This repository is deprecated and no longer maintained.
If you're looking for a host-local container vulnerability scanner see our new projects:
Software Bill of Materials for Containers: Syft
Container Vulnerability Scanning: Grype
This project is deprecated. Work is now done on https://github.com/anchore/syft and https://github.com/anchore/grype for local-host Software Bill of Materials and vulnerability scanning tools.
License: Apache License 2.0
I'm using v1.1.1 and the feeds synchronization activity output goes to stderr:
[root@hostname ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: centos:6: ...
syncing group data: debian:unstable: ...
syncing group data: ubuntu:16.10: ...
syncing group data: centos:7: ...
syncing group data: ubuntu:15.10: ...
syncing group data: ubuntu:16.04: ...
syncing group data: ubuntu:15.04: ...
syncing group data: debian:9: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:12.04: ...
syncing group data: centos:5: ...
syncing group data: alpine:3.4: ...
syncing group data: debian:8: ...
syncing group data: alpine:3.3: ...
syncing group data: ubuntu:14.04: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ubuntu:14.10: ...
syncing group data: debian:7: ...
syncing group data: alpine:3.5: ...
skipping data sync for unsubscribed feed (packages) ...
[root@hostname ~]# anchore feeds sync 2>/dev/null
[root@hostname ~]#
[root@hostname ~]# anchore feeds sync 1>/dev/null
syncing data for subscribed feed (vulnerabilities) ...
skipping group data: centos:6: already synced
skipping group data: debian:unstable: already synced
skipping group data: ubuntu:16.10: already synced
skipping group data: centos:7: already synced
skipping group data: ubuntu:15.10: already synced
skipping group data: ubuntu:16.04: already synced
skipping group data: ubuntu:15.04: already synced
skipping group data: debian:9: already synced
skipping group data: ubuntu:12.10: already synced
skipping group data: ubuntu:12.04: already synced
skipping group data: centos:5: already synced
skipping group data: alpine:3.4: already synced
skipping group data: debian:8: already synced
skipping group data: alpine:3.3: already synced
skipping group data: ubuntu:14.04: already synced
skipping group data: ubuntu:13.04: already synced
skipping group data: ubuntu:14.10: already synced
skipping group data: debian:7: already synced
skipping group data: alpine:3.5: already synced
skipping data sync for unsubscribed feed (packages) ...
For cron activities it would be more beneficial to only send to stderr real errors. This is more of an Enhancement than a Bug.
Failures to extract package information or other distro-specific analysis should result in UNSUPPORTED_DISTRO triggers for policy rather than analysis failure. At minimum, the distro detector can place a lower bound on the version supported for each distro within reasonable bounds. e.g. debian 6+, centos 5+, etc.
Error trace from a specific dpkg failure:
Example: debian/eol:woody
[root@1254cba0cb9d ~]# anchore analyze --image debian/eol:woody
Analyzing image: debian/eol:woody
7136fd1ad6a3: analyzing ...
ERROR analyzer status: failed
ERROR analyzer exitcode: 1
ERROR analyzer output: dpkg-query: warning: parsing file '/root/.anchore/anchoretmp/4562356.anchoretmp/rootfs/var/lib/dpkg/status' near line 15 package 'telnet':
missing architecture
dpkg-query: warning: parsing file '/root/.anchore/anchoretmp/4562356.anchoretmp/rootfs/var/lib/dpkg/status' near line 28 package 'mbr':
missing architecture
dpkg-query: warning: parsing file '/root/.anchore/anchoretmp/4562356.anchoretmp/rootfs/var/lib/dpkg/status' near line 48 package 'libwrap0':
missing architecture
... (those 4 lines repeated for all packages in the image)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/11_package_detail_list.py", line 136, in <module>
pkglist[p] = json.dumps(pkgs[p])
File "/usr/lib64/python2.7/json/__init__.py", line 243, in dumps
return _default_encoder.encode(obj)
File "/usr/lib64/python2.7/json/encoder.py", line 207, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/usr/lib64/python2.7/json/encoder.py", line 270, in iterencode
return _iterencode(o, 0)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xe1 in position 5: invalid continuation byte
ERROR analyzer failed to run on image 7136fd1ad6a3491ab0ba8b626b186c63320765b8c8ce273015e31d608bd4eac3, skipping the rest
ERROR analyzers failed to run on one or more images.
ERROR analysis failed.
ERROR analysis failed for one or more images.
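The failure above comes from serializing package fields that are not valid UTF-8, on a status file that also lacks Architecture entries. The following is an added example, not anchore's analyzer code: a tolerant parser for dpkg status data that decodes every field to text before `json.dumps` and records missing fields instead of failing. The sample status bytes are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the layout of /var/lib/dpkg/status on a very old image:
# one entry without an Architecture field and with a Latin-1 byte (0xe1)
# in the Maintainer name, one removed package, one complete entry.
SAMPLE_STATUS = (
    b"Package: telnet\n"
    b"Status: install ok installed\n"
    b"Maintainer: Jos\xe1 Example <jose@example.invalid>\n"
    b"Version: 1.0-1\n"
    b"Description: constructed entry\n"
    b" second line of the description\n"
    b"\n"
    b"Package: mbr\n"
    b"Status: deinstall ok config-files\n"
    b"Version: 2.0-1\n"
    b"\n"
    b"Package: libwrap0\n"
    b"Status: install ok installed\n"
    b"Architecture: i386\n"
    b"Version: 3.0-1\n"
)


def decode_field(raw):
    """Decode as UTF-8; fall back to Latin-1, which maps every byte to a character."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def parse_stanza(stanza):
    """Turn one 'Field: value' stanza (bytes) into a dict of text fields."""
    fields, last = {}, None
    for line in stanza.split(b"\n"):
        if not line.strip():
            continue
        if line[:1] in (b" ", b"\t"):
            # Continuation line: append to the previous field.
            if last is not None:
                fields[last] += "\n" + decode_field(line.strip())
            continue
        key, sep, value = line.partition(b":")
        if not sep:
            continue  # not a field line; skip it rather than abort
        last = decode_field(key.strip())
        fields[last] = decode_field(value.strip())
    return fields


def package_detail_list(status_bytes):
    """Return ({package: json_string}, [notes]) for installed packages only."""
    pkglist, notes = {}, []
    for stanza in status_bytes.split(b"\n\n"):
        fields = parse_stanza(stanza)
        name = fields.get("Package")
        status = fields.get("Status", "").split()
        if not name or not status or status[-1] != "installed":
            continue
        if "Architecture" not in fields:
            # Record the gap; a missing field is not a reason to fail analysis.
            notes.append("%s: missing architecture" % name)
        detail = {
            "version": fields.get("Version"),
            "arch": fields.get("Architecture"),
            "maintainer": fields.get("Maintainer"),
            "description": fields.get("Description"),
        }
        # Every value is already text, so json.dumps cannot hit a decode error.
        pkglist[name] = json.dumps(detail, sort_keys=True)
    return pkglist, notes


if __name__ == "__main__":
    result, warnings = package_detail_list(SAMPLE_STATUS)
    for pkg in sorted(result):
        print(pkg, result[pkg])
    print(warnings)
```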
Under `anchore query --extended-help` it is said that Image IDs can be specified as repo names.
However, after analyzing a bunch of my private images using `anchore analyze --image <repo>/<image>`, `anchore query --image <repo> cve-scan all` returns `ERROR could not load input images: Input image name <repo> not found in local dockerhost or anchore DB.`
My aim is to be able to query / audit all images from a specific repo as part of a workflow process. There may be other images present in docker that I do not intend to analyze.
On a side note, is there a way to easily reset the anchore db / remove all analyzed images instead of `rm -rf ~/.anchore`?
Will support for scanning private registries be added with the command line tools eventually? I'd like to be able to scan my OpenShift Registry.
The current implementation of --include-allanchore is to query all local docker images as well as everything in the anchore db. This is confusing. It seems with this name it should only include known images in the db, not all docker images. The side-effect is that asking queries about everything in the db requires all local images to be analyzed. The query should succeed even if there are docker images locally that are not analyzed yet, or we should provide another way to do that without enumerating the images.
Example:
> anchore query --include-allanchore list-image-attrs all
ERROR explore operation failed: Image(s) must be analyzed before operation can be performed.
Image: ab2b00916fb87732ffcb9a887f7b3954bf4c1e19f2f5c8c2fb902188c8b36127
ERROR query operation failed: 1
If you follow the readme instructions for running anchore from a Docker image and then use docker exec to call anchore analyze as it suggests, the command fails.
I believe this is because the command is looking for a Dockerfile within the running Docker container rather than on the host's filesystem tree.
As you can see the Dockerfile exists and is in the path provided below as per the readme instructions:
ls -l /Users/samm/git/docker-base-image/Dockerfile
However, when called even with the fully qualified path the command fails:
docker exec anchore anchore analyze --image 58329f1f1727 --dockerfile /Users/samm/git/docker-base-image/Dockerfile
Usage: anchore analyze [OPTIONS]
Error: Invalid value for "--dockerfile": Path "/Users/samm/git/docker-base-image/Dockerfile" does not exist.
Hi
I am unable to start up completely; I get an error when the catalog is enabled.
sh-4.2# /bin/twistd --logger=anchore_engine.subsys.twistd_logger.logger --pidfile /var/run/anchore-catalog.pid -n anchore-catalog --config /config
[service:catalog] 2018-06-26 12:16:09+0000 [-] [bootstrap] [WARNING] no webhooks defined in configuration file - notifications will be disabled
[service:catalog] 2018-06-26 12:16:09+0000 [-] [bootstrap] [INFO] initializing database
[service:catalog] 2018-06-26 12:16:11+0000 [-] [bootstrap] [INFO] Archive initialization complete
[service:catalog] 2018-06-26 12:16:11+0000 [-] [bootstrap] [ERROR] cannot create/init/register service: catalog - exception: unable to initialize default user data - exception: coercing to Unicode: need string or buffer, NoneType found
[service:catalog] 2018-06-26 12:16:11+0000 [-] [bootstrap] [ERROR] cannot start service (see above for information)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore_engine/services/common.py", line 362, in makeService
rc = smodule.initializeService(sname, localconfig)
File "/usr/lib/python2.7/site-packages/anchore_engine/services/catalog/__init__.py", line 107, in initializeService
raise Exception ("unable to initialize default user data - exception: " + str(err))
Exception: unable to initialize default user data - exception: coercing to Unicode: need string or buffer, NoneType found
Traceback (most recent call last):
File "/bin/twistd", line 11, in <module>
load_entry_point('Twisted==17.5.0', 'console_scripts', 'twistd')()
File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 29, in run
app.run(runApp, ServerOptions)
File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 662, in run
runApp(config)
File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 25, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 380, in run
self.application = self.createOrGetApplication()
File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 440, in createOrGetApplication
ser = plg.makeService(self.config.subOptions)
File "/usr/lib/python2.7/site-packages/twisted/plugins/anchore_catalog.py", line 76, in makeService
r = anchore_engine.services.common.makeService(slist, options)
File "/usr/lib/python2.7/site-packages/anchore_engine/services/common.py", line 387, in makeService
raise Exception("cannot start service (see above for information)")
Exception: cannot start service (see above for information)
I'm trying to set up anchore engine in our environment.
We are set behind a squid proxy server, hence I had to add the http_proxy & https_proxy vars in our docker settings (added the variables in docker-compose.yaml file).
However, when running `docker-compose up -d` and then `docker logs` for the anchore-engine container, I see the below error:
18-01-08 22:18:20,410 DEBUG connexion.apis.flask_api - ... Adding GET -> anchore_engine.services.policy_engine.api.controllers.synchronous_operations.list_image_users
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Produces: ['application/json']
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Produces json
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Adding produces decorator (<function <lambda> at 0x65ee230>)
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Security: [{'anchore_basic': []}]
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Security type 'basic' not natively supported by Connexion; you should handle it yourself
2018-01-08 22:18:20,412 DEBUG connexion.operation - ... Adding security decorator (<function security_passthrough at 0x5788aa0>)
2018-01-08 22:18:20,443 INFO policy_engine_bootstrap - Registration complete.
2018-01-08 22:18:20,447 INFO policy_engine_bootstrap - Checking feeds client credentials
2018-01-08 22:18:20,450 DEBUG policy_engine_bootstrap - Initializing a feeds client
2018-01-08 22:18:20,585 ERROR policy_engine_bootstrap - Preflight checks failed with error: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",). Aborting service startup
I have also bind mounted the /etc/pki path from the docker host towards the container, because the host has the in-house root CA already trusted, which didn't help.
Is there a way for me to bypass the SSL verification for this mechanism so that?
Thanks!
Default location could be in ~/.anchore/modules or similar, and perhaps by default failures in user modules would not failstop by default like the core modules do (for analyzer/gates).
Anchore analysis runs on the "familytree" of the image, which is the set of parentIDs of the layers. Typically this is not a 1:1 mapping to layers, but to images referred to in 'FROM' directives. However, on image builds, docker sets it for each layer. Anchore then runs an unpack() and analysis on each individual layer and all content to that point, causing analysis to take a long time and lots of resources.
Example of build behavior on an image built from ubuntu:latest:
docker history testimage1
IMAGE CREATED CREATED BY SIZE COMMENT
17cada8704f7 30 minutes ago /bin/sh -c #(nop) ENV somekey=somevalue 0 B
389be87be712 30 minutes ago /bin/sh -c echo "Hello5" > /root/hello5 7 B
ba8efdb71b82 30 minutes ago /bin/sh -c echo "Hello4" > /root/hello4 7 B
c487c9eb4267 30 minutes ago /bin/sh -c echo "Hello3" > /root/hello3 7 B
dfeefcddffec 30 minutes ago /bin/sh -c echo "Hello2" > /root/hello2 7 B
ea37c65d781a 30 minutes ago /bin/sh -c echo "Hello1" > /root/hello1 7 B
8b94a7dd04ae 30 minutes ago /bin/sh -c echo "Hello" > /root/hello 6 B
f49eec89601e 4 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
<missing> 4 weeks ago /bin/sh -c mkdir -p /run/systemd && echo '... 7 B
<missing> 4 weeks ago /bin/sh -c sed -i 's/^#\s*\(deb.*universe\... 1.9 kB
<missing> 4 weeks ago /bin/sh -c rm -rf /var/lib/apt/lists/* 0 B
<missing> 4 weeks ago /bin/sh -c set -xe && echo '#!/bin/sh' >... 745 B
<missing> 4 weeks ago /bin/sh -c #(nop) ADD file:68f83d996c38a09... 129 MB
Images pushed to registries with V2 manifests seem to lose the parentId anyway, so the condition is that on build-servers we have too much familytree data and on pulled images we have none.
Example image built from jenkins:latest with no parentIds populated:
IMAGE CREATED CREATED BY SIZE COMMENT
1a197c741ce8 5 weeks ago /bin/sh -c #(nop) USER [jenkins] 0 B
<missing> 5 weeks ago /bin/sh -c apt-get update && apt-get insta... 120 MB
<missing> 5 weeks ago /bin/sh -c echo "deb https://apt.dockerpro... 58 B
<missing> 5 weeks ago /bin/sh -c apt-key adv --keyserver hkp://h... 2.81 kB
<missing> 5 weeks ago /bin/sh -c apt-get update && apt-get insta... 19.6 MB
<missing> 5 weeks ago /bin/sh -c #(nop) USER [root] 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) COPY file:2a6a3e16202b8d... 5.96 kB
<missing> 8 weeks ago /bin/sh -c #(nop) COPY file:93fb511d485dd2... 3.92 kB
<missing> 8 weeks ago /bin/sh -c #(nop) ENTRYPOINT ["/bin/tini"... 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) COPY file:7eec179a0dd3aa... 1.21 kB
<missing> 8 weeks ago /bin/sh -c #(nop) COPY file:26c3c5818bc876... 5 kB
<missing> 8 weeks ago /bin/sh -c #(nop) USER [jenkins] 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) ENV COPY_REFERENCE_FILE... 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) EXPOSE 50000/tcp 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) EXPOSE 8080/tcp 0 B
<missing> 8 weeks ago |6 JENKINS_SHA=1b65dc498ba7ab1f5cce64200b9... 328 B
<missing> 8 weeks ago /bin/sh -c #(nop) ENV JENKINS_UC=https://... 0 B
<missing> 8 weeks ago |6 JENKINS_SHA=1b65dc498ba7ab1f5cce64200b9... 70.1 MB
<missing> 8 weeks ago /bin/sh -c #(nop) ARG JENKINS_URL=https:/... 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) ARG JENKINS_SHA=1b65dc4... 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) ENV JENKINS_VERSION=2.32.1 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) ARG JENKINS_VERSION 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) COPY file:c629bc0b9ecb5b... 328 B
<missing> 8 weeks ago |4 gid=1000 group=jenkins uid=1000 user=je... 822 kB
<missing> 8 weeks ago /bin/sh -c #(nop) ENV TINI_SHA=0f78709a0e... 0 B
<missing> 8 weeks ago /bin/sh -c #(nop) ENV TINI_VERSION=0.13.1 0 B
<missing> 2 months ago |4 gid=1000 group=jenkins uid=1000 user=je... 0 B
<missing> 2 months ago /bin/sh -c #(nop) VOLUME [/var/jenkins_home] 0 B
<missing> 2 months ago |4 gid=1000 group=jenkins uid=1000 user=je... 335 kB
<missing> 2 months ago /bin/sh -c #(nop) ARG gid=1000 0 B
<missing> 2 months ago /bin/sh -c #(nop) ARG uid=1000 0 B
<missing> 2 months ago /bin/sh -c #(nop) ARG group=jenkins 0 B
<missing> 2 months ago /bin/sh -c #(nop) ARG user=jenkins 0 B
<missing> 2 months ago /bin/sh -c #(nop) ENV JENKINS_SLAVE_AGENT... 0 B
<missing> 2 months ago /bin/sh -c #(nop) ENV JENKINS_HOME=/var/j... 0 B
<missing> 2 months ago /bin/sh -c apt-get update && apt-get insta... 0 B
<missing> 2 months ago /bin/sh -c /var/lib/dpkg/info/ca-certifica... 418 kB
<missing> 2 months ago /bin/sh -c set -x && apt-get update && a... 352 MB
<missing> 2 months ago /bin/sh -c #(nop) ENV CA_CERTIFICATES_JAV... 0 B
<missing> 2 months ago /bin/sh -c #(nop) ENV JAVA_DEBIAN_VERSION... 0 B
<missing> 2 months ago /bin/sh -c #(nop) ENV JAVA_VERSION=8u111 0 B
<missing> 2 months ago /bin/sh -c #(nop) ENV JAVA_HOME=/usr/lib/... 0 B
<missing> 2 months ago /bin/sh -c { echo '#!/bin/sh'; echo 's... 87 B
<missing> 2 months ago /bin/sh -c #(nop) ENV LANG=C.UTF-8 0 B
<missing> 2 months ago /bin/sh -c echo 'deb http://deb.debian.org... 55 B
<missing> 2 months ago /bin/sh -c apt-get update && apt-get insta... 1.29 MB
<missing> 2 months ago /bin/sh -c apt-get update && apt-get insta... 123 MB
<missing> 2 months ago /bin/sh -c apt-get update && apt-get insta... 44.3 MB
<missing> 2 months ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
<missing> 2 months ago /bin/sh -c #(nop) ADD file:1d214d2782eaccc... 123 MB
The anchore family-tree detection fails on that image as well:
anchore toolbox --image nightfurys/jendock show-familytree
+--------------+---------------------------+----------------+--------------+
| Image Id | Current Repo Tags | Past Repo Tags | Image Type |
+--------------+---------------------------+----------------+--------------+
| 1a197c741ce8 | nightfurys/jendock:latest | | Intermediate |
+--------------+---------------------------+----------------+--------------+
Proposed solution is to disable familytree analysis by default so that only the image is extracted and squashed, not each in family tree. A flag, '--familytree' would enable the analysis of each image in the tree if desired.
The buster image is identified as Debian/0 rather than Debian 10.
docker.io/library/debian:buster
os-release contains
PRETTY_NAME="Debian GNU/Linux buster/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
debian-release contains
buster/sid
We should map wheezy/sid/buster/jessie/etc into their corresponding release versions.
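One way to do the mapping requested above, as an added example that is not anchore's detector code: resolve a Debian version from `VERSION_ID` when present, otherwise from the codename in `debian_version` or `PRETTY_NAME`, and return `None` rather than a placeholder version when nothing matches. The function names are hypothetical; the codename table reflects Debian's public release history, and the sample os-release text is built from the contents quoted in the issue.

```python
import re

# Debian codename -> major release number (public Debian release history).
DEBIAN_CODENAMES = {
    "squeeze": "6", "wheezy": "7", "jessie": "8", "stretch": "9",
    "buster": "10", "bullseye": "11", "bookworm": "12",
}

# Constructed from the os-release contents quoted in the issue (no VERSION_ID).
BUSTER_OS_RELEASE = """PRETTY_NAME="Debian GNU/Linux buster/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
"""


def parse_os_release(text):
    """Parse KEY=value lines, removing one layer of surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[key.strip()] = value
    return fields


def version_from_token(token):
    """Map '8.7', 'jessie', 'buster/sid' or 'sid' to a feed-style version."""
    token = token.strip().strip("()").lower()
    if not token:
        return None
    numeric = re.match(r"(\d+)(?:\.\d+)*$", token)
    if numeric:
        return numeric.group(1)          # '8.7' -> '8'
    parts = token.split("/")
    for part in parts:                   # 'buster/sid' -> 'buster' -> '10'
        if part in DEBIAN_CODENAMES:
            return DEBIAN_CODENAMES[part]
    if "sid" in parts:                   # plain 'sid' is the unstable suite
        return "unstable"
    return None


def detect_debian_version(os_release_text, debian_version_text=""):
    """Return a version string such as '10' or 'unstable', or None if unknown.

    None lets the caller report an unsupported distro instead of
    scanning against a made-up version such as 0.
    """
    fields = parse_os_release(os_release_text)
    if fields.get("ID", "").lower() != "debian":
        return None
    pretty = fields.get("PRETTY_NAME", "").split()
    candidates = [
        fields.get("VERSION_ID", ""),    # authoritative when present
        debian_version_text,             # contents of /etc/debian_version
        pretty[-1] if pretty else "",    # last word of PRETTY_NAME
    ]
    for candidate in candidates:
        version = version_from_token(candidate)
        if version:
            return version
    return None


if __name__ == "__main__":
    print(detect_debian_version(BUSTER_OS_RELEASE, "buster/sid\n"))
```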
I recently came across a message while implementing anchore that states that Debian 8 is not a supported distro. This is of course not the case as it's supported until 2020, so I assume Anchore is saying it doesn't support Debian 8.
The message I see is while running Anchore in local mode through Jenkins.
Gate: ANCHORESEC
Trigger: UNSUPPORTEDDISTRO
Check Output: cannot perform CVE scan: no CVE data is currently available for the detected base distro type (debian:8)
I am available in IRC if anyone wants to talk about this further.
I followed all the instructions in the README to build anchore, but I am getting an error when I run the following command:
anchore analyze --image nginx:latest --imagetype base
Analyzing image: nginx:latest
5e69fe4b3c31: analyzing ...
ERROR analyzer status: failed
ERROR analyzer exitcode: 1
ERROR analyzer output: Traceback (most recent call last):
File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore_utils.py", line 2076, in get_files_from_path
os.chroot(inpath)
OSError: [Errno 1] Operation not permitted: '/home/wajih/.anchore/anchoretmp/5451369.anchoretmp/rootfs'
Traceback (most recent call last):
File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py", line 38, in <module>
fmap, allfiles = anchore.anchore_utils.get_files_from_path(unpackdir + "/rootfs")
File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore_utils.py", line 2151, in get_files_from_path
os.chroot('.')
OSError: [Errno 1] Operation not permitted: '.'
[Errno 1] Operation not permitted: '/home/wajih/.anchore/anchoretmp/5451369.anchoretmp/rootfs'
Traceback (most recent call last):
File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py", line 61, in <module>
raise err
OSError: [Errno 1] Operation not permitted: '.'
ERROR analyzer failed to run on image 5e69fe4b3c310ea91ead6008e143deca87995d0519f258008cc52e8c0a5366da, skipping the rest
ERROR analyzers failed to run on one or more images.
ERROR analysis failed.
ERROR analysis failed for one or more images.
Any help would be appreciated.
Docker version 17.03.0-ce, build 3a232c8
pip 9.0.1 from /usr/lib/python2.7/site-packages/pip-9.0.1-py2.7.egg (python 2.7)
I have a Jenkins Multi branch DSL pipeline job that calls anchore scans on all the docker images we build. This one is a scan on nginx reverse proxy. Until about 1 hour ago it has been working fine. There has been no change to our system but now it is failing.
I have verified the disk has space.
Jenkins file code that gets called
try {
env.ANCHORE_SETUP = sh([script: "anchore_scan", returnStdout: true]).trim()
print env.ANCHORE_SETUP
anchore bailOnFail: false, inputQueries: [[query: 'cve-scan all'], [query: 'list-packages all'], [query: 'list-files all'], [query: 'show-pkg-diffs base']], name: 'anchore_images'
} catch (Exception e){
sh 'cat anchore_images'
}
This is the file anchore_images that gets referenced; it lists the location of the docker file and the image name:
nebulagarage/proxy:development /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile
This is my docker file for the proxy docker image:
from owasp/modsecurity:v3-ubuntu-nginx
ADD nginx.conf /etc/nginx/nginx.conf.template
ADD ssls/* /etc/nginx/ssl/
RUN apt-get update -y && \
apt-get -y install gettext-base mlocate psmisc && \
ionice -c3 updatedb
EXPOSE 80
EXPOSE 443
CMD envsubst < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec /usr/local/nginx/nginx -g "daemon off;"
Bash script for ensuring anchore image is latest, and is pulled
#!/usr/bin/env bash
set +ex
if [[ "$(docker images -q anchore/jenkins:latest 2> /dev/null)" == "" ]]; then
docker pull anchore/jenkins:latest
fi
echo "${DOCKER_IMAGE_NAME}:${PACKAGE_VERSION} ${WORKSPACE}/Dockerfile" > ${WORKSPACE}/anchore_images
As you can see, the docker file is not commented on the first line. I have checked disk space and the space is free, and the pattern for naming and scanning the image hasn't changed.
This is the anchore scan output:
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker Jenkins version: 2.141
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker Anchore Container Image Scanner Plugin version: 1.0.14
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] enabled: true
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] enginemode: anchorelocal
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] engineurl: http://your_anchore_engine_host_ip:your_anchore_engine_port/v1
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] engineuser:
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] enginepass: ****
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] engineverify: false
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] debug: true
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] useSudo: false
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] containerImageId: anchore/jenkins:latest
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] containerId: jenkins_anchore
20:57:18 2018-12-27T20:57:18.047 INFO AnchoreWorker [global] localVol: /var/lib/jenkins/.anchore
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [global] modulesVol: /var/lib/jenkins/.anchore
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] name: anchore_images
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] policyName: anchore_policy
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] globalWhiteList: anchore_global_whitelist
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] anchoreioUser:
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] anchoreioPass: ****
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] userScripts: anchore_user_scripts
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] engineRetries: 300
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] bailOnFail: false
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] bailOnWarn: false
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] bailOnPluginFail: true
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] doCleanup: false
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] useCachedBundle: true
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] policyEvalMethod: plainfile
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] bundleFileOverride: anchore_policy_bundle.json
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] query: cve-scan all
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] query: list-packages all
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] query: list-files all
20:57:18 2018-12-27T20:57:18.048 INFO AnchoreWorker [build] query: show-pkg-diffs base
20:57:18 2018-12-27T20:57:18.051 DEBUG AnchoreWorker Initializing Jenkins workspace
20:57:18 2018-12-27T20:57:18.053 DEBUG AnchoreWorker Creating workspace directory AnchoreReport.development_282
20:57:18 2018-12-27T20:57:18.056 DEBUG AnchoreWorker Initializing Anchore workspace
20:57:18 2018-12-27T20:57:18.056 DEBUG AnchoreWorker Checking container jenkins_anchore
20:57:18 2018-12-27T20:57:18.056 DEBUG AnchoreWorker Executing "docker start jenkins_anchore"
20:57:18 $ docker start jenkins_anchore
20:57:18 jenkins_anchore
20:57:18 2018-12-27T20:57:18.115 DEBUG AnchoreWorker Execution of "docker start jenkins_anchore" returned 0
20:57:18 2018-12-27T20:57:18.116 DEBUG AnchoreWorker Anchore container jenkins_anchore is already running
20:57:18 2018-12-27T20:57:18.116 DEBUG AnchoreWorker Creating build artifact directory /root/anchore.development_282 in Anchore container jenkins_anchore
20:57:18 2018-12-27T20:57:18.116 DEBUG AnchoreWorker Executing "docker exec jenkins_anchore mkdir -p /root/anchore.development_282"
20:57:18 $ docker exec jenkins_anchore mkdir -p /root/anchore.development_282
20:57:18 2018-12-27T20:57:18.246 DEBUG AnchoreWorker Execution of "docker exec jenkins_anchore mkdir -p /root/anchore.development_282" returned 0
20:57:18 2018-12-27T20:57:18.246 DEBUG AnchoreWorker Staging image file in Jenkins workspace
20:57:18 2018-12-27T20:57:18.255 DEBUG AnchoreWorker Copying Dockerfile from Jenkins workspace: /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile, to Anchore workspace: /root/anchore.development_282/dfile.1
20:57:18 2018-12-27T20:57:18.255 DEBUG AnchoreWorker Executing "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile jenkins_anchore:/root/anchore.development_282/dfile.1"
20:57:18 $ docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile jenkins_anchore:/root/anchore.development_282/dfile.1
20:57:18 2018-12-27T20:57:18.570 DEBUG AnchoreWorker Execution of "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile jenkins_anchore:/root/anchore.development_282/dfile.1" returned 0
20:57:18 2018-12-27T20:57:18.570 DEBUG AnchoreWorker Staging sanitized entry: "nebulagarage/proxy:development /root/anchore.development_282/dfile.1"
20:57:18 2018-12-27T20:57:18.570 DEBUG AnchoreWorker Copying staged image file from Jenkins workspace: /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282, to Anchore workspace: /root/anchore.development_282/images
20:57:18 2018-12-27T20:57:18.570 DEBUG AnchoreWorker Executing "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282 jenkins_anchore:/root/anchore.development_282/images"
20:57:18 $ docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282 jenkins_anchore:/root/anchore.development_282/images
20:57:18 2018-12-27T20:57:18.878 DEBUG AnchoreWorker Execution of "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282 jenkins_anchore:/root/anchore.development_282/images" returned 0
20:57:18 2018-12-27T20:57:18.880 DEBUG AnchoreWorker No user scripts/modules found, using default Anchore modules
20:57:18 2018-12-27T20:57:18.883 INFO AnchoreWorker Bundle file either not specified or does not exist, using default Anchore policy
20:57:18 2018-12-27T20:57:18.885 INFO AnchoreWorker Policy file either not specified or does not exist, using default Anchore policy
20:57:18 2018-12-27T20:57:18.888 INFO AnchoreWorker Global whitelist file either not specified or does not exist, using default Anchore global whitelist
20:57:18 2018-12-27T20:57:18.888 DEBUG AnchoreWorker Build worker initialized
20:57:18 2018-12-27T20:57:18.888 INFO AnchoreWorker Running Anchore Analyzer
20:57:18 2018-12-27T20:57:18.888 DEBUG AnchoreWorker Executing "docker exec jenkins_anchore anchore --debug analyze --skipgates --imagefile /root/anchore.development_282/images"
20:57:18 $ docker exec jenkins_anchore anchore --debug analyze --skipgates --imagefile /root/anchore.development_282/images
20:57:19 2018-12-27 20:57:19,180 DEBUG anchore_image_db_fs.py __init__ using directory for anchore image data: /root/.anchore/data
20:57:19 2018-12-27 20:57:19,181 DEBUG anchore_image_db_fs.py __init__ using directory for anchore feed data: /root/.anchore/feeds
20:57:19 2018-12-27 20:57:19,181 DEBUG anchore_image_db_fs.py __init__ using directory for anchore policy data: /root/.anchore/policy
20:57:19 2018-12-27 20:57:19,184 DEBUG auth.py find_config_file Trying paths: ['/root/.docker/config.json', '/root/.dockercfg']
20:57:19 2018-12-27 20:57:19,184 DEBUG auth.py find_config_file No config file found
20:57:19 2018-12-27 20:57:19,191 DEBUG connectionpool.py _make_request "GET /version HTTP/1.1" 200 537
20:57:19 2018-12-27 20:57:19,194 DEBUG connectionpool.py _make_request "GET /v1.38/version HTTP/1.1" 200 537
20:57:19 2018-12-27 20:57:19,215 DEBUG connectionpool.py _make_request "GET /v1.38/images/json?only_ids=0&all=1 HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,216 DEBUG anchore_image_db_fs.py __init__ using directory for anchore image data: /root/.anchore/data
20:57:19 2018-12-27 20:57:19,216 DEBUG anchore_image_db_fs.py __init__ using directory for anchore feed data: /root/.anchore/feeds
20:57:19 2018-12-27 20:57:19,216 DEBUG anchore_image_db_fs.py __init__ using directory for anchore policy data: /root/.anchore/policy
20:57:19 2018-12-27 20:57:19,217 DEBUG anchore_utils.py discover_imageId looking for name (nebulagarage/proxy:development) in docker_images
20:57:19 2018-12-27 20:57:19,217 DEBUG anchore_utils.py discover_imageId looking for alternative names (nebulagarage/proxy:development) in docker_images
20:57:19 2018-12-27 20:57:19,218 DEBUG analyzer.py __init__ analyzer initialization: begin
20:57:19 2018-12-27 20:57:19,218 DEBUG analyzer.py __init__ init input processed, loading input images: [u'nebulagarage/proxy:development']
20:57:19 2018-12-27 20:57:19,218 DEBUG anchore_image.py __init__ initializing image: nebulagarage/proxy:development
20:57:19 2018-12-27 20:57:19,218 DEBUG anchore_utils.py discover_imageId looking for name (nebulagarage/proxy:development) in docker_images
20:57:19 2018-12-27 20:57:19,218 DEBUG anchore_utils.py discover_imageId looking for alternative names (nebulagarage/proxy:development) in docker_images
20:57:19 Analyzing image: nebulagarage/proxy:development
20:57:19 2018-12-27 20:57:19,219 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/reports/image_report.json), but failed to load for imageId (4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,253 DEBUG connectionpool.py _make_request "GET /v1.38/images/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,257 DEBUG connectionpool.py _make_request "GET /v1.38/images/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,258 DEBUG anchore_image.py __init__ initializing image: 1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10
20:57:19 2018-12-27 20:57:19,258 DEBUG anchore_utils.py discover_imageId looking for name (1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10) in docker_images
20:57:19 2018-12-27 20:57:19,258 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/reports/image_report.json), but failed to load for imageId (1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,260 DEBUG connectionpool.py _make_request "GET /v1.38/images/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,264 DEBUG connectionpool.py _make_request "GET /v1.38/images/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,265 DEBUG anchore_image.py __init__ initializing image: 28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c
20:57:19 2018-12-27 20:57:19,265 DEBUG anchore_utils.py discover_imageId looking for name (28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c) in docker_images
20:57:19 2018-12-27 20:57:19,266 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/reports/image_report.json), but failed to load for imageId (28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,268 DEBUG connectionpool.py _make_request "GET /v1.38/images/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,271 DEBUG connectionpool.py _make_request "GET /v1.38/images/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,271 DEBUG anchore_image.py __init__ initializing image: f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b
20:57:19 2018-12-27 20:57:19,271 DEBUG anchore_utils.py discover_imageId looking for name (f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b) in docker_images
20:57:19 2018-12-27 20:57:19,272 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/reports/image_report.json), but failed to load for imageId (f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,273 DEBUG connectionpool.py _make_request "GET /v1.38/images/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,277 DEBUG connectionpool.py _make_request "GET /v1.38/images/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,278 DEBUG anchore_image.py __init__ initializing image: 10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505
20:57:19 2018-12-27 20:57:19,278 DEBUG anchore_utils.py discover_imageId looking for name (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) in docker_images
20:57:19 2018-12-27 20:57:19,278 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/reports/image_report.json), but failed to load for imageId (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,280 DEBUG connectionpool.py _make_request "GET /v1.38/images/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,283 DEBUG connectionpool.py _make_request "GET /v1.38/images/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,284 DEBUG anchore_image.py __init__ initializing image: 1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946
20:57:19 2018-12-27 20:57:19,284 DEBUG anchore_utils.py discover_imageId looking for name (1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946) in docker_images
20:57:19 2018-12-27 20:57:19,284 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/reports/image_report.json), but failed to load for imageId (1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,286 DEBUG connectionpool.py _make_request "GET /v1.38/images/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,290 DEBUG connectionpool.py _make_request "GET /v1.38/images/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,290 DEBUG anchore_image.py __init__ initializing image: fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90
20:57:19 2018-12-27 20:57:19,290 DEBUG anchore_utils.py discover_imageId looking for name (fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90) in docker_images
20:57:19 2018-12-27 20:57:19,297 DEBUG connectionpool.py _make_request "GET /v1.38/images/fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,298 DEBUG connectionpool.py _make_request "GET /v1.38/images/fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,301 DEBUG connectionpool.py _make_request "GET /v1.38/images/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,304 DEBUG connectionpool.py _make_request "GET /v1.38/images/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,307 DEBUG connectionpool.py _make_request "GET /v1.38/images/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,310 DEBUG connectionpool.py _make_request "GET /v1.38/images/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,314 DEBUG connectionpool.py _make_request "GET /v1.38/images/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,314 DEBUG analyzer.py __init__ loaded input images, checking that all input images have been loaded [u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea']
20:57:19 2018-12-27 20:57:19,315 DEBUG analyzer.py __init__ analyzer initialization: end
20:57:19 2018-12-27 20:57:19,315 DEBUG analyzer.py run main image analysis on images: [u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea']: begin
20:57:19 2018-12-27 20:57:19,315 DEBUG analyzer.py run images to be analyzed: [u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea']
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_retrieve_files.py
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/10_package_list.py
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_java_packages.py
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/02_layers.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_npm_package_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/20_file_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_secret_search.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/30_file_checksums.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/11_package_detail_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_content_search.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_python_packages.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/40_file_suids.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/01_analyzer_meta.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/31_file_package_verify.py
20:57:19 2018-12-27 20:57:19,319 DEBUG analyzer.py run_analyzers analyzer commands all finished with successful exit codes
20:57:19 2018-12-27 20:57:19,319 DEBUG analyzer.py run_analyzers saving image information with updated analysis data
20:57:19 2018-12-27 20:57:19,321 INFO analyzer.py run_analyzers fa21bf78d25e: analyzed.
20:57:19 2018-12-27 20:57:19,321 DEBUG analyzer.py run_analyzers running analyzers on image: fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90: end
20:57:19 2018-12-27 20:57:19,323 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_retrieve_files.py
20:57:19 2018-12-27 20:57:19,324 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/10_package_list.py
20:57:19 2018-12-27 20:57:19,324 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_java_packages.py
20:57:19 2018-12-27 20:57:19,324 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/02_layers.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_npm_package_list.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/20_file_list.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_secret_search.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/30_file_checksums.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/11_package_detail_list.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_content_search.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_python_packages.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/40_file_suids.py
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/01_analyzer_meta.py
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/31_file_package_verify.py
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers analyzer commands all finished with successful exit codes
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers saving image information with updated analysis data
20:57:19 2018-12-27 20:57:19,329 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/reports/image_report.json), but failed to load for imageId (4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,330 ERROR common.py anchore_print_err failed to run analyzer
20:57:19 Traceback (most recent call last):
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/cli/analyzer.py", line 392, in analyze
20:57:19 rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=inlist, allimages=allimages, force=force, args=args).run()
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 416, in run
20:57:19 success = self.run_analyzers(image)
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 368, in run_analyzers
20:57:19 image.save_image()
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/anchore_image.py", line 263, in save_image
20:57:19 self.anchore_db.save_image_report(self.meta['imageId'], report)
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/anchore_image_db/anchore_image_db_fs.py", line 625, in save_image_report
20:57:19 diff = list(set(oldreport['anchore_current_tags']).symmetric_difference(set(report['anchore_current_tags'])))
20:57:19 TypeError: unhashable type: 'list'
20:57:19 2018-12-27 20:57:19,331 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'fa21bf78d25e', 'usertype': None, 'shortId': u'1fc25d14020a', 'imagename': u'1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946', 'parentId': u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', 'shortname': u'1fc25d14020a', 'imageId': u'1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946', 'sizebytes': '261815094', 'humanname': u'1fc25d14020a'}
20:57:19 2018-12-27 20:57:19,331 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/reports/image_report.json), but failed to load for imageId (1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x32bd090>> ignored
20:57:19 2018-12-27 20:57:19,331 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'10cc4becbe9f', 'usertype': None, 'shortId': u'f1495ea6b72c', 'imagename': u'f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b', 'parentId': u'10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505', 'shortname': u'f1495ea6b72c', 'imageId': u'f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b', 'sizebytes': '306857985', 'humanname': u'f1495ea6b72c'}
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/reports/image_report.json), but failed to load for imageId (f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dcf90>> ignored
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'28dcf4463643', 'usertype': None, 'shortId': u'1706df414124', 'imagename': u'1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10', 'parentId': u'28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c', 'shortname': u'1706df414124', 'imageId': u'1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10', 'sizebytes': '306857985', 'humanname': u'1706df414124'}
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/reports/image_report.json), but failed to load for imageId (1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dcb10>> ignored
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'f1495ea6b72c', 'usertype': None, 'shortId': u'28dcf4463643', 'imagename': u'28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c', 'parentId': u'f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b', 'shortname': u'28dcf4463643', 'imageId': u'28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c', 'sizebytes': '306857985', 'humanname': u'28dcf4463643'}
20:57:19 2018-12-27 20:57:19,333 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/reports/image_report.json), but failed to load for imageId (28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dce50>> ignored
20:57:19 2018-12-27 20:57:19,333 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'1fc25d14020a', 'usertype': None, 'shortId': u'10cc4becbe9f', 'imagename': u'10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505', 'parentId': u'1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946', 'shortname': u'10cc4becbe9f', 'imageId': u'10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505', 'sizebytes': '261824606', 'humanname': u'10cc4becbe9f'}
20:57:19 2018-12-27 20:57:19,333 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/reports/image_report.json), but failed to load for imageId (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x32bd490>> ignored
20:57:19 2018-12-27 20:57:19,333 ERROR common.py anchore_print_err analysis failed for one or more images.
20:57:19 Traceback (most recent call last):
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/cli/analyzer.py", line 392, in analyze
20:57:19 rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=inlist, allimages=allimages, force=force, args=args).run()
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 416, in run
20:57:19 success = self.run_analyzers(image)
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 368, in run_analyzers
20:57:19 image.save_image()
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/anchore_image.py", line 263, in save_image
20:57:19 self.anchore_db.save_image_report(self.meta['imageId'], report)
20:57:19 File "/usr/lib/python2.7/site-packages/anchore/anchore_image_db/anchore_image_db_fs.py", line 625, in save_image_report
20:57:19 diff = list(set(oldreport['anchore_current_tags']).symmetric_difference(set(report['anchore_current_tags'])))
20:57:19 TypeError: unhashable type: 'list'
20:57:19 2018-12-27 20:57:19,334 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'', 'usertype': None, 'shortId': u'fa21bf78d25e', 'imagename': u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', 'parentId': u'', 'shortname': u'fa21bf78d25e', 'imageId': u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', 'sizebytes': '261809129', 'humanname': u'owasp/modsecurity:v3-ubuntu-nginx'}
20:57:19 2018-12-27 20:57:19,335 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'1706df414124', 'usertype': 'user', 'shortId': u'4a2f8bce9861', 'imagename': u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea', 'parentId': u'1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10', 'shortname': u'4a2f8bce9861', 'imageId': u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea', 'sizebytes': '306857985', 'humanname': u'4a2f8bce9861'}
20:57:19 2018-12-27 20:57:19,336 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/reports/image_report.json), but failed to load for imageId (4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dc990>> ignored
20:57:19 2018-12-27T20:57:19.382 DEBUG AnchoreWorker Execution of "docker exec jenkins_anchore anchore --debug analyze --skipgates --imagefile /root/anchore.development_282/images" returned 1
20:57:19 2018-12-27T20:57:19.382 ERROR AnchoreWorker Anchore analyzer failed with return code 1, check output above for details
20:57:19 2018-12-27T20:57:19.382 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin build step due to errors in plugin execution
20:57:19 hudson.AbortException: Anchore analyzer failed, check output above for details
20:57:19 at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzerLocal(BuildWorker.java:295)
20:57:19 at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzer(BuildWorker.java:175)
20:57:19 at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:233)
20:57:19 at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
20:57:19 at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
20:57:19 at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
20:57:19 at hudson.security.ACL.impersonate(ACL.java:290)
20:57:19 at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
20:57:19 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
20:57:19 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
20:57:19 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
20:57:19 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
20:57:19 at java.lang.Thread.run(Thread.java:748)
20:57:19 2018-12-27T20:57:19.382 DEBUG AnchoreWorker Cleaning up build artifacts
20:57:19 2018-12-27T20:57:19.382 DEBUG AnchoreWorker Deleting Jenkins workspace AnchoreReport.development_282
20:57:19 2018-12-27T20:57:19.385 DEBUG AnchoreWorker Deleting Anchore container workspace /root/anchore.development_282
20:57:19 2018-12-27T20:57:19.385 DEBUG AnchoreWorker Executing "docker exec jenkins_anchore rm -rf /root/anchore.development_282"
20:57:19 $ docker exec jenkins_anchore rm -rf /root/anchore.development_282
20:57:19 2018-12-27T20:57:19.544 DEBUG AnchoreWorker Execution of "docker exec jenkins_anchore rm -rf /root/anchore.development_282" returned 0
20:57:19 2018-12-27T20:57:19.545 INFO AnchorePlugin Completed Anchore Container Image Scanner build step
[Pipeline] sh
20:57:19 [neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA] Running shell script
20:57:19 + cat anchore_images
20:57:19 nebulagarage/proxy:development /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile
Hi, I have been testing anchore against several images and it seems the results are the same. I use the command like anchore-cli image vuln maineffort/kbastani-movie-microservice os.
For example all the images of the Spring PetClinic microservices have the same results, even with images from another repository.
root@test-virtual-machine:~/tester/rep# du --all --human-readable --apparent-size
120K ./spring-petclinic-vets-service.txt
120K ./spring-petclinic-visits-service.txt
120K ./spring-petclinic-customers-service.txt
120K ./spring-petclinic-api-gateway.txt
120K ./kbastani-movie-microservice.txt
120K ./kbastani-movies-ui.txt
Note - here I am just illustrating using file sizes but I have also compared the raw results.
Am I mixing the commands or what am I missing? I expect the results to be different even when similar base images are used. Cheers.
Interactions with docker on the localhost via the unix socket can time out in cases where docker is busy, so we should add retry logic around calls to the client to handle temporary failures.
Have seen this issue during image analysis with failures coming from: anchore/anchore_image.py:730 where it calls get_image().data on the docker client.
root@ubuntu:~# anchore analyze --imagetype none
Analyzing image: sha256:72d4ec634f1f24ae2afbc4a1b482865fb3ad5e6575750d335249ce3be612deea
72d4ec634f1f: analyzed.
72d4ec634f1f: evaluating policies ...
72d4ec634f1f: evaluated.
Analyzing image: sha256:cbd13d085eca4fb914aaab37534205924bf2c38430147af0e7389d1cccaabbdf
cbd13d085eca: analyzing ...
cbd13d085eca: analyzed.
cbd13d085eca: evaluating policies ...
cbd13d085eca: evaluated.
Analyzing image: sha256:693bce72514984f01f217e878d143162b5f4c1b83b018e7e6dc7394f055e7cd5
693bce725149: analyzing ...
693bce725149: analyzed.
693bce725149: evaluating policies ...
693bce725149: evaluated.
Analyzing image: sha256:0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d
0d409d33b27e: analyzed.
0d409d33b27e: evaluating policies ...
0d409d33b27e: evaluated.
Analyzing image: sha256:e07b99ee7733d7a6f669cde12c677ea36fbd2490adf3ef3ac59e53c2e9e018e4
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_utils.py", line 287, in image_context_add
newimage = anchore_image.AnchoreImage(i, anchore_datadir, docker_cli=docker_cli, allimages=allimages, dockerfile=dockerfile, tmpdirroot=tmproot, usertype=usertype, anchore_db=anchore_db)
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_image.py", line 123, in __init__
self.discover_layers()
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_image.py", line 395, in discover_layers
imagedir = self.unpack()
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_image.py", line 730, in unpack
FH.write(self.docker_cli.get_image(shortid).data)
File "/usr/local/lib/python2.7/dist-packages/docker/utils/decorators.py", line 21, in wrapped
return f(self, resource_id, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/docker/api/image.py", line 17, in get_image
res = self._get(self._url("/images/{0}/get", image), stream=True)
File "/usr/local/lib/python2.7/dist-packages/docker/utils/decorators.py", line 47, in inner
return f(self, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/docker/client.py", line 120, in _get
return self.get(url, **self._set_request_timeout(kwargs))
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 487, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 479, in send
raise ReadTimeout(e, request=request)
ReadTimeout: UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
Exception TypeError: "'NoneType' object is not iterable" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x7f7915338c50>> ignored
ERROR failed to run analyzer: Could not load/initialize all input images.
Image: sha256:e07b99ee7733d7a6f669cde12c677ea36fbd2490adf3ef3ac59e53c2e9e018e4
Info: UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
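The retry logic this issue asks for, as an added example (not anchore's code): a bounded exponential-backoff wrapper around the `get_image(...).data` call seen in the traceback, which retries only on read timeouts, re-raises the last failure so the scan still fails closed, and writes the tarball atomically. The names `call_with_retry`, `export_image` and `BusyDockerClient`, the local `ReadTimeout` class and the attempt and delay values are assumptions made for illustration.

```python
import os
import tempfile
import time


class ReadTimeout(Exception):
    """Stand-in for requests.exceptions.ReadTimeout so the example runs offline."""


def call_with_retry(func, retry_on, attempts=4, base_delay=1.0, max_delay=30.0,
                    sleep=time.sleep):
    """Call func(); retry only on the exception types listed in retry_on.

    The wait doubles after each failure (base_delay, 2x, 4x, ...) and is capped
    at max_delay. The final failure is re-raised, so a docker daemon that never
    recovers still produces a hard error instead of a silently skipped image.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    for attempt in range(1, attempts + 1):
        try:
            return func()
        except retry_on:
            if attempt == attempts:
                raise
            sleep(min(max_delay, base_delay * 2 ** (attempt - 1)))


def export_image(client, image_id, dest_path, retry_on=(ReadTimeout,), **retry_kwargs):
    """Fetch the image tarball with retries and write it atomically.

    The bytes go to a temporary file in the destination directory and are
    renamed into place only after a complete write, so a timeout or crash
    never leaves a truncated tarball where the analyzer expects a full one.
    """
    data = call_with_retry(lambda: client.get_image(image_id).data,
                           retry_on, **retry_kwargs)
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".partial")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp_path, dest_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return len(data)


class FakeResponse:
    """Constructed response object exposing .data like the call in the traceback."""

    def __init__(self, data):
        self.data = data


class BusyDockerClient:
    """Constructed fake client: get_image() times out `failures` times, then succeeds."""

    def __init__(self, failures, payload=b"constructed-image-tarball"):
        self.failures = failures
        self.payload = payload
        self.calls = 0

    def get_image(self, image_id):
        self.calls += 1
        if self.calls <= self.failures:
            raise ReadTimeout("Read timed out. (read timeout=60)")
        return FakeResponse(self.payload)


def demo():
    """Run one export against a client that is busy for the first two calls."""
    delays = []  # record the waits instead of actually sleeping
    workdir = tempfile.mkdtemp()
    dest = os.path.join(workdir, "image.tar")
    client = BusyDockerClient(failures=2)
    size = export_image(client, "constructed-image-id", dest, sleep=delays.append)
    return size, client.calls, delays


if __name__ == "__main__":
    size, calls, delays = demo()
    print("wrote %d bytes after %d calls, waits: %s" % (size, calls, delays))
```

With a real docker client, pass `retry_on=(requests.exceptions.ReadTimeout,)` in place of the stand-in class.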
Currently RHEL CVE feeds are not being used, so scanning RHEL/Scientific linux results in "cannot perform CVE scan: no CVE data is currently available for the detected base distro type (redhat:6,redhat:6.9)"
Any plans to sync redhat distro CVE feeds?
I'm having a hard time finding out what's changed in version 1.0.2 or 1.0.3
Hi!
Any of my containers that use another one of my containers as a base image isn't being analyzed. It also breaks anchore query cve-scan all query for the same reason.
As a work-around, I think I could just delete all containers where the distro is unknown, but is it possible that those containers have vulnerabilities that I might miss?
Many Thanks,
Bryan
We're seeing several false positives with up to date debian jessie images.
I've constructed a simple example at https://github.com/rmoriz/anchore-false-positive to reproduce.
test.sh will:
- build a docker image based on the latest debian:jessie and install libgnutls-deb0-28 (package libgnutls-deb0-28:amd64 3.3.8-6+deb8u7 gets installed)
- set up anchore and do the test.
However, docker exec anchore anchore query --image false-positive cve-scan all returns several HIGH issues regarding that package:
| CVE-2017-5337 | High | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb(false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5337 |
| CVE-2017-5336 | High | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb(false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5336 |
| CVE-2017-5335 | Medium | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb(false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5335 |
| CVE-2017-5334 | High | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb(false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5334 |
Debian Security Tracker claims that version "3.3.8-6+deb8u7" is fixed for all issues:
like so - useful for quick mapping of tags/ids as well as see the distro that the image is based on
[root@tele ~]# anchore toolbox --image nginx show
IMAGEID='0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d'
REPOTAGS='nginx:latest'
DISTRO='debian'
DISTROVERS='8'
SHORTID='0d409d33b27e'
PARENTID=''
BASEID='0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d'
When running analysis on a host using OverlayFS storage driver the tar command may produce the following error:
"directory renamed before status could be extracted"
other log entries may include
"tar: Exiting with failure status due to previous errors
ERROR Error: Untar of unpacked image layer failed.
ERROR Command: tar -C "
This is a result of a currently unfixed issue with the OverlayFS driver in Docker.
The upstream issue is: moby/moby#19647
Until the upstream docker/moby project fixes the driver you should use another driver such as AUFS.
Default allowed port is 22 in the dockerfile check, when in fact it should be the opposite
Currently, anchore tool cleans up all working dir (tmpdir) artifacts upon failure - suggest leaving the artifacts if --debug is passed to the CLI for debugging purposes
Hello, I recently used the Anchore service and the Anchore REST API to check image vulnerabilities.
The first time, I ran Anchore using docker-compose on public GCE and it worked well.
Then I copied the 'db' directory to my local PC in order to re-test in my local offline environment.
But this time, Anchore did not work properly. I could get the manifest / digest value through the API, but the image was not analyzed.
[
  {
    "analysis_status": "not_analyzed",
    "analyzed_at": null,
    "annotations": {},
    "created_at": "2018-07-03T04:33:57Z",
    "imageDigest": "sha256:a08ed346dfbb55cf7819dbe60f574f19fe387f2e7486cdc2073f1272d1344ec9",
    "image_content": {
      "metadata": {
        "arch": null,
        "distro": null,
        "distro_version": null,
        "dockerfile_mode": null,
        "image_size": null,
        "layer_count": null
      }
    },
    ...
I would like to test the Anchore service in an offline environment.
In this case, what else do I need to do in addition to moving the db directory?
anchore does not take packages status into account while listing packages (see
). This leads to false positives when a package is marked as rc (i.e. removed). I would suggest that you also retrieve the ${Status} variable and filter out packages marked as "deinstall".
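The status filter suggested above, as an added example (not anchore's own code). It goes one step beyond the post by keying on the third word of ${Status} (the package state), so a package marked "deinstall" whose files are still unpacked stays in the scan; the sample listing is constructed and the function names are hypothetical.

```python
# Added example (not anchore code): decide which dpkg records describe
# software that is actually on disk, using the ${Status} field.

# Constructed sample of the output of
#   dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
# Package names and versions are made up for illustration.
SAMPLE_DPKG_OUTPUT = """\
bash\t4.3-11\tinstall ok installed
libfoo1\t1.2.3-4\tdeinstall ok config-files
libbar2\t0.9-1\tpurge ok not-installed
curl\t7.38.0-4\thold ok installed
vim\t2:7.4-7\tinstall ok half-installed
oldtool\t3.1-2\tdeinstall ok installed
"""

# ${Status} is three words: <want> <error-flag> <state>.
# "rc" in `dpkg -l` corresponds to "deinstall ok config-files": only the
# conffiles remain, so there is no binary left to be vulnerable.
ON_DISK_STATES = {
    "installed",
    "unpacked",
    "half-configured",
    "half-installed",
    "triggers-awaited",
    "triggers-pending",
}


def parse_dpkg_status(text):
    """Parse tab-separated 'name, version, status' lines into dicts."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 tab-separated fields" % lineno)
        name, version, status = parts
        words = status.split()
        if len(words) != 3:
            raise ValueError("line %d: malformed status %r" % (lineno, status))
        want, flag, state = words
        records.append({"name": name, "version": version,
                        "want": want, "flag": flag, "state": state})
    return records


def split_for_cve_scan(records):
    """Return (scan, skip): name -> version maps for on-disk and removed packages."""
    scan, skip = {}, {}
    for rec in records:
        target = scan if rec["state"] in ON_DISK_STATES else skip
        target[rec["name"]] = rec["version"]
    return scan, skip


if __name__ == "__main__":
    scan, skip = split_for_cve_scan(parse_dpkg_status(SAMPLE_DPKG_OUTPUT))
    print("match against CVE feed:", sorted(scan))
    print("excluded (no files on disk):", sorted(skip))
```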
Enable tab completion on the set of queries currently available. Will require writing a wrapper for click around each script in the queries directory and wiring it up at command time for --help output.
anchore explore query --help Should also output the set of queries available.
How to scan Docker images and containers, using Docker REST APIs, using anchore?
Docker version :- 1.12.6
Thanks
Asura
Wouldn't it make sense for a container security tool to actually have a container image that we can run the tool from instead of requiring to actually install it on a specific Linux OS?
At least from what the README shows, it's all manual installation.
Sample output from --plain scan
CVE-2013-1667 Medium 1 perl-5.14.2-13 perl-5.14.2-13ubuntu0.2 3e314f95dcac(docker.io/ubuntu:quantal) None
It would simplify scripting if we added a space between 3e314f95dcac AND (docker.io/ubuntu:quantal)
Hi,
I added anchore in our Jenkins pipelines for quite a while, but since today I get this strange error
INFO AnchoreWorker Jenkins version: 2.93
INFO AnchoreWorker Anchore Container Image Scanner Plugin version: 1.0.12
INFO AnchoreWorker [global] enabled: true
INFO AnchoreWorker [global] enginemode: anchorelocal
INFO AnchoreWorker [global] engineurl: null
INFO AnchoreWorker [global] engineuser: null
INFO AnchoreWorker [global] enginepass: ****
INFO AnchoreWorker [global] engineverify: false
INFO AnchoreWorker [global] debug: false
INFO AnchoreWorker [global] useSudo: false
INFO AnchoreWorker [global] containerImageId: anchore/jenkins:latest
INFO AnchoreWorker [global] containerId: jenkins_anchore
INFO AnchoreWorker [global] localVol: /data/jenkins/anchore/data
INFO AnchoreWorker [global] modulesVol:
INFO AnchoreWorker [build] name: anchore_images
INFO AnchoreWorker [build] policyName: jenkins/anchore/anchore_policy
INFO AnchoreWorker [build] globalWhiteList: anchore_global_whitelist
INFO AnchoreWorker [build] anchoreioUser:
INFO AnchoreWorker [build] anchoreioPass: ****
INFO AnchoreWorker [build] userScripts: anchore_user_scripts
INFO AnchoreWorker [build] engineRetries: 300
INFO AnchoreWorker [build] bailOnFail: false
INFO AnchoreWorker [build] bailOnWarn: false
INFO AnchoreWorker [build] bailOnPluginFail: false
INFO AnchoreWorker [build] doCleanup: false
INFO AnchoreWorker [build] useCachedBundle: true
INFO AnchoreWorker [build] policyEvalMethod: plainfile
INFO AnchoreWorker [build] bundleFileOverride: anchore_policy_bundle.json
INFO AnchoreWorker [build] query: list-packages all
INFO AnchoreWorker [build] query: list-files all
INFO AnchoreWorker [build] query: cve-scan all
INFO AnchoreWorker [build] query: show-pkg-diffs base
$ docker start jenkins_anchore
Error response from daemon: No such container: jenkins_anchore
Error: failed to start containers: jenkins_anchore
$ docker inspect anchore/jenkins:latest
INFO AnchoreWorker Launching Anchore container jenkins_anchore from image anchore/jenkins:latest
$ docker run -d -v /var/run/docker.sock:/var/run/docker.sock -v /data/jenkins/anchore/data:/root/.anchore --name jenkins_anchore anchore/jenkins:latest
$ docker exec jenkins_anchore mkdir -p /root/anchore.feature/WEB-3093_10
$ docker cp /data/jenkins/workspace/app_feature_WEB-3093/Dockerfile.prod jenkins_anchore:/root/anchore.feature/WEB-3093_10/dfile.1
$ docker cp /data/jenkins/workspace/app_feature_WEB-3093/AnchoreReport.feature/WEB-3093_10/staged_images.feature/WEB-3093_10 jenkins_anchore:/root/anchore.feature/WEB-3093_10/images
INFO AnchoreWorker Bundle file either not specified or does not exist, using default Anchore policy
$ docker cp /data/jenkins/workspace/app_feature_WEB-3093/jenkins/anchore/anchore_policy jenkins_anchore:/root/anchore.feature/WEB-3093_10/policy
INFO AnchoreWorker Global whitelist file either not specified or does not exist, using default Anchore global whitelist
INFO AnchoreWorker Running Anchore Analyzer
$ docker exec jenkins_anchore anchore analyze --skipgates --imagefile /root/anchore.feature/WEB-3093_10/images
3f9ba64c4f25: analyzing ...
3f9ba64c4f25: analyzed.
99b5f7513629: analyzing ...
99b5f7513629: analyzed.
INFO AnchoreWorker Running Anchore Gates
$ docker exec jenkins_anchore anchore --json gate --imagefile /root/anchore.feature/WEB-3093_10/images --show-triggerids --show-whitelisted --policy /root/anchore.feature/WEB-3093_10/policy
99b5f75136297a93285bc8220cc021db814fe919ce50e6f1b7c7c305897a8e17: evaluating policies...
ERROR FAILED
ERROR CMD: /usr/lib/python2.7/site-packages/anchore/anchore-modules/gates/11_check_image.py /root/.anchore/querytmp/queryimages.13485700 /root/.anchore/data /root/.anchore/querytmp all
ERROR EXITCODE: 1
ERROR OUTPUT:
ERROR failed to run gates: one or more gates failed to execute
2017-12-07T10:18:33.922 ERROR AnchoreWorker Gate output file not found or empty: /data/jenkins/workspace/app_feature_WEB-3093/AnchoreReport.feature/WEB-3093_10/anchore_gates.json
2017-12-07T10:18:33.922 WARN AnchorePlugin Marking Anchore Container Image Scanner build step as successful despite errors in plugin execution
$ docker exec jenkins_anchore rm -rf /root/anchore.feature/WEB-3093_10
2017-12-07T10:18:34.066 INFO AnchorePlugin Completed Anchore Container Image Scanner build step
The dockerfile check gate looks for dockerfiles with no "from"; however, the use of "from scratch" has the same effect. We should consider adding this check to the 'no from' check or adding a specific check.
I found an issue in my local environment;
it would be great if someone could help.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 0458a4468cbc 2 months ago 112MB
anchore-cli latest ed50bcd9815c 5 hours ago 859MB
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1b65f2961cf4 anchore-cli:latest "tail -F /var/log/an…" 10 minutes ago Up 10 minutes anchore
$ anchore feeds list
Available:
packages:
description: Feed record for type packages
Subscribed:
nvd:
description: Feed record for type nvd
vulnerabilities:
description: Feed record for type vulnerabilities
$ anchore analyze --image ubuntu:latest --imagetype base
ERROR could not load any images: Input image name 'ubuntu:latest' not found in local dockerhost or anchore DB.
Hi,
I have set up anchore-engine using docker-compose but I am not able to analyze any image.
Docker-compose ps
Name                        Command                          State   Ports
aevolume_anchore-db_1       docker-entrypoint.sh postgres    Up      5432/tcp
aevolume_anchore-engine_1   /bin/sh -c /usr/bin/anchor ...   Up      0.0.0.0:8083->8083/tcp, 0.0.0.0:8084->8084/tcp, 0.0.0.0:8087->8087/tcp, 0.0.0.0:8228->8228/tcp, 0.0.0.0:8338->8338/tcp
When I add the image it always returns status as not_analyzed.
anchore-cli image add registry.gitlab.com/its_vedu/nginx-docker:latest
Image Digest: sha256:21a54b24b692dd1b7e7acc623ade182b649a12cbc63eb090abc801d5556c58d4
Analysis Status: not_analyzed
Image Type: docker
Image ID: de278a11a415411431f9ca81a14ca2a6250a7cf03576c09236b0d6d37a8c587f
Dockerfile Mode: None
Distro: None
Distro Version: None
Size: None
Architecture: None
Layer Count: None
Full Tag: registry.gitlab.com/its_vedu/nginx-docker:latest
I came to know that if the image is queued it goes to the not_analyzed state, and hence managed to get some logs.
anchore-engine_1 | [service:simplequeue] 2018-07-25 23:09:00+0000 [-] "172.18.0.3" - - [25/Jul/2018:23:09:00 +0000] "POST /v1/queues/watcher_tasks/is_inqueue HTTP/1.1" 200 3 "-" "python-requests/2.17.3"
anchore-engine_1 | [service:simplequeue] 2018-07-25 23:09:00+0000 [-] "172.18.0.3" - - [25/Jul/2018:23:09:00 +0000] "POST /v1/queues/watcher_tasks/?qcount=0&forcefirst=False HTTP/1.1" 200 5 "-" "python-requests/2.17.3"
anchore-engine_1 | [service:simplequeue] 2018-07-25 23:09:28+0000 [-] "172.18.0.3" - - [25/Jul/2018:23:09:28 +0000] "GET /v1/leases/analyzer_queue/release/?client_id=d1ea844bb62d:17:140187329885952:&epoch=2302[service:policy_engine] 2018-07-25 23:09:29+0000 [-] [bootstrap] [INFO] Registration complete.
anchore-engine_1 | [service:policy_engine] 2018-07-25 23:09:29+0000 [-] [bootstrap] [INFO] Checking feeds client credentials
anchore-engine_1 | Traceback (most recent call last):
anchore-engine_1 | File "/usr/lib/python2.7/site-packages/anchore_manager/cli/service.py", line 140, in startup_service
anchore-engine_1 | raise Exception("process exited: " + str(rc))
anchore-engine_1 | Exception: process exited: 1
anchore-engine_1 | [anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] service process exited at (Wed Jul 25 23:09:30 2018): process exited: 1
anchore-engine_1 | [anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] exiting service thread
Any help is greatly appreciated.
Thanks,
VedaPrasad
I apologize in advance if this is already available, but is there a way to view everything you analyzed? I've automated the analysis process, but just realized I couldn't find the command to view all the containers that Anchore has analyzed.
Hello, I have installed Anchore Scanner on my own centos7 host, all other commands are ok except the command "anchore feeds list/sync". It raised errors as follows:
$ anchore feeds list
| ERROR could not sync feed metadata from service: cannot get list of feeds from service
| Message from server: "connection timed out: increase anchore_auth_conn_timeout higher or try again"
Then I try to debug the code:
headers = {'x-anchore-password': password}
try:
    import pdb;pdb.set_trace()
    r = requests.get(url, headers=headers, timeout=conn_timeout)
except:
    # print "request timed out"
    ret['text'] = json.dumps("connection timed out: increase anchore_auth_conn_timeout higher or try again")
    return (False, ret)
Then it raises the true error as follows:
$ anchore feeds list
| ERROR could not sync feed metadata from service: cannot get list of feeds from service
| Message from server: server error: HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/[email protected] (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))
I use all default config so I cannot figure out this problem, so I need the team's help, thanks!
I wonder if the user/pwd provided in code ([email protected]/pbiU2RYZ2XrmYQ) is expired?
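The bare except in the snippet above reports every failure as a timeout, which hid the certificate verification error. The following added example (not anchore's code) separates the cases so the message names the real cause; it uses the standard library's urllib in place of requests, and the function names and the example.invalid URL are assumptions.

```python
# Added example (not anchore code): report TLS verification failures and
# timeouts separately instead of collapsing them in a bare `except:`.
import json
import socket
import ssl
import urllib.error
import urllib.request

TIMEOUT_MSG = ("connection timed out: increase anchore_auth_conn_timeout "
               "higher or try again")


def classify(exc):
    """Map an exception to (kind, message) without losing the root cause."""
    # urllib wraps connect-time failures in URLError; the cause is in .reason.
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, BaseException):
        exc = exc.reason
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls_verify", "TLS certificate verification failed: %s" % exc
    if isinstance(exc, ssl.SSLError):
        return "tls", "TLS error: %s" % exc
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout", TIMEOUT_MSG
    return "error", "server error: %s" % exc


def default_fetch(url, timeout):
    """Fetch over HTTPS with certificate verification left enabled."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_feed_list(url, timeout, fetch=default_fetch):
    """Return (ok, ret) in the same shape as the snippet in the post."""
    ret = {"kind": None, "text": ""}
    try:
        ret["text"] = fetch(url, timeout)
        return True, ret
    except Exception as exc:  # classified below, never reported as a guess
        kind, message = classify(exc)
        ret["kind"] = kind
        ret["text"] = json.dumps(message)
        return False, ret


def raising_fetch(exc):
    """Test double: a fetch function that always raises `exc`."""
    def fetch(url, timeout):
        raise exc
    return fetch


if __name__ == "__main__":
    url = "https://feeds.example.invalid/v1/feeds"  # placeholder URL
    cases = [
        socket.timeout("timed out"),
        ssl.SSLCertVerificationError(1, "certificate verify failed"),
        urllib.error.URLError(ssl.SSLCertVerificationError(1, "certificate verify failed")),
    ]
    for exc in cases:
        ok, ret = fetch_feed_list(url, 5, fetch=raising_fetch(exc))
        print(ok, ret["kind"], ret["text"])
```

A verification failure reported under its own kind points the operator at the host's CA bundle or clock rather than at the timeout setting.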
It seems to be a flip of the coin for successfully downloading debian group data when running 'feeds sync'. Any particular reason why? If the issue is upstream, could we maybe include a retry if a failure occurred?
Since I'm planning to periodically build an anchore container image so that it has fresh CVE data instead of running a 'feed sync' before each scan, this could lead to an image not containing any CVE data for debian.
Sample Output:
syncing group data: debian:unstable: ...
WARN: failed to download feed/group data (vulnerabilities/debian:unstable): check --debug output and/or try again
syncing group data: ubuntu:16.04: ...
syncing group data: centos:6: ...
syncing group data: centos:7: ...
syncing group data: centos:5: ...
syncing group data: ubuntu:14.10: ...
syncing group data: ubuntu:15.04: ...
syncing group data: debian:9: ...
WARN: failed to download feed/group data (vulnerabilities/debian:9): check --debug output and/or try again
syncing group data: debian:8: ...
WARN: failed to download feed/group data (vulnerabilities/debian:8): check --debug output and/or try again
syncing group data: ubuntu:12.04: ...
syncing group data: debian:7: ...
WARN: failed to download feed/group data (vulnerabilities/debian:7): check --debug output and/or try again
The documentation says there is support for jenkins integration, is there some example how this works or a blog post ?
Hi !
When using Anchore docker container to scan a specific image, it is useless to sync all OS group data.
I didn't find any option to filter the group data I need to sync.
Is there such an option ? If not wouldn't it be nice to have it ?
Thanks !
Hi,
do you have any plans to add the new version of alpine to your supported distro list?
Would be great :)
I'm noticing some false positives when performing CVE scanning on an alpine image
In the screenshot above you can see that CVE-2016-4074 is reported against jq-1.5-r1, I was able to find the following db - https://github.com/eedevops/alpine-cve-db/blob/master/alpine-linux-package-cve-db.json that shows that jq-1.5-r0 was vulnerable. I'm also not seeing this CVE reported in the alpine sec-db: https://git.alpinelinux.org/cgit/alpine-secdb/tree/v3.4
Additionally, it is also reporting CVE-2015-3717 which is not listed in any of the alpine secdbs. Is the CVE scanning also including data from non-alpine cve feeds?
Go to https://anchore.io/image/dockerhub/anchore%2Fcli%3Alatest and click on 'Copy badge links'. You will see options to copy markdown or html. Either choice provides the image badge that links to https://anchore.io instead of the intended url for this container image.
Here are the markdown results:
[![Anchore Image Overview](https://anchore.io/service/badges/image/64e95dd583882673b5ea2957bbff88e308c7c95a3bf26c0c88c7014d92281dae)](https://anchore.io)
Here are the html results:
<a style="margin:0;padding:0;text-decoration-none;color:transparent;" href="https://anchore.io" target="_blank" ><img src="https://anchore.io/service/badges/image/64e95dd583882673b5ea2957bbff88e308c7c95a3bf26c0c88c7014d92281dae" /></a>
Some operations support 'repo' or 'repo:tag' style or 12 character hex ID style, but some do not (queries for example). Best if the CLI supported a general lookup for any input style wherever an 'image' is an input parameter.
Currently, only 'base' is supported well as a parameter to pass to show-*-diffs queries. A useful feature would be to add the ability to compare the input image(s) to any other image.
the filelist analyzer uses awk to extract file names and permissions
tar tvf $UNPACKDIR/squashed.tar | awk '{print $6, $1}' | sort -k 1 | uniq > $OUTPUTDIR/files.all
In cases where a filename contains spaces, only the first part of the filename, preceding the space, will be retrieved.
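The truncation described above, reproduced as an added example (not the analyzer's code): the awk field split is mimicked on a `tar tvf`-style line and compared with reading names and modes from the tar headers via Python's tarfile. The member list is constructed, the listing layout is simplified, and the function names are hypothetical.

```python
# Added example (not anchore code): why `awk '{print $6, $1}'` on `tar tvf`
# output mislabels files whose names contain spaces, and a header-based listing.
import io
import stat
import tarfile

# Constructed sample members (path, mode); not taken from a real image.
SAMPLE_MEMBERS = [
    ("usr/bin/passwd", 0o4755),
    ("opt/my", 0o600),
    ("opt/my app/run me.sh", 0o755),
]


def build_sample_tar():
    """Build a small tar archive in memory from SAMPLE_MEMBERS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.uname = info.gname = "root"
            data = b"x"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def perm_string(member):
    """ls-style permission string; only dirs, symlinks and files are typed."""
    if member.isdir():
        kind = "d"
    elif member.issym():
        kind = "l"
    else:
        kind = "-"
    # TarInfo.mode carries permission bits only, so drop filemode()'s type char.
    return kind + stat.filemode(member.mode)[1:]


def tvf_lines(tar_bytes):
    """Render members in the column layout of `tar tvf` (simplified, fixed date)."""
    lines = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            lines.append("%s %s/%s %9d 2017-01-01 00:00 %s"
                         % (perm_string(m), m.uname, m.gname, m.size, m.name))
    return lines


def awk_style_listing(lines):
    """Mimic: awk '{print $6, $1}' | sort -k 1 | uniq"""
    out = set()
    for line in lines:
        fields = line.split()  # whitespace split, like awk's default FS
        out.add("%s %s" % (fields[5], fields[0]))
    return sorted(out)


def member_listing(tar_bytes):
    """Names and permissions taken from the tar headers, spaces preserved."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return sorted((m.name, perm_string(m)) for m in tar.getmembers())


if __name__ == "__main__":
    data = build_sample_tar()
    print("awk-style:", awk_style_listing(tvf_lines(data)))
    print("from headers:", member_listing(data))
```

In the awk-style result the script under "opt/my app/" is recorded as a second, executable "opt/my", so permission checks built on files.all would be evaluated against the wrong path.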
When using a filter value in 'anchore subscription show' the result component for 'current subscriptions' is empty when it should contain results that match the filter.
root@ubuntu:/# anchore subscriptions show node
Available:
- node
Current Subscription: []
root@ubuntu:/# anchore subscriptions show
Available:
- mongo
- redis
- node
- debian
- elasticsearch
- centos
- nginx
- ubuntu
- postgres
- mysql
- busybox
Current Subscription:
- redis:latest
- node:latest
- ubuntu:latest
- centos:latest
- mongo:latest
Would be good for anchore to include a tool for listing together all the names a particular container image has that is referencable by the tool (repo, repo:tag, short ID, digest, long ID)
suggest for example
# anchore toolbox list-images
<list of repo:tags> <shortId> <longId> <digest> <list of all past repo:tags> <location> <is-analyzed> <imagetype>
...
...
'location' could initially be one or more of: in-docker, in-anchore
Hi,
I am evaluating the plugin to be using as part of CI pipeline on Jenkins.
However the Anchore analysis's failing with the following error:
$ docker exec jenkins_anchore anchore analyze --skipgates --imagefile /root/anchore.TestAnchoreAnalysis_6/images
Error setting up/reading Anchore configuration
Info: [Errno 13] Permission denied: '/root/.anchore/conf'
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore/cli/__init__.py", line 150, in main_entry
anchore_conf = AnchoreConfiguration(cliargs=args)
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 83, in __init__
self.config_dir, self.config_file = self.find_config_file()
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 172, in find_config_file
os.makedirs(self.DEFAULT_CONFIG_DIR)
File "/usr/lib64/python2.7/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/root/.anchore/conf'
Expected, but did not find configuration file at /root/.anchore/conf/config.yaml
2017-11-01T14:13:42.024 ERROR AnchoreWorker Anchore analyzer failed with return code 1, check output above for details
2017-11-01T14:13:42.024 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin build step due to errors in plugin execution
hudson.AbortException: Anchore analyzer failed, check output above for details
at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzerLocal(BuildWorker.java:295)
at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzer(BuildWorker.java:175)
at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:233)
at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
at hudson.security.ACL.impersonate(ACL.java:260)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
$ docker exec jenkins_anchore rm -rf /root/anchore.TestAnchoreAnalysis_6
$ docker exec jenkins_anchore anchore toolbox --image experiencedevops/customerservice:6-d27f03d delete --dontask
Error setting up/reading Anchore configuration
Info: [Errno 13] Permission denied: '/root/.anchore/conf'
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore/cli/__init__.py", line 150, in main_entry
anchore_conf = AnchoreConfiguration(cliargs=args)
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 83, in __init__
self.config_dir, self.config_file = self.find_config_file()
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 172, in find_config_file
os.makedirs(self.DEFAULT_CONFIG_DIR)
File "/usr/lib64/python2.7/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/root/.anchore/conf'
Expected, but did not find configuration file at /root/.anchore/conf/config.yaml
2017-11-01T14:13:42.527 WARN AnchoreWorker Failed to delete analytics for experiencedevops/customerservice:6-d27f03d from Anchore database, process returned 1
Can you please help.
Followed the config as provided in the project.
Thanks in advance
Milind
Due to duplicate CVE records in the data feed, anchore CLI versions < 1.1.1 may incorrectly merge new CVE data with old CVE data, leading to the resulting output for anchore cve-scan, cve-scan simple, and anchoresec gates containing duplicate entries for CVEs with multiple records in the stored data feed.
To ensure the latest and most accurate CVE reporting, users should upgrade to anchore >= 1.1.1, which supports unique CVE record checking from the anchore vulnerability data feed service, regardless of whether duplicates exist from previous anchore feed syncs locally.
Hi, I recently installed anchore engine using docker-compose and the python command line client.
Reading through the documentation, I discovered another command pattern aside from anchore-cli ... . There are instructions using anchore ..., e.g. anchore analyze --image 96eecaf1019a --imagetype none.
Trying the command results in an error:
WARNING:root:could not open file '/etc/apt/sources.list'
anchore: command not found
Please, are these different? Also, it seems the latter command is richer?
Will be glad to get more clarity. Thanks.