search

mondoohq / cnquery

open source, cloud-native, graph-based asset inventory
https://cnquery.io
Other
303 stars 20 forks source link

`could not sync assets` for container image #1952

Closed czunker closed 1 year ago

czunker commented 1 year ago

Describe the bug

cnspec scan container image alpine:3.8.4 --config ~/demo.agent.credentials.json 
! CLI pre-processing encountered an issue error="unknown flag: --config"
→ loaded configuration from /home/christian/demo.agent.credentials.json using source --config
→ using service account credentials
→ discover related assets for 1 asset(s)
→ synchronize assets
FTL failed to run scan error="rpc error: code = Internal desc = could not sync assets"

Works with v8 cnspec, so credentials seem fine.

I also tried it with edge. Same result.

To Reproduce Steps to reproduce the behavior:

  1. Go to '...'
  2. Select '....'
  3. Scroll down to '....'
  4. Note the error

Expected behavior cnspec should sync the scanned assets.

Aditional context For a vagrant scan it looks good:

→ synchronize assets
DBG initialize client authentication issuer=mondoo/ams kid=//agents.api.mondoo.app/spaces/dazzling-golick-767384/serviceaccounts/2AyMRoi8pfJa6gOqq16QWstmKPK
DBG got assets details assets=2
DBG asset mapping asset=//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2VyU5e8hHEY6zi9ETy00UtvNmiW platform-mrn=de7443b8b43d48c3b1fe5bb543137fba
DBG asset mapping asset=//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2VyU5e8hHEY6zi9ETy00UtvNmiW platform-mrn=localhost.localdomain
DBG update asset asset=default platform-ids=["localhost.localdomain","de7443b8b43d48c3b1fe5bb543137fba"]
DBG connecting to asset default (Rocky Linux 8.8 (Green Obsidian))
preslavgerchev commented 1 year ago

I just tried v8 versus v9, v9:

TRC curl -X 'POST' -d '{"space_mrn":"//captain.api.mondoo.app/spaces/peaceful-lewin-815181","list":[{"platform":{"name":"alpine","arch":"amd64","title":"Alpine Linux v3.8","family":["linux","unix","os"],"version":"3.8.4","kind":"container-image","runtime":"docker-image"},"connections":[{"backend":"tar","host":"alpine:3.8.4","id":1,"type":"docker-image","discover":{"targets":["auto"]},"capabilities":["file"]}],"id_detector":["hostname"]}]}' -H 'Accept: application/json' -H 'Content-Length: 419' -H 'Content-Type: application/json' 'https://api.edge.mondoo.com/QueryConductor/SynchronizeAssets'

v8:

TRC curl -X 'POST' -d '{"space_mrn":"//captain.api.mondoo.app/spaces/peaceful-lewin-815181","list":[{"name":"index.docker.io/library/alpine@04696b491e0c","platform_ids":["//platformid.api.mondoo.app/runtime/docker/images/04696b491e0cc3c58a75bace8941c14c924b9f313b03ce5029ebbc040ed9dcd9"],"state":9,"platform":{"name":"alpine","arch":"amd64","title":"Alpine Linux v3.8","family":["linux","unix","os"],"version":"3.8.4","kind":2,"runtime":"docker-image"},"connections":[{"backend":6,"host":"index.docker.io/library/alpine@sha256:04696b491e0cc3c58a75bace8941c14c924b9f313b03ce5029ebbc040ed9dcd9","options":{"platform-override":""},"kind":2,"runtime":"docker-registry","platform_id":"//platformid.api.mondoo.app/runtime/docker/images/04696b491e0cc3c58a75bace8941c14c924b9f313b03ce5029ebbc040ed9dcd9"}],"labels":{"docker.io/digest":"sha256:04696b491e0cc3c58a75bace8941c14c924b9f313b03ce5029ebbc040ed9dcd9","docker.io/tags":"3.8.4"}}]}' -H 'Accept: application/json' -H 'Content-Length: 906' -H 'Content-Type: application/json' 'https://api.edge.mondoo.com/PolicyResolver/SynchronizeAssets'

One's hitting the query conductor and the other one is hitting the policy resolver, this might be the issue

vjeffrey commented 1 year ago

most likely now fixed, needs to be retested