Support for multiple image refs of same sha in OCI layout #1544

Closed
saisatishkarra opened this issue Feb 7, 2023 · 6 comments

@saisatishkarra

What would you like to be added:

  1. Syft should be able to scan and detect multiple image refs of mediaType application/vnd.oci.image.index.v1+json for the same sha in a single oci-layout.

Why is this needed:
Needed to avoid scanning twice for images with the same sha and different tags.

Additional context:
[Screenshot attachment: Screen Shot 2023-02-07 at 11 43 05 AM]

@saisatishkarra saisatishkarra added the enhancement New feature or request label Feb 7, 2023
@saisatishkarra saisatishkarra changed the title Support for multiple indexes in OCI layout Support for multiple image refs of same sha in OCI layout Feb 7, 2023
@tgerla
Contributor

tgerla commented Feb 23, 2023

Hi @saisatishkarra, thanks for filing the issue. We have a couple of questions over here. Usually these OCI manifests are used, for instance, to list different architectures of the same image (which would have different SHAs), so we are a little bit confused as to why you would have a manifest with two instances of the same exact image (same SHA). Can you provide a few more details about where this manifest came from, what build tool created it, or how to create it, and we can take a closer look? Thanks!

@saisatishkarra
Author

saisatishkarra commented Mar 21, 2023

@tgerla This index manifest is produced when using a build-push-action with multiple tags (list/csv) for a single architecture of the same image. Each tag is considered to produce a separate manifest within the index.json with differing io.containerd.image.name pointing to tag variants in the annotations section for the same image as attached in the description screenshot!!

@spiffcs
Contributor

spiffcs commented May 18, 2023

There is a potential enhancement we can make in https://github.com/anchore/stereoscope where we check the manifest list, and if all of the digests are equal, we can proceed with the scan. @wagoodman if we find that this is only one single image we can just pick one and go, right?

I've added this to the backlog as a stereoscope enhancement while we wait for a 2nd from @wagoodman.
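
The check described in the comment above (every entry in the manifest list carries the same digest, so one scan covers all tags), sketched in Go as an added example; it is not code from syft or stereoscope. The sample index.json, the `example.test` refs and the `sha256:aaaa` digest are constructed, and `groupByDigest` and `singleImage` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed index.json (only the fields read here): one image, two tags, placeholder digest.
const sampleIndex = `{"schemaVersion": 2, "manifests": [
 {"digest": "sha256:aaaa", "annotations": {"io.containerd.image.name": "example.test/app:1.0"}},
 {"digest": "sha256:aaaa", "annotations": {"io.containerd.image.name": "example.test/app:latest"}}]}`

// groupByDigest maps each distinct digest in index.json to the tag refs that point at it.
func groupByDigest(raw []byte) (map[string][]string, error) {
	var idx struct {
		Manifests []struct {
			Digest      string            `json:"digest"`
			Annotations map[string]string `json:"annotations"`
		} `json:"manifests"`
	}
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, fmt.Errorf("parse index.json: %w", err)
	}
	groups := map[string][]string{}
	for _, m := range idx.Manifests {
		refs := groups[m.Digest]
		if name := m.Annotations["io.containerd.image.name"]; name != "" {
			refs = append(refs, name)
		}
		groups[m.Digest] = refs
	}
	return groups, nil
}

// singleImage returns the one digest to scan, with its refs, only when all entries agree.
func singleImage(raw []byte) (string, []string, bool) {
	groups, err := groupByDigest(raw)
	if err != nil || len(groups) != 1 {
		return "", nil, false
	}
	for digest, refs := range groups {
		return digest, refs, digest != ""
	}
	return "", nil, false
}

func main() {
	fmt.Println(singleImage([]byte(sampleIndex)))
}
```

An index whose entries carry different digests (for example, one per architecture) makes `singleImage` return false, so the caller still has to choose which image to scan.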

@saisatishkarra
Author

@spiffcs Is there an update on this?

@spiffcs
Contributor

spiffcs commented Sep 19, 2023

@saisatishkarra just filed a PR in stereoscope to address this.

Apologies for the long response time here!

@spiffcs spiffcs self-assigned this Sep 19, 2023
@spiffcs
Contributor

spiffcs commented Sep 19, 2023

This PR has been merged, so I'll look to get this brought into syft for the next release.
