cdxgen: Generating SBOM for a container image from tar file fails

Hi, I’ve been trying to generate an SBOM for a Docker image from a tar file and keep hitting the same error:

docker save -o alpine.tar alpine:3.14
SCAN_DEBUG_MODE=debug cdxgen alpine.tar -o bom.json -t docker
Image archive alpine.tar successfully exported to directory /tmp/docker-images-bNqj3V
Extracting /tmp/docker-images-bNqj3V/blobs/sha256 to /tmp/docker-images-bNqj3V/all-layers
Error while extracting image /tmp/docker-images-bNqj3V/blobs/sha256 to /tmp/docker-images-bNqj3V/all-layers. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues
------------
[Error: EISDIR: illegal operation on a directory, read] {
  errno: -21,
  code: 'EISDIR',
  syscall: 'read'
}
------------
pathList [
  '/tmp/docker-images-bNqj3V/all-layers/usr/local/go',
  '/tmp/docker-images-bNqj3V/all-layers/usr/local/lib',
  '/tmp/docker-images-bNqj3V/all-layers/usr/local/lib64',
  '/tmp/docker-images-bNqj3V/all-layers/opt',
  '/tmp/docker-images-bNqj3V/all-layers/home',
  '/tmp/docker-images-bNqj3V/all-layers/usr/share',
  '/tmp/docker-images-bNqj3V/all-layers/usr/src',
  '/tmp/docker-images-bNqj3V/all-layers/var/www/html',
  '/tmp/docker-images-bNqj3V/all-layers/var/lib',
  '/tmp/docker-images-bNqj3V/all-layers/mnt',
  '/tmp/docker-images-bNqj3V/all-layers/usr/lib',
  '/tmp/docker-images-bNqj3V/all-layers/usr/lib64'
]
Executing /usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin/plugins/trivy/trivy-cdxgen-linux-amd64 rootfs --skip-db-update --skip-java-db-update --offline-scan --skip-files **/*.jar --no-progress --exit-code 0 --format cyclonedx --cache-dir /home/user/.cache/trivy --output /tmp/trivy-cdxgen-j9aIc1/trivy-bom.json /tmp/docker-images-bNqj3V/all-layers
Cleaning up /tmp/trivy-cdxgen-j9aIc1
{}
Found 0 OS packages at /tmp/docker-images-bNqj3V/all-layers
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/local/go
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/local/go
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/local/lib
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/local/lib
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/local/lib64
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/local/lib64
Scanning /tmp/docker-images-bNqj3V/all-layers/opt
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/opt
Scanning /tmp/docker-images-bNqj3V/all-layers/home
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/home
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/share
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/share
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/src
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/src
Scanning /tmp/docker-images-bNqj3V/all-layers/var/www/html
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/var/www/html
Scanning /tmp/docker-images-bNqj3V/all-layers/var/lib
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/var/lib
Scanning /tmp/docker-images-bNqj3V/all-layers/mnt
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/mnt
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/lib
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/lib
Scanning /tmp/docker-images-bNqj3V/all-layers/usr/lib64
Found 0 ruby packages at /tmp/docker-images-bNqj3V/all-layers/usr/lib64
BOM includes 0 components and 1 dependencies after dedupe
Cleaning up /tmp/docker-images-bNqj3V

I’m using quite recent versions of node/npm and cdxgen:

npm --version
10.2.4
node --version
v21.6.2
cdxgen --version
10.1.3

The problem is reproducible with other images using Docker (WSL Ubuntu) and Podman (Windows).

Any help would be much appreciated 😃

About this issue

  • State: closed
  • Created 4 months ago
  • Comments: 19 (10 by maintainers)

Most upvoted comments

Sorry, missed the steps in the PR; had jumped straight to the main readme.

I can confirm that everything works when building an SBoM from either a Docker v20 or v25 archive.

Thanks for the effort!

@roadSurfer The PR has the instructions. Looks like npm install is missing, or check if node_modules got copied over to the image.

@roadSurfer @MiyazawaK please test with #935 which includes a fix for this issue.

https://github.com/CycloneDX/cdxgen/pull/935

I archived the same image (alpine:latest) with podman and generated an SBoM without issue.

Comparing the archives, I didn’t spot anything greatly different other than blob locations and Docker not including the .tar extension.

Both TARs and the SBoMs generated for them are in the attached Zip. The Docker Tar triggered the error and resulted in a basically empty SBoM.

Archives.zip

I can see what is going wrong. In docker.js, line 775, it asks for all directories under /tmp/<name>/blobs/sha256 and for some reason it is only getting /tmp/<name>/blobs/sha256 as a result. There is then an attempt to extract that directory, which obviously fails.

If the recursion is disabled then it works as expected.

None of this appears to have changed, so I am not sure what is going on here. I am not a Node expert, though, so I could well be missing something obvious.