Merge pull request #112 from kubescape/401

retry pulling image without credentials on 401
kubescape · May 28, 2023 · f9c77d5 · f9c77d5
2 parents a2503a1 + ad91dd0
commit f9c77d5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/adapters/v1/syft.go b/adapters/v1/syft.go
@@ -24,6 +24,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	containerregistryV1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/instanceidhandler/v1"
@@ -99,6 +100,13 @@ func (s *SyftAdapter) CreateSBOM(ctx context.Context, imageID string, options do
 	// download image
 	logger.L().Debug("downloading image", helpers.String("imageID", imageID))
 	src, err := newFromRegistry(t, sourceInput, registryOptions, s.maxImageSize)
+	// check for 401 error and retry without credentials
+	var transportError *transport.Error
+	if errors.As(err, &transportError) && transportError.StatusCode == http.StatusUnauthorized {
+		logger.L().Debug("got 401, retrying without credentials", helpers.String("imageID", imageID))
+		registryOptions.Credentials = nil
+		src, err = newFromRegistry(t, sourceInput, registryOptions, s.maxImageSize)
+	}
 	switch {
 	case errors.Is(err, ErrImageTooLarge):
 		logger.L().Ctx(ctx).Warning("Image exceeds size limit", helpers.Int("maxImageSize", int(s.maxImageSize)), helpers.String("imageID", imageID))

diff --git a/adapters/v1/syft_test.go b/adapters/v1/syft_test.go
@@ -40,13 +40,13 @@ func Test_syftAdapter_CreateSBOM(t *testing.T) {
 			format:  string(fileContent("testdata/alpine-sbom.format.json")),
 		},
 		{
-			name:    "valid image with registry credentials produces well-formed SBOM",
+			name:    "public image with invalid registry credentials falls back to unauthenticated and produces well-formed SBOM",
 			imageID: "library/alpine@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501",
 			format:  string(fileContent("testdata/alpine-sbom.format.json")),
 			options: domain.RegistryOptions{
 				Credentials: []domain.RegistryCredentials{
 					{
-						Authority: "docker.io",
+						Authority: "index.docker.io",
 						Username:  "username",
 						Password:  "password",
 						Token:     "token",