Recognition of files in a folder works inconsistently between Linux distributions. #2808
Comments
I wasn't able to reproduce what you are seeing, specifically doing the equivalent of your script yields the same SBOM for me:
I've attached both (identical) SBOMs to this comment below. arch-sbom.json

I didn't use your script exactly since the real steps it appeared you were trying to get across were (using docker instead):

```sh
# from rocky
curl -Lo /tmp/docker-ce-23.0.2-1.el8.x86_64.rpm https://download.docker.com/linux/centos/8/x86_64/stable/Packages/docker-ce-23.0.2-1.el8.x86_64.rpm
mkdir /tmp/rpm
cd /tmp/rpm   # cpio unpacks into the current directory, so move there first
rpm2cpio /tmp/docker-ce-23.0.2-1.el8.x86_64.rpm | cpio -idmv
# ... now there is a populated /tmp/rpm dir
syft dir:/tmp/rpm -o json > /volumemount/rocky.sbom.json

# from the host
docker cp alpinectrid:/tmp/rpm ./rpm
docker cp ./rpm rockyctrid:/tmp

# from alpine
syft dir:/tmp/rpm -o json > /volumemount/alpine.sbom.json
```

The differences from your script and what I did were:

One of these differences might be a sensitive factor, so I can try and repeat this again and report back.
Thanks for the issue report @jhojczak - I was able to reproduce the same steps and got the same outcome. I appreciate the detailed steps in a script! That made this a lot easier.

This issue was fixed in Syft v1.6.0, likely via PR #2918.

tl;dr

This was due to a (now fixed) bug in the way Syft deals with different types of filesystems. The
As such, in Syft up to v1.5.0, on Arch the

The long version, i.e. how I figured this out.

I did this all on an Ubuntu 24.04 host, with incus installed from the Ubuntu repo.

From verbose logging of syft v1.2.0 (note the
We can see an

```
$ grep ignoring arch-log-verbose-syft-1.2.0.txt | wc -l
16
$ grep ignoring arch-log-verbose-syft-1.2.0.txt | grep target
[0000] DEBUG ignoring system mountpoint mountpoint=/target
$ echo $?
```

For Rocky though, things differ. The

```
$ grep ignoring rocky-log-verbose-syft-1.2.0.txt | wc -l
18
$ grep ignoring rocky-log-verbose-syft-1.2.0.txt | grep target
$ echo $?
1
```

Here's a very w i d e
This likely explains why on Rocky it's producing output for the go packages:

```
$ tail -n
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  v23.0.2   go-module
github.com/docker/docker/cmd/dockerd       v23.0.2   go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
```

But Arch doesn't:

```
$ tail -n 4 archlog.txt
[0000] DEBUG executable cataloger processed 0 files
[0000] TRACE worker stopped component=eventloop
[0000] TRACE signal exit component=eventloop
No packages discovered
```

First thing to check, is this fixed in the latest Syft, v1.10.0?

```
$ incus exec arch-tmp -- docker run --rm -v /tmp/rpm:/target anchore/syft:v1.10.0 scan dir:/target
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  23.0.2    go-module
github.com/docker/docker/cmd/dockerd       23.0.2    go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
$ incus exec rocky-tmp -- docker run --rm -v /tmp/rpm:/target anchore/syft:v1.10.0 scan dir:/target
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  23.0.2    go-module
github.com/docker/docker/cmd/dockerd       23.0.2    go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
```

Yes. Okay. Which release fixed it? Let's just look at the broken one, Arch.

```
$ for syftver in v1.2.0 v1.3.0 v1.4.0 v1.4.1 v1.5.0 v1.6.0 v1.7.0 v1.8.0 v1.9.0 v1.10.0; do echo "Syft $syftver"; incus exec arch-tmp -- docker run --rm -v /tmp/rpm:/target anchore/syft:$syftver dir:/target; done
Syft v1.2.0
No packages discovered
Syft v1.3.0
No packages discovered
Syft v1.4.0
No packages discovered
Syft v1.4.1
No packages discovered
Syft v1.5.0
No packages discovered
Syft v1.6.0
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  v23.0.2   go-module
github.com/docker/docker/cmd/dockerd       v23.0.2   go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
Syft v1.7.0
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  v23.0.2   go-module
github.com/docker/docker/cmd/dockerd       v23.0.2   go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
Syft v1.8.0
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  v23.0.2   go-module
github.com/docker/docker/cmd/dockerd       v23.0.2   go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
Syft v1.9.0
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  v23.0.2   go-module
github.com/docker/docker/cmd/dockerd       v23.0.2   go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
Syft v1.10.0
NAME                                       VERSION   TYPE
github.com/docker/docker/cmd/docker-proxy  23.0.2    go-module
github.com/docker/docker/cmd/dockerd       23.0.2    go-module
stdlib                                     go1.19.7  go-module (+1 duplicate)
```

So it's fixed in v1.6.0. Let's look at the release notes for Syft v1.6.0...
Spidey Sense Tingling

The test script uses

```sh
incus exec --cwd /tmp/rpm ${VM_ROCKY} -- bash -c "rpm2cpio /tmp/docker-ce-23.0.2-1.el8.x86_64.rpm | cpio -idmv"
incus file pull --recursive ${VM_ROCKY}/tmp/rpm ./
incus file push --recursive ./rpm ${VM_ARCH}/tmp
```

Indeed the test script runs `incus exec ${VM_ROCKY} -- mkdir /tmp/rpm`

I suspect there's some difference between

```
$ incus exec rocky-tmp -- mount | grep "/tmp"
$ echo $?
1
$ incus exec arch-tmp -- mount | grep "/tmp"
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
```

Ok, I think I'm done here. It was a bug, now isn't, and is yet another lesson for me on the fun with

Spidey-swings out of here

Until next time. Closing this issue
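The investigation above comes down to one detail: on the Arch VM `/tmp` is a tmpfs, so the bind mount of `/tmp/rpm` into the container shows up as a tmpfs mount at `/target`, and a directory walker that skips "system" mountpoints skips the scan root itself, leaving an empty SBOM with no explanation. The Go program below is an added example (not Syft's code, not part of this issue or the comments, and not the logic of the fix in v1.6.0) that demonstrates the failure mode and the pre-flight check a practitioner would want before trusting an empty `dir:` scan: it parses `/proc/self/mounts` text, finds the mount that actually backs a path, and flags a scan root backed by a pseudo filesystem. The `pseudoFSTypes` set, the two mount tables (an "arch" one where `/target` is tmpfs and a "rocky" one where it is xfs), and the function names are all constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// MountEntry is one parsed line of /proc/self/mounts:
// "device mountpoint fstype options dump pass".
type MountEntry struct{ Device, Mountpoint, FSType string }

// pseudoFSTypes is an ASSUMED set of filesystem types a directory walker might
// classify as "system" mounts and skip. Constructed for this example; not Syft's list.
var pseudoFSTypes = map[string]bool{
	"proc": true, "sysfs": true, "devtmpfs": true, "devpts": true, "cgroup": true,
	"cgroup2": true, "mqueue": true, "securityfs": true, "debugfs": true, "tmpfs": true,
}

// Constructed mount tables as seen from inside a container that bind-mounted the
// host's /tmp/rpm to /target. On the "arch" host /tmp is a tmpfs, so the bind mount
// shows up as tmpfs; on "rocky" /tmp lives on the root xfs filesystem.
const archMounts = `overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /target tmpfs rw,nosuid,nodev,nr_inodes=1048576,inode64 0 0
/dev/sdb1 /mnt/usb\040stick vfat rw,relatime 0 0
`

const rockyMounts = `overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /target xfs rw,relatime,attr2,inode64 0 0
`

// unescape decodes the octal escapes (\040 space, \011 tab, \012 newline,
// \134 backslash) the kernel uses for special characters in mount table fields.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseMounts parses the text of /proc/self/mounts, skipping malformed lines.
func parseMounts(content string) []MountEntry {
	var out []MountEntry
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		out = append(out, MountEntry{Device: unescape(f[0]), Mountpoint: unescape(f[1]), FSType: f[2]})
	}
	return out
}

// enclosingMount returns the mount with the longest mountpoint that is a path
// prefix of path, i.e. the filesystem that actually backs path. Later entries
// with the same mountpoint win, matching /proc/mounts stacking order.
func enclosingMount(mounts []MountEntry, path string) (MountEntry, bool) {
	best, found := MountEntry{}, false
	for _, m := range mounts {
		mp := strings.TrimSuffix(m.Mountpoint, "/") // "/" becomes "", a prefix of every absolute path
		if (path == m.Mountpoint || strings.HasPrefix(path, mp+"/")) && (!found || len(mp) >= len(best.Mountpoint)) {
			best, found = m, true
		}
	}
	return best, found
}

// checkScanRoot reports whether the scan root is backed by a filesystem type the
// walker would skip; a silently skipped root is an empty SBOM with no hint why.
func checkScanRoot(mounts []MountEntry, root string) (string, bool) {
	m, ok := enclosingMount(mounts, root)
	if !ok {
		return "no mount table entry covers " + root, false
	}
	if pseudoFSTypes[m.FSType] {
		return fmt.Sprintf("WARNING: %s is on %s (%s); a walker that skips system mounts would ignore it",
			root, m.Mountpoint, m.FSType), true
	}
	return fmt.Sprintf("ok: %s is on %s (%s)", root, m.Mountpoint, m.FSType), false
}

func main() {
	fmt.Println(checkScanRoot(parseMounts(archMounts), "/target"))
	fmt.Println(checkScanRoot(parseMounts(rockyMounts), "/target"))
}
```

Run against a real container, the same check would read `/proc/self/mounts` instead of the constructed constants; the point is that the "arch" table flags `/target` as tmpfs-backed while the "rocky" table does not, which is exactly the asymmetry the `mount | grep "/tmp"` output above exposed.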
@popey @wagoodman Thank you for solving this! :)
What happened:
Syft does not recognize binary files on archlinux that are recognized on rockylinux even though the contents of the folder are identical.
I have prepared a script that reproduces this behavior.
The script using 'incus' starts two VMs with different Linux distributions (rockylinux and archlinux) and runs syft from a container inside the VMs to scan the folder. The folder contains the unpacked docker-ce rpm package.
I decided to unpack the rpm before scanning because the purl/cpe generated by syft from the packed package does not allow finding CVEs assigned to docker, which in most databases are either assigned to the moby project or to the github/docker/docker repository or the purl pkg:rpm/docker repository.
What you expected to happen:
Syft should produce the same report from folders containing the same files on both Linux distributions.
Steps to reproduce the issue:
Anything else we need to know?:
To run the script, you must have 'incus' or lxd installed with the ability to create virtual machines. In the case of lxd, replace the 'incus' command with lxc in the script.

Environment:
- `syft version`:
- `cat /etc/os-release`: