Container scanning fails for images that do not have an operating system
Summary
When an image is created from scratch, Container Scanning fails while trying to detect an operating system.
This is likely coming from Output GitLab metadata properties in Container ... (#426356 - closed)
Steps to reproduce
- Create an image using a simple Dockerfile:

  ```dockerfile
  FROM scratch
  ```

- Scan with Container Scanning:

  ```yaml
  include:
    - template: Jobs/Build.gitlab-ci.yml
    - template: Security/Container-Scanning.gitlab-ci.yml

  container_scanning:
    variables:
      SECURE_LOG_LEVEL: 'debug'
  ```

- Container scanning job fails
Generated SBOM report

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:043b7bc8-f808-4ddb-b1c9-9df2acc8bfe0",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-18T15:20:37+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.36.1"
      }
    ],
    "component": {
      "bom-ref": "pkg:oci/main@sha256:adf10351862ad5351ac2e714e04a0afb020b9df658ac99a07cbf49c0e18f8e43?repository_url=registry.gitlab.com%2Fbrytannia%2Fcs-scratch%2Fmain\u0026arch=amd64",
      "type": "container",
      "name": "registry.gitlab.com/brytannia/cs-scratch/main:60c1ced811b037afdd106383d6ea7c6c2a4609cd",
      "purl": "pkg:oci/main@sha256:adf10351862ad5351ac2e714e04a0afb020b9df658ac99a07cbf49c0e18f8e43?repository_url=registry.gitlab.com%2Fbrytannia%2Fcs-scratch%2Fmain\u0026arch=amd64",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        },
        {
          "name": "aquasecurity:trivy:ImageID",
          "value": "sha256:71de1148337f4d1845be01eb4caf15d78e4eb15a1ab96030809826698a5b7e30"
        },
        {
          "name": "aquasecurity:trivy:RepoDigest",
          "value": "registry.gitlab.com/brytannia/cs-scratch/main@sha256:adf10351862ad5351ac2e714e04a0afb020b9df658ac99a07cbf49c0e18f8e43"
        },
        {
          "name": "aquasecurity:trivy:RepoTag",
          "value": "registry.gitlab.com/brytannia/cs-scratch/main:60c1ced811b037afdd106383d6ea7c6c2a4609cd"
        }
      ]
    }
  },
  "components": null,
  "dependencies": [
    {
      "ref": "pkg:oci/main@sha256:adf10351862ad5351ac2e714e04a0afb020b9df658ac99a07cbf49c0e18f8e43?repository_url=registry.gitlab.com%2Fbrytannia%2Fcs-scratch%2Fmain\u0026arch=amd64",
      "dependsOn": null
    }
  ],
  "vulnerabilities": []
}
```
Example Project
https://gitlab.com/duncan_harris_ultimate_group/image-scan/
What is the current bug behavior?
Scans for images that do not have an OS fail
What is the expected correct behavior?
Scans for images that do not have an OS should be handled
Relevant logs and/or screenshots
[DEBUG] [2023-10-17 00:53:14 +0000] [container-scanning] > 2023-10-17T00:53:13.870Z DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-10-17T00:53:13.871Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-17T00:53:13.871Z INFO "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-10-17T00:53:13.874Z DEBUG cache dir: /home/gitlab/.cache/trivy/ee
2023-10-17T00:53:14.076Z DEBUG Image ID: sha256:71de1148337f4d1845be01eb4caf15d78e4eb15a1ab96030809826698a5b7e30
2023-10-17T00:53:14.077Z DEBUG Diff IDs: []
2023-10-17T00:53:14.077Z DEBUG Base Layers: []
2023-10-17T00:53:14.077Z DEBUG OS is not detected.
[DEBUG] [2023-10-17 00:53:14 +0000] [container-scanning] >
[ERROR] [2023-10-17 00:53:14 +0000] [container-scanning] > undefined method `find' for nil:NilClass
operating_system = report["components"].find { |component| component["type"] == "operating-system" }
^^^^^
[ERROR] [2023-10-17 00:53:14 +0000] [container-scanning] > /usr/local/bundle/gems/gcs-6.2.0/lib/gcs/sbom_converter.rb:34:in `convert'
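The traceback above is tripping on the `"components": null` that trivy emits for a scratch image: the converter calls `find` on nil. As an added example (not the gcs analyzer's own code), a minimal Ruby reproduction of the failing lookup beside a nil-tolerant version, run over constructed SBOMs:

```ruby
require 'json'

# Constructed minimal CycloneDX SBOM for a FROM scratch image, mirroring the
# shape in the report above: "components" is JSON null, not an empty array.
SCRATCH_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": null,
    "vulnerabilities": []
  }
JSON

# Constructed SBOM for an image that does carry an operating-system component.
DEBIAN_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {"type": "operating-system", "name": "debian", "version": "12.1"},
      {"type": "library", "name": "libc6", "version": "2.36-9+deb12u3"}
    ],
    "vulnerabilities": []
  }
JSON

# Reproduces the failing lookup from the log: nil.find raises NoMethodError.
def find_os_unsafe(report)
  report["components"].find { |c| c["type"] == "operating-system" }
end

# Hypothetical hardened lookup: a missing or null "components" array is
# treated as empty, so an OS-less image yields nil instead of crashing.
def find_os(report)
  (report["components"] || []).find { |c| c["type"] == "operating-system" }
end

# Builds the small summary a converter would need, flagging OS-less images
# explicitly so downstream code can skip OS-level advisory matching.
def summarize(json)
  report = JSON.parse(json)
  os = find_os(report)
  packages = (report["components"] || []).count { |c| c["type"] == "library" }
  {
    os_name: os ? os["name"] : nil,
    os_version: os ? os["version"] : nil,
    package_count: packages,
    has_os: !os.nil?
  }
end
```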
Output of checks
/label reproduced on GitLab.com
Results of GitLab environment info
GitLab Enterprise Edition 16.5.0-pre d67d92ab28e
Workaround
Pin the Container Scanning image to an earlier version like 6.1.5.
Warning: this image is not updated on a daily basis to get the latest published advisories. Last update is 2023-10-10.
This can be done via the project variables or via the YAML CI configuration:

```yaml
variables:
  CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6.1.5"
```