Exception when running inside a container #77

Open
bh86 opened this issue Dec 5, 2023 · 9 comments

bh86 commented Dec 5, 2023

When running the VDB inside a Docker container (through depscan image), we got the following exception:

 Performing regular scan for / using plugin bom
Traceback (most recent call last):
  File "/usr/local/bin/depscan", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/dep-scan/depscan/cli.py", line 1032, in main
    vdb_results, pkg_aliases, sug_version_dict, purl_aliases = scan(
                                                               ^^^^^
  File "/opt/dep-scan/depscan/cli.py", line 318, in scan
    results, pkg_aliases, purl_aliases = utils.search_pkgs(
                                         ^^^^^^^^^^^^^^^^^^
  File "/opt/dep-scan/depscan/lib/utils.py", line 242, in search_pkgs
    raw_results = db_lib.pkg_bulk_search(db, quick_res)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/vdb/lib/db.py", line 307, in pkg_bulk_search
    datas = storage.stream_bulk_search(pkg_key_list, _key_func, db_file=db["db_file"])
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/vdb/lib/storage.py", line 93, in stream_bulk_search
    fp.seek(int(store_pos))
OSError: [Errno 25] Inappropriate ioctl for device

For now, this is not being reproduced on Linux, only on macOS.

prabhu (Contributor) commented Dec 6, 2023

@bh86, this may be a permission issue. Can you set the environment variable VDB_HOME to a directory that is accessible via the volume mount? E.g.:

docker run -v /tmp:/tmp -e VDB_HOME=/tmp

bh86 (Author) commented Dec 6, 2023

Thanks @prabhu. I'm mounting the directory:

docker run -v /opt/data/vdb:/vdb:rw -t ghcr.io/owasp-dep-scan/dep-scan:v5.0.1 -e VDB_HOME=/vdb

I haven't changed this for a long time; it just stopped working a few weeks ago. Even older images I had locally (such as version 4.3.2), which used to work, are not working anymore after I deleted the images locally and pulled a new image.

prabhu (Contributor) commented Dec 6, 2023

@bh86, I am unable to replicate this on my mac. Did anything else change in your machine?

bh86 (Author) commented Dec 7, 2023

It happens on other macs as well. I'm putting the full docker run command, maybe it's related:

docker run -v "/some-output-dir":/output:rw -v /opt/data/vdb:/vdb:rw -e VDB_HOME=/vdb -e SCAN_DEBUG_MODE=true -e NVD_START_YEAR=2014 -t ghcr.io/owasp-dep-scan/dep-scan:v5.0.1 --bom "/output/sbon.vex.json --reports-dir /output/reports --no-suggest --no-banner"

prabhu (Contributor) commented Dec 7, 2023

@bh86, can you try -it instead of just -t? On my mac, it works with or without the -i. Is there any EDR tool or security feature enabled in all the macs tested?

bh86 (Author) commented Dec 7, 2023

I'm sorry, but I forgot to mention something important - I'm running Docker from Node.js :-;
I'm using spawn to run Docker, so this is probably related.
I've tried with -it (and all possible combinations) - still got the errors :-(

Something like:

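const { spawn } = require('child_process');

const runCommand = `run -v "/some-output-dir":/output:rw -v /opt/data/vdb:/vdb:rw -e VDB_HOME=/vdb -e SCAN_DEBUG_MODE=true -e NVD_START_YEAR=2014 -t ghcr.io/owasp-dep-scan/dep-scan:v5.0.1 --bom "/output/sbon.vex.json" --reports-dir /output/reports --no-suggest --no-banner`;
const args = runCommand.split(' ');
// Named `child` so it does not shadow the global `process` used for cwd().
const child = spawn('docker', args, {
    shell: true, // args are re-joined and parsed by a shell, which handles the quotes
    cwd: process.cwd(),
  });

// Output and exit handlers (bodies left empty as in the original snippet).
child.stdout?.on('data', (data) => {});
child.stderr?.on('data', (data) => {});
child.on('exit', (code) => {});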

Thank you for your help!

prabhu (Contributor) commented Dec 7, 2023

Maybe try stdio: 'pipe' or inherit with spawn? Or use a bash script and invoke that from node directly.
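
One way to try the suggestion above from Node.js, as an added example (not code from the thread or from dep-scan): docker is spawned without a shell, with piped stdio, and `-t` is passed only on request. `buildDockerArgs`, `runDepscan` and the `tty` option are names made up for this example, and the thread does not establish that this resolves the exception.

```javascript
const { spawn } = require('child_process');

const IMAGE = 'ghcr.io/owasp-dep-scan/dep-scan:v5.0.1'; // tag quoted in the thread

// Build argv as an array: no shell parses it, so quotes and spaces in paths
// are passed through literally instead of being re-split.
function buildDockerArgs({ outputDir, vdbDir, tty = false }) {
  const dockerOpts = [
    '-v', `${outputDir}:/output:rw`,
    '-v', `${vdbDir}:/vdb:rw`,
    '-e', 'VDB_HOME=/vdb',
    '-e', 'SCAN_DEBUG_MODE=true',
    '-e', 'NVD_START_YEAR=2014',
  ];
  // Request a pseudo-TTY only when the caller really has a terminal.
  if (tty) dockerOpts.push('-t');
  // Everything after the image name is handed to the container's entrypoint,
  // so docker's own options must come before it.
  const depscanArgs = [
    '--bom', '/output/sbon.vex.json',
    '--reports-dir', '/output/reports',
    '--no-suggest', '--no-banner',
  ];
  return ['run', ...dockerOpts, IMAGE, ...depscanArgs];
}

// Spawn docker directly (shell: false is the default) and collect its output.
function runDepscan(opts) {
  return new Promise((resolve, reject) => {
    const child = spawn('docker', buildDockerArgs(opts), {
      stdio: ['ignore', 'pipe', 'pipe'], // no stdin, piped stdout/stderr
    });
    let stdout = '';
    let stderr = '';
    child.stdout.on('data', (d) => { stdout += d; });
    child.stderr.on('data', (d) => { stderr += d; });
    child.on('error', reject); // e.g. docker binary not found
    child.on('close', (code) => resolve({ code, stdout, stderr }));
  });
}

// Usage (paths are the ones from the thread):
// runDepscan({ outputDir: '/some-output-dir', vdbDir: '/opt/data/vdb',
//              tty: Boolean(process.stdout.isTTY) }).then(console.log);
```
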

bh86 (Author) commented Dec 7, 2023

Thanks! We will look into this, but I think it's still worth supporting a non-interactive mode. It used to work a few weeks ago, so maybe something changed in one of the previous versions.

prabhu (Contributor) commented Dec 7, 2023

@bh86, interesting. Let's keep this issue open since I'm not sure what changed in the dockerfile to cause this issue.
