Tern fails to perform analysis for Buildpack images #684
Comments
Not related to super issue: #678. It looks like CNB does not use GNU tar to tar their buildpack tarballs, thus creating leading. Tern reports any messages to stderr as a "Malformed tarball" even though tar takes care of the security issue by default. So I think we just need to check for this message and ignore it if present.
Currently, we use tar -t to test if tar can untar a given tarball before we extract the tarball. This allows us to take advantage of tar's testing of malformed or malicious tarballs. GNU tar will remove leading forward slashes in members if it finds any. This gets piped to stderr with a message. We check if any error exists and exit, despite the fact that in this case, GNU tar successfully extracted the tarball while dealing with a possible security issue. Hence in this change, we check to see if the error message is what we would expect if GNU tar encounters the leading forward slash. If that is the error, we continue on.

Resolves tern-tools#684

Signed-off-by: Nisha K <[email protected]>
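As an added illustration of the check the commit message describes (example code written for this page, not Tern's own implementation): run `tar -t` as a dry run, and treat only GNU tar's "Removing leading `/' from member names" notice as benign while any other stderr output still fails the tarball. The regex for that notice, the assumption that GNU tar is on PATH, and the sample archive with an absolute member name are all constructed here.

```python
"""Pre-check a tarball with ``tar -t`` and separate GNU tar's benign
leading-slash notice from real errors (example, not Tern's code)."""
import io
import re
import subprocess
import tarfile
import tempfile

# GNU tar prints this once per archive when it strips an absolute path prefix;
# the quote characters vary with tar version and locale, hence the \W classes.
LEADING_SLASH_NOTICE = re.compile(
    r"^tar: Removing leading \W?/\W? from member names$")


def classify_tar_stderr(stderr: str) -> tuple[list[str], list[str]]:
    """Split tar's stderr into (benign notices, real errors)."""
    benign, errors = [], []
    for line in stderr.splitlines():
        line = line.strip()
        if not line:
            continue
        (benign if LEADING_SLASH_NOTICE.match(line) else errors).append(line)
    return benign, errors


def tarball_is_usable(path: str) -> tuple[bool, list[str]]:
    """Dry-run ``tar -tf``. Usable only when tar exits 0 and the sole stderr
    output is the leading-slash notice. Assumes GNU tar is on PATH."""
    proc = subprocess.run(["tar", "-tf", path], capture_output=True, text=True)
    _benign, errors = classify_tar_stderr(proc.stderr)
    return proc.returncode == 0 and not errors, errors


def make_absolute_path_tarball(dest: str) -> None:
    """Constructed sample: one member stored with an absolute name, the
    shape the issue reports for buildpack layers (path is made up)."""
    with tarfile.open(dest, "w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo(name="/cnb/buildpacks/hello.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".tar") as tmp:
        make_absolute_path_tarball(tmp.name)
        ok, errs = tarball_is_usable(tmp.name)
        print("usable:", ok, "errors:", errs)
```

Anything that is not the exact notice (truncated archive, unreadable header, a non-GNU tar that does not strip the prefix at all) still counts as an error, so the check only relaxes the one case the commit message names.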
Describe the bug
If you create or pull an image from Docker Hub that was created with kpack, Tern fails to perform any analysis. Note: this has been seen on a variety of buildpack images.
To Reproduce
Error in terminal
Expected behavior
Tern would ideally be able to unpack the buildpack image and perform analysis on it.
Environment you are running Tern on
Enter all that apply
Possibly related super issue: #678