scan: expected exactly one APK package, found 2 #1409

Open
xnox opened this issue Jan 23, 2025 · 2 comments · May be fixed by #1420
Labels
bug Something isn't working needs-triage applied to all new customer/user issues. Removed after triage occurs.

Comments

@xnox
Member

xnox commented Jan 23, 2025

Description

Fetch .apk from https://github.com/wolfi-dev/os/pull/39152/checks?check_run_id=36032861217 which implements https://systemd.io/ELF_PACKAGE_METADATA/

wolfictl scan on those fails like so:

```
wget https://apk.cgr.dev/wolfi-presubmit/6ae23109d7ecb9d4b9cf77cc9584575b09a63dd1/aarch64/scanelf-1.3.8-r2.apk
wolfictl scan scanelf-1.3.8-r2.apk
🔎 Scanning "scanelf-1.3.8-r2.apk"
2025/01/23 02:47:55 ERRO failed to scan "scanelf-1.3.8-r2.apk": failed to scan APK: expected exactly one APK package, found 2
```

Note the binary package name is scanelf, but the origin for it is pax-utils:

```
tar xf scanelf-1.3.8-r2.apk
readelf --notes usr/bin/scanelf

Displaying notes found in: .note.ABI-tag
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 4.9.0

Displaying notes found in: .note.package
  Owner                Data size 	Description
  FDO                  0x00000060	FDO_PACKAGING_METADATA
    Packaging Metadata: {"type":"apk","os":"wolfi","name":"pax-utils","version":"1.3.8-r2","architecture":"aarch64"}
```

Note syft knows how to catalog that

```
syft usr/bin/scanelf
 ✔ Indexed file system                                                                                                                     usr/bin/scanelf
 ✔ Cataloged contents                                                                     437aa67b5123c73eb3bcb75c26bf3b27cd2abf3cfc59a3615309f718d876a946
   ├── ✔ Packages                        [1 packages]
   ├── ✔ File digests                    [1 files]
   ├── ✔ File metadata                   [1 locations]
   └── ✔ Executables                     [1 executables]
NAME       VERSION   TYPE
pax-utils  1.3.8-r2  apk
A newer version of syft is available for download: 1.19.0 (installed version is 1.18.1)
```

More details

```
$ wolfictl scan -vv scanelf-1.3.8-r2.apk
2025/01/23 10:26:30 DEBU checking cache for SBOM expectedPath=/home/xnox/.cache/wolfictl/sbom/apk/scanelf-1.3.8-r2-sha256-8f340707e80c5a4159c41ef40ed6d3e2dc052f806b5cfbf906b1ade9b575ab14.syft.json
2025/01/23 10:26:30 DEBU SBOM cache hit cachedPath=/home/xnox/.cache/wolfictl/sbom/apk/scanelf-1.3.8-r2-sha256-8f340707e80c5a4159c41ef40ed6d3e2dc052f806b5cfbf906b1ade9b575ab14.syft.json
🔎 Scanning "scanelf-1.3.8-r2.apk"
2025/01/23 10:26:31 DEBU scanning APK SBOM for vulnerabilities packageCount=2
2025/01/23 10:26:31 ERRO failed to scan "scanelf-1.3.8-r2.apk": failed to scan APK: expected exactly one APK package, found 2
```

Which has

```
{
  "artifacts": [
    {
      "id": "28c90cec071e0118",
      "name": "pax-utils",
      "version": "1.3.8-r2",
      "type": "apk",
      "foundBy": "elf-binary-package-cataloger",
      "locations": [
        {
          "path": "usr/bin/scanelf",
          "accessPath": "usr/bin/scanelf",
          "annotations": {
            "evidence": "primary"
          }
        }
      ],
      "licenses": [],
      "language": "",
      "cpes": [
        {
          "cpe": "cpe:2.3:a:pax-utils:pax-utils:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        },
        {
          "cpe": "cpe:2.3:a:pax-utils:pax_utils:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        },
        {
          "cpe": "cpe:2.3:a:pax_utils:pax-utils:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        },
        {
          "cpe": "cpe:2.3:a:pax_utils:pax_utils:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        },
        {
          "cpe": "cpe:2.3:a:pax:pax-utils:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        },
        {
          "cpe": "cpe:2.3:a:pax:pax_utils:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        }
      ],
      "purl": "pkg:apk/pax-utils@1.3.8-r2",
      "metadataType": "elf-binary-package-note-json-payload",
      "metadata": {
        "type": "apk",
        "architecture": "aarch64",
        "os": "wolfi"
      }
    },
    {
      "id": "0b4aac8b80c2df13",
      "name": "scanelf",
      "version": "1.3.8-r2",
      "type": "apk",
      "foundBy": "wolfictl",
      "locations": [
        {
          "path": ".PKGINFO",
          "accessPath": ".PKGINFO"
        }
      ],
      "licenses": [
        {
          "value": "GPL-2.0-only",
          "spdxExpression": "GPL-2.0-only",
          "type": "declared",
          "urls": [],
          "locations": []
        }
      ],
      "language": "",
      "cpes": [
        {
          "cpe": "cpe:2.3:a:scanelf:scanelf:1.3.8-r2:*:*:*:*:*:*:*",
          "source": "syft-generated"
        }
      ],
      "purl": "pkg:apk/wolfi/scanelf@1.3.8-r2?arch=aarch64&origin=pax-utils",
      "metadataType": "apk-db-entry",
      "metadata": {
        "package": "scanelf",
        "originPackage": "pax-utils",
        "maintainer": "",
        "version": "1.3.8-r2",
        "architecture": "aarch64",
        "url": "",
        "description": "",
        "size": 340106,
        "installedSize": 0,
        "pullDependencies": [
          "so:ld-linux-aarch64.so.1",
          "so:libc.so.6"
        ],
        "provides": [
          "cmd:scanelf=1.3.8-r2"
        ],
        "pullChecksum": "efba6480c8c28321a737ec3c0fd87e05dbd27e556b02de91b31dadb3c9dae24e",
        "gitCommitOfApkPort": "6ae23109d7ecb9d4b9cf77cc9584575b09a63dd1",
        "files": [
          {
            "path": "."
          },
          {
            "path": ".PKGINFO"
          },
          {
            "path": ".melange.yaml"
          },
          {
            "path": "usr"
          },
          {
            "path": "usr/bin"
          },
          {
            "path": "usr/bin/scanelf"
          },
          {
            "path": "var"
          },
          {
            "path": "var/lib"
          },
          {
            "path": "var/lib/db"
          },
          {
            "path": "var/lib/db/sbom"
          },
          {
            "path": "var/lib/db/sbom/scanelf-1.3.8-r2.spdx.json"
          }
        ]
      }
    }
  ],
  "artifactRelationships": [],
  "source": {
    "id": "(redacted for determinism)",
    "name": "scanelf",
    "version": "1.3.8-r2",
    "type": "directory",
    "metadata": {
      "path": "scanelf-1.3.8-r2.apk"
    }
  },
  "distro": {
    "id": "wolfi"
  },
  "descriptor": {
    "name": "wolfictl",
    "version": ""
  },
  "schema": {
    "version": "16.0.18",
    "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.0.18.json"
  }
}
```

I am hoping for this to just work.

The packaging metadata we provide is similar to what other distributions do, i.e.:

```
# rpm -qf /usr/bin/udevadm
systemd-udev-252.16-1.amzn2023.0.1.x86_64
# readelf --notes /usr/bin/udevadm  | grep Packaging
    Packaging Metadata: {"type":"rpm","name":"systemd","version":"252.16-1.amzn2023.0.1","architecture":"x86_64","osCpe":"cpe:2.3:o:amazon:amazon_linux:2023"}
```
@xnox xnox added bug Something isn't working needs-triage applied to all new customer/user issues. Removed after triage occurs. labels Jan 23, 2025
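The cataloging step that yields the second package, shown as an added example (not Syft's or wolfictl's code): a small Go parser for the raw entries of an ELF `.note.package` section, run over a constructed section carrying the same FDO_PACKAGING_METADATA payload readelf printed for usr/bin/scanelf, preceded by a GNU ABI-tag entry that the parser skips. The note type 0xcafe1a7e is the value the systemd spec defines; the sample bytes and all names are the example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Note type fixed by https://systemd.io/ELF_PACKAGE_METADATA/ for owner "FDO";
// the payload is NUL-terminated JSON with the fields readelf printed above.
const fdoPackagingMetadata = 0xcafe1a7e
func pad4(n int) int { return (n + 3) &^ 3 }
// ParsePackageNote walks raw little-endian ELF note entries (namesz, descsz, type
// as uint32, then name and desc each padded to 4 bytes) and returns the FDO fields.
func ParsePackageNote(sec []byte) (map[string]string, error) {
	for len(sec) >= 12 {
		nameSz := int(binary.LittleEndian.Uint32(sec[0:]))
		descSz := int(binary.LittleEndian.Uint32(sec[4:]))
		typ := binary.LittleEndian.Uint32(sec[8:])
		end := 12 + pad4(nameSz) + pad4(descSz)
		if len(sec) < end {
			return nil, errors.New("truncated note entry")
		}
		name := bytes.TrimRight(sec[12:12+nameSz], "\x00")
		desc := bytes.TrimRight(sec[12+pad4(nameSz):12+pad4(nameSz)+descSz], "\x00")
		sec = sec[end:]
		if typ != fdoPackagingMetadata || string(name) != "FDO" {
			continue // e.g. a GNU NT_GNU_ABI_TAG entry is skipped
		}
		var fields map[string]string
		if err := json.Unmarshal(desc, &fields); err != nil {
			return nil, err
		}
		return fields, nil
	}
	return nil, errors.New("no FDO_PACKAGING_METADATA note found")
}
// SampleNotes is constructed: a GNU ABI-tag entry (Linux 4.9.0) followed by
// the FDO entry readelf showed for scanelf, descsz 0x60 = JSON + NUL padding.
var SampleNotes = []byte("\x04\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00GNU\x00" +
	"\x00\x00\x00\x00\x04\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00" +
	"\x04\x00\x00\x00\x60\x00\x00\x00\x7e\x1a\xfe\xcaFDO\x00" +
	`{"type":"apk","os":"wolfi","name":"pax-utils","version":"1.3.8-r2","architecture":"aarch64"}` +
	"\x00\x00\x00\x00")
func main() {
	fields, err := ParsePackageNote(SampleNotes)
	fmt.Println(fields["name"], fields["version"], err) // pax-utils 1.3.8-r2 <nil>
}
```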
@luhring
Member

luhring commented Jan 23, 2025

Adding notes from our discussion this morning:

Ultimately it sounds like we don't want the ELF metadata to result in a second APK package in Syft's analysis, because we don't consider it a distinct package in an SCA sense, and we don't intend for the second package to be subject to vulnerability scanning.

We should figure out the right way to deduplicate these two packages, either in wolfictl (if we believe the duplicate APK package would not also be present when upstream Syft/Grype scan our images), or by proposing a change upstream in Syft.

@xnox
Member Author

xnox commented Jan 23, 2025

> Adding notes from our discussion this morning:
>
> Ultimately it sounds like we don't want the ELF metadata to result in a second APK package in Syft's analysis, because we don't consider it a distinct package in an SCA sense, and we don't intend for the second package to be subject to vulnerability scanning.
>
> We should figure out the right way to deduplicate these two packages, either in wolfictl (if we believe the duplicate APK package would not also be present when upstream Syft/Grype scan our images), or by proposing a change upstream in Syft.

For syft I think it is more subtle. I think currently it identifies it as a binary package, rather than a secondary discovered location (also present as).
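One deduplication along the lines of both comments, as an added example (not wolfictl's or Syft's code) over a minimal model of the two artifacts in the SBOM above: an ELF-note package is folded into the .PKGINFO APK package whose name or originPackage it names at the same version, with the binary's path kept as an extra location, while unmatched notes are left in place so they still reach the scanner. Type, field and function names are the example's own.

```go
package main

import "fmt"

// Package is a minimal model of the two syft artifacts in the issue's SBOM.
type Package struct {
	Name, Version, Type, MetadataType, OriginPackage string
	Locations                                        []string
}
const elfNote = "elf-binary-package-note-json-payload" // the other kind is "apk-db-entry"
// DedupeELFNotes folds each ELF-note package into the .PKGINFO APK whose name
// or originPackage the note names, at the same version, keeping the binary's path
// as an extra location ("also present as"). Unmatched notes are kept and still scanned.
func DedupeELFNotes(pkgs []Package) []Package {
	var out []Package
	for _, p := range pkgs {
		if p.MetadataType != elfNote {
			out = append(out, p)
		}
	}
	for _, n := range pkgs {
		if n.MetadataType != elfNote {
			continue
		}
		if i := indexAPK(out, n); i >= 0 {
			out[i].Locations = append(out[i].Locations, n.Locations...)
		} else {
			out = append(out, n)
		}
	}
	return out
}
func indexAPK(pkgs []Package, n Package) int {
	for i, a := range pkgs {
		if a.MetadataType == "apk-db-entry" && a.Version == n.Version &&
			(a.Name == n.Name || a.OriginPackage == n.Name) {
			return i
		}
	}
	return -1
}
// SampleSBOM is constructed from the two artifacts in the issue's SBOM JSON.
var SampleSBOM = []Package{
	{Name: "pax-utils", Version: "1.3.8-r2", Type: "apk", MetadataType: elfNote, Locations: []string{"usr/bin/scanelf"}},
	{Name: "scanelf", Version: "1.3.8-r2", Type: "apk", MetadataType: "apk-db-entry", OriginPackage: "pax-utils", Locations: []string{".PKGINFO"}},
}
func main() {
	out := DedupeELFNotes(SampleSBOM)
	fmt.Println(len(out), out[0].Name, out[0].Locations) // 1 scanelf [.PKGINFO usr/bin/scanelf]
}
```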

@xnox xnox linked a pull request Jan 25, 2025 that will close this issue
xnox added a commit to xnox/wolfictl that referenced this issue Jan 25, 2025
With this change, .apk files which contain ELF package notes scan the same
way as they did before. This unblocks enabling ELF package notes,
whilst the design of how to incorporate them into `wolfictl scan` can
iterate at a later point.

```
$ ./wolfictl --log-level=debug  scan scanelf-1.3.8-r2.apk
2025/01/25 22:10:38 DEBU checking cache for SBOM expectedPath=/home/xnox/.cache/wolfictl/sbom/apk/scanelf-1.3.8-r2-sha256-8f340707e80c5a4159c41ef40ed6d3e2dc052f806b5cfbf906b1ade9b575ab14.syft.json
2025/01/25 22:10:38 DEBU SBOM cache miss cachedPath=/home/xnox/.cache/wolfictl/sbom/apk/scanelf-1.3.8-r2-sha256-8f340707e80c5a4159c41ef40ed6d3e2dc052f806b5cfbf906b1ade9b575ab14.syft.json
2025/01/25 22:10:38 INFO generating SBOM for APK file path=scanelf-1.3.8-r2.apk distroID=wolfi
2025/01/25 22:10:38 DEBU created temp directory to unpack APK path=/tmp/wolfictl-sbom-2146823426
2025/01/25 22:10:38 DEBU unpacked APK file to temp directory apkFilePath=scanelf-1.3.8-r2.apk
2025/01/25 22:10:38 DEBU apk temp directory item path=.
2025/01/25 22:10:38 DEBU apk temp directory item path=.PKGINFO
2025/01/25 22:10:38 DEBU apk temp directory item path=.melange.yaml
2025/01/25 22:10:38 DEBU apk temp directory item path=usr
2025/01/25 22:10:38 DEBU apk temp directory item path=usr/bin
2025/01/25 22:10:38 DEBU apk temp directory item path=usr/bin/scanelf
2025/01/25 22:10:38 DEBU apk temp directory item path=var
2025/01/25 22:10:38 DEBU apk temp directory item path=var/lib
2025/01/25 22:10:38 DEBU apk temp directory item path=var/lib/db
2025/01/25 22:10:38 DEBU apk temp directory item path=var/lib/db/sbom
2025/01/25 22:10:38 DEBU apk temp directory item path=var/lib/db/sbom/scanelf-1.3.8-r2.spdx.json
2025/01/25 22:10:38 DEBU synthesized APK package for SBOM name=scanelf version=1.3.8-r2 id=0b4aac8b80c2df13
2025/01/25 22:10:38 DEBU created Syft source from directory description="{fae5e479007d6102592372c66694727566238f1264d6deafd13639209ca07b7e /tmp/wolfictl-sbom-2146823426  {/tmp/wolfictl-sbom-2146823426 }}"
2025/01/25 22:10:39 INFO finished Syft SBOM generation packageCount=1
2025/01/25 22:10:39 DEBU cleaning up temp directory path=/tmp/wolfictl-sbom-2146823426
🔎 Scanning "scanelf-1.3.8-r2.apk"
2025/01/25 22:10:40 DEBU scanning APK SBOM for vulnerabilities packageCount=1
2025/01/25 22:10:40 INFO converted packages to grype packages packageCount=1
2025/01/25 22:10:40 DEBU grype matching finished matchCount=0
✅ No vulnerabilities found
```

Fixes: wolfi-dev#1409