anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems


Syft panics when scanning OCI image that contains packaged helm chart

matthyx opened this issue · comments

What happened:

$ syft packages demo.goharbor.io/forcharts/redpanda:5.7.23
panic: runtime error: index out of range [0] with length 0

goroutine 52 [running]:
github.com/anchore/stereoscope/pkg/image.newLayerMetadata({{0xc000536140, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {{0x0, ...}}, ...}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/pkg/image/layer_metadata.go:26 +0x1dd
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(_, _, {{0xc000536140, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, ...}, ...}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/pkg/image/layer.go:85 +0xe5
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0xc0004a5500)
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/pkg/image/image.go:204 +0x4f0
github.com/anchore/stereoscope.GetImageFromSource({0x14baba0, 0xc000038080}, {0x7fff6b15427a, 0x2a}, 0x5, {0xc000142248, 0x1, 0xc00022f5f0?})
        /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.0-20221208011002-c5ff155d72f1/client.go:93 +0x2d5
github.com/anchore/syft/syft/source.getImageWithRetryStrategy({{0x7fff6b15427a, 0x2a}, {0x12b303a, 0xb}, 0x5, {0x7fff6b15427a, 0x2a}, {0x0, 0x0}, {0x0, ...}, ...}, ...)
        /home/runner/work/syft/syft/syft/source/source.go:172 +0x2a7
github.com/anchore/syft/syft/source.generateImageSource({{0x7fff6b15427a, 0x2a}, {0x12b303a, 0xb}, 0x5, {0x7fff6b15427a, 0x2a}, {0x0, 0x0}, {0x0, ...}, ...}, ...)
        /home/runner/work/syft/syft/syft/source/source.go:138 +0x58
github.com/anchore/syft/syft/source.New({{0x7fff6b15427a, 0x2a}, {0x12b303a, 0xb}, 0x5, {0x7fff6b15427a, 0x2a}, {0x0, 0x0}, {0x0, ...}, ...}, ...)
        /home/runner/work/syft/syft/syft/source/source.go:125 +0x118
github.com/anchore/syft/cmd/syft/cli/packages.execWorker.func1()
        /home/runner/work/syft/syft/cmd/syft/cli/packages/packages.go:69 +0x1e5
created by github.com/anchore/syft/cmd/syft/cli/packages.execWorker
        /home/runner/work/syft/syft/cmd/syft/cli/packages/packages.go:66 +0x12c

What you expected to happen:
Return a list of packages from the image.

Steps to reproduce the issue:
syft packages demo.goharbor.io/forcharts/redpanda:5.7.23

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.70.0
JsonSchemaVersion:  6.2.0
BuildDate:          2023-02-03T18:16:55Z
GitCommit:          9995950c70e849f9921919faffbfcf46401f71f3
GitDescription:     v0.70.0
Platform:           linux/amd64
GoVersion:          go1.19.5
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Hi @matthyx, thank you for the report! Can you upgrade to the latest Syft (1.1.0) and see if the problem reproduces? 0.70 is from February 2023 so it's quite out of date now. Thanks!

Hey @matthyx, sorry, I spoke too soon. I've reproduced this crash on 1.1.0 myself. We will take a look when we are able. Thanks again for the report!

Sorry for the version mismatch, I had two copies of syft installed, the old one by hand in /usr/local/bin/syft and the new one by apt in /usr/bin/syft.
Thanks for looking at it :)

Whoops, hit Return too soon.

Dev notes: Here is the output from the stereoscope test script which includes just a little more information:

tgerla@Timothys-MacBook-Pro-2 stereoscope % go run examples/basic.go demo.goharbor.io/forcharts/redpanda:5.7.23
[0000] DEBUG image: source= location=demo.goharbor.io/forcharts/redpanda:5.7.23
[0000] TRACE trying podman socket path=/Users/tgerla/Library/Application Support/podman/podman.sock
[0000] TRACE trying podman socket path=/run/podman/podman.sock
[0000] TRACE unable to connect to podman via unix socket error=no socket address
github.com/anchore/stereoscope/internal/podman.init
	/Users/tgerla/git/anchore/stereoscope/internal/podman/client.go:18
runtime.doInit1
	/usr/local/go/src/runtime/proc.go:6740
runtime.doInit
	/usr/local/go/src/runtime/proc.go:6707
runtime.main
	/usr/local/go/src/runtime/proc.go:249
runtime.goexit
	/usr/local/go/src/runtime/asm_arm64.s:1197
[0000] TRACE trying containerd socket path=/var/run/containerd/containerd.sock
[0000] DEBUG pulling image info directly from registry image="demo.goharbor.io/forcharts/redpanda:5.7.23"
[0000] DEBUG no registry credentials configured for "demo.goharbor.io", using the default keychain
[0002] DEBUG image metadata: digest=sha256:3d34c672cbed928c11048e901f8c2d81490e11b32cdd834736d3aef20b55ce4e mediaType=application/vnd.oci.image.manifest.v1+json tags=[]
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/anchore/stereoscope/pkg/image.newLayerMetadata({{0x14000222eb0, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {{0x0, ...}}, ...}, ...}, ...)
	/Users/tgerla/git/anchore/stereoscope/pkg/image/layer_metadata.go:26 +0x178
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(_, _, {{0x14000222eb0, 0x47}, 0x0, {{0x0, 0x0}, {0x0, 0x0}, {0x0, ...}, ...}, ...}, ...)
	/Users/tgerla/git/anchore/stereoscope/pkg/image/layer.go:88 +0xc0
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0x1400040c380)
	/Users/tgerla/git/anchore/stereoscope/pkg/image/image.go:227 +0x60c
github.com/anchore/stereoscope/pkg/image/oci.(*registryImageProvider).Provide(0x14000100720, {0x104dd4c90, 0x14000112690})
	/Users/tgerla/git/anchore/stereoscope/pkg/image/oci/registry_provider.go:93 +0x948
github.com/anchore/stereoscope.getImageFromSource({0x104dd4c90, 0x14000112690}, {0x16babf8b3, 0x2a}, {0x0, 0x0}, {0x0, 0x0, 0x0})
	/Users/tgerla/git/anchore/stereoscope/client.go:110 +0x388
github.com/anchore/stereoscope.GetImage({0x104dd4c90, 0x14000112690}, {0x16babf8b3, 0x2a}, {0x0, 0x0, 0x0})
	/Users/tgerla/git/anchore/stereoscope/client.go:72 +0x70
main.main()
	/Users/tgerla/git/anchore/stereoscope/examples/basic.go:36 +0x134
exit status 2
tgerla@Timothys-MacBook-Pro-2 stereoscope %

Thanks @matthyx for the report!

It looks like demo.goharbor.io/forcharts/redpanda:5.7.23 is a helm chart packaged as an OCI image, but not a container image:

$ docker pull demo.goharbor.io/forcharts/redpanda:5.7.23
5.7.23: Pulling from forcharts/redpanda
unsupported media type application/vnd.cncf.helm.config.v1+json
$ helm pull oci://demo.goharbor.io/forcharts/redpanda --version 5.7.23
Pulled: demo.goharbor.io/forcharts/redpanda:5.7.23
Digest: sha256:e3fd748dad865a292c94d77ca71aca55d61585e413c5855011ea587dd6fe1c7d
$ ls
redpanda-5.7.23.tgz
$ tar -tzf redpanda-5.7.23.tgz
redpanda/Chart.yaml
... snip ...

Syft doesn't currently support scanning helm charts directly, but definitely shouldn't panic when someone tries!

I'll make a PR to syft (or more likely https://github.com/anchore/stereoscope, the library Syft uses to handle OCI image interactions) to prevent the panic and fail gracefully in the case when Syft is asked to scan an image that turns out to be an OCI-packaged helm chart.

If you were trying to get a list of all the packages that will be involved if you deploy the helm chart, you might be able to make some progress by pulling the helm chart and looking at Chart.yaml to see which images would be pulled, and pointing syft at those, but I'm not an expert in helm and I don't know whether that would give you a complete list.
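As an added example (not Syft's or stereoscope's own code, and not the fix referenced in this thread), the following Go snippet shows the kind of pre-check a consumer of a registry manifest can make before treating an artifact as a container image: it inspects the config media type, so an OCI-packaged Helm chart like the one above (config media type application/vnd.cncf.helm.config.v1+json) is rejected with a descriptive error instead of reaching layer parsing. The two embedded manifests are constructed samples with placeholder digests, and the function name is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal view of an OCI image manifest: only the fields this check needs.
type descriptor struct {
	MediaType string `json:"mediaType"`
}
type manifest struct {
	Config descriptor   `json:"config"`
	Layers []descriptor `json:"layers"`
}

// Config media types that denote a container image (OCI and Docker schema 2).
var containerConfigTypes = map[string]bool{
	"application/vnd.oci.image.config.v1+json":       true,
	"application/vnd.docker.container.image.v1+json": true,
}
var ErrNotContainerImage = errors.New("artifact is not a container image")

// ValidateContainerManifest (hypothetical name) parses a manifest and returns a
// descriptive error when the config is not a container image config (for example
// an OCI-packaged Helm chart) or when no layers are listed, before layer parsing.
func ValidateContainerManifest(raw []byte) error {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("parse manifest: %w", err)
	}
	if !containerConfigTypes[m.Config.MediaType] {
		return fmt.Errorf("%w: config media type %q", ErrNotContainerImage, m.Config.MediaType)
	}
	if len(m.Layers) == 0 {
		return fmt.Errorf("%w: manifest lists no layers", ErrNotContainerImage)
	}
	return nil
}

// Constructed sample manifests; digests are placeholders, not real artifacts.
const helmChartManifest = `{"schemaVersion":2,"config":{"mediaType":"application/vnd.cncf.helm.config.v1+json","digest":"sha256:PLACEHOLDER"},"layers":[{"mediaType":"application/vnd.cncf.helm.chart.content.v1.tar+gzip","digest":"sha256:PLACEHOLDER"}]}`
const containerManifest = `{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:PLACEHOLDER"},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:PLACEHOLDER"}]}`

func main() {
	fmt.Println("helm chart:", ValidateContainerManifest([]byte(helmChartManifest)))
	fmt.Println("container: ", ValidateContainerManifest([]byte(containerManifest)))
}
```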