Open rodrigoasf9 opened 1 month ago
Hi @rodrigoasf9 it looks like your image does not have any outdated packages. Would you be able to share the image you used in order to confirm?
I expected that to be the case, but I would like to know if there is any way to avoid this type of error in a pipeline?
@rodrigoasf9 to ignore errors you can run copa with the "--ignore-errors" flag
@ashnamehrotra hello,
I have the same problem in my pipeline: some images work, others don't, and all the ones that don't fail with the same error message, even though I'm already using the --ignore-errors parameter. I'll share the pipeline YAML:
```yaml
jobs:
- job: Run_Trivy_ACR_and_Git
  displayName: Run Trivy ACR and Git
  pool:
    vmImage: 'ubuntu-latest'
  steps:
  - task: Docker@2
    inputs:
      command: 'build'
      containerRegistry: <my registry>
      repository: <my repos>
      Dockerfile: <my dockerfile>
      buildContext: '**'
      tags: $(Build.BuildId)
    displayName: 'Docker build'
  - task: Docker@2
    inputs:
      command: 'push'
      containerRegistry: <my registry>
      repository: <my repos>
      tags: $(Build.BuildId)
    displayName: 'Docker push'
  - task: Docker@2
    displayName: Login docker
    inputs:
      containerRegistry: <my registry>
      command: 'login'
      addBaseImageData: true
      addPipelineData: true
  - task: trivy@1
    displayName: Run Trivy on the Repos
    inputs:
      version: 'v0.54.1'
      docker: false
      path: '$(System.DefaultWorkingDirectory)'
      severities: 'CRITICAL,HIGH'
      exitCode: '0'
      ignoreUnfixed: true
  - task: trivy@1
    displayName: Run Trivy in ACR
    inputs:
      version: 'v0.54.1'
      docker: false
      loginDockerConfig: true
      image: <my image>
      severities: 'CRITICAL,HIGH'
      ignoreUnfixed: true
      exitCode: '0'
  - script: |
      sudo apt-get update
      sudo apt-get install -y wget
      wget https://github.com/project-copacetic/copacetic/releases/download/v0.8.0/copa_0.8.0_linux_amd64.tar.gz
      tar -xvzf copa_0.8.0_linux_amd64.tar.gz
      # use sudo so this works even when /usr/local/bin is not writable by the agent user
      sudo mv copa /usr/local/bin/copa
      sudo chmod +x /usr/local/bin/copa
    displayName: 'Download and Install COPA Cetic Binary'
  - script: |
      # this export only applies to the current step; later steps do not inherit it
      export DOCKER_BUILDKIT=1
      mkdir -p ~/.docker/cli-plugins
      curl -SL https://github.com/docker/buildx/releases/download/v0.17.1/buildx-v0.17.1.linux-amd64 -o ~/.docker/cli-plugins/docker-buildx
      chmod +x ~/.docker/cli-plugins/docker-buildx
      docker buildx create --use
      docker buildx inspect --bootstrap
    displayName: 'Setup BuildKit and Buildx v0.17.1'
  - task: Bash@3
    displayName: 'Run COPA Cetic for vulnerability correction'
    env:
      trivyImage: <my image>
    inputs:
      targetType: 'inline'
      script: |
        echo "Starting Update/Upgrade packages"
        sudo apt-get update && sudo apt-get upgrade -y || true
        echo "Starting COPA Cetic..."
        # no -r report given, so copa upgrades every upgradable OS package in the image
        copa patch -i "$trivyImage" --ignore-errors
  - task: Docker@2
    displayName: 'Push Patched Docker Image to ACR'
    inputs:
      command: 'push'
      repository: <my repos>
      tags: |
        $(imageTag)-patched
      containerRegistry: <my registry>
```
The error occurs when the pipeline reaches the "Run COPA Cetic for vulnerability correction" step. Is there anything else that needs to be done?
@evertonlsouza is there a reason you are running `sudo apt-get update && sudo apt-get upgrade -y || true` before the copa patch? Would you also be able to share the image you are using so we can try to reproduce?
Hi @ashnamehrotra
I am using `sudo apt-get update && sudo apt-get upgrade -y || true` only for some tests to see if it made a difference, but the error persisted; there is no specific reason for it.
Regarding the images, I tested with these:
```dockerfile
FROM node:18-bookworm-slim AS packages
FROM node:18-bookworm-slim AS build
FROM node:18-bookworm-slim
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
```
@rodrigoasf9 @evertonlsouza you are correct, we error out when there are no upgradable packages since we do not want to create a patched image tag with no changes. Currently, --ignore-errors does not ignore this specific case, but we will add support for that!
@ashnamehrotra thank you!
@ashnamehrotra We’re eagerly awaiting that feature, but I’d also like to ask if you suggest any workarounds for these cases. In our experience, some images successfully go through the Copa patching process, while others don’t, returning the type of error we previously shared.
@rodrigoasf9 there currently aren't any workarounds within copa; however, you can check for vulnerabilities before choosing to patch the image, similar to how we do it in this example for the copa action: https://github.com/project-copacetic/copa-action/blob/00f0ef529529d7a7d49a1f3b9f5f5cf54ba2235e/.github/workflows/patch.yaml#L1-L81. This way we do not patch an image that is already up to date, and the error is never hit. You can also check for/catch the specific error you are seeing in this case.
What is your question?
I'm using copa to check an image for vulnerabilities with the following command:
```shell
copa patch -i $trivyImage
```
But it always stops at the error below:
```text
10 sh -c apt list --upgradable 2>/dev/null | grep -q upgradable || exit 1
10 ERROR: process "sh -c apt list --upgradable 2>/dev/null | grep -q upgradable || exit 1" did not complete successfully: exit code: 1
Error: process "sh -c apt list --upgradable 2>/dev/null | grep -q upgradable || exit 1" did not complete successfully: exit code: 1
```