Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability Report's report.artifact.digest field is the artifact's image_id not digest #2259

Open
dkulchinsky opened this issue Sep 10, 2024 · 6 comments · May be fixed by #2310
Open

Vulnerability Report's report.artifact.digest field is the artifact's image_id not digest #2259

dkulchinsky opened this issue Sep 10, 2024 · 6 comments · May be fixed by #2310
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.
Milestone

Comments

@dkulchinsky
Copy link
Contributor

What steps did you take and what happened:

We've been trying to understand why the report.artifact.digest value doesn't match the actual image digest.

After digging a bit through the code, we realized that the value of report.artifact.digest is actually the image_id.

here's an example:

report:
  artifact:
    digest: sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb
    repository: <image repo>
    tag: v0.47.3
  os:
    family: alpine
    name: 3.18.4
  registry:
    server: <registry>

per above the digest is sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb

however, when we scan the same image with trivy cli, we get the following:

trivy i --format json <registry>/<image repo>:v0.47.3
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-09T21:20:23.838423-04:00",
  "ArtifactName": "<registry>/<image repo>:v0.47.3",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.18.4"
    },
    "ImageID": "sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb",
    "DiffIDs": [
      "sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438",
      "sha256:8d7be0d3cbdd44bc6fa563f60e8bc1a373d5e60f035d8c089918a2bcc92fee25",
      "sha256:94e5b30b4e4869f384d25800811d245e2a09d04eeb6295a0eadd34ef3bf62677",
      "sha256:f9733b6837c92fb7242b3513ccc51ed17051488e31115c5dd57ac1ee229f64e9",
      "sha256:1b1eb4aa471edd83d2c07371ae5c7a43435e8f445d749f055f48cb915ed52c21",
      "sha256:1624be5bf90422992672ea3698f7f48b1835627808d52126c46d4539e14eeb7e",
      "sha256:654cfc253da32ff012d018bb56208d1c5de1657e1f39e8f3a8c78bd016c14834",
      "sha256:bd978dcc58af2e02683ddcadad5142fea925718a2154791a45f41e5944fc8c91"
    ],
    "RepoTags": [
      "<registry>/<image repo>:v0.47.3"
    ],
    "RepoDigests": [
      "<registry>/<image repo>@sha256:cf3e3b3a98edde46eac58d4745a2467b9da2bc49a11191565a893ffac38034a3"
    ],

as you can see, the report.artifact.digest value is Metadata.ImageID in the Trivy report:

"ImageID": "sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb",

The actual Digest is in the Metadata.RepoDigests field:

    "RepoDigests": [
      "<registry>/<image repo>@sha256:cf3e3b3a98edde46eac58d4745a2467b9da2bc49a11191565a893ffac38034a3"
    ],

What did you expect to happen:

We expect that report.artifact.digest would show the actual image digest value, instead of image_id.

perhaps it's worth to include both?

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Trivy-Operator version (use trivy-operator version): v0.22.0
  • Kubernetes version (use kubectl version): 1.28.13
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): N/A
@dkulchinsky dkulchinsky added the kind/bug Categorizes issue or PR as related to a bug. label Sep 10, 2024
Copy link

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Nov 10, 2024
@d-mankowski-synerise
Copy link
Contributor

Encountered the same issue :/ I guess the source of confusion is the fact, that what Trivy and Docker call image digest, Kubernetes calls imageID (which is a totally different entity) - e.g. for image quay.io/jetstack/cert-manager-controller:v1.15.1 for linux/amd64, Kubernetes reports:

❯ k get pod -o json cert-manager-6947bb5c7f-k7vwj | jq -r '.status.containerStatuses.[].imageID'                                                                (syn-s001-eu-west-aks-loki1-001-admin/cert-manager)
quay.io/jetstack/cert-manager-controller@sha256:057ace5734b53ebdec20b3a0d182c37c9ef0014e9f6364f9b99018e76936e984

while Docker shows:

❯ docker image ls --digests --no-trunc quay.io/jetstack/cert-manager-controller                                                                                 
REPOSITORY                                 TAG       DIGEST                                                                    IMAGE ID                                                                  CREATED        SIZE
quay.io/jetstack/cert-manager-controller   v1.15.1   sha256:057ace5734b53ebdec20b3a0d182c37c9ef0014e9f6364f9b99018e76936e984   sha256:1d33ee05f4c869bf0591c4b176f943833fcdb9e7e48bbd219347eba87f4a7801   4 months ago   66.4MB

@d-mankowski-synerise
Copy link
Contributor

d-mankowski-synerise commented Nov 10, 2024

By looking at the logic here, if imageRef is of form xxxx@sha256:yyy, then the image digest reported by Trivy Operator is correct. In other (most) cases, incorrect imageID is returned, instead of the actual digest. Will submit PR to fix this.

d-mankowski-synerise added a commit to d-mankowski-synerise/trivy-operator that referenced this issue Nov 10, 2024
Trivy Operator incorrectly reported imageID as image digest.

Fixes aquasecurity#2259
@d-mankowski-synerise d-mankowski-synerise linked a pull request Nov 10, 2024 that will close this issue
4 tasks
@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Nov 11, 2024
@dkulchinsky
Copy link
Contributor Author

Hey @d-mankowski-synerise! thanks for raising the PR, I think that makes sense.

@chen-keinan sorry for tagging, but was hoping you'd have a chance to take a look and consider the proposed change? I think this makes sense overall and would be better aligned.

@itaysk
Copy link

itaysk commented Nov 12, 2024

Chen is no longer maintaining this project. we will review the PR eventually but I'm afraid it will take some time to get to it given the current capacity and priorities

@dkulchinsky
Copy link
Contributor Author

Thanks for responding @itaysk! looking forward for the PR to be reviewed, in the meantime if there's anything we can help with - let us know.

@simar7 simar7 added this to the v0.24.0 milestone Dec 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants