What happened:
I tried scanning a (valid) oci image built by jib with grype and it failed with:
[0005] ERROR failed to catalog: no source providers were able to resolve the input "build/jib-image.tar"
I debugged grype and came to these lines:

    f, err := v.fs.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(entry.Header.Mode))
    if err != nil {
        return err
    }

Which essentially just fail if the parent directories don't exist.
What you expected to happen:
That the image which is successfully loaded by podman and can successfully be pushed to at least the gitlab registry could be scanned without any problems.
How to reproduce it (as minimally and precisely as possible):
podman pull gcr.io/distroless/java17-debian12
podman save gcr.io/distroless/java17-debian12:latest -o test.tar --format oci-archive
mkdir test
tar -xaf test.tar -C test
(cd test; tar -cf ../test-mod.tar blobs/sha256/* index.json oci-layout)
grype oci-archive:test.tar # this works
grype oci-archive:test-mod.tar # this fails
Anything else we need to know?:
I couldn't see how I can make a distinct test case without using grype, but I hope this is still ok.
Environment:
- OS (e.g: cat /etc/os-release or similar): Arch Linux
Quoted lines: stereoscope/pkg/file/tarutil.go, lines 179 to 182 in 2ce1e52
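The failure mode in the report above, as an added example (not stereoscope's code and not part of the original issue): a tar that carries only file entries, as `tar -cf ../test-mod.tar blobs/sha256/* ...` produces, extracts cleanly once the parent directories are created before the file is opened. The names `buildArchive` and `extract` and the blob name are constructed for illustration; because parents are now derived from entry names, the sketch also rejects names that leave the destination, using `filepath.IsLocal` (Go 1.20 or later).

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// buildArchive returns a constructed tar with one file entry and no headers for blobs/ or blobs/sha256/.
func buildArchive() []byte {
	var buf bytes.Buffer // in-memory writes cannot fail
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "blobs/sha256/0123abcd", Mode: 0o644, Size: 4, Typeflag: tar.TypeReg})
	tw.Write([]byte("data"))
	tw.Close()
	return buf.Bytes()
}

// extract writes the archive's regular files under dest, creating parents that have no tar entry.
func extract(archive []byte, dest string) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		switch {
		case err != nil: return err
		case !filepath.IsLocal(hdr.Name): return fmt.Errorf("entry %q escapes %s", hdr.Name, dest)
		case hdr.Typeflag != tar.TypeReg: continue // directory entries, if present, are covered by MkdirAll
		}
		target := filepath.Join(dest, hdr.Name)
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(hdr.Mode))
		if err == nil {
			_, err = io.Copy(f, tr)
			f.Close()
		}
		if err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "extract")
	fmt.Println("extract:", extract(buildArchive(), dir), "cleanup:", os.RemoveAll(dir))
}
```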