Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problem with broken symlinks while scaning some containers #1234

Open
Mariuxdeangelo opened this issue Jun 28, 2023 · 2 comments
Open

Problem with broken symlinks while scaning some containers #1234

Mariuxdeangelo opened this issue Jun 28, 2023 · 2 comments

Comments

@Mariuxdeangelo
Copy link

Describe the bug
I'm currently trying to scan some containers with tern and have trouble for some because the application runs into an error ERROR - rootfs - Command failed. cp: not writing through dangling symlink '/root/.tern/temp/mergedir/sbin/ip' there i find, that ip is a dangling symlink to /bin/busybox what is odd because i'm working on a archlinux system. I also tried it out on Ubuntu and also in a docker container as described in the README.md. Ip is not the only symlink that is located there that can make issues. I also have seen others like unzip ...

I have also seen in the release nodes that something similar with symlinks in Alpine was already fixed in Version 2.2.0 (i use 2.12.0) might be related? #769
https://github.com/search?q=repo%3Atern-tools%2Ftern%20busybox&type=code

I have seen this issue also with other containers:

  • ngoduykhanh/wireguard-ui:latest
  • bonita:latest
  • consul:1.15.4
  • drupal:latest

I would be very happy if somebody could tell me what i'm doing wrong or confirm this behavior.

Error in terminal
Here the full command i used to scan the container:

###
-- with a PIP install (tern Version 2.12.0)
tern report -f spdxjson -i ngoduykhanh/wireguard-ui:latest -o tern.spdx.json

-- in docker
docker run --rm ternd report -f spdxjson -i ngoduykhanh/wireguard-ui:latest

Here also the full Tracelog:

Traceback (most recent call last):
  File "/usr/local/bin/tern", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/tern/__main__.py", line 311, in main
    do_main(args)
  File "/usr/local/lib/python3.9/site-packages/tern/__main__.py", line 123, in do_main
    crun.execute_image(args)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/run.py", line 80, in execute_image
    cimage.default_analyze(full_image, args)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/image.py", line 75, in default_analyze
    multi_layer.analyze_subsequent_layers(
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/multi_layer.py", line 168, in analyze_subsequent_layers
    fresh_analysis(image_obj, curr_layer, prereqs, options)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/multi_layer.py", line 113, in fresh_analysis
    target = prep_layers(image_obj, curr_layer, options.driver)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/multi_layer.py", line 71, in prep_layers
    return apply_layers(image_obj, top_layer)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/container/multi_layer.py", line 63, in apply_layers
    rootfs.root_command(['cp', '-r'] + glob.glob(layer_contents), target)
  File "/usr/local/lib/python3.9/site-packages/tern/utils/rootfs.py", line 71, in root_command
    raise subprocess.CalledProcessError(  # nosec
subprocess.CalledProcessError: Command '['cp', '-r', '/root/.tern/temp/3/contents/var', '/root/.tern/temp/3/contents/sbin', '/root/.tern/temp/3/contents/usr', '/root/.tern/temp/3/contents/lib', '/root/.tern/temp/3/contents/etc', '/root/.tern/temp/3/contents/bin', '/root/.tern/temp/mergedir']' returned non-zero exit status 1.

Environment you are running Tern on

  • Version 2.12.0
  • archlinux / ubuntu / docker
@rnjudge
Copy link
Contributor

rnjudge commented Jun 28, 2023

May be related to #1189? Does the dockerfile have any type of symlink creation?

Thanks for the issue by the way! I'll take a look.

@Mariuxdeangelo
Copy link
Author

Thanks for you reply.

I took a look into it. And i don't think that it's the same problem. Somehow tern ends up with some symlinks that assume the container is based on busybox even if this is not the case.

I also checked the Dockerfile of one of this containers and did not found something described in #1189
https://github.com/ngoduykhanh/wireguard-ui/blob/master/Dockerfile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants