openshift / check-payload

Apache License 2.0

Payload exception rules not matched by "scan local" command #193

Open nmars opened 2 weeks ago

nmars commented 2 weeks ago

check-payload scan local is not able to match payload* exception rules as entered in config.toml or the toml files under dist/releases.

$ check-payload version
0.3.1-140-g8d062caf

Using the scan image command that relies on podman does work:

$ sudo check-payload scan -V 4.16 image --spec registry.redhat.io/rhacm2/volsync-rhel9@sha256:a9dbd64e00caebf06ed38708fd5464219ccd44132f717e73d806165c5a16d050
...
---- Successful run

However, a local scan, where the rootfs has been unpacked to /tmp fails:

$ check-payload scan -V 4.16 local --path /tmp/rhacm-volsync-rhel9/unpacked-rootfs/
...
I0610 15:37:42.807182   22948 scan.go:429] "scanning failed" image="" path="/usr/local/bin/diskrsync" error="go binary does not contain required symbol(s)" component="" tag="" rpm="" status="failed"
---- Failure Report
+--------------------------+-----------------------------------------------+
| EXECUTABLE NAME          | STATUS                                        |
+--------------------------+-----------------------------------------------+
| /usr/local/bin/diskrsync | go binary does not contain required symbol(s) |
+--------------------------+-----------------------------------------------+

The local scan does not match the rules in the exception file:

$ grep -B5 /usr/local/bin/diskrsync dist/releases/4.16/config.toml
# VolSync packages diskrsync which uses x/crypto/blake2b for local hashing only
# for comparing blocks of data (non-cryptographic)
# Actual network transfer is handled by the ssh executable in the image
[[payload.volsync-container.ignore]]
error = "ErrGoMissingSymbols"
files = ["/usr/local/bin/diskrsync"]

[[payload.volsync-container.ignore]]
error = "ErrNotDynLinked"
files = ["/usr/local/bin/diskrsync"]

[[payload.volsync-container.ignore]]
error = "ErrLibcryptoMissing"
files = ["/usr/local/bin/diskrsync"]

I think this is due to the component not being discovered from the com.redhat.component label during a local scan.

If I'm right, maybe the payload could be discovered via skopeo inspect instead of podman. Or maybe a new flag can be created for scan local so users can specify what component to use to look for the exception rules.

dominikholler commented 2 weeks ago

Yes, the scan local seems to require setting the config files explicitly with the config command line parameter, like --config /home/dholler/src/github/dominikholler/check-payload/config.toml