Container scanning issues after switching to OSV-Scalibr #1486

Open
8 of 10 tasks
hogo6002 opened this issue Jan 10, 2025 · 2 comments
Labels
container-scanning-mvp blockers for container scanning MVP

hogo6002 commented Jan 10, 2025

Container scanning is currently unavailable due to our ongoing transition to OSV-Scalibr. We've encountered several issues during this process, including:

  • Not able to determine the version of Ubuntu
    • Version extraction solved by symbolic link handling in osv-scalibr
    • Matching solved by API changes in osv.dev
    • Identify unimportant vulnerabilities from Ubuntu
  • Symbolic link handling failures (solved by handling symbolic links in osv-scalibr)
  • Unable to identify vulnerabilities in Go binaries (solved by properly implementing the Stat() function in osv-scalibr)
  • Infinite loop when attempting to scan nginx
    • Run go run ./cmd/osv-scanner --docker=nginx:1.27.3
    • It will print out a lot of "OS id not found" or similar; this is fine, it is caused by the symlink issue mentioned above.
    • It seems to get stuck, or take a very long time; it even crashes the VS Code web terminal.

Some issues from OSV.dev:

hogo6002 added the container-scanning-mvp label Jan 10, 2025
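The first two bullets of the issue (Ubuntu version not detected, symlink handling) share one root cause: on Ubuntu, /etc/os-release is a relative symlink to ../usr/lib/os-release, so a scanner that walks an extracted image root with Lstat semantics sees a link entry, never reads the target, and falls back to ID "linux". The following Go program is an added example written for this page, not code from the issue, OSV-Scanner or OSV-Scalibr. It builds a constructed image root that mimics Ubuntu's layout, shows the naive Lstat-based detection failing, and then resolves symlinks inside the image root (rebasing absolute targets onto the root, refusing hops that escape it, and capping the hop count so a cyclic link errors out rather than spinning). All function names, the hop limit and the sample os-release content are assumptions of this example; the page does not state that the nginx hang was caused by a symlink cycle, the bound is simply defensive practice.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// OSRelease holds the two os-release fields a container scanner needs to map
// an image onto a distro ecosystem (for example Ubuntu + 22.04).
type OSRelease struct {
	ID        string
	VersionID string
}

// maxSymlinkHops bounds link resolution so a cyclic symlink inside an image
// layer fails with an error instead of looping forever (assumed limit).
const maxSymlinkHops = 8

// resolveInRoot follows symlinks for rel, a path inside the extracted image
// root, and returns the final on-disk path. Absolute link targets are rebased
// onto root (the image's "/" is root, not the host's), and any hop that would
// leave root is rejected.
func resolveInRoot(root, rel string) (string, error) {
	root = filepath.Clean(root)
	cur := filepath.Join(root, rel)
	for i := 0; i < maxSymlinkHops; i++ {
		fi, err := os.Lstat(cur)
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			return cur, nil // reached a real file or directory
		}
		target, err := os.Readlink(cur)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			cur = filepath.Join(root, target)
		} else {
			cur = filepath.Join(filepath.Dir(cur), target)
		}
		if !strings.HasPrefix(cur, root+string(os.PathSeparator)) {
			return "", fmt.Errorf("symlink %s escapes the image root", rel)
		}
	}
	return "", errors.New("too many symlink hops resolving " + rel)
}

// parseOSRelease reads KEY=value lines; values may be single- or double-quoted.
func parseOSRelease(r io.Reader) OSRelease {
	var out OSRelease
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		val = strings.Trim(val, `"'`)
		switch key {
		case "ID":
			out.ID = val
		case "VERSION_ID":
			out.VersionID = val
		}
	}
	return out
}

// naiveDetect reproduces the failure mode: keying off Lstat, etc/os-release is
// a symlink rather than a regular file, so nothing is read and the result is
// the "linux" fallback seen in the log lines on this page.
func naiveDetect(root string) OSRelease {
	p := filepath.Join(root, "etc", "os-release")
	fi, err := os.Lstat(p)
	if err != nil || !fi.Mode().IsRegular() {
		return OSRelease{ID: "linux"}
	}
	f, err := os.Open(p)
	if err != nil {
		return OSRelease{ID: "linux"}
	}
	defer f.Close()
	return parseOSRelease(f)
}

// detectOS checks the usual locations, following symlinks confined to root,
// and falls back to ID "linux" only when no usable file is found.
func detectOS(root string) OSRelease {
	for _, rel := range []string{"etc/os-release", "usr/lib/os-release"} {
		path, err := resolveInRoot(root, rel)
		if err != nil {
			continue
		}
		f, err := os.Open(path)
		if err != nil {
			continue
		}
		osr := parseOSRelease(f)
		f.Close()
		if osr.ID != "" {
			return osr
		}
	}
	return OSRelease{ID: "linux"}
}

// buildUbuntuLikeRoot creates a throwaway image root with Ubuntu's layout:
// the real file under usr/lib and etc/os-release as a relative symlink to it.
// Constructed sample data, not an extracted image.
func buildUbuntuLikeRoot() (string, error) {
	root, err := os.MkdirTemp("", "imgroot")
	if err != nil {
		return "", err
	}
	for _, d := range []string{"etc", "usr/lib"} {
		if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil {
			return "", err
		}
	}
	content := "NAME=\"Ubuntu\"\nID=ubuntu\nVERSION_ID=\"22.04\"\nID_LIKE=debian\n"
	if err := os.WriteFile(filepath.Join(root, "usr/lib/os-release"), []byte(content), 0o644); err != nil {
		return "", err
	}
	return root, os.Symlink("../usr/lib/os-release", filepath.Join(root, "etc/os-release"))
}

func main() {
	root, err := buildUbuntuLikeRoot()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	fmt.Printf("naive:    %+v\n", naiveDetect(root))
	fmt.Printf("resolved: %+v\n", detectOS(root))
}
```

The important design choice is that resolution happens against the image root rather than the host: an image whose /etc/os-release pointed at an absolute /usr/lib/os-release would otherwise be answered from the scanner host's own distro, and a hostile layer could point a link at arbitrary host files. The prefix check rejects both.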
oliverchang (Collaborator) commented:

@another-rex do we know how to solve the issues mentioned here? IIRC there's some fixes in OSV-Scalibr already that address the Go binary and symlink issues?

oliverchang (Collaborator) commented:

I ran go run ./cmd/osv-scanner --docker=nginx:1.27.3 from https://github.com/another-rex/osv-scanner/tree/use-scalibr-container-scanning, and it finishes pretty quickly:

...
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
2025/01/13 15:26:26 os-release[ID] not set, fallback to 'linux'
No issues found
