Vulnerability report is returned for non-final index reports (`IndexError` or still in progress)
frostmar opened this issue
Description of Problem / Feature Request
A potentially incorrect Clair vulnerability report is returned when the digest's index report has not completed successfully (i.e. the index report is not in `state="IndexFinished"`).
The vulnerability report returned is potentially incorrect as it's based on incomplete information, but the recipient can't tell that from the fields included. Clients can attempt to guess that empty `distributions` or `packages` may still have indexing in progress, but that's not definitive and could also be seen for e.g. scratch images with indexing complete.
Expected Outcome
When state is `IndexError`:
Perhaps HTTP 500 with a body error structure suggesting it's a permanent error affecting this digest? Perhaps HTTP 404?
When state is any other non-final state:
Suggest: HTTP 404, similar to the result for a not-present digest:
```console
curl -v -s localhost:6060/matcher/api/v1/vulnerability_report/sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | jq .
*   Trying [::1]:6060...
* Connected to localhost (::1) port 6060
> GET /matcher/api/v1/vulnerability_report/sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff HTTP/1.1
> Host: localhost:6060
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: application/json
< Trailer: Clair-Error
< X-Content-Type-Options: nosniff
< Date: Mon, 29 Jan 2024 15:05:19 GMT
< Transfer-Encoding: chunked
<
{ [155 bytes data]
* Connection #0 to host localhost left intact
{
  "code": "not-found",
  "message": "index report for manifest \"sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\" not found"
}
```
Actual Outcome
`state=IndexError` example:
When the DB column `indexreport.scan_result` contains:
```json
{
  "err": "failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:a2e84cb56b2b64f359029d7a59023b4ef96578ff90566e256a019e0173a633cb: tarfs: error finding segments: bad block at 0: got magic \" ]\\n }\"",
  "state": "IndexError",
  "success": false,
  "packages": {},
  "repository": {},
  "environments": {},
  "distributions": {},
  "manifest_hash": "sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690"
}
```
A vuln report request completes successfully, and appears to be completely clean:
```console
curl -s localhost:6060/matcher/api/v1/vulnerability_report/sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690 | jq .
{
  "manifest_hash": "sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690",
  "packages": {},
  "distributions": {},
  "repository": {},
  "environments": {},
  "vulnerabilities": {},
  "package_vulnerabilities": {},
  "enrichments": {}
}
```
State in progress example:
This is harder to catch in progress, but as the indexing state machine updates the DB each step, I believe there'll be a row present in table `indexreport` after the first step, but the package list won't be complete until every scanner has run on every layer.
While the indexing is in progress, a vuln report will be partly complete, giving varying info depending on what's been found so far.
Environment
- Clair version/image: we're running v4.7.2; from code inspection it'd still be true on the current `main`
- Clair client name/version: curl
- Host OS: Linux
- Kernel (e.g. `uname -a`):
- Kubernetes version (use `kubectl version`): n/a
- Network/Firewall setup: n/a
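Until the server-side behaviour changes, a client can gate on the index report itself before trusting a vulnerability report. The following is an added example, not code from Clair or from this issue's reporter: it decodes the body of Clair's `/indexer/api/v1/index_report/{digest}` response (the HTTP fetch is left to the caller) and distinguishes a final, successful index from a permanent `IndexError` and from any intermediate state; the sample JSON is constructed from the shape shown above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrIndexInProgress marks a retryable condition: indexing has started but
// not reached a final state, so any vulnerability report would be partial.
var ErrIndexInProgress = errors.New("index report not final")

// ErrIndexFailed marks a permanent condition for this digest (state=IndexError).
var ErrIndexFailed = errors.New("indexing failed")

// indexReport is the subset of Clair's index report fields the gate needs.
type indexReport struct {
	State   string `json:"state"`
	Success bool   `json:"success"`
	Err     string `json:"err"`
}

// CheckIndexFinal decodes an index_report body and returns nil only when the
// manifest reached state=IndexFinished with success=true. Callers should fetch
// the vulnerability report only after this returns nil, retry (with backoff)
// on ErrIndexInProgress, and stop retrying on ErrIndexFailed.
func CheckIndexFinal(body []byte) error {
	var ir indexReport
	if err := json.Unmarshal(body, &ir); err != nil {
		return fmt.Errorf("decode index report: %w", err)
	}
	switch ir.State {
	case "IndexFinished":
		if !ir.Success { // defensive: a finished-but-unsuccessful report is not trusted
			return fmt.Errorf("%w: %s", ErrIndexFailed, ir.Err)
		}
		return nil
	case "IndexError":
		return fmt.Errorf("%w: %s", ErrIndexFailed, ir.Err)
	default: // any intermediate state of the indexing state machine
		return fmt.Errorf("%w: state=%q", ErrIndexInProgress, ir.State)
	}
}

func main() {
	// Constructed sample modelled on the scan_result quoted in the issue (not real data).
	errored := []byte(`{"state":"IndexError","success":false,"err":"failed to fetch layers","packages":{}}`)
	fmt.Println(CheckIndexFinal(errored)) // indexing failed: failed to fetch layers
}
```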