Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability report is returned for non-final index reports (IndexError or still in progress) #1962

Closed
frostmar opened this issue Jan 29, 2024 · 2 comments

Comments

@frostmar
Copy link
Contributor

frostmar commented Jan 29, 2024

Description of Problem / Feature Request

A potentially incorrect Clair vulnerability report is returned when the digest's index report has not completed successfully (ie. index report is not in state="IndexFinished")

The vulnerability report returned is potentially incorrect as it's based on incomplete information, but the recipient can't tell that from the fields included. Clients can attempt to guess that empty distributions or packages may still have indexing in progress, but that's not definitive and could also be seen for eg. scratch images with indexing complete.

Expected Outcome

When state is IndexError
Perhaps HTTP500 with a body error structure suggesting it's a permanent error affecting this digest? Perhaps HTTP404?

When state is any other non-final
Suggest: HTTP404 similar to the result for not-present

curl -v -s localhost:6060/matcher/api/v1/vulnerability_report/sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | jq .
*   Trying [::1]:6060...
* Connected to localhost (::1) port 6060
> GET /matcher/api/v1/vulnerability_report/sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff HTTP/1.1
> Host: localhost:6060
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Content-Type: application/json
< Trailer: Clair-Error
< X-Content-Type-Options: nosniff
< Date: Mon, 29 Jan 2024 15:05:19 GMT
< Transfer-Encoding: chunked
< 
{ [155 bytes data]
* Connection #0 to host localhost left intact
{
  "code": "not-found",
  "message": "index report for manifest \"sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\" not found"
}

Actual Outcome

state=IndexError example:

when the DB column indexreport.scan_result contains:

{
  "err": "failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:a2e84cb56b2b64f359029d7a59023b4ef96578ff90566e256a019e0173a633cb: tarfs: error finding segments: bad block at 0: got magic \" ]\\n  }\"",
  "state": "IndexError",
  "success": false,
  "packages": {},
  "repository": {},
  "environments": {},
  "distributions": {},
  "manifest_hash": "sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690"
}

A vuln report request completes successfully, and appears to be completely clean:

curl -s localhost:6060/matcher/api/v1/vulnerability_report/sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690 | jq .
{
  "manifest_hash": "sha256:4a595675213b020a5d57264743c5cf05ef2a0ba3dd639849726e7060a45ac690",
  "packages": {},
  "distributions": {},
  "repository": {},
  "environments": {},
  "vulnerabilities": {},
  "package_vulnerabilities": {},
  "enrichments": {}
}

state in progress example:
This is harder to catch in progress, but as the indexing state machine updates the DB each step, I believe there'll be a row present in table indexreport after the first step, but the package list won't be complete until every scanner has run on every layer.

While the indexing is in progress, a vuln report will be partly-complete, giving varying info depending on what's been found so far.

Environment

  • Clair version/image: we're running v4.7.2, from code inspection it'd still be true on the current main
  • Clair client name/version: curl
  • Host OS: Linux
  • Kernel (e.g. uname -a):
  • Kubernetes version (use kubectl version): n/a
  • Network/Firewall setup: n/a
@crozzy
Copy link
Collaborator

crozzy commented Nov 13, 2024

Can this be closed @frostmar ?

@frostmar
Copy link
Contributor Author

yup, should have been resolved by PR #1963

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants