[BUG] Redhat ubi-micro images aren't supported #521

jpinz opened this issue Mar 7, 2024 · 1 comment
Labels
bug Something isn't working

jpinz commented Mar 7, 2024

Version of copa

v0.6.2

Expected Behavior

Given the trivy scan report of vulnerabilities, I would expect copa to patch the image

Actual Behavior

Command failed with exit code 1: copa patch -i quay.io/kiali/kiali:v1.77.0 -r /scan-trivy-quay_io_kiali_kiali_v1_77_0.json -t v1.77.0 --debug
time="2024-03-06T22:15:46Z" level=debug msg="updates to apply: &{{{redhat 8.9} {amd64}} [{openssl 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3446} {openssl 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3817} {openssl 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-5678} {openssl-libs 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3446} {openssl-libs 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-3817} {openssl-libs 1:1.1.1k-9.el8_7 1:1.1.1k-12.el8_9 CVE-2023-5678}]}"
time="2024-03-06T22:15:46Z" level=debug msg="Trying docker driver"
time="2024-03-06T22:15:46Z" level=debug msg="serving grpc connection"
time="2024-03-06T22:15:46Z" level=debug msg="stopping session"
time="2024-03-06T22:15:46Z" level=debug msg="serving grpc connection"
time="2024-03-06T22:15:47Z" level=debug msg="latest unique RPMs: [{openssl  1:1.1.1k-12.el8_9 } {openssl-libs  1:1.1.1k-12.el8_9 }]"
time="2024-03-06T22:15:47Z" level=debug msg="Using mcr.microsoft.com/cbl-mariner/base/core:2.0 as basis for tooling image"
time="2024-03-06T22:16:34Z" level=debug msg="RPM DB Type in image is: RPMDBBerkley"
time="2024-03-06T22:16:34Z" level=info msg="Checking for available RPM tools in non-distroless image ..."
time="2024-03-06T22:16:34Z" level=debug msg="RPM tools probe results: map[]"
time="2024-03-06T22:16:34Z" level=error msg="image contains no RPM package managers needed for patching"
time="2024-03-06T22:16:34Z" level=error msg="image does not have the rpm tool needed for patch verification"
Error: 2 errors occurred:
	* image contains no RPM package managers needed for patching
	* image does not have the rpm tool needed for patch verification

Steps To Reproduce

Try scanning and patching the image: quay.io/kiali/kiali:v1.77.0 or registry.access.redhat.com/ubi8/openssl

Potentially relevant links

https://github.com/kiali/kiali/blob/master/deploy/docker/Dockerfile-distroless

https://catalog.redhat.com/software/containers/ubi8/openssl/6195a60d65764fb87abae995?architecture=amd64&image=65cba1f6f87d9ae658d7e77f&container-tabs=dockerfile

https://explore.ggcr.dev/fs/registry.access.redhat.com/ubi8/openssl@sha256:7bd53558c2ce8784b1e0d203fc9d5f3e7bb1e0d2b438befdc165233481789e70/

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
@jpinz jpinz added the bug Something isn't working label Mar 7, 2024
@MiahaCybersec
Contributor

Copa currently detects a file which indicates RPM support at /var/lib/rpm/Packages, which in turn makes Copa assume the container isn't distroless. I ran the debugger in GoLand to identify exactly what is happening and have sent my findings to the Copa team.
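
The condition reported in this thread (an rpm database file in the image, but an empty tools probe) can be checked before a patch run. The following is an added example, not Copa's code: the tool names, the directories probed, the verdict strings and the `sampleImage` fixture are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// rpm database files under var/lib/rpm and the backend each one indicates.
var rpmDBFiles = [][2]string{{"Packages", "bdb"}, {"rpmdb.sqlite", "sqlite"}, {"Packages.db", "ndb"}}

// Tools and directories probed; both lists are assumptions of this example.
var rpmTools = []string{"rpm", "dnf", "microdnf", "yum"}
var binDirs = []string{"usr/bin", "bin", "usr/sbin", "sbin"}

// Preflight inspects an image root filesystem and returns the rpm database
// backend ("" if none), the rpm tools found, and a verdict for in-image patching.
func Preflight(img fs.FS) (db string, tools []string, verdict string) {
	for _, f := range rpmDBFiles {
		if _, err := fs.Stat(img, path.Join("var/lib/rpm", f[0])); err == nil {
			db = f[1]
			break
		}
	}
	for _, t := range rpmTools {
		for _, d := range binDirs {
			if _, err := fs.Stat(img, path.Join(d, t)); err == nil {
				tools = append(tools, t)
				break
			}
		}
	}
	switch {
	case db == "":
		verdict = "no rpm database found"
	case len(tools) == 0:
		verdict = "rpm database present, no rpm tooling in image"
	default:
		verdict = "rpm database and tooling present"
	}
	return db, tools, verdict
}

// Constructed sample: an rpm database file and nothing else, as in the log above.
var sampleImage = fstest.MapFS{"var/lib/rpm/Packages": {}}

func main() {
	fmt.Println(Preflight(sampleImage))
}
```

For a real image, unpack its filesystem and pass `os.DirFS(root)` in place of the sample.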
