tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Parsing error: JAVA_OPTS:: bad variable name #1231

Open dnelaturi opened 1 year ago

dnelaturi commented 1 year ago

While running Tern on a container image with an Alpine base image, I see the following errors:

    Layer 2:
            info: Layer created by commands: /bin/sh -c apk add --no-cache openjdk17
            info: Retrieved package metadata using apk default method.

            error: /bin/sh: export: line 0: JAVA_OPTS:: bad variable name

            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name

    File licenses found in Layer:  None
    Packages found in Layer: None

To Reproduce

Steps to reproduce the behavior:

  1. Run a Tern scan on the Docker image (ternd report -w test.tar -o test.txt)
  2. Seeing this error:

    2023-04-28 12:56:09,110 - ERROR - rootfs - Command failed. /bin/sh: export: line 0: JAVA_OPTS:: bad variable name

  3. For image layer 1 the output is clean:

    Layer 1:
            info: Layer created by commands: /bin/sh -c #(nop) ADD file:9a4f77dfaba7fd2aa78186e4ef0e7486ad55101cefc1fabbc1b385601bb38920 in /
            info: Found 'Alpine Linux v3.17' in /etc/os-release.
            info: Retrieved package metadata using apk default method.

    File licenses found in Layer:  None
    Packages found in Layer:
    +------------------------+-------------+-------------------------------------------+------------+
    | Package                | Version     | License(s)                                | Pkg Format |
    +------------------------+-------------+-------------------------------------------+------------+
    | alpine-baselayout-data | 3.4.0-r0    | GPL-2.0-only                              | apk        |
    | musl                   | 1.2.3-r4    | MIT                                       | apk        |
    | busybox                | 1.35.0-r29  | GPL-2.0-only                              | apk        |
    | busybox-binsh          | 1.35.0-r29  | GPL-2.0-only                              | apk        |
    | alpine-baselayout      | 3.4.0-r0    | GPL-2.0-only                              | apk        |
    | alpine-keys            | 2.4-r1      | MIT                                       | apk        |
    | ca-certificates-bundle | 20220614-r4 | MPL-2.0 AND MIT                           | apk        |
    | libcrypto3             | 3.0.8-r3    | Apache-2.0                                | apk        |
    | libssl3                | 3.0.8-r3    | Apache-2.0                                | apk        |
    | ssl_client             | 1.35.0-r29  | GPL-2.0-only                              | apk        |
    | zlib                   | 1.2.13-r0   | Zlib                                      | apk        |
    | apk-tools              | 2.12.10-r1  | GPL-2.0-only                              | apk        |
    | scanelf                | 1.3.5-r1    | GPL-2.0-only                              | apk        |
    | musl-utils             | 1.2.3-r4    | MIT AND BSD-2-Clause AND GPL-2.0-or-later | apk        |
    | libc-utils             | 0.7.2-r3    | BSD-2-Clause AND BSD-3-Clause             | apk        |
    +------------------------+-------------+-------------------------------------------+------------+
  4. For subsequent layers it doesn't show the correct results:

=======================================================================================

    Layer 2:
            info: Layer created by commands: /bin/sh -c apk add --no-cache openjdk17
            info: Retrieved package metadata using apk default method.

            error: /bin/sh: export: line 0: JAVA_OPTS:: bad variable name

            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name
            /bin/sh: export: line 0: JAVA_OPTS:: bad variable name

    File licenses found in Layer:  None
    Packages found in Layer: None

=======================================================================================

Expected behavior

Expected to see the results without errors.

Environment you are running Tern on

Enter all that apply

Please attach files if they exist

rnjudge commented 1 year ago

Hi @dnelaturi, thanks for the issue! Can you please provide the Dockerfile for your image so I may debug? From what I can see this is not an issue with the Alpine base image. Rather, I suspect there is some type of unique line in the Dockerfile that Tern's parser does not recognize or an environment variable that Tern cannot properly export, hence the /bin/sh: export: line 0: JAVA_OPTS:: bad variable name error that is throwing off the results.
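The shell message quoted in the issue names the rejected identifier before "bad variable name", so what the shell was asked to export was the name JAVA_OPTS: (with a trailing colon), which is not a valid POSIX variable name. The following added example, which is not Tern's code and does not reflect how Tern's rootfs module actually builds its commands, shows the defensive pattern a tool that replays an image's Env entries into a shell would want: validate each name against the POSIX identifier rule and quote each value, so a malformed entry is reported instead of producing a failed export that silently empties the layer's package list. The SAMPLE_ENV list is constructed for the example; the JAVA_OPTS: entry is there only to reproduce the message shape, not to describe the reporter's image.

```python
import re
import shlex

# POSIX shell variable names: a letter or underscore followed by letters,
# digits or underscores. Anything else (a colon, a dot, a leading digit) makes
# `export NAME=value` fail with "NAME: bad variable name" in ash/dash/bash.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_name(name):
    """True if `name` can be exported by a POSIX shell without error."""
    return NAME_RE.match(name) is not None


def split_env_entry(entry):
    """Split a Docker-config style 'NAME=value' entry into (name, value).

    Returns (entry, None) when the entry has no '=' at all, so the caller can
    report it rather than guess.
    """
    name, sep, value = entry.partition("=")
    if not sep:
        return entry, None
    return name, value


def build_export_script(env_entries):
    """Return (script, rejected).

    script   - shell text exporting every entry whose name is a valid
               identifier; values are passed through shlex.quote so that
               spaces and shell metacharacters in them stay inert.
    rejected - list of (entry, reason) for entries that a POSIX shell would
               refuse (bad name) or that cannot be parsed (no '=').
    """
    lines = []
    rejected = []
    for entry in env_entries:
        name, value = split_env_entry(entry)
        if value is None:
            rejected.append((entry, "no '=' separator"))
            continue
        if not is_valid_name(name):
            rejected.append((entry, "%r is not a valid shell variable name" % name))
            continue
        lines.append("export %s=%s" % (name, shlex.quote(value)))
    return "\n".join(lines), rejected


# Constructed sample (hypothetical, not taken from any real image config).
SAMPLE_ENV = [
    "PATH=/usr/lib/jvm/java-17-openjdk/bin:/usr/local/sbin:/usr/bin",
    "JAVA_HOME=/usr/lib/jvm/java-17-openjdk",
    "JAVA_OPTS:=-Xmx512m",          # malformed key: would yield "JAVA_OPTS:: bad variable name"
    "MOTD=hello; echo injected",    # value with metacharacters: must be quoted, not interpolated
]

if __name__ == "__main__":
    script, rejected = build_export_script(SAMPLE_ENV)
    print(script)
    for entry, reason in rejected:
        print("rejected:", entry, "->", reason)
```

Run on the sample, the script contains three export lines (the MOTD value comes out single-quoted) and the JAVA_OPTS: entry is returned in the rejected list with its reason, which is the information a scanner should surface next to the layer instead of the raw shell error. Rejecting rather than "repairing" the name is deliberate: silently renaming JAVA_OPTS: to JAVA_OPTS would run the layer's package commands under an environment the image never had.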