-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(image): prevent scanning oversized container images #8178
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: nikpivkin <[email protected]>
f188f2d
to
84689dd
Compare
Signed-off-by: nikpivkin <[email protected]>
72f3146
to
eddcbf8
Compare
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
@knqyf263 I was thinking that we could download the compressed layer and then decompress it ourselves. I saw that downloader.Download is used for decompression. Does it support all the compression types that |
This is what was in my mind.
|
@knqyf263 Then we can't display the progress bar correctly, because we don't know the size of the uncompressed layer. |
Can't we use the progress in ggcr? |
If it doesn't work, we can use |
@knqyf263 I kept the old behavior, if no flag is passed, to avoid unnecessary disk operations. But then the progress bar will be displayed only when the flag is passed. What do you think? |
pkg/fanal/artifact/image/image.go
Outdated
@@ -88,6 +100,11 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) { | |||
diffIDs := a.diffIDs(configFile) | |||
a.logger.Debug("Detected diff ID", log.Any("diff_ids", diffIDs)) | |||
|
|||
defer os.RemoveAll(a.cacheDir) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Each artifact must have Clean()
method so that the caller can be responsible for cleanup. What if moving that to Clean()
? It might help in case Inspect()
is called several times (we don't assume such usage, though).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done bba405b
pkg/fanal/artifact/image/image.go
Outdated
@@ -36,6 +40,8 @@ type Artifact struct { | |||
handlerManager handler.Manager | |||
|
|||
artifactOption artifact.Option | |||
|
|||
cacheDir string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Trivy already has several kinds of cache, like scan cache, cache assets, etc. cacheDir
looks like the root directory of the cache directory controlled by --cache-dir
. I'd rename it to the explicit name.
cacheDir string | |
layerCacheDir string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done bba405b
@nikpivkin I got an idea. |
This might be better.
|
Even better
|
@knqyf263 Ok, I'll think about how to use this with the progress bar pool otherwise there is flickering in the terminal when loading in parallel |
@nikpivkin Actually, the progress bar should be discussed in #8186. I'll re-post it there. |
Signed-off-by: nikpivkin <[email protected]>
cmd/trivy/main.go
Outdated
var userErr *types.UserError | ||
if errors.As(err, &userErr) { | ||
fmt.Println("Error: " + userErr.Error()) | ||
os.Exit(1) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can wait for feedback from users.
But perhaps some users will want to set custom exit code.
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
BTW, Trivy also supports VM images. I'm unsure, but users may want to introduce the same functionality in the future. Do you think we want to rename |
Description
This PR adds the
--max-image-size
flag. If the flag is specified and the uncompressed image size exceeds the maximum size, Trivy exits with an error. If the flag is not specified, the behaviour does not change.For more implementation details, see #8176
Related issues
Checklist