Survive indexing not accessible files #3286

Open
edhinard opened this issue Sep 27, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@edhinard
What happened:
syft crashes when a symlink references a file which is not accessible (under a non-readable dir)

What you expected to happen:
syft should continue, ignoring the file as for other non-readable ones

Steps to reproduce the issue:

  • /tmp/dir1 is root owned rwxrwx---
  • /tmp/link -> /tmp/dir1/dir2/file
  • syft /tmp run as non root

Use the attached docker file:

$ mv Dockerfile.txt Dockerfile
$ docker build -t syftissue .
$ docker run --rm -it syftissue
 ✔ Indexed file system                                                                                                               /tmp
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN unable to access path="/tmp/dir1": open /tmp/dir1: permission denied
unable to get file resolver: unable to create directory resolver: unable to index filesystem path="/tmp/dir1/dir2/file": lstat /tmp/dir1/dir2: permission denied
returned code: 1

Anything else we need to know?:
looks like #2645 (but already closed) and #3258 (not exactly the same since the directory is not excluded)

Environment:

  • Output of syft version: syft 1.13.0
  • OS : first encountered in Red Hat Enterprise Linux 9.4 (Plow) then reproduced in Alpine

Dockerfile.txt

@edhinard added the bug label Sep 27, 2024
@popey
Contributor

popey commented Sep 27, 2024

Hi @edhinard - thank you for this issue, and the steps to reproduce it. I have reproduced it here.

docker run --rm -it syftissue
 ✔ Indexed file system                                                                                                                    /tmp
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN unable to access path="/tmp/dir1": open /tmp/dir1: permission denied
unable to get file resolver: unable to create directory resolver: unable to index filesystem path="/tmp/dir1/dir2/file": lstat /tmp/dir1/dir2: permission denied
returned code: 1

Here's the full trace in case anyone needs it.

docker run --rm -it syftissue
[0000]  INFO syft version: 1.13.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  config: ""
  output:
      - syft-table
  format:
      pretty: null
      template:
          path: ""
          legacy: false
      json:
          legacy: false
          pretty: false
      spdx-json:
          pretty: false
      cyclonedx-json:
          pretty: false
      cyclonedx-xml:
          pretty: false
  check-for-app-update: true
  default-catalogers: []
  select-catalogers: []
  package:
      search-unindexed-archives: false
      search-indexed-archives: true
      exclude-binary-overlap-by-ownership: true
  file:
      metadata:
          selection: owned-by-package
          digests:
              - sha1
              - sha256
      content:
          skip-files-above-size: 256000
          globs: []
      executable:
          globs: []
  scope: squashed
  parallelism: 1
  relationships:
      package-file-ownership: true
      package-file-ownership-overlap: true
  compliance:
      missing-name: drop
      missing-version: stub
  enrich: []
  golang:
      search-local-mod-cache-licenses: null
      local-mod-cache-dir: /home/user/go/pkg/mod
      search-remote-licenses: null
      proxy: https://proxy.golang.org,direct
      no-proxy: ""
      main-module-version:
          from-ld-flags: true
          from-contents: true
          from-build-settings: true
  java:
      use-network: null
      use-maven-local-repository: null
      maven-local-repository-dir: /home/user/.m2/repository
      maven-url: https://repo1.maven.org/maven2
      max-parent-recursive-depth: 0
  javascript:
      search-remote-licenses: null
      npm-base-url: ""
  linux-kernel:
      catalog-modules: true
  python:
      guess-unpinned-requirements: false
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  from: []
  platform: ""
  source:
      name: ""
      version: ""
      base-path: ""
      file:
          digests:
              - SHA-256
      image:
          default-pull-source: ""
  exclude: []
  cache:
      dir: /home/user/.cache/syft
      ttl: 7d
[0000] DEBUG checking if a new version of syft is available
[0000] DEBUG no new syft update available
[0000] TRACE looking for matching encoder name=syft-table version=
[0000] TRACE considering format aliases=[json syft] name=syft-json version=16.0.17
[0000] TRACE considering format aliases=[table] name=syft-table version=
[0000] TRACE considering format aliases=[text] name=syft-text version=
[0000] TRACE considering format aliases=[github] name=github-json version=
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.0
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.1
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.2
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.3
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.4
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.5
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.6
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.2
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.3
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.4
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.5
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.6
[0000] TRACE considering format aliases=[] name=spdx-json version=2.2
[0000] TRACE considering format aliases=[] name=spdx-json version=2.3
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.1
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.2
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.3
[0000] TRACE found matching encoder name=syft-table version=
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000] TRACE indexing filetree path=/tmp
[0000]  WARN unable to access path="/tmp/dir1": open /tmp/dir1: permission denied
[0000] TRACE indexing filetree path=/tmp/dir1/dir2/file
[0000] TRACE worker stopped component=eventloop
[0000] TRACE signal exit component=eventloop
unable to get file resolver: unable to create directory resolver: unable to index filesystem path="/tmp/dir1/dir2/file": lstat /tmp/dir1/dir2: permission denied
returned code: 1

@willmurphyscode moved this to Ready in OSS Sep 30, 2024
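
The behaviour requested in this issue, sketched as an added example (this is not syft's code and not its fix): a directory walk that also indexes symlink targets, and records a target whose `lstat` is denied as skipped instead of aborting. The name `indexTree` and the injectable `lstat` parameter are hypothetical; treating dangling links the same way goes slightly beyond the reported case.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// indexTree (hypothetical) walks root and also indexes each symlink's target; unreadable
// paths go to skipped. lstat is injectable so tests can simulate EACCES even as root.
func indexTree(root string, lstat func(string) (fs.FileInfo, error)) (indexed, skipped []string, err error) {
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if errors.Is(walkErr, fs.ErrPermission) {
				skipped = append(skipped, p) // unreadable directory, e.g. /tmp/dir1
				return nil
			}
			return walkErr
		}
		indexed = append(indexed, p)
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		target, rerr := os.Readlink(p)
		if rerr != nil {
			return rerr
		}
		if !filepath.IsAbs(target) {
			target = filepath.Join(filepath.Dir(p), target)
		}
		_, serr := lstat(target) // the reported failure: a parent directory denies this call
		switch {
		case serr == nil:
			indexed = append(indexed, target)
		case errors.Is(serr, fs.ErrPermission), errors.Is(serr, fs.ErrNotExist):
			skipped = append(skipped, target) // unreadable or dangling: skip, keep walking
		default:
			return serr // anything else is still fatal
		}
		return nil
	})
	return indexed, skipped, err
}

func main() {
	indexed, skipped, err := indexTree("/tmp", os.Lstat) // path from the report
	fmt.Println(len(indexed), "indexed; skipped:", skipped, "err:", err)
}
```

Only permission and not-exist errors are downgraded to a skip; any other `lstat` failure still stops the walk.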