Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

reporter panics on k8s container image scan #801

Closed
czunker opened this issue Oct 4, 2023 · 1 comment
Closed

reporter panics on k8s container image scan #801

czunker opened this issue Oct 4, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@czunker
Copy link
Contributor

czunker commented Oct 4, 2023

Describe the bug
The cnspec CLI reporter panics when scanning k8s container images.

I came across this inside a minikube cluster, while testing mondoohq/mondoo-operator#873.

But I could also reproduce it outside the cluster:

Scanned 15 assets

Alpine Linux v3.18
    B index.docker.io/mondoo/cnspec@c4fcf2666941

Distroless
    C quay.io/jetstack/cert-manager-cainjector@7c65d8478484
    C quay.io/jetstack/cert-manager-controller@63a7aa17a1b1
    C quay.io/jetstack/cert-manager-webhook@c5644d09c6cf
    C registry.k8s.io/etcd@51eae8381dcb
    C registry.k8s.io/kube-apiserver@697cd88d94f7
    C registry.k8s.io/kube-controller-manager@6286e500782a
    C registry.k8s.io/kube-proxy@4bcb707da989
    C registry.k8s.io/kube-scheduler@5897d7a97d23
    C registry.k8s.io/metrics-server/metrics-server@ee4304963fb0

Red Hat Enterprise Linux 8.8 (Ootpa)
    C index.docker.io/calico/node@8e34517775f3

scratch
    U gcr.io/k8s-minikube/storage-provisioner@18eb69d1418e
    U index.docker.io/calico/cni@3be3c67ddba1
    U index.docker.io/calico/kube-controllers@01ce29ea8f2b
    U registry.k8s.io/coredns/coredns@a0ead06651cf

Summary
=======

Score Distribution		Asset Distribution
------------------		------------------
A   0 assets      		scratch                                4
B   1 assets      		Red Hat Enterprise Linux 8.8 (Ootpa)   1
C  10 assets      		Alpine Linux v3.18                     1
D   0 assets      		Distroless                             9
F   0 assets
U   4 assets

panic: runtime error: index out of range [1] with length 0

goroutine 1 [running]:
go.mondoo.com/cnspec/cli/reporter.(*defaultReporter).printSummary(0xc0051e9a98, {0xc001ae03c0, 0xf, 0x0?})
	/home/runner/_work/cnspec/cnspec/cli/reporter/print_compact.go:174 +0xe45
go.mondoo.com/cnspec/cli/reporter.(*defaultReporter).print(0xc0051e9a98)
	/home/runner/_work/cnspec/cnspec/cli/reporter/print_compact.go:71 +0x24f
go.mondoo.com/cnspec/cli/reporter.(*Reporter).Print(0xa096e63?, 0x7?, {0xb2839c0?, 0xc0000f0038?})
	/home/runner/_work/cnspec/cnspec/cli/reporter/reporter.go:53 +0x12f
go.mondoo.com/cnspec/apps/cnspec/cmd.printReports(0xa093bb6?, 0xc001b48780, 0x9b520c0?)
	/home/runner/_work/cnspec/cnspec/apps/cnspec/cmd/scan.go:715 +0xa5
go.mondoo.com/cnspec/apps/cnspec/cmd.glob..func22(0x0?, {0xc003213440, 0x0, 0x4}, 0x0?, 0x0?)
	/home/runner/_work/cnspec/cnspec/apps/cnspec/cmd/scan.go:417 +0x1a8
go.mondoo.com/cnquery/apps/cnquery/cmd/builder.kubernetesProviderCmd.func1(0x0?, {0xc003213440?, 0x0?, 0x0?})
	/home/runner/go/pkg/mod/go.mondoo.com/[email protected]/apps/cnquery/cmd/builder/builder.go:316 +0x28
go.mondoo.com/cnquery/apps/cnquery/cmd/builder/common.KubernetesProviderCmd.func2(0xc003066a00?, {0xc003213440?, 0x4?, 0xa09059b?})
	/home/runner/go/pkg/mod/go.mondoo.com/[email protected]/apps/cnquery/cmd/builder/common/common.go:295 +0x75
github.com/spf13/cobra.(*Command).execute(0xc003090000, {0xc003213400, 0x4, 0x4})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:944 +0x863
github.com/spf13/cobra.(*Command).ExecuteC(0x102d82e0)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
go.mondoo.com/cnspec/apps/cnspec/cmd.Execute()
	/home/runner/_work/cnspec/cnspec/apps/cnspec/cmd/root.go:79 +0x1a
main.main()
	/home/runner/_work/cnspec/cnspec/apps/cnspec/cnspec.go:6 +0xf

It does not always happen. I didn't happen when scanning against prod, but against edge.

To Reproduce
Steps to reproduce the behavior:

  1. Command: cnspec scan k8s --discover container-images --config ~/workspace/mondoo/sa-edge-default.json
  2. Note the error

Expected behavior
I'd expect no panic.

Desktop (please complete the following information):

  • cnspec 8.28.4 (2fbca64, 2023-09-20T10:27:51Z)

Additional context
I'm not sure what's the difference is between edge and prod. Perhaps I've different policies active.

I didn't check v9 so far.

@czunker czunker added the bug Something isn't working label Oct 4, 2023
@czunker
Copy link
Contributor Author

czunker commented Oct 4, 2023

The same worked with v9:

cnspec scan k8s --discover container-images --config ~/workspace/mondoo/sa-edge-default.json
...
Scanned 15 assets

Alpine Linux v3.18
    B index.docker.io/mondoo/cnspec@17c97d6e602b

Distroless
    C quay.io/jetstack/cert-manager-cainjector@da7e239ee264
    C quay.io/jetstack/cert-manager-controller@2642e7f41545
    C quay.io/jetstack/cert-manager-webhook@a3205d026246
    C registry.k8s.io/etcd@8ae03c7bbd43
    C registry.k8s.io/kube-apiserver@dcf39b4579f8
    C registry.k8s.io/kube-controller-manager@c4765f949306
    C registry.k8s.io/kube-proxy@ce9abe867450
    C registry.k8s.io/kube-scheduler@9c58009453cf
    C registry.k8s.io/metrics-server/metrics-server@9f50dd170c11

Red Hat Enterprise Linux 8.8 (Ootpa)
    C index.docker.io/calico/node@9459d1b28319

scratch
    U gcr.io/k8s-minikube/storage-provisioner@c4c05d6ad6c0
    U index.docker.io/calico/cni@86779fab56f3
    U index.docker.io/calico/kube-controllers@2c5526ad8cd6
    U registry.k8s.io/coredns/coredns@be7652ce0b43

Summary
=======

Score Distribution		Asset Distribution
------------------		------------------
A   0 assets      		scratch                                4
B   1 assets      		Red Hat Enterprise Linux 8.8 (Ootpa)   1
C  10 assets      		Alpine Linux v3.18                     1
D   0 assets      		Distroless                             9
F   0 assets
U   4 assets

See more scan results and asset relationships on the Mondoo Console: https://edge.console.mondoo.com/space/inventory?spaceId=elastic-payne-456551

I used latest main for the test.

@czunker czunker closed this as completed Oct 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant