc04cf7d/165658960032915780/ (sha256:1fe6c686d3bfcc5d26158f2b946fbcd493d2f167da7b7b5cea3b0921709e5df1)

11:46:44 [🔵Info] Waiting for scan to complete...
The full scan results are available here: /tmp/jfrog.cli.temp.-1656589604-653889428
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌──────────┬──────────────┬────────────┬────────┬──────────┬───────────┬───────────┬────────────────┐
│ SEVERITY │ IMPACTED     │ IMPACTED   │ TYPE   │ FIXED    │ COMPONENT │ COMPONENT │ CVE            │
│          │ PACKAGE      │ PACKAGE    │        │ VERSIONS │           │ VERSION   │                │
│          │              │ VERSION    │        │          │           │           │                │
├──────────┼──────────────┼────────────┼────────┼──────────┼───────────┼───────────┼────────────────┤
│ 🔥High   │ 3.16:busybox │ 1.35.0-r13 │ Alpine │          │ kaniko    │ latest    │ CVE-2022-30065 │
└──────────┴──────────────┴────────────┴────────┴──────────┴───────────┴───────────┴────────────────┘
11:46:44 [🔵Info] Scan completed successfully.
kamilsimek-ecb commented 2 years ago

I can confirm the same issue.

JFrog CLI version: jf version 2.14.0
Artifactory version: 7.37.15
Xray version: 3.47.3

sverdlov93 commented 2 years ago

Hi @patrickschur and @kamilsimek-ecb. First of all, we recently introduced jf docker scan, which creates a tar file and runs a specific scan for docker images. Currently, OCI image (kaniko / podman) scanning is not supported, but adding them is one of our goals for the near future.

patrickschur commented 2 years ago

Hi @sverdlov93, we build our images with Kaniko, therefore jf docker scan is not an option for us because it requires Docker. The result between both commands is also the same. The only difference is that jf docker scan creates a tar file via docker save, while jf scan scans arbitrary files and doesn't require Docker at all.

After some digging I came up with a workaround and I'm now using skopeo copy to change the image format. You can find the workaround here: https://gist.github.com/patrickschur/6bf5e43f7f1ded22530b646a51ace65a

With the workaround I get the same number of vulnerabilities back as with the image built by Docker. But sometimes I still get strange results back. Here is the result I got with an internal test image:

jf s kaniko.tar # 1 critical, 6 high, 4 medium
jf s skopeo.tar # 1 critical, 6 high, 39 medium, 43 low
jf s docker.tar # 1 critical, 6 high, 39 medium, 43 low

But if I upload the image to Artifactory, Xray finds only 54 vulnerabilities (1 critical, 6 high, 20 medium, 26 low and 1 unknown) while the indexer-app finds much more vulnerabilities in the image. Why are the results so different? I would expect that the indexer-app finds the same number of vulnerabilities as Xray.
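A shell helper for the workaround described above, added here as an example and not taken from the issue, the linked gist or JFrog CLI: it tells an OCI image archive (the format the maintainers say jf scan did not yet index) from a docker-save archive by inspecting the tar listing, and rewrites the OCI case with skopeo copy into the docker-archive layout the indexer did accept. The marker files, the skopeo transport names and the kaniko:latest reference are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue, the linked gist or JFrog CLI).
# Assumes: Kaniko's --tarPath output is an OCI image layout (oci-layout +
# index.json at the archive root), docker save output has manifest.json at
# the root, and skopeo is installed for the conversion.
set -eu

# Print "oci", "docker" or "unknown" for an image tarball, based on the
# marker files at the root of the archive.
image_tar_format() {
  # Strip a leading "./" so archives created with "tar -C dir ." match too.
  listing=$(tar -tf "$1" | sed 's#^\./##')
  if printf '%s\n' "$listing" | grep -qx 'oci-layout'; then
    echo oci
  elif printf '%s\n' "$listing" | grep -qx 'manifest.json'; then
    echo docker
  else
    echo unknown
  fi
}

# Produce a docker-archive tar at $2 from the image tar at $1 so that
# "jf scan <tar>" sees the layout it already understood. OCI archives are
# rewritten with skopeo and tagged $3 (default kaniko:latest, an assumed
# name); docker archives are copied unchanged; anything else is rejected.
to_docker_archive() {
  src=$1
  dst=$2
  ref=${3:-kaniko:latest}
  case $(image_tar_format "$src") in
    oci)    skopeo copy "oci-archive:$src" "docker-archive:$dst:$ref" ;;
    docker) cp "$src" "$dst" ;;
    *)      echo "unrecognised image archive: $src" >&2; return 1 ;;
  esac
}

# Usage: to_docker_archive kaniko.tar skopeo.tar && jf scan skopeo.tar
```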

eyalbe4 commented 2 years ago

Thanks so much for sharing this information @patrickschur! As we're building the new OCI scanning capabilities, we may use the information you provided here. As @sverdlov93 mentioned, this is something we plan to introduce.

Pradebban commented 1 year ago

@sverdlov93 @eyalbe4 - Do we have timelines for when support for OCI image (kaniko) scanning will be available? Is there a documented workaround in the meanwhile?

sverdlov93 commented 1 year ago

Hi @patrickschur, @kamilsimek-ecb, @Pradebban. Since JFrog Xray 3.61.5, jf scan commands support OCI images (kaniko, podman, etc.). To use the functionality, you should use the OCI tool's save command to create the image tar and then run jf scan. For example:

podman save -o alpine.tar alpine:2.6
jf scan alpine.tar

One of our following goals is to create a direct command for each tech that runs the save command behind the scenes and scans the image's tar (like the jf docker scan command).