RPM Scanner does not work on layers where /var/lib/rpm is a symlink #368
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
/remove-lifecycle rotten
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
What happened:
I was testing the RPM scanner functionality and noticed it was returning no packages on recent Fedora images (36+), compared to running generate on Debian images.
Here I am testing with the Fedora 38 amd64 image quay.io/fedora/fedora@sha256:3a1fa4954928d6b8244b36c5de3b6f30d7e6b55227f4f329bba1125a093ae4f9
Analysis
Recent Fedora and derived distributions have made /var/lib/rpm a symlink to ../../usr/lib/sysimage/rpm.
This will also be broken on OSTree images and recent SUSE, and probably future RHEL.
See https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
The current rpmdb extraction code checks that the full rpmdb path (e.g. var/lib/rpm/rpmdb.sqlite) exists in the tar; however, if var/lib/rpm is a symlink the existence check will fail: https://github.com/kubernetes-sigs/bom/blob/main/pkg/osinfo/scanner_rpm.go#L67
I'm happy to create a PR to fix this.
What you expected to happen:
Fedora RPM packages to be included in the generated spdx file
How to reproduce it (as minimally and precisely as possible):
go run cmd/bom/main.go generate --output=fedora.spdx --image quay.io/fedora/fedora@sha256:3a1fa4954928d6b8244b36c5de3b6f30d7e6b55227f4f329bba1125a093ae4f9
go run cmd/bom/main.go document outline fedora.spdx
/kind bug
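The failure mode described in the report is a path lookup that treats tar entry names as literal strings, so a path whose parent directory is a symlink entry never matches. The block below is an added example, not code from kubernetes-sigs/bom: it builds a constructed in-memory layer with the Fedora layout (rpmdb under usr/lib/sysimage/rpm, var/lib/rpm as a relative symlink), indexes the tar, and resolves candidate rpmdb paths component by component, following symlink entries with a hop limit and clamping ".." at the layer root. The candidate list, function names and the placeholder file contents are assumptions made for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// Candidate rpmdb files relative to the layer root (assumed list for this example).
var rpmdbCandidates = []string{
	"var/lib/rpm/rpmdb.sqlite",
	"var/lib/rpm/Packages",
}

// layerIndex maps the normalized name of every tar entry to its header.
type layerIndex map[string]*tar.Header

// normalize cleans a tar entry name: no leading "/" or "./", no trailing "/",
// and ".." clamped at the root so a link cannot escape the layer.
func normalize(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// indexLayer reads a tar stream once and records each entry's header.
func indexLayer(r io.Reader) (layerIndex, error) {
	idx := layerIndex{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return idx, nil
		}
		if err != nil {
			return nil, err
		}
		idx[normalize(hdr.Name)] = hdr
	}
}

// naiveExists is the literal-path check the issue describes: it only asks
// whether the exact name is an entry in the tar, so a symlinked parent fails.
func naiveExists(idx layerIndex, p string) bool {
	_, ok := idx[normalize(p)]
	return ok
}

// resolve walks p component by component, following symlink entries found in
// the index. Relative targets are resolved against the link's parent
// directory, absolute targets against the layer root. Intermediate
// directories missing from the tar (common in image layers) are tolerated;
// the final component must exist. A hop limit guards against link loops.
func (idx layerIndex) resolve(p string) (string, error) {
	const maxHops = 40
	components := strings.Split(normalize(p), "/")
	cur, hops := "", 0
	for i := 0; i < len(components); i++ {
		c := components[i]
		if c == "" || c == "." {
			continue
		}
		next := path.Join(cur, c)
		hdr, ok := idx[next]
		if !ok {
			if i == len(components)-1 {
				return "", fmt.Errorf("%s: not found in layer", next)
			}
			cur = next // implicit parent directory
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink {
			hops++
			if hops > maxHops {
				return "", fmt.Errorf("%s: too many symlinks", p)
			}
			var target string
			if path.IsAbs(hdr.Linkname) {
				target = normalize(hdr.Linkname)
			} else {
				target = normalize(path.Join(path.Dir(next), hdr.Linkname))
			}
			// Restart the walk with the link target followed by the remaining components.
			components = append(strings.Split(target, "/"), components[i+1:]...)
			i, cur = -1, ""
			continue
		}
		cur = next
	}
	return cur, nil
}

// findRPMDB returns the tar entry that actually holds the rpmdb, if any.
func findRPMDB(idx layerIndex) (string, bool) {
	for _, cand := range rpmdbCandidates {
		real, err := idx.resolve(cand)
		if err != nil {
			continue
		}
		if hdr := idx[real]; hdr != nil && hdr.Typeflag == tar.TypeReg {
			return real, true
		}
	}
	return "", false
}

// buildFedoraLikeLayer builds a constructed in-memory tar with the layout the
// issue describes. The file content is a placeholder, not a real rpmdb.
func buildFedoraLikeLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	db := []byte("SQLite format 3\x00") // constructed placeholder content
	entries := []*tar.Header{
		{Name: "usr/lib/sysimage/rpm/", Typeflag: tar.TypeDir, Mode: 0o755},
		{Name: "usr/lib/sysimage/rpm/rpmdb.sqlite", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(db))},
		{Name: "var/lib/", Typeflag: tar.TypeDir, Mode: 0o755},
		{Name: "var/lib/rpm", Typeflag: tar.TypeSymlink, Linkname: "../../usr/lib/sysimage/rpm"},
	}
	for _, h := range entries {
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		if h.Typeflag == tar.TypeReg {
			if _, err := tw.Write(db); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	idx, err := indexLayer(bytes.NewReader(buildFedoraLikeLayer()))
	if err != nil {
		panic(err)
	}
	fmt.Println("literal path present:", naiveExists(idx, "var/lib/rpm/rpmdb.sqlite"))
	if real, ok := findRPMDB(idx); ok {
		fmt.Println("rpmdb resolved to:", real)
	} else {
		fmt.Println("no rpmdb found")
	}
}
```

Resolving inside the archive rather than extracting and calling os.Stat keeps the scanner from ever following a link to a path on the host, and the root clamp in normalize means a crafted layer cannot point the lookup outside the layer. The same walk works for OSTree and SUSE layers that use an absolute link target, since absolute targets are simply re-rooted at the layer.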