401 unauthorized pulling from public registry

[maciej-markowski]

What happened:
If .grype.yaml contains auth section, grype tries to authenticate even to public (and not specified in config) registries.
The same happens if GRYPE_REGISTRY_AUTH_AUTHORITY, GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD variables are set.

What you expected to happen:
Grype authenticates only to registries specified in config file.

How to reproduce it (as minimally and precisely as possible):
Put auth section in config file eg.

default-image-pull-source: "registry"
registry:
  insecure-skip-tls-verify: true
  auth:
    - authority: "someregistry.io"
      username: "someuser"
      password: "somepassword"

Try to scan publicly available image:

[vagrant@infratest ~]$ grype hello-world:latest
 ✔ Vulnerability DB                [no update available]
1 error occurred:
        * failed to catalog: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: GET https://auth.docker.io/token?scope=repository%3Alibrary%2Fhello-world%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {"details":"incorrect username or password"}

Anything else we need to know?:

Environment:

• Output of grype version: grype 0.73.4

• OS (e.g: cat /etc/os-release or similar): Red Hat Enterprise Linux release 8.8 (Ootpa)

[willmurphyscode]

Hi @maciej-markowski,

Thanks for the bug report! This is fixed in https://github.com/anchore/grype/releases/tag/v0.73.5. Please let us know if you have any questions.