Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability Report's report.artifact.digest field is the artifact's image_id not digest #2259

Open
dkulchinsky opened this issue Sep 10, 2024 · 0 comments
Open

Vulnerability Report's report.artifact.digest field is the artifact's image_id not digest #2259

dkulchinsky opened this issue Sep 10, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@dkulchinsky
Copy link
Contributor

What steps did you take and what happened:

We've been trying to understand why the report.artifact.digest value doesn't match the actual image digest.

After digging a bit through the code, we realized that the value of report.artifact.digest is actually the image_id.

here's an example:

report:
  artifact:
    digest: sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb
    repository: <image repo>
    tag: v0.47.3
  os:
    family: alpine
    name: 3.18.4
  registry:
    server: <registry>

per above the digest is sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb

however, when we scan the same image with trivy cli, we get the following:

trivy i --format json <registry>/<image repo>:v0.47.3

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-09T21:20:23.838423-04:00",
  "ArtifactName": "<registry>/<image repo>:v0.47.3",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.18.4"
    },
    "ImageID": "sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb",
    "DiffIDs": [
      "sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438",
      "sha256:8d7be0d3cbdd44bc6fa563f60e8bc1a373d5e60f035d8c089918a2bcc92fee25",
      "sha256:94e5b30b4e4869f384d25800811d245e2a09d04eeb6295a0eadd34ef3bf62677",
      "sha256:f9733b6837c92fb7242b3513ccc51ed17051488e31115c5dd57ac1ee229f64e9",
      "sha256:1b1eb4aa471edd83d2c07371ae5c7a43435e8f445d749f055f48cb915ed52c21",
      "sha256:1624be5bf90422992672ea3698f7f48b1835627808d52126c46d4539e14eeb7e",
      "sha256:654cfc253da32ff012d018bb56208d1c5de1657e1f39e8f3a8c78bd016c14834",
      "sha256:bd978dcc58af2e02683ddcadad5142fea925718a2154791a45f41e5944fc8c91"
    ],
    "RepoTags": [
      "<registry>/<image repo>:v0.47.3"
    ],
    "RepoDigests": [
      "<registry>/<image repo>@sha256:cf3e3b3a98edde46eac58d4745a2467b9da2bc49a11191565a893ffac38034a3"
    ],

as you can see, the report.artifact.digest value is Metadata.ImageID in the Trivy report:

"ImageID": "sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb",

The actual Digest is in the Metadata.RepoDigests field:

    "RepoDigests": [
      "<registry>/<image repo>@sha256:cf3e3b3a98edde46eac58d4745a2467b9da2bc49a11191565a893ffac38034a3"
    ],

What did you expect to happen:

We expect that report.artifact.digest would show the actual image digest value, instead of image_id.

perhaps it's worth to include both?

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Trivy-Operator version (use trivy-operator version): v0.22.0
  • Kubernetes version (use kubectl version): 1.28.13
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): N/A
@dkulchinsky dkulchinsky added the kind/bug Categorizes issue or PR as related to a bug. label Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dkulchinsky