Syft panics when scanning OCI image that contains packaged helm chart #2745
Comments
Hi @matthyx, thank you for the report! Can you upgrade to the latest Syft (1.1.0) and see if the problem reproduces? 0.70 is from February 2023 so it's quite out of date now. Thanks!

Hey @matthyx, sorry, I spoke too soon. I've reproduced this crash on 1.1.0 myself. We will take a look when we are able. Thanks again for the report!

Sorry for the version mismatch, I had 2 syft installed, the old one by hand in

Whoops, hit Return too soon. Dev notes: Here is the output from the stereoscope test script which includes just a little more information:
Thanks @matthyx for the report! It looks like

```
$ docker pull demo.goharbor.io/forcharts/redpanda:5.7.23
5.7.23: Pulling from forcharts/redpanda
unsupported media type application/vnd.cncf.helm.config.v1+json
$ helm pull oci://demo.goharbor.io/forcharts/redpanda --version 5.7.23
Pulled: demo.goharbor.io/forcharts/redpanda:5.7.23
Digest: sha256:e3fd748dad865a292c94d77ca71aca55d61585e413c5855011ea587dd6fe1c7d
$ ls
redpanda-5.7.23.tgz
$ tar -tzf redpanda-5.7.23.tgz
redpanda/Chart.yaml
... snip ...
```

Syft doesn't currently support scanning helm charts directly, but definitely shouldn't panic when someone tries! I'll make a PR to syft (or more likely https://github.com/anchore/stereoscope, the library Syft uses to handle OCI image interactions) to prevent the panic and fail gracefully in the case when Syft is asked to scan an image that turns out to be an OCI-packaged helm chart. If you were trying to get a list of all the packages that will be involved if you deploy the helm chart, you might be able to make some progress by pulling the helm chart and looking at
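The graceful-failure check described above, as an added example that is not code from the Syft or stereoscope projects: it reads the `config.mediaType` of an OCI manifest (the field that the `docker pull` error above tripped on) and returns an error for Helm chart artifacts instead of treating them as container images. The `Manifest` type, `ClassifyManifest` function and the sample manifests are assumptions for this example; the digests are placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest carries the OCI image-manifest fields needed for the check; the
// config descriptor's media type is what distinguishes an image from a chart.
type Manifest struct {
	SchemaVersion int `json:"schemaVersion"`
	Config        struct {
		MediaType string `json:"mediaType"`
		Digest    string `json:"digest"`
	} `json:"config"`
}

// ErrNotContainerImage signals an OCI artifact that is not a container image
// (for example a Helm chart), so the caller can fail cleanly instead of panicking.
var ErrNotContainerImage = errors.New("OCI artifact is not a container image")

// ClassifyManifest parses a raw OCI manifest and reports whether it may be
// handed to an image scanner. Unknown config types are rejected, not guessed.
func ClassifyManifest(raw []byte) (string, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", fmt.Errorf("parsing manifest: %w", err)
	}
	switch m.Config.MediaType {
	case "application/vnd.oci.image.config.v1+json",
		"application/vnd.docker.container.image.v1+json":
		return "container-image", nil
	case "application/vnd.cncf.helm.config.v1+json":
		return "helm-chart", fmt.Errorf("%w: config media type %s", ErrNotContainerImage, m.Config.MediaType)
	default:
		return "unknown", fmt.Errorf("%w: unsupported config media type %q", ErrNotContainerImage, m.Config.MediaType)
	}
}

// Constructed sample manifests; digests are placeholders, not real values.
const HelmManifestJSON = `{"schemaVersion":2,"config":{"mediaType":"application/vnd.cncf.helm.config.v1+json","digest":"sha256:PLACEHOLDER"}}`
const ImageManifestJSON = `{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:PLACEHOLDER"}}`
func main() {
	for _, raw := range []string{HelmManifestJSON, ImageManifestJSON} {
		kind, err := ClassifyManifest([]byte(raw))
		fmt.Printf("%-15s err=%v\n", kind, err) // helm-chart carries ErrNotContainerImage
	}
}
```

Callers can test for `ErrNotContainerImage` with `errors.Is` and report an unsupported-artifact message rather than crashing.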
What happened:

What you expected to happen:
Return a list of packages from the image.

Steps to reproduce the issue:

```
syft packages demo.goharbor.io/forcharts/redpanda:5.7.23
```

Anything else we need to know?:

Environment:
- Output of `syft version`:
- (`cat /etc/os-release` or similar):