Not Able to Scan Vulnerabilities for Scratch Image #383
Comments
Looks like it is not able to detect distro for alpine images
@bnanda2006 Thanks for the issue. What version of Grype are you using? (Shown if you run I'm not able to reproduce a failure to detect the distro. When I run this:
I get the output:
{
"name": "alpine",
"version": "3.14.1",
"idLike": ""
}
Regarding the number of vulnerabilities, I also see 0 vulnerabilities surfaced by Thanks!
I am using, just updated to 0.16
Docker image
cmd
logs
Thanks for the additional information! Based on your Dockerfile, it looks like you're using a multi-stage build. It looks like your final stage is based on
ok. So multi stage can't be supported?
No, multi-stage builds are fine to use with Grype. 👍 It's just that the image you're building isn't actually an Alpine-based image (it's a (When you use a multi-stage build, all of the image content created above the LAST
OK. So, does Grype support scratch image vulnerabilities? Because most of my images have the last FROM as scratch.
It ends up depending on what data is left present in the image when the build is complete. I'm looking at your Dockerfile, specifically at the lines that would affect the filesystem in the final image:
# ...
FROM scratch
# ...
COPY --from=0 /zoneinfo.zip /
COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=0 /etc/passwd /etc/passwd
# ...
COPY main /
COPY locale /locale
COPY swagger.json /
COPY config.json /
COPY licensepolicy.json /
Are you saying that one or more of these lines are introducing vulnerabilities that should be reported by Grype? If so, which lines, and why?
No, my intention is: if there is any vulnerable package added in future in any Docker image which uses last as
It just depends — in order to find a vulnerability for a package, Grype needs:
So it depends on what files end up in the final stage of your image build. You could conceivably have a final stage that uses Most (if not all) uses of Having said that, if you have a specific use case where you need packages installed in the image, but you're using
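The point made in this thread, that only the files in the final build stage reach the scanner, as an added example (not part of the original discussion and not Grype's code): it keeps only the last stage of a constructed Dockerfile and checks whether any COPY/ADD destination supplies distro or OS package-database files. The function names, the `EVIDENCE` list and the first build stage are assumptions; only shell-form COPY/ADD lines without line continuations are handled.

```python
import posixpath
# Constructed sample: final stage uses COPY lines quoted in the thread; first stage is assumed.
DOCKERFILE = """\
FROM alpine:latest
FROM scratch
COPY --from=0 /zoneinfo.zip /
COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=0 /etc/passwd /etc/passwd
COPY main /
COPY locale /locale
"""

# Assumed list of well-known files that identify a distro or hold its package database.
EVIDENCE = {
    "/etc/os-release": "distro identification",
    "/lib/apk/db/installed": "apk package database",
    "/var/lib/dpkg/status": "dpkg package database",
}

def final_stage(text):
    """Return (base image, instructions) of the last FROM; earlier stages are discarded."""
    base, instructions = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0].upper() == "FROM":
            base, instructions = next(w for w in words[1:] if not w.startswith("--")), []
        else:
            instructions.append(words)
    return base, instructions

def copied_paths(instructions):
    """Destination paths written by shell-form COPY/ADD lines of one stage."""
    paths = []
    for words in instructions:
        if words[0].upper() in ("COPY", "ADD"):
            *sources, dest = [w for w in words[1:] if not w.startswith("--")]
            for src in sources:
                # A destination ending in "/" is a directory: the source name is appended.
                paths.append(dest + posixpath.basename(src.rstrip("/")) if dest.endswith("/") else dest)
    return paths

def scanner_evidence(text):
    """Return (base, copied paths, evidence files the final stage may contain)."""
    base, instructions = final_stage(text)
    paths = copied_paths(instructions)
    found = {e: kind for e, kind in EVIDENCE.items()
             if any(e == p or e.startswith(p.rstrip("/") + "/") for p in paths)}
    return base, paths, found
```

An empty `found` only covers distro-level evidence copied into the stage; a base other than `scratch` brings its own files, which this check does not inspect.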
Thanks @luhring
Of course! So from what I'm understanding, there's no bug in Grype here — unless I've missed something. I'll plan on closing this issue unless you object. 😃
What happened:
I have an image using
FROM alpine:latest
What you expected to happen:
Using latest version, I am not able to get any vulnerabilities, but if I change to
FROM ubuntu:18.04
image I get more than 200
How to reproduce it (as minimally and precisely as possible):
grype -vv -o json --scope all-layers
Anything else we need to know?:
There is no change other than the above in the Dockerfile.
Environment:
grype version
:cat /etc/os-release
or similar):