
Scan a nameless image by digest #3048

Closed
pmengelbert opened this issue Oct 20, 2022 · 1 comment · Fixed by #3075
Labels
kind/feature Categorizes issue or PR as related to a new feature.


pmengelbert commented Oct 20, 2022

If I run the following:

```console
$ trivy -q image --offline-scan sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10
2022-10-19T20:30:43.546-0400    FATAL   image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
        * unable to inspect the image (sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * unable to initialize Podman client: no podman socket found: stat /run/user/1000/podman/podman.sock: no such file or directory
        * failed to get sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10: image "docker.io/library/sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10": not found
        * GET https://index.docker.io/v2/library/sha256/manifests/8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]
```

I get errors showing that the digest is not recognized. However, it is present there in the containerd store. I verified using strace that it did indeed connect to the containerd socket.

There are a couple of issues that lead to this:

  • The name gets mangled in the parsing, and gets converted to docker.io/library/sha256:8421d...
  • In pkg/fanal/image/daemon/containerd.go, you are using a call to client.GetImage(), which only searches the containerd store for images by name
  • The below modification allows for grabbing the image by digest:

```go
// Look the image up by its manifest digest using containerd's filter syntax
// instead of GetImage(), which only resolves by name.
matches, err := client.ListImages(ctx, `target.digest==sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10`)
if err != nil {
	return nil, cleanup, xerrors.Errorf("failed to get %s: %w", imageName, err)
}
// ListImages returns an empty slice (not an error) when nothing matches,
// so guard the index before using the first match.
if len(matches) == 0 {
	return nil, cleanup, xerrors.Errorf("failed to get %s: no image with that digest in the containerd store", imageName)
}
img := matches[0]
```

This uses containerd's built-in filtering syntax, which could be leveraged to scan images by digest.

The use-case of this is in scanning the container runtime of a Kubernetes node, which can accumulate images over time. If a new image is pulled with the same name:tag, the old image can persist in the containerd store as a nameless, digested image.
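As an added illustration of the two points above (not code from the issue or from Trivy), the following self-contained Go program shows how a bare `sha256:...` reference can be recognised before it is ever parsed as a repository name, and why a name-only lookup cannot find an image that survives in the store only by digest. The `image` struct, `sampleStore`, `lookupFilter` and `findImages` are all constructed for this example; the in-memory store and its digests are made up, and `findImages` only mirrors the equality semantics of containerd's `name==` and `target.digest==` filters rather than calling the containerd client.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// image is a minimal stand-in for an entry in the containerd image store:
// a (possibly empty) name plus the manifest digest it points at.
type image struct {
	Name   string
	Digest string
}

// bareDigest matches a reference that is only "sha256:<64 hex chars>",
// with no repository name in front of it.
var bareDigest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// lookupFilter turns a user-supplied reference into a containerd-style
// filter expression. A bare digest must not be handed to the reference
// parser (which is how it becomes docker.io/library/sha256:...); it is
// matched on target.digest instead. Anything else is treated as a name.
func lookupFilter(ref string) string {
	if bareDigest.MatchString(ref) {
		return "target.digest==" + ref
	}
	return "name==" + ref
}

// findImages applies a single "key==value" filter to an in-memory store.
// Only the two keys used above are supported; anything else is an error.
func findImages(store []image, filter string) ([]image, error) {
	parts := strings.SplitN(filter, "==", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("unsupported filter %q", filter)
	}
	key, want := parts[0], parts[1]
	var out []image
	for _, img := range store {
		switch key {
		case "name":
			if img.Name == want {
				out = append(out, img)
			}
		case "target.digest":
			if img.Digest == want {
				out = append(out, img)
			}
		default:
			return nil, fmt.Errorf("unsupported filter key %q", key)
		}
	}
	return out, nil
}

// sampleStore is a constructed store: nginx:1.23 was re-pulled, so the tag
// now points at a new digest and the previous manifest is left behind with
// no name at all. The digests are placeholders, not real image digests.
func sampleStore() []image {
	return []image{
		{Name: "docker.io/library/nginx:1.23", Digest: "sha256:" + strings.Repeat("1", 64)},
		{Name: "", Digest: "sha256:" + strings.Repeat("2", 64)},
	}
}

func main() {
	store := sampleStore()
	for _, ref := range []string{
		"docker.io/library/nginx:1.23",
		"sha256:" + strings.Repeat("2", 64),
	} {
		filter := lookupFilter(ref)
		matches, err := findImages(store, filter)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> filter %q -> %d match(es)\n", ref, filter, len(matches))
	}
}
```

The name lookup finds the current nginx:1.23 record, while the old manifest is only reachable through the `target.digest==` filter; a name-based lookup for that digest string returns nothing, which is the failure the issue describes.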

@pmengelbert pmengelbert added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 20, 2022
pmengelbert (author) commented:

Related: rancher-sandbox/rancher-desktop#539
