#1511 Incomplete SBOM generated from Docker image #1512
Conversation
robross0606
force-pushed
the
fix/remove-strict-tar-extraction
branch
2 times, most recently
from
609a835 to
0eac060
Compare
| @@ -804,36 +807,17 @@ export const extractTar = async (fullImageName, dir) => { | |||
| "Please run cdxgen from a powershell terminal with admin privileges to create symlinks.", | |||
| ); | |||
| console.log(err); | |||
| } else if ( | |||
There was a problem hiding this comment.
Any reason why we need to remove these blocks?
There was a problem hiding this comment.
Yes, they seemed to be mostly pointless. The logic of the old if/then/else doesn't wastes performance for several reasons:
- Once we turn off
strictmode, several of these will not be thrown as errors as per documentation. This includes anything that starts withTAR_ENTRY_. - The current if/then/else re-tests the same
err.codemultiple times. It testsTAR_BAD_ARCHIVE,TAR_ENTRY_INFOandTAR_ENTRY_INVALIDmultiple times for no reason. Flipping the order of theif/then/elsehas the same end result with better performance. - Using
array.includesis non-performant and gains little in terms of end result.
There was a problem hiding this comment.
If it helps, here is a summary of how all those tests should shake out now:
| Code | Old | New |
|---|---|---|
| TAR_BAD_ARCHIVE | Prints "Archive ${fullImageName} is empty. Skipping." and ends extraction. | Prints "Archive ${fullImageName} is empty. Skipping." and ends extraction. |
| TAR_ENTRY_INFO | Black holed without any message and ends extraction. | Prints warning only if DEBUG_MODE is true and continues extraction. |
| TAR_ENTRY_INVALID | Black holed without any message and ends extraction. | Prints warning and continues extraction. |
| TAR_ENTRY_ERROR | Prints err and ends extraction. |
Prints warning and continues extraction. |
| TAR_ENTRY_UNSUPPORTED | Prints err and ends extraction. |
Prints warning and continues extraction. |
| TAR_ABORT | Prints err and ends extraction. |
Prints "Error while extracting image..." and ends extraction. |
| EACCES | Prints err and ends extraction. |
Prints err and ends extraction. |
| EPERM | Prints "Please run cdxgen from a powershell terminal..." and ends extraction. | Prints "Please run cdxgen from a powershell terminal..." and ends extraction. |
| Anything unexpected | Prints "Error while extracting image..." and ends extraction. | Prints "Error while extracting image..." and ends extraction. |
| // ignore | ||
| if (code !== "TAR_ENTRY_INFO" || DEBUG_MODE) { |
There was a problem hiding this comment.
This will print a lot of messages in debug mode including the thing that says removing /?
There was a problem hiding this comment.
I wouldn't say "a lot" but, yes, it will. IMO, that is desirable for DEBUG_MODE. The tar command in linux does the same thing.
There was a problem hiding this comment.
The problem with your approach is that it relies on the error message matching your expectations. That creates a regression problem you're not prepared to address without adding more detailed unit testing. Your solution also didn't look at the code which is far more likely to remain unchanged with subsequent releases.
There was a problem hiding this comment.
Can we just make this if (DEBUG_MODE) ? We are getting more output like this
There was a problem hiding this comment.
You're suggesting that issues of types like TAR_ENTRY_INVALID should be simply ignored without any printed message unless the user enables DEBUG_MODE. Skipping TAR_ENTRY_INFO is fine. Skipping the other ones is NOT fine. I can tell you that, if you did this, we would opt to not use cdxgen at all and go with syft or something else. Simply black-holing warnings that are causing entries to not be expanded is a BIG DEAL. That means that cdxgen is not scanning whatever wasn't expanded, and the user has no idea this happened. This means that, technically, the current version of cdxgen already potentially has a security issue if people are relying on this SBOM for vulnerability assessment.
Based on your other responses on this MR, I'm not sure you're realizing the potential scope of the problem or that you've yet conceded the current version of cdxgen is scarily broken with respect to scanning docker images. The user currently has no idea that things were not expanded and there is no determinate pattern to what can be skipped. The only reason we know about it now is because the expansion happened to not expand the package.json file. But what if it failed to expand other files (OS, components, etc.) that the scanner then skips? The user gets no errors, no warning messages and, most importantly, inaccurate SBOM output.
If you are getting all those issues, then the TAR may have problems. What I would suggest is that we include the code in that warning message so we can at least tell what type of warning it is. Then we can circle back on next steps.
There was a problem hiding this comment.
Doing strict: false is actually a far bigger problem than making some warnings only show up in DEBUG_MODE. I have to balance the amount of messages cdxgen throws up in default mode, since our users would happily create an issue for each and every message, without the slightest hesitation.
It is work-in-progress, alright. There is only so much a small unfunded team could do. You can always feel free to go with another tool or rollup the sleeves and help us with dev and testing.
robross0606
force-pushed
the
fix/remove-strict-tar-extraction
branch
from
0eac060 to
821cc52
Compare
|
Thank you so much. Do you have any ideas for adding any new test cases or this is good to go? |
|
Let me do some more manual tests as well. Meanwhile, can you make strict: false in the other places as well as shown in my PR? Also run pnpm run lint. |
| @@ -754,11 +754,14 @@ export const extractTar = async (fullImageName, dir) => { | |||
| preserveOwner: false, | |||
| noMtime: true, | |||
| noChmod: true, | |||
| strict: true, | |||
| strict: false, | |||
There was a problem hiding this comment.
Let's make strict: false in other places as well.
|
I also have another question. Other than the image you shared, are there any other images that are not working without strict: false. If the sample size happens to be just one or a small value, perhaps we make it an optional flag instead? I am unsure of the security and performance implications of this change. |
|
@robross0606 Can you test the new PR #1513 ? |
The sample size is not small at all. In fact, it appears to be happening on almost every expanded TAR from a docker image. Literally any |
…warnings do not prematurely end expansion. Signed-off-by: Robert Ross <robross0606@gmail.com>
robross0606
force-pushed
the
fix/remove-strict-tar-extraction
branch
from
821cc52 to
c971cbd
Compare
|
Ok, please test my new PR. I have made it to work in strict mode. |
strictmode withnode-tarso warnings do not prematurely end expansion.DEBUG_MODEis enabled.