
Container Scanning fails for "from scratch" Images

Is

Scanning a "from scratch" docker image fails with

...
021-12-22T07:34:45.807Z	DEBUG	OS is not detected and vulnerabilities in OS packages are not detected.
2021-12-22T07:34:45.807Z	DEBUG	Detected OS: unknown
2021-12-22T07:34:45.807Z	INFO	Number of language-specific files: 0

[ERROR] [2021-12-22 07:34:45 +0000] []  ▶  private method `select' called for nil:NilClass

Expected: The scan should finish without errors

Analysis

I think gcs has a wrong assumption about the JSON output of trivy. The keys metadata / os / Family, metadata / os / Name, Results and perhaps others do not always exist. This is where https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/master/lib/gcs/dependency_list_converter.rb#L26 and following will fail.

Implementation Plan

  • Backend: in lib/gcs/dependency_list_converter.rb in the container-scanning analyzer, return an empty report when the JSON report from Trivy does not contain a Results section.
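A defensive converter written as an added example for this issue (hypothetical code, not the gcs analyzer's own), using constructed Trivy-style reports for a scratch image and a Debian image; the Packages field is assumed to be what Trivy emits when package listing is enabled:

```ruby
require 'json'

# Constructed Trivy-style report for a "from scratch" image: no OS detected,
# so Metadata has no OS entry and there is no Results section at all.
SCRATCH_REPORT = <<~JSON
  {
    "SchemaVersion": 2,
    "ArtifactName": "example/scratch-app:latest",
    "Metadata": { "ImageID": "sha256:PLACEHOLDER" }
  }
JSON

# Constructed Trivy-style report for an image with a detected OS and one package.
DEBIAN_REPORT = <<~JSON
  {
    "SchemaVersion": 2,
    "ArtifactName": "example/debian-app:latest",
    "Metadata": { "OS": { "Family": "debian", "Name": "11.2" } },
    "Results": [
      { "Target": "example/debian-app:latest (debian 11.2)", "Class": "os-pkgs",
        "Type": "debian", "Packages": [ { "Name": "libc6", "Version": "2.31-13+deb11u2" } ] }
    ]
  }
JSON

# Hypothetical converter. Every key the issue lists as optional (Metadata/OS/Family,
# Metadata/OS/Name, Results) is read with a default, so a missing key yields an
# empty report instead of a method call on nil. Calling `select` on nil is what
# produces "private method `select' called for nil:NilClass" in the log above:
# the only `select` nil inherits is the private Kernel#select.
def convert_dependency_list(raw_json)
  report = JSON.parse(raw_json)
  os = report.dig('Metadata', 'OS') || {}
  results = report['Results'] || []   # absent for scratch images
  dependencies = results
    .select { |r| r['Class'] == 'os-pkgs' }
    .flat_map { |r| Array(r['Packages']) }
    .map { |pkg| { package: { name: pkg['Name'] }, version: pkg['Version'],
                   package_manager: os['Family'] } }
  { os_family: os['Family'], os_name: os['Name'], dependencies: dependencies }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(convert_dependency_list(SCRATCH_REPORT))
  puts JSON.pretty_generate(convert_dependency_list(DEBIAN_REPORT))
end
```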
Edited by Alan (Maciej) Paruszewski