Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Intermittent binary listings, different results every time #2035

Closed
aptalca opened this issue Aug 17, 2023 · 3 comments · Fixed by #2036
Closed

Intermittent binary listings, different results every time #2035

aptalca opened this issue Aug 17, 2023 · 3 comments · Fixed by #2036
Labels
bug Something isn't working

Comments

@aptalca
Copy link

aptalca commented Aug 17, 2023

What happened:
When I run syft multiple times on the same docker image, I get a different list every time because the binary results change every time.

What you expected to happen:
I expect to get the same results every time.

Steps to reproduce the issue:
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
Run this back to back after pulling ghcr.io/linuxserver/mastodon:glitch

Anything else we need to know?:
The binaries for node, nginx, php-cli and php-fpm are intermittently included in the list.
The first run results in:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro  ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
[0019]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unable to parse package.json author: json: cannot unmarshal array into Go value of type map[string]string location=/app/www/node_modules/react-motion/package.json
@babel/helper-builder-binary-assignment-operator-visitor                       7.22.10                              npm           
binary-extensions                                                              1.13.1                               npm           
binary-extensions                                                              2.2.0                                npm           
is-binary-path                                                                 1.0.1                                npm           
is-binary-path                                                                 2.1.0                                npm           
nginx                                                                          1.24.0                               binary        
php-cli                                                                        8.2.8                                binary

Second run results in:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro  ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
[0018]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unable to parse package.json author: json: cannot unmarshal array into Go value of type map[string]string location=/app/www/node_modules/react-motion/package.json
@babel/helper-builder-binary-assignment-operator-visitor                       7.22.10                              npm           
binary-extensions                                                              1.13.1                               npm           
binary-extensions                                                              2.2.0                                npm           
is-binary-path                                                                 1.0.1                                npm           
is-binary-path                                                                 2.1.0                                npm           
node                                                                           18.17.0                              binary        
php-cli                                                                        8.2.8                                binary

Third run results in:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro  ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
[0018]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unable to parse package.json author: json: cannot unmarshal array into Go value of type map[string]string location=/app/www/node_modules/react-motion/package.json
@babel/helper-builder-binary-assignment-operator-visitor                       7.22.10                              npm           
binary-extensions                                                              1.13.1                               npm           
binary-extensions                                                              2.2.0                                npm           
is-binary-path                                                                 1.0.1                                npm           
is-binary-path                                                                 2.1.0                                npm           
node                                                                           18.17.0                              binary

You can see the binaries listed change every time even though it's the same image that's being scanned.

Environment:

  • Output of syft version: Latest syft docker image
Application:        syft
Version:            0.87.0
JsonSchemaVersion:  10.0.0
BuildDate:          2023-08-14T18:02:28Z
GitCommit:          b3d7ba569b64376cf33df717e3bc40d8375e033b
GitDescription:     v0.87.0
Platform:           linux/amd64
GoVersion:          go1.20.7
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
    Ubuntu Jammy
@aptalca aptalca added the bug Something isn't working label Aug 17, 2023
@kzantow
Copy link
Contributor

kzantow commented Aug 17, 2023

Thanks for the report @aptalca. I've been able to reproduce this on the latest Syft (same as you indicated: 0.87.0)

@kzantow kzantow moved this to In Progress in OSS Aug 17, 2023
@aptalca
Copy link
Author

aptalca commented Aug 17, 2023

It's been causing havoc for our ci, which commits the package list to our repo and triggers another build. It's been looping all morning 😅
https://github.com/linuxserver/docker-mastodon/commits/glitch

@kzantow kzantow mentioned this issue Aug 17, 2023
Merged
@kzantow kzantow moved this from In Progress to In Review in OSS Aug 17, 2023
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 17, 2023
@kzantow
Copy link
Contributor

kzantow commented Aug 17, 2023

Sorry for the inconvenience! This should be fixed now in the latest release: https://github.com/anchore/syft/releases/tag/v0.87.1

This was referenced Aug 18, 2023
Open
Closed
Closed
Closed
This was referenced Aug 28, 2023
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: inconsistent removal of binaries by file overlap anchore/syft
2 participants
@aptalca @kzantow