
Syft panics when scanning OCI image that contains packaged helm chart #2745

Closed
matthyx opened this issue Apr 3, 2024 · 5 comments · Fixed by #2757
Assignees
Labels
bug Something isn't working

Comments

@matthyx

matthyx commented Apr 3, 2024

What happened:

$ syft packages demo.goharbor.io/forcharts/redpanda:5.7.23
panic: runtime error: index out of range [0] with length 0

goroutine 52 [running]:
github.com/anchore/stereoscope/pkg/image.newLayerMetadata({{0xc000536140, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {{0x0, ...}}, ...}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/pkg/image/layer_metadata.go:26 +0x1dd
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(_, _, {{0xc000536140, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, ...}, ...}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/pkg/image/layer.go:85 +0xe5
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0xc0004a5500)
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/pkg/image/image.go:204 +0x4f0
github.com/anchore/stereoscope.GetImageFromSource({0x14baba0, 0xc000038080}, {0x7fff6b15427a, 0x2a}, 0x5, {0xc000142248, 0x1, 0xc00022f5f0?})
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/client.go:93 +0x2d5
github.com/anchore/syft/syft/source.getImageWithRetryStrategy({{0x7fff6b15427a, 0x2a}, {0x12b303a, 0xb}, 0x5, {0x7fff6b15427a, 0x2a}, {0x0, 0x0}, {0x0, ...}, ...}, ...)
        /home/runner/work/syft/syft/syft/source/source.go:172 +0x2a7
github.com/anchore/syft/syft/source.generateImageSource({{0x7fff6b15427a, 0x2a}, {0x12b303a, 0xb}, 0x5, {0x7fff6b15427a, 0x2a}, {0x0, 0x0}, {0x0, ...}, ...}, ...)
        /home/runner/work/syft/syft/syft/source/source.go:138 +0x58
github.com/anchore/syft/syft/source.New({{0x7fff6b15427a, 0x2a}, {0x12b303a, 0xb}, 0x5, {0x7fff6b15427a, 0x2a}, {0x0, 0x0}, {0x0, ...}, ...}, ...)
        /home/runner/work/syft/syft/syft/source/source.go:125 +0x118
github.com/anchore/syft/cmd/syft/cli/packages.execWorker.func1()
        /home/runner/work/syft/syft/cmd/syft/cli/packages/packages.go:69 +0x1e5
created by github.com/anchore/syft/cmd/syft/cli/packages.execWorker
        /home/runner/work/syft/syft/cmd/syft/cli/packages/packages.go:66 +0x12c

What you expected to happen:
Return a list of packages from the image.

Steps to reproduce the issue:
syft packages demo.goharbor.io/forcharts/redpanda:5.7.23

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.70.0
JsonSchemaVersion:  6.2.0
BuildDate:          2023-02-03T18:16:55Z
GitCommit:          9995950c70e849f9921919faffbfcf46401f71f3
GitDescription:     v0.70.0
Platform:           linux/amd64
GoVersion:          go1.19.5
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
@matthyx matthyx added the bug Something isn't working label Apr 3, 2024
@tgerla
Contributor

tgerla commented Apr 3, 2024

Hi @matthyx, thank you for the report! Can you upgrade to the latest Syft (1.1.0) and see if the problem reproduces? 0.70 is from February 2023, so it's quite out of date now. Thanks!

@tgerla
Contributor

tgerla commented Apr 3, 2024

Hey @matthyx, sorry, I spoke too soon. I've reproduced this crash on 1.1.0 myself. We will take a look when we are able. Thanks again for the report!

@matthyx
Author

matthyx commented Apr 3, 2024

Sorry for the version mismatch, I had 2 copies of syft installed: the old one by hand in /usr/local/bin/syft and the new one by apt in /usr/bin/syft.
Thanks for looking at it :)

@tgerla
Contributor

tgerla commented Apr 3, 2024

Whoops, hit Return too soon.

Dev notes: Here is the output from the stereoscope test script, which includes just a little more information:

tgerla@Timothys-MacBook-Pro-2 stereoscope % go run examples/basic.go demo.goharbor.io/forcharts/redpanda:5.7.23
[0000] DEBUG image: source= location=demo.goharbor.io/forcharts/redpanda:5.7.23
[0000] TRACE trying podman socket path=/Users/tgerla/Library/Application Support/podman/podman.sock
[0000] TRACE trying podman socket path=/run/podman/podman.sock
[0000] TRACE unable to connect to podman via unix socket error=no socket address
github.com/anchore/stereoscope/internal/podman.init
	/Users/tgerla/git/anchore/stereoscope/internal/podman/client.go:18
runtime.doInit1
	/usr/local/go/src/runtime/proc.go:6740
runtime.doInit
	/usr/local/go/src/runtime/proc.go:6707
runtime.main
	/usr/local/go/src/runtime/proc.go:249
runtime.goexit
	/usr/local/go/src/runtime/asm_arm64.s:1197
[0000] TRACE trying containerd socket path=/var/run/containerd/containerd.sock
[0000] DEBUG pulling image info directly from registry image="demo.goharbor.io/forcharts/redpanda:5.7.23"
[0000] DEBUG no registry credentials configured for "demo.goharbor.io", using the default keychain
[0002] DEBUG image metadata: digest=sha256:3d34c672cbed928c11048e901f8c2d81490e11b32cdd834736d3aef20b55ce4e mediaType=application/vnd.oci.image.manifest.v1+json tags=[]
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/anchore/stereoscope/pkg/image.newLayerMetadata({{0x14000222eb0, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {{0x0, ...}}, ...}, ...}, ...)
	/Users/tgerla/git/anchore/stereoscope/pkg/image/layer_metadata.go:26 +0x178
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(_, _, {{0x14000222eb0, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, ...}, ...}, ...}, ...)
	/Users/tgerla/git/anchore/stereoscope/pkg/image/layer.go:88 +0xc0
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0x1400040c380)
	/Users/tgerla/git/anchore/stereoscope/pkg/image/image.go:227 +0x60c
github.com/anchore/stereoscope/pkg/image/oci.(*registryImageProvider).Provide(0x14000100720, {0x104dd4c90, 0x14000112690})
	/Users/tgerla/git/anchore/stereoscope/pkg/image/oci/registry_provider.go:93 +0x948
github.com/anchore/stereoscope.getImageFromSource({0x104dd4c90, 0x14000112690}, {0x16babf8b3, 0x2a}, {0x0, 0x0}, {0x0, 0x0, 0x0})
	/Users/tgerla/git/anchore/stereoscope/client.go:110 +0x388
github.com/anchore/stereoscope.GetImage({0x104dd4c90, 0x14000112690}, {0x16babf8b3, 0x2a}, {0x0, 0x0, 0x0})
	/Users/tgerla/git/anchore/stereoscope/client.go:72 +0x70
main.main()
	/Users/tgerla/git/anchore/stereoscope/examples/basic.go:36 +0x134
exit status 2
tgerla@Timothys-MacBook-Pro-2 stereoscope %

@willmurphyscode willmurphyscode self-assigned this Apr 3, 2024
@willmurphyscode
Contributor

Thanks @matthyx for the report!

It looks like demo.goharbor.io/forcharts/redpanda:5.7.23 is a helm chart packaged as an OCI image, but not a container image:

$ docker pull demo.goharbor.io/forcharts/redpanda:5.7.23
5.7.23: Pulling from forcharts/redpanda
unsupported media type application/vnd.cncf.helm.config.v1+json
$ helm pull oci://demo.goharbor.io/forcharts/redpanda --version 5.7.23
Pulled: demo.goharbor.io/forcharts/redpanda:5.7.23
Digest: sha256:e3fd748dad865a292c94d77ca71aca55d61585e413c5855011ea587dd6fe1c7d
$ ls
redpanda-5.7.23.tgz
$ tar -tzf redpanda-5.7.23.tgz
redpanda/Chart.yaml
... snip ...

Syft doesn't currently support scanning helm charts directly, but definitely shouldn't panic when someone tries!

I'll make a PR to syft (or more likely https://github.com/anchore/stereoscope, the library Syft uses to handle OCI image interactions) to prevent the panic and fail gracefully in the case when Syft is asked to scan an image that turns out to be an OCI-packaged helm chart.

If you were trying to get a list of all the packages that will be involved if you deploy the helm chart, you might be able to make some progress by pulling the helm chart and looking at Chart.yaml to see which images would be pulled, and pointing syft at those, but I'm not an expert in helm and I don't know whether that would give you a complete list.
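One defensive check at the manifest level, as an added example (not stereoscope's code and not the fix in #2757; CheckScannable, imageConfigTypes and the two sample manifests are constructed here): refuse artifacts whose config media type is not an image config, and manifests with no layers, before any layer code indexes into them, so a helm chart produces an error rather than the index-out-of-range panic in the report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of an OCI image manifest: only the fields the check needs.
type manifest struct {
	Config struct {
		MediaType string `json:"mediaType"`
	} `json:"config"`
	Layers []json.RawMessage `json:"layers"`
}

// Config media types a container-image scanner can handle (OCI and Docker schema 2).
var imageConfigTypes = map[string]bool{
	"application/vnd.oci.image.config.v1+json":       true,
	"application/vnd.docker.container.image.v1+json": true,
}
var ErrNotContainerImage = errors.New("artifact is not a container image")

// CheckScannable validates a manifest before any layer processing: it returns the layer
// count, or a wrapped ErrNotContainerImage when the config is not an image config (e.g. a
// helm chart) or there are no layers, so callers get an error instead of a later panic.
func CheckScannable(raw []byte) (int, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return 0, fmt.Errorf("parse manifest: %w", err)
	}
	if !imageConfigTypes[m.Config.MediaType] {
		return 0, fmt.Errorf("%w: unsupported config media type %q", ErrNotContainerImage, m.Config.MediaType)
	}
	if len(m.Layers) == 0 {
		return 0, fmt.Errorf("%w: manifest has no layers", ErrNotContainerImage)
	}
	return len(m.Layers), nil
}

// Constructed sample manifests, trimmed to the fields above (no real digests).
const helmChartManifest = `{"schemaVersion":2,"config":{"mediaType":"application/vnd.cncf.helm.config.v1+json"},"layers":[{"mediaType":"application/vnd.cncf.helm.chart.content.v1.tar+gzip"}]}`
const containerManifest = `{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json"},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip"}]}`

func main() {
	for _, raw := range []string{helmChartManifest, containerManifest} {
		n, err := CheckScannable([]byte(raw))
		fmt.Printf("layers=%d err=%v\n", n, err)
	}
}
```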

@willmurphyscode willmurphyscode changed the title Panic when downloading demo.goharbor.io/forcharts/redpanda:5.7.23 Syft panics when scanning OCI image that contains packaged helm chart Apr 3, 2024
@willmurphyscode willmurphyscode moved this to In Progress in OSS Apr 8, 2024
@willmurphyscode willmurphyscode moved this from In Progress to In Review in OSS Apr 8, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Apr 23, 2024