anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems


components inside tar.gz / tgz not picked up

mithunms333 opened this issue · comments

What happened:
Using syft, I scanned an image which had a few regular Linux zipped tarballs (extensions either *.tar.gz or *.tgz). Inside these zipped tarballs, we had many jar files. Syft did not go inside the tarball and pick up the contents inside it. I believe syft picks up contents inside *.jar etc. if they are accessible directly.
Context: we have product images where many contents are kept inside *.tgz files for logistical and size-related reasons. They get extracted at container startup. These images need to be scanned via syft to create an SBOM, and the SBOM is then scanned via grype to identify CVEs. So I cannot extract the contents of the *.tgz during image creation.
Syft did not identify them, so they did not get scanned for CVEs.

What you expected to happen:
All individual relevant components inside the zipped tarball should have been identified in the SBOM. But syft did not identify them for SBOM creation.

Steps to reproduce the issue:
Keep some components inside a tarball, then zip the tarball. Create any Linux container image which contains this zipped tarball, then scan that image using syft. Check the SBOM (either text or JSON format) for the presence of the contents from the zipped tarball.

Anything else we need to know?:
Nothing else at the moment. I will update as I have more data.

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.99.0
    BuildDate: 2023-12-21T16:18:46Z
    GitCommit: 3cffa0b
    GitDescription: v0.99.0
    Platform: linux/amd64
    GoVersion: go1.21.5
    Compiler: gc

  • OS (e.g: cat /etc/os-release or similar): RHEL 8.9 / UBI 8.9
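An added example, not part of the issue or of syft's own code: a bash script that inventories the jar-like members hidden inside *.tgz / *.tar.gz files under an exported image filesystem, and unpacks them into a staging directory that can be handed to `syft dir:<staging>` as an interim workaround until nested-archive support exists. The fixture directory it builds is constructed for the demo; the `opt/product/bundle.tgz` path is invented.

```shell
#!/usr/bin/env bash
# Added example, not syft project code. Finds compressed tarballs under an
# exported image rootfs, lists the jar/war/ear members syft will not see, and
# unpacks them to a staging directory for a follow-up `syft dir:<staging>` scan.
set -eu

# list_nested_jars ROOT -> one "archive<TAB>member" line per jar-like member
list_nested_jars() {
  find "$1" -type f \( -name '*.tgz' -o -name '*.tar.gz' \) |
    while IFS= read -r archive; do
      tar -tzf "$archive" | grep -E '\.(jar|war|ear)$' |
        while IFS= read -r member; do
          printf '%s\t%s\n' "$archive" "$member"
        done
    done
}

# count_nested_jars ROOT -> total number of jar-like members across archives
count_nested_jars() {
  list_nested_jars "$1" | wc -l | tr -d ' '
}

# unpack_for_scan ROOT STAGING -> extract each tarball into its own STAGING
# subdirectory (named after its path); scan the result with `syft dir:STAGING`
unpack_for_scan() {
  root="$1"; staging="$2"
  find "$root" -type f \( -name '*.tgz' -o -name '*.tar.gz' \) |
    while IFS= read -r archive; do
      dest="$staging/$(printf '%s' "${archive#"$root"/}" | tr '/' '_')"
      mkdir -p "$dest"
      tar -xzf "$archive" -C "$dest"
    done
}

# make_fixture ROOT -> constructed rootfs: two jars packed into one tgz, then
# the loose jars removed so only the archive remains (as in the report)
make_fixture() {
  mkdir -p "$1/opt/product/lib"
  printf 'PK\003\004' > "$1/opt/product/lib/app.jar"   # zip magic bytes only
  printf 'PK\003\004' > "$1/opt/product/lib/dep.jar"
  tar -czf "$1/opt/product/bundle.tgz" -C "$1/opt/product" lib
  rm -r "$1/opt/product/lib"
}

# Stand-alone run: build the fixture, report what is hidden, unpack for syft.
demo_root="$(mktemp -d)"; demo_staging="$(mktemp -d)"
make_fixture "$demo_root"
list_nested_jars "$demo_root"
unpack_for_scan "$demo_root" "$demo_staging"
echo "hidden jar-like members: $(count_nested_jars "$demo_root")"   # 2
```

The inventory only tells you what the image-level SBOM is missing; the extracted staging tree still has to be scanned separately and its results merged with the image scan.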

Hi @mithunms333, thank you for the report. We do have an open issue in the backlog for this: #1379 -- I will go ahead and close this issue in favor of the existing one. Feel free to subscribe to that ticket for updates. If you are interested in contributing a pull request, please let us know and we can help you get started!

Dear @tgerla ,
The backlog item #1379 has been open since Dec 2022.
Since tars are native to Linux, is there any difficulty in inspecting the contents inside them?
My programming skill sets are in bash scripting and Java. Since the syft code is in Go, I am unable to contribute. If I knew Go, I would have been happy to fix it. Let me know your thoughts.