Provide feedback to user when an exact manifest digest was not provided #485

Open
luhring opened this issue Oct 29, 2021 · 0 comments
Labels
enhancement New feature or request I/O Describes bug or enhancement around application input or output

Comments

@luhring
Contributor

luhring commented Oct 29, 2021

Background

Today, Grype (and Syft) can scan an image from an OCI registry. To do this, the user can specify the image in a number of ways:

  1. image manifest digest (e.g. syft registry:ubuntu@<manifestDigest>)
  2. manifest list digest (e.g. syft registry:ubuntu@<manifestListDigest>)
  3. image tag (e.g. syft registry:ubuntu:latest)
  4. image w/o tag (e.g. syft registry:ubuntu)

Case 1 is explicit, and there's no ambiguity: the user's reference refers to exactly one image, and that image is what the tool scans.

But cases 2, 3, and 4 are implicit: The user is not providing an exact image digest to the tool, so the tool chooses an image out of the possible images for which the user's provided reference applies.

The good

Grype and Syft do show exactly what image was selected. For example, if you run:

syft -o json registry:ubuntu:latest | jq '.source.target'

...you'll see both the user input that was provided and the exact manifest digest that was analyzed:

{
  "userInput": "ubuntu:latest", // <----
  "imageID": "sha256:ba6acccedd2923aee4c2acc6a23780b14ed4b8a5fa4e14e252a23b846df9b6c1",
  "manifestDigest": "sha256:7cc0576c7c0ec2384de5cbf245f41567e922aab1b075f3e8ad565f508032df17", // <----
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
// ...

The bad

The output doesn't tell you how this image was selected.

Also, it's not immediately obvious to users that an image was selected by the tool on the user's behalf. (Technically, users can conclude whether this happened by determining if the userInput differs from the manifestDigest, but this is implicit and not always shown to the user.)

What would you like to be added

In our community Slack, I asked @xtreme-conor-nosal how Grype or Syft would ideally respond to an implicit image reference, and he provided this answer:

verbosely and unambiguously. That could mean:

  • scan everything in the index (and make it clear which results come from which image)
  • abort because the index itself is not an image
  • choose the "best" image in the index to scan (and make it clear what choice was made)
  • prompt the user to choose from the above options

💬 Further discussion is needed on which of these options make the most sense for Grype (and Syft)...

But, the chosen implementation should satisfy these criteria:

  1. It's obvious to a user when an image selection is being performed on their behalf
  2. The user can determine via the tool's output how the image was selected
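The following is an added example, not code from Syft or Grype, sketching how a resolver could satisfy both criteria: it walks each of the four reference forms above to an exact manifest digest while recording every choice it made on the user's behalf. The "choose the best image in the index" option is interpreted here as "the manifest matching the target platform"; that policy, the `Resolve`/`Explain`/`SampleRegistry` names, the `Selection` shape, and the maps standing in for a registry client are all assumptions, and the digests in the sample registry are constructed placeholders rather than real images.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const (
	MediaTypeOCIIndex   = "application/vnd.oci.image.index.v1+json"
	MediaTypeDockerList = "application/vnd.docker.distribution.manifest.list.v2+json"
)

// Subset of an OCI index that selection reads; an image manifest parses into Manifest too.
type Platform struct {
	OS           string `json:"os"`
	Architecture string `json:"architecture"`
}
type Descriptor struct {
	Digest   string    `json:"digest"`
	Platform *Platform `json:"platform,omitempty"`
}
type Manifest struct {
	MediaType string       `json:"mediaType"`
	Manifests []Descriptor `json:"manifests,omitempty"`
}

// Selection reports the exact manifest to scan, whether the tool chose it, the eligible Candidates, and each Step.
type Selection struct {
	UserInput, ManifestDigest string
	Implicit                  bool
	Candidates, Steps         []string
}

// Resolve turns repo, repo:tag or repo@digest into a Selection for the target platform. tags
// ("repo:tag" -> digest) and blobs (digest -> raw manifest) stand in for a registry client
// (assumption: a real one speaks the registry HTTP API). Only repo@<imageDigest> is explicit.
func Resolve(tags map[string]string, blobs map[string][]byte, ref string, want Platform) (Selection, error) {
	sel, digest := Selection{UserInput: ref}, ""
	if at := strings.Index(ref, "@"); at >= 0 {
		digest = ref[at+1:]
		sel.Steps = append(sel.Steps, "digest given explicitly: "+digest)
	} else {
		repo, tag := ref, "latest" // no tag at all (case 4) defaults to :latest
		// A ':' after the last '/' separates the tag; an earlier one belongs to host:port.
		if c := strings.LastIndex(ref, ":"); c > strings.LastIndex(ref, "/") {
			repo, tag = ref[:c], ref[c+1:]
		}
		if digest = tags[repo+":"+tag]; digest == "" {
			return sel, fmt.Errorf("tag %s:%s not found", repo, tag)
		}
		sel.Implicit = true // a tag is a moving pointer, so this is the tool's choice
		sel.Steps = append(sel.Steps, fmt.Sprintf("tag %s:%s currently points at %s", repo, tag, digest))
	}
	var m Manifest // a missing blob is nil, which Unmarshal also rejects
	if err := json.Unmarshal(blobs[digest], &m); err != nil {
		return sel, fmt.Errorf("manifest %s: %w", digest, err)
	}
	if m.MediaType != MediaTypeOCIIndex && m.MediaType != MediaTypeDockerList {
		sel.ManifestDigest, sel.Candidates = digest, []string{digest}
		return sel, nil
	}
	// The reference names a list of images, not an image: pick one and record the pick.
	for _, d := range m.Manifests {
		sel.Candidates = append(sel.Candidates, d.Digest)
		if sel.ManifestDigest == "" && d.Platform != nil && *d.Platform == want {
			sel.ManifestDigest = d.Digest
		}
	}
	if sel.ManifestDigest == "" {
		return sel, fmt.Errorf("%s is an index of %d manifests, none for %s/%s", digest, len(m.Manifests), want.OS, want.Architecture)
	}
	sel.Implicit = true
	sel.Steps = append(sel.Steps, fmt.Sprintf("%s is an index; chose %s for %s/%s out of %d candidates", digest, sel.ManifestDigest, want.OS, want.Architecture, len(m.Manifests)))
	return sel, nil
}

// Explain renders a Selection the way the tool should print it (criteria 1 and 2 above).
func Explain(sel Selection) string {
	head := fmt.Sprintf("scanning %s (exact digest provided)", sel.ManifestDigest)
	if sel.Implicit {
		head = fmt.Sprintf("note: %q is not an exact image digest; selected %s on your behalf", sel.UserInput, sel.ManifestDigest)
	}
	return head + "\n  - " + strings.Join(sel.Steps, "\n  - ") + "\n"
}

// Constructed offline registry (placeholder digests, not real images): ubuntu:latest points
// at a two-platform index, ubuntu:22.04-amd64 straight at the amd64 image manifest.
var DigestAMD64, DigestARM64, DigestIndex = "sha256:" + strings.Repeat("a", 64), "sha256:" + strings.Repeat("b", 64), "sha256:" + strings.Repeat("c", 64)
func SampleRegistry() (tags map[string]string, blobs map[string][]byte) {
	idx, _ := json.Marshal(Manifest{MediaType: MediaTypeOCIIndex, Manifests: []Descriptor{
		{Digest: DigestAMD64, Platform: &Platform{"linux", "amd64"}},
		{Digest: DigestARM64, Platform: &Platform{"linux", "arm64"}},
	}})
	img, _ := json.Marshal(Manifest{MediaType: "application/vnd.oci.image.manifest.v1+json"})
	return map[string]string{"ubuntu:latest": DigestIndex, "ubuntu:22.04-amd64": DigestAMD64},
		map[string][]byte{DigestIndex: idx, DigestAMD64: img, DigestARM64: img}
}
```

Running `Explain` on the result of `Resolve(tags, blobs, "ubuntu:latest", Platform{"linux", "amd64"})` yields a note that the input was not an exact digest followed by two steps (the tag lookup and the platform choice out of two candidates), whereas `ubuntu@<imageDigest>` yields a single "exact digest provided" line. A tag that points straight at an image manifest is still reported as implicit, since the tag could move between runs; and an index with no manifest for the requested platform is an error rather than a silent fallback.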