search

whitesource / unified-agent-distribution

51 stars 48 forks source link

Scanning distroless docker images: not able to extract layer.tar #2

Closed tkatrichenko closed 4 years ago

tkatrichenko commented 4 years ago

I'm trying to increase security by using distroless image for my containers, using this image from google as base image https://github.com/GoogleContainerTools/distroless/tree/master/java

When I'm trying to scan it locally with the command java -jar wss-unified-agent.jar -apiKey $API_KEY -wss.url $URL -c whitesource-docker.properties -project mytestproject -product mytestproduct

I receive some warns in the log and 0 system packages. As result, no new projects created

[INFO] [2020-02-21 18:09:01,051 +0700] - Extracting file /tmp/WhiteSource-Docker_507e746a-ee9f-4158-b2c5-22d13f4da998/gcr.io-distroless-java.tar - Size 197453824 Bytes (188 MBs)- Free Space 227714412544 Bytes (217165 MBs)
[WARN] [2020-02-21 18:09:01,589 +0700] - Error extracting file layer.tar: /tmp/WhiteSource-Docker_507e746a-ee9f-4158-b2c5-22d13f4da998/gcr.io-distroless-java/7bff0f034dc797b09394b6136265054e798556abd7438fa31417f04302f23db7/./usr/share/doc/ca-certificates/copyright (No such file or directory)
[WARN] [2020-02-21 18:09:01,590 +0700] - Was not able to extract layer.tar (docker image TAR file)
[INFO] [2020-02-21 18:09:03,711 +0700] - Found 0 system packages in image 'gcr.io/distroless/java'

In my whitesource-docker.properties I have this option docker.includes=my_distroless gcr.io/distroless/java

Is it expected behavior?

jorgeramirezws commented 4 years ago

Hi,

I'm a Support Manager at WhiteSource. We noticed you reported this issue while trying to use our unified agent. I'd like to track this problem via our regular support tracking system. I can open a case on your behalf there but I"ll need the name of the company you are associated with to validate your support. Also if you can please share your name I can confirm if you have a user registered in our support community. Looking forward to hearing back from you

Regards,

--Jorge Ramirez Sr. Manager Technical Support WhiteSource

tkatrichenko commented 4 years ago

Why don't we keep the conversation here? I don't have access to your tracking system

jorgeramirezws commented 4 years ago

Hi,

I need to validate that you have Support with WhiteSource before we can proceed further. If you can let me know what company you are associated with, I will create the case for you and one of our Engineers will be ready to help you. Also, if you have support with us, you can register on our community here (https://whitesourcesoftware.force.com/CustomerCommunity/s) in order to access our tracking system. Please let me know.

Regards,

--Jorge Ramirez Sr. Manager Technical Support WhiteSource

tkatrichenko commented 4 years ago

Just needed to change the include section to

includes=**/*.jar