Image scan fails with a popup having no useful information

[ibmmi]

Actual Behavior

I pulled the image registry.redhat.io/openshift4/ose-cli:latest, which is publicly available to RedHat registered users. When trying to scan I obtain a popup with the message "Error trying to scan registry.redhat.io/openshift4/ose-cli:latest"

Steps to Reproduce

• RD on Windows 11
• Register to RedHat
• docker pull registry.redhat.io/openshift4/ose-cli:latest
• scan the pulled image

Result

Error popup having the message "Error trying to scan registry.redhat.io/openshift4/ose-cli:latest"

Expected Behavior

Scan report with vulnerabilities or, in the worst case scenario, an useful error message that allows me to fix the problem.

Additional Information

No response

Rancher Desktop Version

1.16.0

Rancher Desktop K8s Version

not enabled

Which container engine are you using?

moby (docker cli)

What operating system are you using?

Windows

Operating System / Build Version

Windows 11 Enterprise Version 23H2 OS Build 22631.4602

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

Undisclosed, I don't think this has any impact on the problem at hand

[jandubois]

The issue is likely that Trivy is not scanning the local image but trying to scan it again. And then fails because it has no access to the registry:

❯ docker pull registry.redhat.io/openshift4/ose-cli:latest
Error response from daemon: Head "https://registry.redhat.io/v2/openshift4/ose-cli/manifests/latest": unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication

We need to verify if the scanner can get access to the credentials from the host.

[jandubois]

I don't have access to the redhat registry, so can't test this directly. Need to check against a different image that needs credentials.

It looks like only the root user inside the VM has access to registry credentials from the host, and it also looks like trivy is being executed via the regular user account.

[ibmmi]

AFAIK, registration to RedHat should be free. Have you tried registering? After registration just docker login with the username and password...

[jandubois]

registration to RedHat should be free. Have you tried registering?

Registration is free for individual, personal use only, which would not apply here. Even though Rancher Desktop is free and open source, it is not a personal project, so I think using a personal account would be a violation of their terms of use.

I have tested this functionality with a local registry that requires authentication. For nerdctl the image scanning indeed fails because the image cannot be downloaded again (and the containerd socket is not in the default location, and some other reasons regarding image names).

With docker however I could scan the local disk image without problem. So I think the issue with the RedHat registry is something else. Could you attach the log files, or at least ~/Library/Logs/rancher-desktop/images.log, so I could check for additional information?

Please restart Rancher Desktop and just scan the image, so there is no other information in the log file.

We will have a fix for containerd/nerdctl in Rancher Desktop 1.18.0, but it seems like that will not make a difference for the RedHat registry.

[jandubois]

I did all my previous testing on macOS, but I now repeated the test on Windows 10 with an image pulled from a private registry requiring authentication.

After pulling it from the shell using docker login and docker pull I selected the image in the UI and asked to "Scan" it. After a longish delay (it downloads almost 2GB of vulnerability databases on first run) it displayed the scan results just fine.

I've also confirmed that I cannot use a personal RedHat account to investigate issues while at work.

So unless I get additional log files with more details, there is not much else I can do.

[ibmmi]

Hello Jan, Thank you for your patience and support so far. PFA the requested log . I can see these lats lines: 2025-01-27T08:17:33.975Z: > moby --quiet --quiet image --format json registry.redhat.io/openshift4/ose-cli:latest: 2025-01-27T09:17:33+01:00     FATAL Fatal error image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: unable to scan OS packages: failed vulnerability detection of OS packages: failed detection: redhat vulnerability detection error: failed to get Red Hat advisories: unable to find CPE indices. See aquasecurity/trivy-db#435 for details 2025-01-27T08:17:33.975Z: Failed to scan image registry.redhat.io/openshift4/ose-cli:latest: {} I hope this helps with the investigation, Thank you, Mihai

…

________________________________ From: Jan Dubois ***@***.***> Sent: Friday, January 24, 2025 11:42 PM To: rancher-sandbox/rancher-desktop ***@***.***> Cc: Mihai Ungureanu ***@***.***>; Author ***@***.***> Subject: [EXTERNAL] Re: [rancher-sandbox/rancher-desktop] Image scan fails with a popup having no useful information (Issue #8090) This Message Is From an External Sender This message came from outside your organization. Report Suspicious<https://us-phishalarm-ewt.proofpoint.com/EWT/v1/AdhS1Rd-!-ZFTOH34OQXTtl0TpS4K2vePl2B-BmBQ04CTqNAJxdhs_hbSCgjXLtdjmuCNRafgbcmg1IzORx-yhH_NRPiExbezTMjOKp7v7PtQQIRL9U1o9FZ8_2kAt_H-3i9n$> I did all my previous testing on macOS, but I now repeated the test on Windows 10 with an image pulled from a private registry requiring authentication. After pulling it from the shell using docker login and docker pull I selected the image in the UI and asked to "Scan" it. After a longish delay (it downloads almost 2GB of vulnerability databases on first run) it displayed the scan results just fine. I've also confirmed that I cannot use a personal RedHat account to investigate issues while at work. So unless I get additional log files with more details, there is not much else I can do. — Reply to this email directly, view it on GitHub<#8090 (comment) >, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BJXITB3VPNJ3I7VDFRCRNHD2MK6UVAVCNFSM6AAAAABVHZ4MTOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJTGUZTGNRQGQ >. You are receiving this because you authored the thread. Unless otherwise stated above: IBM Italia S.p.A. Sede Legale: Circonvallazione Idroscalo - 20090 Segrate (MI) Cap. Soc. euro 347.256.998,80 C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 Società con unico azionista Società soggetta all'attività di direzione e coordinamento di International Business Machines Corporation

[jandubois]

This seems to be a problem with outdated cached information in your VM. Please run

❯ rdctl shell trivy clean --all

2025-01-27T10:35:56-08:00	INFO	Removing scan cache...
2025-01-27T10:35:56-08:00	INFO	Removing vulnerability database...
2025-01-27T10:35:56-08:00	INFO	Removing Java database...
2025-01-27T10:35:56-08:00	INFO	Removing check bundle...
2025-01-27T10:35:56-08:00	INFO	Removing VEX repositories...

And then try the scan again.

[ibmmi]

Hi, I have done that and the error persists. [cid:1fe22045-89bf-4a49-a886-42448b794665] I have also retagged the image to "xx", but it doesn't change anything. 2025-01-28T08:20:46.802Z: > moby --quiet --quiet image --format json xx:latest: 2025-01-28T09:20:46+01:00     FATAL Fatal error image scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: unable to scan OS packages: failed vulnerability detection of OS packages: failed detection: redhat vulnerability detection error: failed to get Red Hat advisories: unable to find CPE indices. See aquasecurity/trivy-db#435 for details Thanks, Mihai

…

________________________________ From: Jan Dubois ***@***.***> Sent: Monday, January 27, 2025 7:37 PM To: rancher-sandbox/rancher-desktop ***@***.***> Cc: Mihai Ungureanu ***@***.***>; Author ***@***.***> Subject: [EXTERNAL] Re: [rancher-sandbox/rancher-desktop] Image scan fails with a popup having no useful information (Issue #8090) This seems to be a problem with outdated cached information in your VM. Please run ❯ rdctl shell trivy clean --all 2025-01-27T10: 35: 56-08: 00 INFO Removing scan cache. . . 2025-01-27T10: 35: 56-08: 00 INFO Removing vulnerability database. . . 2025-01-27T10: 35: 56-08: 00 This seems to be a problem with outdated cached information in your VM. Please run ❯ rdctl shell trivy clean --all 2025-01-27T10:35:56-08:00 INFO Removing scan cache... 2025-01-27T10:35:56-08:00 INFO Removing vulnerability database... 2025-01-27T10:35:56-08:00 INFO Removing Java database... 2025-01-27T10:35:56-08:00 INFO Removing check bundle... 2025-01-27T10:35:56-08:00 INFO Removing VEX repositories... And then try the scan again. — Reply to this email directly, view it on GitHub<#8090 (comment) >, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BJXITBZ73K5HLWMEPLWDGPT2MZ4FXAVCNFSM6AAAAABVHZ4MTOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJWGYYDEMJUGI >. You are receiving this because you authored the thread.Message ID: ***@***.***> Unless otherwise stated above: IBM Italia S.p.A. Sede Legale: Circonvallazione Idroscalo - 20090 Segrate (MI) Cap. Soc. euro 347.256.998,80 C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 Società con unico azionista Società soggetta all'attività di direzione e coordinamento di International Business Machines Corporation

[jandubois]

I have done that and the error persists.

In that case there is nothing else I can do. The error seems to be between trivy and the redhat image.

I would recommend to file a new issue on trivy-db including the image you want to scan, and the error you get, including the reference to aquasecurity/trivy-db#435.

Please close this issue unless you get any information from trivy that indicates there is something in Rancher Desktop that could help to mitigate this problem!