Skopeo inspect fails if Image-Repository (Sonatype Nexus) returns 'null' Tag #2409

Closed
timbocau opened this issue Aug 27, 2024 · 6 comments
Labels
kind/feature A request for, or a PR adding, new functionality stale-issue

Comments

@timbocau

We use Sonatype Nexus as our image repository. When calling the tags/list endpoint of some images, a 'null' tag is returned:

{
    "name": "imagename",
    "tags": [
        null,
        "1.0.0-1",
        "1.0.0-10",
        "1.0.0-11",
        "1.0.0-12",
[...]

This causes Skopeo inspect to fail with error "Error determining repository tags: registry returned invalid tag "": invalid tag format"

Running the following command produces the output below:

skopeo --debug inspect docker://my-nexus.mydomain/my-image:1.0.1-3

...
time="2024-08-27T14:30:44+02:00" level=debug msg="GET https://my-nexus.mydomain/my-image/tags/list"
time="2024-08-27T14:31:04+02:00" level=fatal msg="Error determining repository tags: registry returned invalid tag \"\": invalid tag format"

The error occurs with Skopeo versions 1.14.4 and newer. With Skopeo versions 1.14.3 and older (did not test all older versions) the error does not occur.

Is this a bug or a feature?

@mtrmac
Contributor

mtrmac commented Aug 27, 2024

Thanks for reaching out.

I think this is primarily a bug in the server: The spec at https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-tags shows the values as strings, and null is not that. Also https://github.com/opencontainers/distribution-spec/blob/main/spec.md#pulling-manifests “ as a tag” contains a regular expression which requires a tag to be non-empty text; neither null (nor the "" value Go parses it as) is valid.

Skopeo 1.14.4’s code has, as a part of fixing CVE-2024-3727, started rejecting invalid tag values, so that further uses of the tag can avoid unexpected behavior.

Ideally, this should be fixed in the server’s implementation.

That said, we have already added one workaround for a registry returning unexpected values, so I guess we can add one more…
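The behaviour discussed above, as an added Go example that is not part of the thread and not the Skopeo or containers/image code: decoding the `tags/list` body into `[]string` turns `null` into `""`, which then fails tag validation, while decoding into `[]*string` lets a client skip only the `null` entries and still validate every real string. The function names and the sample body are hypothetical; the regular expression is the tag grammar from the distribution spec linked in the comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Tag grammar from the OCI distribution spec, anchored to the whole string.
var tagRE = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$`)
// Constructed sample modelled on the tags/list response quoted in the issue.
const sampleTagsList = `{"name":"imagename","tags":[null,"1.0.0-1","1.0.0-10"]}`

// strictTags decodes into []string (null becomes "") and fails on any invalid tag.
func strictTags(body []byte) ([]string, error) {
	var tl struct{ Tags []string `json:"tags"` }
	if err := json.Unmarshal(body, &tl); err != nil {
		return nil, err
	}
	for _, t := range tl.Tags {
		if !tagRE.MatchString(t) {
			return nil, fmt.Errorf("registry returned invalid tag %q", t)
		}
	}
	return tl.Tags, nil
}

// tolerantTags keeps null distinct from "", skips only nulls, validates the rest.
func tolerantTags(body []byte) (tags []string, skipped int, err error) {
	var tl struct{ Tags []*string `json:"tags"` }
	if err = json.Unmarshal(body, &tl); err != nil {
		return nil, 0, err
	}
	for _, t := range tl.Tags {
		if t == nil { // JSON null: not a tag at all, count it and move on
			skipped++
			continue
		}
		if !tagRE.MatchString(*t) {
			return nil, skipped, fmt.Errorf("registry returned invalid tag %q", *t)
		}
		tags = append(tags, *t)
	}
	return tags, skipped, nil
}

func main() {
	fmt.Println(strictTags([]byte(sampleTagsList)))
	fmt.Println(tolerantTags([]byte(sampleTagsList)))
}
```

The tolerant variant still rejects an explicit empty string or a value such as `../x`, so the validation that guards later uses of the tag stays in place.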

@timbocau
Author

Thanks for your reply.

I agree that this is mainly caused by a bug in the Server implementation. I was just wondering what's different between 1.14.3 and 1.14.4.

Actually, we found a workaround for that problem. As we do not need the tag list, we added the parameter -n to the skopeo inspect command to suppress the processing of the tag list, and the command succeeds although the tag list still contains invalid "null" values.

For others that want to process the tag list, a workaround in the Skopeo implementation to handle "null" values in the tag list would surely be helpful.

@mtrmac
Contributor

mtrmac commented Aug 28, 2024

@timbocau would you be able to confirm that containers/image#2544 fixes the failure?

Also, could you identify the specific version of the server that exhibits this behavior for you, please?

@timbocau
Author

@mtrmac
Although I am not an expert in the Go programming language, I would confirm that containers/image#2544 fixes the failure.

We are using Nexus 3.58 OSS. We posted a question in the Nexus community, too: https://community.sonatype.com/t/tags-list-yields-null-as-first-tag/13117

mtrmac added the kind/feature label Sep 5, 2024

github-actions bot commented Oct 6, 2024

A friendly reminder that this issue had no activity for 30 days.

@vrothberg
Member

With containers/image#2544 being merged, I think we can close this issue. Thanks!
