Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

syft produces different output when run with sudo #1391

Closed
Hritik14 opened this issue Dec 7, 2022 · 2 comments · Fixed by #1693
Closed

syft produces different output when run with sudo #1391

Hritik14 opened this issue Dec 7, 2022 · 2 comments · Fixed by #1693
Assignees
@wagoodman
Labels
bug Something isn't working

Comments

@Hritik14
Copy link

Hritik14 commented Dec 7, 2022

Please provide a set of steps on how to reproduce the issue
On an arm machine (Technically, any machine other than x86 will do).

syft rust:1.42-slim-buster | grep x86
 ✔ Parsed image
 ✔ Cataloged packages      [113 packages]
binutils-x86-64-linux-gnu  2.31.1-16               deb

sudo syft rust:1.42-slim-buster | grep x86
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [111 packages]

sudo syft rust:1.42-slim-buster | grep aarch
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [111 packages]
binutils-aarch64-linux-gnu  2.31.1-16               deb

What happened:
syft running with sudo yields different results than without sudo.

What you expected to happen:
Both runs should have same output.

Anything else we need to know?:
When run with sudo, docker daemon is available and is used. Without sudo, syft uses OCI registry via stereoscope.
Stereoscope takes the following approach while determining image pull methodology:

// DetermineDefaultImagePullSource takes an image reference string as input, and
// determines a Source to use to pull the image. If the input doesn't specify an
// image reference (i.e. an image that can be _pulled_), UnknownSource is
// returned. Otherwise, if the Docker daemon is available, DockerDaemonSource is
// returned, and if not, OciRegistrySource is returned.
func DetermineDefaultImagePullSource(userInput string) Source {

Source: https://github.com/anchore/stereoscope/blob/3b80d983223f6e6fc2d33b0ffa003d30268418e9/pkg/image/source.go#L134-L139

and because there are inconsistencies between OCI source and docker daemon in stereoscope when respective Providers are run without supplying a platform, it bubbles out to syft yielding different images (one x86 and other arm) and thus different SBOMs.
See:

This can be avoided by having a correct default value for platform

Environment:

  • Output of syft version:
Application:        syft
Version:            0.62.3
JsonSchemaVersion:  6.0.0
BuildDate:          2022-11-30T19:01:12Z
GitCommit:          247b054ab56f848c477495218754166272f470b5
GitDescription:     v0.62.3
Platform:           linux/arm64
GoVersion:          go1.18.8
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
@Hritik14 Hritik14 added the bug Something isn't working label Dec 7, 2022
@kzantow
Copy link
Contributor

kzantow commented Dec 7, 2022

Hi @Hritik14 -- this is effectively the issue you reported against stereoscope, right? anchore/stereoscope#149

@Hritik14
Copy link
Author

Hritik14 commented Dec 7, 2022

@kzantow Hi, Yes. Keeping it here as an end-user issue.

@Hritik14 Hritik14 mentioned this issue Dec 7, 2022
Closed
@kzantow kzantow added this to OSS Dec 10, 2022
@wagoodman wagoodman moved this to Backlog (Pulled Forward for Priority) in OSS Dec 15, 2022
@wagoodman wagoodman mentioned this issue Jan 12, 2023
Merged
@wagoodman wagoodman moved this from Backlog to In Progress in OSS Mar 23, 2023
@wagoodman wagoodman self-assigned this Mar 23, 2023
@wagoodman wagoodman mentioned this issue Mar 23, 2023
Merged
@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Mar 23, 2023
This was referenced Mar 31, 2023
Merged
Closed
Closed
Merged
Merged
Merged
Closed
This was referenced Apr 10, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wagoodman wagoodman

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(deps): update stereoscope to d7551b7f46f53179922d6229709d3d1602881080 anchore/syft
3 participants
@wagoodman @kzantow @Hritik14