Redis not listed in the artifact lists of the bitnami/redis image #2764

Open
dwertent opened this issue Apr 10, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@dwertent

What happened:
I am creating an SBOM for the docker.io/bitnami/redis image.
As I was looking at the artifacts, I noticed that the redis binary was absent from the list of artifacts in the SBOM.
bitnami/redis SBOM syft-1.1.1

What you expected to happen:
The redis binary should be listed as an artifact in the SBOM

Steps to reproduce the issue:

syft docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 --output syft-json=syft-redis-sbom.json

Anything else we need to know?:

I compared the SBOM with syft version 0.101.1 and the only difference is that in the older version there is a mention of the redis in the list of artifacts:

{
            "id": "0063efe371213ed7",
            "name": "Redis (TM)",
            "version": "7.2.4-3",
            "type": "UnknownPackage",
            "foundBy": "sbom-cataloger",
            "locations": [
                {
                    "path": "/opt/bitnami/redis/.spdx-redis.spdx",
                    "layerID": "sha256:730b9522f949b7d691cf82395a311ffe8fbf2d9d18fac0a1a06f3697f12aad55",
                    "accessPath": "/opt/bitnami/redis/.spdx-redis.spdx",
                    "annotations": {
                        "evidence": "primary"
                    }
                }
            ],
            "licenses": [
                {
                    "value": "BSD-3-Clause",
                    "spdxExpression": "BSD-3-Clause",
                    "type": "concluded",
                    "urls": [],
                    "locations": []
                },
                {
                    "value": "BSD-3-Clause",
                    "spdxExpression": "BSD-3-Clause",
                    "type": "declared",
                    "urls": [],
                    "locations": []
                }
            ],
            "language": "",
            "cpes": [
                "cpe:2.3:*:redis:redis:7.2.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:Redis_\\(TM\\):Redis_\\(TM\\):7.2.4-3:*:*:*:*:*:*:*"
            ],
            "purl": "pkg:bitnami/redis@7.2.4-3?arch=arm64&distro=debian-12"
        },

bitnami/redis SBOM syft-0.101.1

Environment:

  • Output of syft version:
Application: syft
Version:    1.1.1
BuildDate:  2024-04-04T14:34:19Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.22.2
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar): macos, m1
@dwertent dwertent added the bug Something isn't working label Apr 10, 2024
@willmurphyscode
Contributor

I think this is because the binary classifier for redis matches against the amd64 build of redis but _not_ the arm64 build.

❯ syft -q --platform=linux/amd64 docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 | grep -i ^redis
redis                             7.2.4                  binary
❯ syft -q --platform=linux/arm64 docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 | grep -i ^redis

I believe the digest points to a multi-architecture manifest, so when syft asks docker to pull the image, the client decides which platform to pull, and if the client pulls the linux/amd64 platform, redis is found, but not if it pulls the linux/arm64 platform.

I'll leave this issue open as a request to enhance the binary classifier to detect the arm64 build of redis.

@willmurphyscode willmurphyscode added enhancement New feature or request and removed bug Something isn't working labels Apr 11, 2024
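
Added example, not part of the thread and not syft code: a check that compares two syft-json SBOMs of the same image (two syft versions, or two platforms of the multi-architecture digest discussed above) and reports artifacts present in the first but absent from the second. It matches on CPE product and version so that "Redis (TM)" from the sbom-cataloger and a binary match named `redis` count as the same component; the function names are hypothetical, and `AMD64`, `ARM64` and the `libc6` entry are constructed samples.

```python
import re

def cpe_products(artifact):
    """(product, version) pairs from an artifact's CPE 2.3 entries."""
    pairs = set()
    for entry in artifact.get("cpes", []):
        # The excerpt above lists CPEs as plain strings; objects with a "cpe"
        # field are also accepted (assumption about other schema versions).
        cpe = entry["cpe"] if isinstance(entry, dict) else entry
        parts = re.split(r"(?<!\\):", cpe)  # split on ':' unless escaped
        if len(parts) >= 6 and parts[:2] == ["cpe", "2.3"]:
            pairs.add((parts[4].lower(), parts[5]))
    return pairs

def identities(artifact):
    """All keys under which an artifact may be recognised in another SBOM."""
    return cpe_products(artifact) | {(artifact["name"].lower(), artifact["version"])}

def dropped(baseline, candidate):
    """Names of baseline artifacts with no counterpart in candidate."""
    seen = set()
    for a in candidate.get("artifacts", []):
        seen |= identities(a)
    return [a["name"] for a in baseline.get("artifacts", []) if not identities(a) & seen]

# Constructed package present in every sample document.
BASE_PKG = {"name": "libc6", "version": "0.0.0-constructed", "type": "deb", "cpes": []}
# Trimmed copy of the syft 0.101.1 artifact quoted in the issue.
OLD = {"artifacts": [BASE_PKG, {
    "name": "Redis (TM)", "version": "7.2.4-3", "type": "UnknownPackage",
    "foundBy": "sbom-cataloger",
    "cpes": ["cpe:2.3:*:redis:redis:7.2.4:*:*:*:*:*:*:*",
             r"cpe:2.3:a:Redis_\(TM\):Redis_\(TM\):7.2.4-3:*:*:*:*:*:*:*"]}]}
# Constructed: an SBOM where a binary match reports redis 7.2.4 (linux/amd64 case).
AMD64 = {"artifacts": [BASE_PKG, {
    "name": "redis", "version": "7.2.4", "type": "binary",
    "cpes": [{"cpe": "cpe:2.3:a:redis:redis:7.2.4:*:*:*:*:*:*:*"}]}]}
# Constructed: an SBOM with no redis entry at all (linux/arm64 case).
ARM64 = {"artifacts": [BASE_PKG]}

if __name__ == "__main__":
    print("amd64 dropped:", dropped(OLD, AMD64))
    print("arm64 dropped:", dropped(OLD, ARM64))
```

Run as a gate after a scanner upgrade or per platform, a non-empty result means a component silently left the inventory and will no longer be matched against vulnerability data.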
@witchcraze
Contributor

Please let me report additional not listed cases.

syft does not detect redis from 3/8 OS/ARCH of redis:latest.

$ syft -q --platform=linux/386 redis | grep redis
$

$ syft -q --platform=linux/arm/v5 redis | grep redis
$

$ syft -q --platform=linux/arm/v7 redis | grep redis
$

format includes text - buildkitsandbox

$ docker run -it --rm --platform linux/386 redis sh -c "apt update && apt install -y binutils && strings /usr/local/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4buildkitsandbox-1712714399000000000

$ docker run -it --rm --platform linux/arm/v5 redis sh -c "apt update && apt install -y binutils && strings /usr/local/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4buildkitsandbox-1712788833000000000

$ docker run -it --rm --platform linux/arm/v7 redis sh -c "apt update && apt install -y binutils && strings /usr/local/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4buildkitsandbox-1712788833000000000

bitnami

$ docker run -it --rm --platform=linux/arm64 --user root docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 sh -c "apt update && apt install -y binutils && strings /opt/bitnami/redis/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4af940fca2d06-1706617069000000000
/bitnami/blacksmith-sandox/redis-7.2.4/src
/bitnami/blacksmith-sandox/redis-7.2.4/deps/hiredis
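
Added example, not part of the thread and not syft's classifier: a scan that recovers the version from the pair of strings shown in the output above (a bare `7.2.4` plus the same version fused to `<build host>-<19-digit timestamp>`), which appears in every build quoted regardless of architecture. The tail layout is an assumption read off that output, the function names are hypothetical, and the byte blobs (including the `5.3.0` decoy) are constructed stand-ins for a real binary.

```python
import re

BARE_VERSION = re.compile(rb"\d+\.\d+\.\d+")
# Assumed tail layout, read off the output above: <build host>-<19-digit timestamp>
BUILD_TAIL = re.compile(rb"[0-9A-Za-z]+-\d{19}")

def printable_strings(blob, min_len=4):
    """Runs of printable ASCII, like strings(1) with its default length."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def redis_build_info(blob):
    """Return (version, build id) when a bare version string is corroborated
    by a fused <version><host>-<timestamp> string, else None."""
    strs = printable_strings(blob)
    bare = [s for s in strs if BARE_VERSION.fullmatch(s)]
    for s in strs:
        for v in bare:
            tail = s[len(v):]
            # Requiring the bare string avoids guessing where the version ends
            # when the host part itself starts with a digit.
            if s.startswith(v) and BUILD_TAIL.fullmatch(tail):
                return v.decode(), tail.decode()
    return None

def fake_binary(*strings):
    """Constructed stand-in for an ELF file: header bytes, NUL-separated strings."""
    body = b"\x00".join(s.encode() for s in strings)
    return b"\x7fELF\x02\x01\x01\x00" + body + b"\x00"

# Constructed blobs carrying the strings quoted in the comment above.
I386 = fake_binary("5.3.0", "7.2.4", "7.2.4buildkitsandbox-1712714399000000000")
BITNAMI = fake_binary("7.2.4", "7.2.4af940fca2d06-1706617069000000000",
                      "/bitnami/blacksmith-sandox/redis-7.2.4/src")
# Constructed: version-like strings only, no build id, so nothing is reported.
NO_ID = fake_binary("5.3.0", "7.2.4")

if __name__ == "__main__":
    for name, blob in (("386", I386), ("bitnami", BITNAMI), ("no-id", NO_ID)):
        print(name, redis_build_info(blob))
```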
