
anchore / anchore

This project is deprecated. Work is now done on https://github.com/anchore/syft and https://github.com/anchore/grype for local-host Software Bill of Materials and vulnerability scanning tools.

License: Apache License 2.0

Python 94.49% Shell 1.44% Roff 4.07%
containers docker security python

anchore's Introduction

This repository is deprecated and no longer maintained.

If you're looking for a host-local container vulnerability scanner see our new projects:

Software Bill of Materials for Containers: Syft

Container Vulnerability Scanning: Grype

anchore's People

Contributors

acathrow, holt, nanobeep, nomisbeme, nurmi, tgerla, wurstbrot, zhill


anchore's Issues

output of 'anchore feeds sync' to go to stdout not stderr

I'm using v1.1.1 and the feeds synchronization activity output goes to stderr:

[root@hostname ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: centos:6: ...
syncing group data: debian:unstable: ...
syncing group data: ubuntu:16.10: ...
syncing group data: centos:7: ...
syncing group data: ubuntu:15.10: ...
syncing group data: ubuntu:16.04: ...
syncing group data: ubuntu:15.04: ...
syncing group data: debian:9: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:12.04: ...
syncing group data: centos:5: ...
syncing group data: alpine:3.4: ...
syncing group data: debian:8: ...
syncing group data: alpine:3.3: ...
syncing group data: ubuntu:14.04: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ubuntu:14.10: ...
syncing group data: debian:7: ...
syncing group data: alpine:3.5: ...
skipping data sync for unsubscribed feed (packages) ...
[root@hostname ~]# anchore feeds sync 2>/dev/null
[root@hostname ~]#
[root@hostname ~]# anchore feeds sync 1>/dev/null
syncing data for subscribed feed (vulnerabilities) ...
skipping group data: centos:6: already synced
skipping group data: debian:unstable: already synced
skipping group data: ubuntu:16.10: already synced
skipping group data: centos:7: already synced
skipping group data: ubuntu:15.10: already synced
skipping group data: ubuntu:16.04: already synced
skipping group data: ubuntu:15.04: already synced
skipping group data: debian:9: already synced
skipping group data: ubuntu:12.10: already synced
skipping group data: ubuntu:12.04: already synced
skipping group data: centos:5: already synced
skipping group data: alpine:3.4: already synced
skipping group data: debian:8: already synced
skipping group data: alpine:3.3: already synced
skipping group data: ubuntu:14.04: already synced
skipping group data: ubuntu:13.04: already synced
skipping group data: ubuntu:14.10: already synced
skipping group data: debian:7: already synced
skipping group data: alpine:3.5: already synced
skipping data sync for unsubscribed feed (packages) ...

For cron activities it would be more beneficial to send only real errors to stderr. This is more of an Enhancement than a Bug.

Old and unexpected versions of supported distros can cause analysis

Failures to extract package information or other distro-specific analysis should result in UNSUPPORTED_DISTRO triggers for policy rather than analysis failure. At minimum, the distro detector can place a lower bound on the version supported for each distro within reasonable bounds. e.g. debian 6+, centos 5+, etc.

Error trace from a specific dpkg failure:
Example: debian/eol:woody

[root@1254cba0cb9d ~]# anchore analyze --image debian/eol:woody
Analyzing image: debian/eol:woody
7136fd1ad6a3: analyzing ...
ERROR analyzer status: failed
ERROR analyzer exitcode: 1
ERROR analyzer output: dpkg-query: warning: parsing file '/root/.anchore/anchoretmp/4562356.anchoretmp/rootfs/var/lib/dpkg/status' near line 15 package 'telnet':
missing architecture
dpkg-query: warning: parsing file '/root/.anchore/anchoretmp/4562356.anchoretmp/rootfs/var/lib/dpkg/status' near line 28 package 'mbr':
missing architecture
dpkg-query: warning: parsing file '/root/.anchore/anchoretmp/4562356.anchoretmp/rootfs/var/lib/dpkg/status' near line 48 package 'libwrap0':
missing architecture
... (those 4 lines repeated for all packages in the image)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/11_package_detail_list.py", line 136, in <module>
pkglist[p] = json.dumps(pkgs[p])
File "/usr/lib64/python2.7/json/__init__.py", line 243, in dumps
return _default_encoder.encode(obj)
File "/usr/lib64/python2.7/json/encoder.py", line 207, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/usr/lib64/python2.7/json/encoder.py", line 270, in iterencode
return _iterencode(o, 0)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xe1 in position 5: invalid continuation byte

ERROR analyzer failed to run on image 7136fd1ad6a3491ab0ba8b626b186c63320765b8c8ce273015e31d608bd4eac3, skipping the rest
ERROR analyzers failed to run on one or more images.
ERROR analysis failed.
ERROR analysis failed for one or more images.
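A sketch of the behaviour this issue asks for, added here as an illustration and not taken from the anchore code base: a lower-bound check on the detected distro version, plus a dpkg status parser that tolerates the two conditions in the trace above (missing architecture and non-UTF-8 bytes such as 0xe1). It is written for Python 3; the function names, the result layout and the sample status bytes are assumptions, and only the `debian 6+` and `centos 5+` bounds come from the issue text.

```python
import json

# Lower bounds per distro. debian 6+ and centos 5+ are the examples given in
# the issue text; a real table would cover every distro the feeds carry.
MIN_SUPPORTED = {"debian": (6,), "centos": (5,)}

# Constructed sample: two stanzas without an Architecture field, one of them
# carrying a Latin-1 byte (0xe1) like the one in the trace above.
SAMPLE_STATUS = (
    b"Package: telnet\nStatus: install ok installed\n"
    b"Maintainer: Jos\xe1 Example <jose@example.invalid>\nVersion: 0.17-18\n"
    b"Description: The telnet client.\n Long text continues here.\n"
    b"\n"
    b"Package: mbr\nStatus: install ok installed\nVersion: 1.1.5-1\n"
)


def version_tuple(version):
    """'3.0' -> (3, 0). Stops at the first non-numeric part ('unstable' -> ())."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def distro_trigger(distro, version):
    """Return an UNSUPPORTED_DISTRO trigger dict, or None if analysis may proceed."""
    floor = MIN_SUPPORTED.get(distro)
    if floor is None:
        return {"trigger": "UNSUPPORTED_DISTRO",
                "detail": "no package analysis for distro %s" % distro}
    parsed = version_tuple(version)
    if parsed and parsed < floor:
        return {"trigger": "UNSUPPORTED_DISTRO",
                "detail": "%s:%s is older than the supported minimum %s"
                          % (distro, version, ".".join(map(str, floor)))}
    return None


def decode_field(raw):
    """Decode as UTF-8, falling back to Latin-1 for old status files."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # cannot fail: every byte maps to a code point


def parse_dpkg_status(raw):
    """Parse dpkg status bytes into {package: {field: value}}.

    Raises ValueError on lines that are not 'Field: value' or a continuation.
    """
    packages = {}
    for stanza in raw.split(b"\n\n"):
        fields, last = {}, None
        for line in stanza.split(b"\n"):
            if not line.strip():
                continue
            if line[:1] in (b" ", b"\t"):  # continuation of the previous field
                if last is None:
                    raise ValueError("continuation line before any field")
                fields[last] += "\n" + decode_field(line.strip())
                continue
            key, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("line without 'Field: value' form")
            last = decode_field(key.strip())
            fields[last] = decode_field(value.strip())
        if "Package" in fields:
            fields.setdefault("Architecture", "unknown")  # absent in very old images
            packages[fields["Package"]] = fields
    return packages


def analyze_packages(distro, version, status_bytes):
    """Return triggers and JSON-encoded package records; never raise on bad input."""
    trigger = distro_trigger(distro, version)
    if trigger is None:
        try:
            pkgs = parse_dpkg_status(status_bytes)
            return {"triggers": [],
                    "packages": {n: json.dumps(f, sort_keys=True)
                                 for n, f in pkgs.items()}}
        except ValueError as err:
            trigger = {"trigger": "UNSUPPORTED_DISTRO",
                       "detail": "package data unreadable: %s" % err}
    return {"triggers": [trigger], "packages": {}}


if __name__ == "__main__":
    print(analyze_packages("debian", "3.0", SAMPLE_STATUS)["triggers"])
    print(sorted(analyze_packages("debian", "8", SAMPLE_STATUS)["packages"]))
```
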

Repo names are not actually supported as an image id

Under anchore query --extended-help it is said that Image IDs can be specified as repo names

However, after analyzing a bunch of my private images using anchore analyze --image <repo>/<image>, anchore query --image <repo> cve-scan all returns ERROR could not load input images: Input image name <repo> not found in local dockerhost or anchore DB.

My aim is to be able to query / audit all images from a specific repo as part of a workflow process. There may be other images present in docker that I do not intend to analyze.

On a side note, is there a way to easily reset the anchore db / remove all analyzed images instead of rm -rf ~/.anchore?

Support for private registries?

Will support for scanning private registries be added with the command line tools eventually? I'd like to be able to scan my OpenShift Registry.

Queries should not require all docker images on localhost to be analyzed, and usage of --include-allanchore is confusing

The current implementation of --include-allanchore is to query all local docker images as well as everything in the anchore db. This is confusing. It seems with this name it should only include known images in the db, not all docker images. The side-effect is that asking queries about everything in the db requires all local images to be analyzed. The query should succeed even if there are docker images locally that are not analyzed yet, or we should provide another way to do that without enumerating the images.

Example:
> anchore query --include-allanchore list-image-attrs all
ERROR explore operation failed: Image(s) must be analyzed before operation can be performed.
Image: ab2b00916fb87732ffcb9a887f7b3954bf4c1e19f2f5c8c2fb902188c8b36127
ERROR query operation failed: 1

Dockerfile does not exist

If you follow the readme instructions for running anchore from a Docker image, then using docker exec to call anchore analyze as it suggests, the command fails.

I believe this is because the command is looking for a Dockerfile within the running Docker container rather than on the host's filesystem tree:

As you can see the Dockerfile exists and is in the path provided below as per the readme instructions:

ls -l /Users/samm/git/docker-base-image/Dockerfile

However, when called even with the fully qualified path the command fails:

docker exec anchore anchore analyze --image 58329f1f1727 --dockerfile /Users/samm/git/docker-base-image/Dockerfile
Usage: anchore analyze [OPTIONS]

Error: Invalid value for "--dockerfile": Path "/Users/samm/git/docker-base-image/Dockerfile" does not exist.
  • Docker version 17.07.0-ce-rc1, build 8c4be39
  • MacOS 10.12.6

Catalog Service error

Hi

I am unable to start up completely; I get an error when the catalog is enabled.

sh-4.2# /bin/twistd --logger=anchore_engine.subsys.twistd_logger.logger --pidfile /var/run/anchore-catalog.pid -n anchore-catalog --config /config
[service:catalog] 2018-06-26 12:16:09+0000 [-] [bootstrap] [WARNING] no webhooks defined in configuration file - notifications will be disabled
[service:catalog] 2018-06-26 12:16:09+0000 [-] [bootstrap] [INFO] initializing database
[service:catalog] 2018-06-26 12:16:11+0000 [-] [bootstrap] [INFO] Archive initialization complete
[service:catalog] 2018-06-26 12:16:11+0000 [-] [bootstrap] [ERROR] cannot create/init/register service: catalog - exception: unable to initialize default user data - exception: coercing to Unicode: need string or buffer, NoneType found
[service:catalog] 2018-06-26 12:16:11+0000 [-] [bootstrap] [ERROR] cannot start service (see above for information)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore_engine/services/common.py", line 362, in makeService
rc = smodule.initializeService(sname, localconfig)
File "/usr/lib/python2.7/site-packages/anchore_engine/services/catalog/__init__.py", line 107, in initializeService
raise Exception ("unable to initialize default user data - exception: " + str(err))
Exception: unable to initialize default user data - exception: coercing to Unicode: need string or buffer, NoneType found
Traceback (most recent call last):
File "/bin/twistd", line 11, in <module>
load_entry_point('Twisted==17.5.0', 'console_scripts', 'twistd')()
File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 29, in run
app.run(runApp, ServerOptions)
File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 662, in run
runApp(config)
File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 25, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 380, in run
self.application = self.createOrGetApplication()
File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 440, in createOrGetApplication
ser = plg.makeService(self.config.subOptions)
File "/usr/lib/python2.7/site-packages/twisted/plugins/anchore_catalog.py", line 76, in makeService
r = anchore_engine.services.common.makeService(slist, options)
File "/usr/lib/python2.7/site-packages/anchore_engine/services/common.py", line 387, in makeService
raise Exception("cannot start service (see above for information)")
Exception: cannot start service (see above for information)

Disable SSL verification for feeds sync / policy_engine_bootstrap

I'm trying to set up anchore engine in our environment.
We are set behind a squid proxy server, hence I had to add the http_proxy & https_proxy vars in our docker settings (added the variables in docker-compose.yaml file).
However, when running docker-compose up -d and then docker logs for the anchore-engine container, I see the below error:

18-01-08 22:18:20,410 DEBUG connexion.apis.flask_api - ... Adding GET -> anchore_engine.services.policy_engine.api.controllers.synchronous_operations.list_image_users
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Produces: ['application/json']
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Produces json
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Adding produces decorator (<function <lambda> at 0x65ee230>)
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Security: [{'anchore_basic': []}]
2018-01-08 22:18:20,411 DEBUG connexion.operation - ... Security type 'basic' not natively supported by Connexion; you should handle it yourself
2018-01-08 22:18:20,412 DEBUG connexion.operation - ... Adding security decorator (<function security_passthrough at 0x5788aa0>)
2018-01-08 22:18:20,443 INFO policy_engine_bootstrap - Registration complete.
2018-01-08 22:18:20,447 INFO policy_engine_bootstrap - Checking feeds client credentials
2018-01-08 22:18:20,450 DEBUG policy_engine_bootstrap - Initializing a feeds client
2018-01-08 22:18:20,585 ERROR policy_engine_bootstrap - Preflight checks failed with error: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",). Aborting service startup

I have also bind mounted the /etc/pki path from the docker host towards the container, because the host has the in-house root CA already trusted, which didn't help.

Is there a way for me to bypass the SSL verification for this mechanism so that?
Thanks!

Running analyzers on same host as image build can be very slow due to image build artifacts

Anchore analysis runs on the "familytree" of the image, which is the set of parentIDs of the layers. Typically this is not a 1:1 mapping to layers, but to images referred to in 'FROM' directives. However, on image builds, docker sets it for each layer. Anchore then runs an unpack() and analysis on each individual layer and all content to that point, causing analysis to take a long time and lots of resources.

Example of build behavior on an image built from ubuntu:latest:

docker history testimage1
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
17cada8704f7        30 minutes ago      /bin/sh -c #(nop)  ENV somekey=somevalue        0 B
389be87be712        30 minutes ago      /bin/sh -c echo "Hello5" > /root/hello5         7 B
ba8efdb71b82        30 minutes ago      /bin/sh -c echo "Hello4" > /root/hello4         7 B
c487c9eb4267        30 minutes ago      /bin/sh -c echo "Hello3" > /root/hello3         7 B
dfeefcddffec        30 minutes ago      /bin/sh -c echo "Hello2" > /root/hello2         7 B
ea37c65d781a        30 minutes ago      /bin/sh -c echo "Hello1" > /root/hello1         7 B
8b94a7dd04ae        30 minutes ago      /bin/sh -c echo "Hello" > /root/hello           6 B
f49eec89601e        4 weeks ago         /bin/sh -c #(nop)  CMD ["/bin/bash"]            0 B
<missing>           4 weeks ago         /bin/sh -c mkdir -p /run/systemd && echo '...   7 B
<missing>           4 weeks ago         /bin/sh -c sed -i 's/^#\s*\(deb.*universe\...   1.9 kB
<missing>           4 weeks ago         /bin/sh -c rm -rf /var/lib/apt/lists/*          0 B
<missing>           4 weeks ago         /bin/sh -c set -xe   && echo '#!/bin/sh' >...   745 B
<missing>           4 weeks ago         /bin/sh -c #(nop) ADD file:68f83d996c38a09...   129 MB

Images pushed to registries with V2 manifests seem to lose the parentId anyway, so the condition is that on build-servers we have too much familytree data and on pulled images we have none.

Example image built from jenkins:latest with no parentIds populated:

IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
1a197c741ce8        5 weeks ago         /bin/sh -c #(nop)  USER [jenkins]               0 B
<missing>           5 weeks ago         /bin/sh -c apt-get update && apt-get insta...   120 MB
<missing>           5 weeks ago         /bin/sh -c echo "deb https://apt.dockerpro...   58 B
<missing>           5 weeks ago         /bin/sh -c apt-key adv --keyserver hkp://h...   2.81 kB
<missing>           5 weeks ago         /bin/sh -c apt-get update && apt-get insta...   19.6 MB
<missing>           5 weeks ago         /bin/sh -c #(nop)  USER [root]                  0 B
<missing>           8 weeks ago         /bin/sh -c #(nop) COPY file:2a6a3e16202b8d...   5.96 kB
<missing>           8 weeks ago         /bin/sh -c #(nop) COPY file:93fb511d485dd2...   3.92 kB
<missing>           8 weeks ago         /bin/sh -c #(nop)  ENTRYPOINT ["/bin/tini"...   0 B
<missing>           8 weeks ago         /bin/sh -c #(nop) COPY file:7eec179a0dd3aa...   1.21 kB
<missing>           8 weeks ago         /bin/sh -c #(nop) COPY file:26c3c5818bc876...   5 kB
<missing>           8 weeks ago         /bin/sh -c #(nop)  USER [jenkins]               0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  ENV COPY_REFERENCE_FILE...   0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  EXPOSE 50000/tcp             0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  EXPOSE 8080/tcp              0 B
<missing>           8 weeks ago         |6 JENKINS_SHA=1b65dc498ba7ab1f5cce64200b9...   328 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  ENV JENKINS_UC=https://...   0 B
<missing>           8 weeks ago         |6 JENKINS_SHA=1b65dc498ba7ab1f5cce64200b9...   70.1 MB
<missing>           8 weeks ago         /bin/sh -c #(nop)  ARG JENKINS_URL=https:/...   0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  ARG JENKINS_SHA=1b65dc4...   0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  ENV JENKINS_VERSION=2.32.1   0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  ARG JENKINS_VERSION          0 B
<missing>           8 weeks ago         /bin/sh -c #(nop) COPY file:c629bc0b9ecb5b...   328 B
<missing>           8 weeks ago         |4 gid=1000 group=jenkins uid=1000 user=je...   822 kB
<missing>           8 weeks ago         /bin/sh -c #(nop)  ENV TINI_SHA=0f78709a0e...   0 B
<missing>           8 weeks ago         /bin/sh -c #(nop)  ENV TINI_VERSION=0.13.1      0 B
<missing>           2 months ago        |4 gid=1000 group=jenkins uid=1000 user=je...   0 B
<missing>           2 months ago        /bin/sh -c #(nop)  VOLUME [/var/jenkins_home]   0 B
<missing>           2 months ago        |4 gid=1000 group=jenkins uid=1000 user=je...   335 kB
<missing>           2 months ago        /bin/sh -c #(nop)  ARG gid=1000                 0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ARG uid=1000                 0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ARG group=jenkins            0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ARG user=jenkins             0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ENV JENKINS_SLAVE_AGENT...   0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ENV JENKINS_HOME=/var/j...   0 B
<missing>           2 months ago        /bin/sh -c apt-get update && apt-get insta...   0 B
<missing>           2 months ago        /bin/sh -c /var/lib/dpkg/info/ca-certifica...   418 kB
<missing>           2 months ago        /bin/sh -c set -x  && apt-get update  && a...   352 MB
<missing>           2 months ago        /bin/sh -c #(nop)  ENV CA_CERTIFICATES_JAV...   0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ENV JAVA_DEBIAN_VERSION...   0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ENV JAVA_VERSION=8u111       0 B
<missing>           2 months ago        /bin/sh -c #(nop)  ENV JAVA_HOME=/usr/lib/...   0 B
<missing>           2 months ago        /bin/sh -c {   echo '#!/bin/sh';   echo 's...   87 B
<missing>           2 months ago        /bin/sh -c #(nop)  ENV LANG=C.UTF-8             0 B
<missing>           2 months ago        /bin/sh -c echo 'deb http://deb.debian.org...   55 B
<missing>           2 months ago        /bin/sh -c apt-get update && apt-get insta...   1.29 MB
<missing>           2 months ago        /bin/sh -c apt-get update && apt-get insta...   123 MB
<missing>           2 months ago        /bin/sh -c apt-get update && apt-get insta...   44.3 MB
<missing>           2 months ago        /bin/sh -c #(nop)  CMD ["/bin/bash"]            0 B
<missing>           2 months ago        /bin/sh -c #(nop) ADD file:1d214d2782eaccc...   123 MB

The anchore family-tree detection fails on that image as well:

anchore toolbox --image nightfurys/jendock show-familytree
+--------------+---------------------------+----------------+--------------+
| Image Id | Current Repo Tags | Past Repo Tags | Image Type |
+--------------+---------------------------+----------------+--------------+
| 1a197c741ce8 | nightfurys/jendock:latest | | Intermediate |
+--------------+---------------------------+----------------+--------------+

Proposed solution is to disable familytree analysis by default so that only the image is extracted and squashed, not each in family tree. A flag, '--familytree' would enable the analysis of each image in the tree if desired.
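The cost difference described in this issue, as an added example that is not anchore's own code. It walks the parent links of the `testimage1` build shown above and compares the proposed default (the image only) with a full family-tree analysis; a third mode that keeps only tagged ancestors is an assumption added to approximate the "images referred to in FROM directives" case. The `IMAGES` table is constructed from the `docker history` listing: the parent links follow the listing order, the tags are assumed, and the 129 MB base size is rounded.

```python
# Constructed from the `docker history testimage1` listing above. "added" is
# the size in bytes that each step contributes; the base image's 129 MB is
# rounded and the repo tags are assumptions for this example.
IMAGES = {
    "17cada8704f7": {"parent": "389be87be712", "tags": ["testimage1:latest"], "added": 0},
    "389be87be712": {"parent": "ba8efdb71b82", "tags": [], "added": 7},
    "ba8efdb71b82": {"parent": "c487c9eb4267", "tags": [], "added": 7},
    "c487c9eb4267": {"parent": "dfeefcddffec", "tags": [], "added": 7},
    "dfeefcddffec": {"parent": "ea37c65d781a", "tags": [], "added": 7},
    "ea37c65d781a": {"parent": "8b94a7dd04ae", "tags": [], "added": 7},
    "8b94a7dd04ae": {"parent": "f49eec89601e", "tags": [], "added": 6},
    "f49eec89601e": {"parent": "", "tags": ["ubuntu:latest"], "added": 129000000},
    # Pulled image from the second listing: no parent id survives the registry.
    "1a197c741ce8": {"parent": "", "tags": ["nightfurys/jendock:latest"], "added": 0},
}

MODES = ("image-only", "all-parents", "tagged")


def ancestors(image_id, images):
    """Return [image_id, parent, grandparent, ...] following parent links."""
    chain, seen, current = [], set(), image_id
    while current and current not in seen:
        seen.add(current)  # guard against a corrupted, cyclic parent record
        chain.append(current)
        current = images.get(current, {}).get("parent", "")
    return chain


def family_tree(image_id, images, mode="image-only"):
    """Select the images to unpack and analyze.

    image-only  : the proposed default, only the requested image
    all-parents : every parent id, which on a build host is every build step
    tagged      : the image plus ancestors that carry a repo tag (assumption:
                  tags mark the images named in FROM directives)
    """
    if mode not in MODES:
        raise ValueError("unknown mode: %s" % mode)
    if mode == "image-only":
        return [image_id]
    chain = ancestors(image_id, images)
    if mode == "tagged":
        chain = [i for i in chain
                 if i == image_id or images.get(i, {}).get("tags")]
    return chain


def bytes_unpacked(selection, images):
    """Each analyzed image is unpacked with all content up to that point."""
    total = 0
    for image_id in selection:
        total += sum(images.get(a, {}).get("added", 0)
                     for a in ancestors(image_id, images))
    return total


if __name__ == "__main__":
    for mode in MODES:
        chosen = family_tree("17cada8704f7", IMAGES, mode)
        print(mode, len(chosen), "images,", bytes_unpacked(chosen, IMAGES), "bytes")
```
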

debian:8 not supported on initial sync

I recently came across a message while implementing anchore that states that Debian 8 is not a supported distro. This is of course not the case as it's supported until 2020, so I assume Anchore is saying it doesn't support Debian 8.

The message I see is while running Anchore in local mode through Jenkins.

Gate: ANCHORESEC
Trigger: UNSUPPORTEDDISTRO
Check Output: cannot perform CVE scan: no CVE data is currently available for the detected base distro type (debian:8)

I am available in IRC if anyone wants to talk about this further.

Readme instructions are not working

I followed all the instructions in the README to build anchore, but I am getting an error when I run the following command:

anchore analyze --image nginx:latest --imagetype base
Analyzing image: nginx:latest
5e69fe4b3c31: analyzing ...
ERROR analyzer status: failed
ERROR analyzer exitcode: 1
ERROR analyzer output: Traceback (most recent call last):
  File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore_utils.py", line 2076, in get_files_from_path
    os.chroot(inpath)
OSError: [Errno 1] Operation not permitted: '/home/wajih/.anchore/anchoretmp/5451369.anchoretmp/rootfs'
Traceback (most recent call last):
  File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py", line 38, in <module>
    fmap, allfiles = anchore.anchore_utils.get_files_from_path(unpackdir + "/rootfs")
  File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore_utils.py", line 2151, in get_files_from_path
    os.chroot('.')
OSError: [Errno 1] Operation not permitted: '.'
[Errno 1] Operation not permitted: '/home/wajih/.anchore/anchoretmp/5451369.anchoretmp/rootfs'
Traceback (most recent call last):
  File "/home/wajih/.local/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py", line 61, in <module>
    raise err
OSError: [Errno 1] Operation not permitted: '.'

ERROR analyzer failed to run on image 5e69fe4b3c310ea91ead6008e143deca87995d0519f258008cc52e8c0a5366da, skipping the rest
ERROR analyzers failed to run on one or more images.
ERROR analysis failed.
ERROR analysis failed for one or more images.

Any help would be appreciated.

Docker version 17.03.0-ce, build 3a232c8
pip 9.0.1 from /usr/lib/python2.7/site-packages/pip-9.0.1-py2.7.egg (python 2.7)

Anchore scans started failing with 0 change to my jenkins setup DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/reports/image_report.json), but failed to load for imageId (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) - exception: No JSON object could be decoded 20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x32bd490>> ignored

I have a Jenkins Multi branch DSL pipeline job that calls anchore scans on all the docker images we build. This one is a scan on nginx reverse proxy. Until about 1 hour ago it has been working fine. There has been no change to our system but now it is failing.

I have verified the disk has space.

Jenkins file code that gets called

                       try {
                            env.ANCHORE_SETUP = sh([script: "anchore_scan", returnStdout: true]).trim()
                            print env.ANCHORE_SETUP
                            anchore bailOnFail: false, inputQueries: [[query: 'cve-scan all'], [query: 'list-packages all'], [query: 'list-files all'], [query: 'show-pkg-diffs base']], name: 'anchore_images'
                       } catch (Exception e){
                            sh 'cat anchore_images'
                       }

This is the file anchore_images that gets referenced; it lists the location of the docker file and the image name:

nebulagarage/proxy:development /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile

This is my docker file for the proxy docker image:

from owasp/modsecurity:v3-ubuntu-nginx

ADD nginx.conf /etc/nginx/nginx.conf.template
ADD ssls/* /etc/nginx/ssl/
RUN apt-get update -y && \
    apt-get -y install gettext-base mlocate psmisc && \
    ionice -c3 updatedb

EXPOSE 80
EXPOSE 443
CMD envsubst < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec /usr/local/nginx/nginx -g "daemon off;"

Bash script for ensuring anchore image is latest, and is pulled

#!/usr/bin/env bash
set +ex
if [[ "$(docker images -q anchore/jenkins:latest  2> /dev/null)" == "" ]]; then
    docker pull anchore/jenkins:latest
fi
echo "${DOCKER_IMAGE_NAME}:${PACKAGE_VERSION} ${WORKSPACE}/Dockerfile" > ${WORKSPACE}/anchore_images

As you can see, the docker file is not commented on the first line. I have checked disk space and the space is free, and the pattern for naming and scanning the image hasn't changed.

This is the anchore scan output:

20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   Jenkins version: 2.141
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   Anchore Container Image Scanner Plugin version: 1.0.14
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] enabled: true
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] enginemode: anchorelocal
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] engineurl: http://your_anchore_engine_host_ip:your_anchore_engine_port/v1
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] engineuser: 
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] enginepass: ****
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] engineverify: false
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] debug: true
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] useSudo: false
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] containerImageId: anchore/jenkins:latest
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] containerId: jenkins_anchore
20:57:18 2018-12-27T20:57:18.047 INFO   AnchoreWorker   [global] localVol: /var/lib/jenkins/.anchore
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [global] modulesVol: /var/lib/jenkins/.anchore
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] name: anchore_images
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] policyName: anchore_policy
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] globalWhiteList: anchore_global_whitelist
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] anchoreioUser: 
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] anchoreioPass: ****
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] userScripts: anchore_user_scripts
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] engineRetries: 300
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] bailOnFail: false
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] bailOnWarn: false
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] bailOnPluginFail: true
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] doCleanup: false
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] useCachedBundle: true
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] policyEvalMethod: plainfile
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] bundleFileOverride: anchore_policy_bundle.json
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] query: cve-scan all
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] query: list-packages all
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] query: list-files all
20:57:18 2018-12-27T20:57:18.048 INFO   AnchoreWorker   [build] query: show-pkg-diffs base
20:57:18 2018-12-27T20:57:18.051 DEBUG  AnchoreWorker   Initializing Jenkins workspace
20:57:18 2018-12-27T20:57:18.053 DEBUG  AnchoreWorker   Creating workspace directory AnchoreReport.development_282
20:57:18 2018-12-27T20:57:18.056 DEBUG  AnchoreWorker   Initializing Anchore workspace
20:57:18 2018-12-27T20:57:18.056 DEBUG  AnchoreWorker   Checking container jenkins_anchore
20:57:18 2018-12-27T20:57:18.056 DEBUG  AnchoreWorker   Executing "docker start jenkins_anchore"
20:57:18 $ docker start jenkins_anchore
20:57:18 jenkins_anchore
20:57:18 2018-12-27T20:57:18.115 DEBUG  AnchoreWorker   Execution of "docker start jenkins_anchore" returned 0
20:57:18 2018-12-27T20:57:18.116 DEBUG  AnchoreWorker   Anchore container jenkins_anchore is already running
20:57:18 2018-12-27T20:57:18.116 DEBUG  AnchoreWorker   Creating build artifact directory /root/anchore.development_282 in Anchore container jenkins_anchore
20:57:18 2018-12-27T20:57:18.116 DEBUG  AnchoreWorker   Executing "docker exec jenkins_anchore mkdir -p /root/anchore.development_282"
20:57:18 $ docker exec jenkins_anchore mkdir -p /root/anchore.development_282
20:57:18 2018-12-27T20:57:18.246 DEBUG  AnchoreWorker   Execution of "docker exec jenkins_anchore mkdir -p /root/anchore.development_282" returned 0
20:57:18 2018-12-27T20:57:18.246 DEBUG  AnchoreWorker   Staging image file in Jenkins workspace
20:57:18 2018-12-27T20:57:18.255 DEBUG  AnchoreWorker   Copying Dockerfile from Jenkins workspace: /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile, to Anchore workspace: /root/anchore.development_282/dfile.1
20:57:18 2018-12-27T20:57:18.255 DEBUG  AnchoreWorker   Executing "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile jenkins_anchore:/root/anchore.development_282/dfile.1"
20:57:18 $ docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile jenkins_anchore:/root/anchore.development_282/dfile.1
20:57:18 2018-12-27T20:57:18.570 DEBUG  AnchoreWorker   Execution of "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile jenkins_anchore:/root/anchore.development_282/dfile.1" returned 0
20:57:18 2018-12-27T20:57:18.570 DEBUG  AnchoreWorker   Staging sanitized entry: "nebulagarage/proxy:development /root/anchore.development_282/dfile.1"
20:57:18 2018-12-27T20:57:18.570 DEBUG  AnchoreWorker   Copying staged image file from Jenkins workspace: /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282, to Anchore workspace: /root/anchore.development_282/images
20:57:18 2018-12-27T20:57:18.570 DEBUG  AnchoreWorker   Executing "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282 jenkins_anchore:/root/anchore.development_282/images"
20:57:18 $ docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282 jenkins_anchore:/root/anchore.development_282/images
20:57:18 2018-12-27T20:57:18.878 DEBUG  AnchoreWorker   Execution of "docker cp /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/AnchoreReport.development_282/staged_images.development_282 jenkins_anchore:/root/anchore.development_282/images" returned 0
20:57:18 2018-12-27T20:57:18.880 DEBUG  AnchoreWorker   No user scripts/modules found, using default Anchore modules
20:57:18 2018-12-27T20:57:18.883 INFO   AnchoreWorker   Bundle file either not specified or does not exist, using default Anchore policy
20:57:18 2018-12-27T20:57:18.885 INFO   AnchoreWorker   Policy file either not specified or does not exist, using default Anchore policy
20:57:18 2018-12-27T20:57:18.888 INFO   AnchoreWorker   Global whitelist file either not specified or does not exist, using default Anchore global whitelist
20:57:18 2018-12-27T20:57:18.888 DEBUG  AnchoreWorker   Build worker initialized
20:57:18 2018-12-27T20:57:18.888 INFO   AnchoreWorker   Running Anchore Analyzer
20:57:18 2018-12-27T20:57:18.888 DEBUG  AnchoreWorker   Executing "docker exec jenkins_anchore anchore --debug analyze --skipgates --imagefile /root/anchore.development_282/images"
20:57:18 $ docker exec jenkins_anchore anchore --debug analyze --skipgates --imagefile /root/anchore.development_282/images
20:57:19 2018-12-27 20:57:19,180 DEBUG anchore_image_db_fs.py __init__ using directory for anchore image data: /root/.anchore/data
20:57:19 2018-12-27 20:57:19,181 DEBUG anchore_image_db_fs.py __init__ using directory for anchore feed data: /root/.anchore/feeds
20:57:19 2018-12-27 20:57:19,181 DEBUG anchore_image_db_fs.py __init__ using directory for anchore policy data: /root/.anchore/policy
20:57:19 2018-12-27 20:57:19,184 DEBUG auth.py find_config_file Trying paths: ['/root/.docker/config.json', '/root/.dockercfg']
20:57:19 2018-12-27 20:57:19,184 DEBUG auth.py find_config_file No config file found
20:57:19 2018-12-27 20:57:19,191 DEBUG connectionpool.py _make_request "GET /version HTTP/1.1" 200 537
20:57:19 2018-12-27 20:57:19,194 DEBUG connectionpool.py _make_request "GET /v1.38/version HTTP/1.1" 200 537
20:57:19 2018-12-27 20:57:19,215 DEBUG connectionpool.py _make_request "GET /v1.38/images/json?only_ids=0&all=1 HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,216 DEBUG anchore_image_db_fs.py __init__ using directory for anchore image data: /root/.anchore/data
20:57:19 2018-12-27 20:57:19,216 DEBUG anchore_image_db_fs.py __init__ using directory for anchore feed data: /root/.anchore/feeds
20:57:19 2018-12-27 20:57:19,216 DEBUG anchore_image_db_fs.py __init__ using directory for anchore policy data: /root/.anchore/policy
20:57:19 2018-12-27 20:57:19,217 DEBUG anchore_utils.py discover_imageId looking for name (nebulagarage/proxy:development) in docker_images
20:57:19 2018-12-27 20:57:19,217 DEBUG anchore_utils.py discover_imageId looking for alternative names (nebulagarage/proxy:development) in docker_images
20:57:19 2018-12-27 20:57:19,218 DEBUG analyzer.py __init__ analyzer initialization: begin
20:57:19 2018-12-27 20:57:19,218 DEBUG analyzer.py __init__ init input processed, loading input images: [u'nebulagarage/proxy:development']
20:57:19 2018-12-27 20:57:19,218 DEBUG anchore_image.py __init__ initializing image: nebulagarage/proxy:development
20:57:19 2018-12-27 20:57:19,218 DEBUG anchore_utils.py discover_imageId looking for name (nebulagarage/proxy:development) in docker_images
20:57:19 2018-12-27 20:57:19,218 DEBUG anchore_utils.py discover_imageId looking for alternative names (nebulagarage/proxy:development) in docker_images
20:57:19 Analyzing image: nebulagarage/proxy:development
20:57:19 2018-12-27 20:57:19,219 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/reports/image_report.json), but failed to load for imageId (4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,253 DEBUG connectionpool.py _make_request "GET /v1.38/images/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,257 DEBUG connectionpool.py _make_request "GET /v1.38/images/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,258 DEBUG anchore_image.py __init__ initializing image: 1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10
20:57:19 2018-12-27 20:57:19,258 DEBUG anchore_utils.py discover_imageId looking for name (1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10) in docker_images
20:57:19 2018-12-27 20:57:19,258 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/reports/image_report.json), but failed to load for imageId (1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,260 DEBUG connectionpool.py _make_request "GET /v1.38/images/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,264 DEBUG connectionpool.py _make_request "GET /v1.38/images/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,265 DEBUG anchore_image.py __init__ initializing image: 28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c
20:57:19 2018-12-27 20:57:19,265 DEBUG anchore_utils.py discover_imageId looking for name (28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c) in docker_images
20:57:19 2018-12-27 20:57:19,266 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/reports/image_report.json), but failed to load for imageId (28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,268 DEBUG connectionpool.py _make_request "GET /v1.38/images/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,271 DEBUG connectionpool.py _make_request "GET /v1.38/images/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,271 DEBUG anchore_image.py __init__ initializing image: f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b
20:57:19 2018-12-27 20:57:19,271 DEBUG anchore_utils.py discover_imageId looking for name (f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b) in docker_images
20:57:19 2018-12-27 20:57:19,272 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/reports/image_report.json), but failed to load for imageId (f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,273 DEBUG connectionpool.py _make_request "GET /v1.38/images/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,277 DEBUG connectionpool.py _make_request "GET /v1.38/images/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,278 DEBUG anchore_image.py __init__ initializing image: 10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505
20:57:19 2018-12-27 20:57:19,278 DEBUG anchore_utils.py discover_imageId looking for name (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) in docker_images
20:57:19 2018-12-27 20:57:19,278 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/reports/image_report.json), but failed to load for imageId (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,280 DEBUG connectionpool.py _make_request "GET /v1.38/images/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,283 DEBUG connectionpool.py _make_request "GET /v1.38/images/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,284 DEBUG anchore_image.py __init__ initializing image: 1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946
20:57:19 2018-12-27 20:57:19,284 DEBUG anchore_utils.py discover_imageId looking for name (1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946) in docker_images
20:57:19 2018-12-27 20:57:19,284 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/reports/image_report.json), but failed to load for imageId (1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,286 DEBUG connectionpool.py _make_request "GET /v1.38/images/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,290 DEBUG connectionpool.py _make_request "GET /v1.38/images/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,290 DEBUG anchore_image.py __init__ initializing image: fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90
20:57:19 2018-12-27 20:57:19,290 DEBUG anchore_utils.py discover_imageId looking for name (fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90) in docker_images
20:57:19 2018-12-27 20:57:19,297 DEBUG connectionpool.py _make_request "GET /v1.38/images/fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90/json HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,298 DEBUG connectionpool.py _make_request "GET /v1.38/images/fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,301 DEBUG connectionpool.py _make_request "GET /v1.38/images/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,304 DEBUG connectionpool.py _make_request "GET /v1.38/images/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,307 DEBUG connectionpool.py _make_request "GET /v1.38/images/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,310 DEBUG connectionpool.py _make_request "GET /v1.38/images/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,314 DEBUG connectionpool.py _make_request "GET /v1.38/images/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/history HTTP/1.1" 200 None
20:57:19 2018-12-27 20:57:19,314 DEBUG analyzer.py __init__ loaded input images, checking that all input images have been loaded [u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea']
20:57:19 2018-12-27 20:57:19,315 DEBUG analyzer.py __init__ analyzer initialization: end
20:57:19 2018-12-27 20:57:19,315 DEBUG analyzer.py run main image analysis on images: [u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea']: begin
20:57:19 2018-12-27 20:57:19,315 DEBUG analyzer.py run images to be analyzed: [u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea']
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_retrieve_files.py
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/10_package_list.py
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_java_packages.py
20:57:19 2018-12-27 20:57:19,317 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/02_layers.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_npm_package_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/20_file_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_secret_search.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/30_file_checksums.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/11_package_detail_list.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_content_search.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_python_packages.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/40_file_suids.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/01_analyzer_meta.py
20:57:19 2018-12-27 20:57:19,318 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/31_file_package_verify.py
20:57:19 2018-12-27 20:57:19,319 DEBUG analyzer.py run_analyzers analyzer commands all finished with successful exit codes
20:57:19 2018-12-27 20:57:19,319 DEBUG analyzer.py run_analyzers saving image information with updated analysis data
20:57:19 2018-12-27 20:57:19,321 INFO analyzer.py run_analyzers fa21bf78d25e: analyzed.
20:57:19 2018-12-27 20:57:19,321 DEBUG analyzer.py run_analyzers running analyzers on image: fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90: end
20:57:19 2018-12-27 20:57:19,323 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_retrieve_files.py
20:57:19 2018-12-27 20:57:19,324 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/10_package_list.py
20:57:19 2018-12-27 20:57:19,324 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_java_packages.py
20:57:19 2018-12-27 20:57:19,324 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/02_layers.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_npm_package_list.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/20_file_list.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/12_gem_package_list.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_secret_search.py
20:57:19 2018-12-27 20:57:19,325 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/30_file_checksums.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/11_package_detail_list.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/13_content_search.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/32_python_packages.py
20:57:19 2018-12-27 20:57:19,326 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/40_file_suids.py
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/01_analyzer_meta.py
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers skipping analyzer (no change in analyzer/config and prior run succeeded): /usr/lib/python2.7/site-packages/anchore/anchore-modules/analyzers/31_file_package_verify.py
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers analyzer commands all finished with successful exit codes
20:57:19 2018-12-27 20:57:19,327 DEBUG analyzer.py run_analyzers saving image information with updated analysis data
20:57:19 2018-12-27 20:57:19,329 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/reports/image_report.json), but failed to load for imageId (4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea) - exception: No JSON object could be decoded
20:57:19 2018-12-27 20:57:19,330 ERROR common.py anchore_print_err failed to run analyzer
20:57:19 Traceback (most recent call last):
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/cli/analyzer.py", line 392, in analyze
20:57:19     rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=inlist, allimages=allimages, force=force, args=args).run()
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 416, in run
20:57:19     success = self.run_analyzers(image)
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 368, in run_analyzers
20:57:19     image.save_image()
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/anchore_image.py", line 263, in save_image
20:57:19     self.anchore_db.save_image_report(self.meta['imageId'], report)
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/anchore_image_db/anchore_image_db_fs.py", line 625, in save_image_report
20:57:19     diff = list(set(oldreport['anchore_current_tags']).symmetric_difference(set(report['anchore_current_tags'])))
20:57:19 TypeError: unhashable type: 'list'
20:57:19 2018-12-27 20:57:19,331 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'fa21bf78d25e', 'usertype': None, 'shortId': u'1fc25d14020a', 'imagename': u'1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946', 'parentId': u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', 'shortname': u'1fc25d14020a', 'imageId': u'1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946', 'sizebytes': '261815094', 'humanname': u'1fc25d14020a'}
20:57:19 2018-12-27 20:57:19,331 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946/reports/image_report.json), but failed to load for imageId (1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x32bd090>> ignored
20:57:19 2018-12-27 20:57:19,331 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'10cc4becbe9f', 'usertype': None, 'shortId': u'f1495ea6b72c', 'imagename': u'f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b', 'parentId': u'10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505', 'shortname': u'f1495ea6b72c', 'imageId': u'f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b', 'sizebytes': '306857985', 'humanname': u'f1495ea6b72c'}
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b/reports/image_report.json), but failed to load for imageId (f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dcf90>> ignored
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'28dcf4463643', 'usertype': None, 'shortId': u'1706df414124', 'imagename': u'1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10', 'parentId': u'28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c', 'shortname': u'1706df414124', 'imageId': u'1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10', 'sizebytes': '306857985', 'humanname': u'1706df414124'}
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10/reports/image_report.json), but failed to load for imageId (1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dcb10>> ignored
20:57:19 2018-12-27 20:57:19,332 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'f1495ea6b72c', 'usertype': None, 'shortId': u'28dcf4463643', 'imagename': u'28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c', 'parentId': u'f1495ea6b72c139a0c3d8c0bac27dc09400987a6fdda0525b55133f76c3bfe2b', 'shortname': u'28dcf4463643', 'imageId': u'28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c', 'sizebytes': '306857985', 'humanname': u'28dcf4463643'}
20:57:19 2018-12-27 20:57:19,333 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c/reports/image_report.json), but failed to load for imageId (28dcf4463643a526c95b1de34e9d50450c952d250efae04c04aec769e053917c) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dce50>> ignored
20:57:19 2018-12-27 20:57:19,333 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'1fc25d14020a', 'usertype': None, 'shortId': u'10cc4becbe9f', 'imagename': u'10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505', 'parentId': u'1fc25d14020a53ce9cbb9af0a1ef2b835feb4f799a1c2e3fab07867250fb8946', 'shortname': u'10cc4becbe9f', 'imageId': u'10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505', 'sizebytes': '261824606', 'humanname': u'10cc4becbe9f'}
20:57:19 2018-12-27 20:57:19,333 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505/reports/image_report.json), but failed to load for imageId (10cc4becbe9fc8ab3901a74588ffef73a1a16109173efa25545a51abfb511505) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x32bd490>> ignored
20:57:19 2018-12-27 20:57:19,333 ERROR common.py anchore_print_err analysis failed for one or more images.
20:57:19 Traceback (most recent call last):
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/cli/analyzer.py", line 392, in analyze
20:57:19     rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=inlist, allimages=allimages, force=force, args=args).run()
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 416, in run
20:57:19     success = self.run_analyzers(image)
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/analyzer.py", line 368, in run_analyzers
20:57:19     image.save_image()
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/anchore_image.py", line 263, in save_image
20:57:19     self.anchore_db.save_image_report(self.meta['imageId'], report)
20:57:19   File "/usr/lib/python2.7/site-packages/anchore/anchore_image_db/anchore_image_db_fs.py", line 625, in save_image_report
20:57:19     diff = list(set(oldreport['anchore_current_tags']).symmetric_difference(set(report['anchore_current_tags'])))
20:57:19 TypeError: unhashable type: 'list'
20:57:19 2018-12-27 20:57:19,334 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'', 'usertype': None, 'shortId': u'fa21bf78d25e', 'imagename': u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', 'parentId': u'', 'shortname': u'fa21bf78d25e', 'imageId': u'fa21bf78d25e1fa3d46660182ec8ca383f294e18e780a8b2538163c6ce8e4f90', 'sizebytes': '261809129', 'humanname': u'owasp/modsecurity:v3-ubuntu-nginx'}
20:57:19 2018-12-27 20:57:19,335 DEBUG anchore_image.py __del__ destructor called: {'shortparentId': u'1706df414124', 'usertype': 'user', 'shortId': u'4a2f8bce9861', 'imagename': u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea', 'parentId': u'1706df4141241db1af14f78ed8f4ecfcb7977fca0fb0978be985c53277761e10', 'shortname': u'4a2f8bce9861', 'imageId': u'4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea', 'sizebytes': '306857985', 'humanname': u'4a2f8bce9861'}
20:57:19 2018-12-27 20:57:19,336 DEBUG anchore_image_db_fs.py load_image_report image report json found (/root/.anchore/data/4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea/reports/image_report.json), but failed to load for imageId (4a2f8bce98614ce0020cdad29260d9150536956eac6dd61ad7d2af4c70288aea) - exception: No JSON object could be decoded
20:57:19 Exception TypeError: "unhashable type: 'list'" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x31dc990>> ignored
20:57:19 2018-12-27T20:57:19.382 DEBUG  AnchoreWorker   Execution of "docker exec jenkins_anchore anchore --debug analyze --skipgates --imagefile /root/anchore.development_282/images" returned 1
20:57:19 2018-12-27T20:57:19.382 ERROR  AnchoreWorker   Anchore analyzer failed with return code 1, check output above for details
20:57:19 2018-12-27T20:57:19.382 ERROR  AnchorePlugin   Failing Anchore Container Image Scanner Plugin build step due to errors in plugin execution
20:57:19 hudson.AbortException: Anchore analyzer failed, check output above for details
20:57:19 	at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzerLocal(BuildWorker.java:295)
20:57:19 	at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzer(BuildWorker.java:175)
20:57:19 	at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:233)
20:57:19 	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
20:57:19 	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
20:57:19 	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
20:57:19 	at hudson.security.ACL.impersonate(ACL.java:290)
20:57:19 	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
20:57:19 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
20:57:19 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
20:57:19 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
20:57:19 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
20:57:19 	at java.lang.Thread.run(Thread.java:748)
20:57:19 2018-12-27T20:57:19.382 DEBUG  AnchoreWorker   Cleaning up build artifacts
20:57:19 2018-12-27T20:57:19.382 DEBUG  AnchoreWorker   Deleting Jenkins workspace AnchoreReport.development_282
20:57:19 2018-12-27T20:57:19.385 DEBUG  AnchoreWorker   Deleting Anchore container workspace /root/anchore.development_282
20:57:19 2018-12-27T20:57:19.385 DEBUG  AnchoreWorker   Executing "docker exec jenkins_anchore rm -rf /root/anchore.development_282"
20:57:19 $ docker exec jenkins_anchore rm -rf /root/anchore.development_282
20:57:19 2018-12-27T20:57:19.544 DEBUG  AnchoreWorker   Execution of "docker exec jenkins_anchore rm -rf /root/anchore.development_282" returned 0
20:57:19 2018-12-27T20:57:19.545 INFO   AnchorePlugin   Completed Anchore Container Image Scanner build step
[Pipeline] sh
20:57:19 [neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA] Running shell script
20:57:19 + cat anchore_images
20:57:19 nebulagarage/proxy:development /home/ubuntu/workspace/neb-proxy_development-TDIDJWKBYTRESTCEVAPDJLMGQL67ZFAEKTH4KKKXBUL2ORCCFWJA/Dockerfile

Same vulnerability results across several images

Hi, I have been testing anchore against several images and it seems the results are the same. I use a command like anchore-cli image vuln maineffort/kbastani-movie-microservice os.
For example, all the images of the Spring PetClinic microservices have the same results, even with images from another repository.
root@test-virtual-machine:~/tester/rep# du --all --human-readable --apparent-size
120K ./spring-petclinic-vets-service.txt
120K ./spring-petclinic-visits-service.txt
120K ./spring-petclinic-customers-service.txt
120K ./spring-petclinic-api-gateway.txt
120K ./kbastani-movie-microservice.txt
120K ./kbastani-movies-ui.txt

Note - here I am just illustrating using file sizes but I have also compared the raw results.

Am I mixing the commands or what am I missing ? I expect the results to be different even when similar base images are used. Cheers.


Handle read timeouts from docker with retries

Interactions with docker on the localhost via the unix socket can timeout in cases where docker is busy, so we should add retry logic around calls to the client to handle temporary failures.

Have seen this issue during image analysis with failures coming from: anchore/anchore_image.py:730 where it calls get_image().data on the docker client.

root@ubuntu:~# anchore analyze --imagetype none
Analyzing image: sha256:72d4ec634f1f24ae2afbc4a1b482865fb3ad5e6575750d335249ce3be612deea
72d4ec634f1f: analyzed.
72d4ec634f1f: evaluating policies ...
72d4ec634f1f: evaluated.
Analyzing image: sha256:cbd13d085eca4fb914aaab37534205924bf2c38430147af0e7389d1cccaabbdf
cbd13d085eca: analyzing ...
cbd13d085eca: analyzed.
cbd13d085eca: evaluating policies ...
cbd13d085eca: evaluated.
Analyzing image: sha256:693bce72514984f01f217e878d143162b5f4c1b83b018e7e6dc7394f055e7cd5
693bce725149: analyzing ...
693bce725149: analyzed.
693bce725149: evaluating policies ...
693bce725149: evaluated.
Analyzing image: sha256:0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d
0d409d33b27e: analyzed.
0d409d33b27e: evaluating policies ...
0d409d33b27e: evaluated.
Analyzing image: sha256:e07b99ee7733d7a6f669cde12c677ea36fbd2490adf3ef3ac59e53c2e9e018e4
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_utils.py", line 287, in image_context_add
newimage = anchore_image.AnchoreImage(i, anchore_datadir, docker_cli=docker_cli, allimages=allimages, dockerfile=dockerfile, tmpdirroot=tmproot, usertype=usertype, anchore_db=anchore_db)
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_image.py", line 123, in __init__
self.discover_layers()
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_image.py", line 395, in discover_layers
imagedir = self.unpack()
File "/usr/local/lib/python2.7/dist-packages/anchore/anchore_image.py", line 730, in unpack
FH.write(self.docker_cli.get_image(shortid).data)
File "/usr/local/lib/python2.7/dist-packages/docker/utils/decorators.py", line 21, in wrapped
return f(self, resource_id, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/docker/api/image.py", line 17, in get_image
res = self._get(self._url("/images/{0}/get", image), stream=True)
File "/usr/local/lib/python2.7/dist-packages/docker/utils/decorators.py", line 47, in inner
return f(self, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/docker/client.py", line 120, in _get
return self.get(url, **self._set_request_timeout(kwargs))
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 487, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 479, in send
raise ReadTimeout(e, request=request)
ReadTimeout: UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
Exception TypeError: "'NoneType' object is not iterable" in <bound method AnchoreImage.__del__ of <anchore.anchore_image.AnchoreImage object at 0x7f7915338c50>> ignored
ERROR failed to run analyzer: Could not load/initialize all input images.
Image: sha256:e07b99ee7733d7a6f669cde12c677ea36fbd2490adf3ef3ac59e53c2e9e018e4
Info: UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)

Support Scientific Linux CVEs [edited]

Currently RHEL CVE feeds are not being used, so scanning RHEL/Scientific linux results in "cannot perform CVE scan: no CVE data is currently available for the detected base distro type (redhat:6,redhat:6.9)"

Any plans to sync redhat distro CVE feeds?

Failed to analyze Docker Container with Internal Base Image

Hi!

Any of my containers that use another one of my containers as a base image isn't being analyzed. It also breaks anchore query cve-scan all query for the same reason.

As a work-around, I think I could just delete all containers where the distro is unknown, but is it possible that those containers have vulnerabilities that I might miss?

Many Thanks,
Bryan

Debian: false positives

We're seeing several false positives with up to date debian jessie images.

I've constructed a simple example at https://github.com/rmoriz/anchore-false-positive to reproduce.

test.sh will

  • build a docker image based on the latest debian:jessie and install libgnutls-deb0-28

  • package libgnutls-deb0-28:amd64 3.3.8-6+deb8u7 gets installed

  • sets up anchore and does the test.

However docker exec anchore anchore query --image false-positive cve-scan all returns several HIGH issues regarding that package:

| CVE-2017-533 | High       | 1               | libgnutls-de       | None          | e6e3610342fb | None           | https        |
| 7            |            |                 | b0-28-3.3.8-       |               | (false-posit |                | ://security- |
|              |            |                 | 6+deb8u7           |               | ive:latest)  |                | tracker.debi |
|              |            |                 |                    |               |              |                | an.org/track |
|              |            |                 |                    |               |              |                | er/CVE-2017- |
|              |            |                 |                    |               |              |                | 5337         |
| CVE-2017-533 | High       | 1               | libgnutls-de       | None          | e6e3610342fb | None           | https        |
| 6            |            |                 | b0-28-3.3.8-       |               | (false-posit |                | ://security- |
|              |            |                 | 6+deb8u7           |               | ive:latest)  |                | tracker.debi |
|              |            |                 |                    |               |              |                | an.org/track |
|              |            |                 |                    |               |              |                | er/CVE-2017- |
|              |            |                 |                    |               |              |                | 5336         |
| CVE-2017-533 | Medium     | 1               | libgnutls-de       | None          | e6e3610342fb | None           | https        |
| 5            |            |                 | b0-28-3.3.8-       |               | (false-posit |                | ://security- |
|              |            |                 | 6+deb8u7           |               | ive:latest)  |                | tracker.debi |
|              |            |                 |                    |               |              |                | an.org/track |
|              |            |                 |                    |               |              |                | er/CVE-2017- |
|              |            |                 |                    |               |              |                | 5335         |
| CVE-2017-533 | High       | 1               | libgnutls-de       | None          | e6e3610342fb | None           | https        |
| 4            |            |                 | b0-28-3.3.8-       |               | (false-posit |                | ://security- |
|              |            |                 | 6+deb8u7           |               | ive:latest)  |                | tracker.debi |
|              |            |                 |                    |               |              |                | an.org/track |
|              |            |                 |                    |               |              |                | er/CVE-2017- |
|              |            |                 |                    |               |              |                | 5334         |

Debian Security Tracker claims that version "3.3.8-6+deb8u7" is fixed for all issues:

add toolbox 'show' feature to get quick summary information about image

like so - useful for quick mapping of tags/ids as well as see the distro that the image is based on

[root@tele ~]# anchore toolbox --image nginx show
IMAGEID='0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d'
REPOTAGS='nginx:latest'
DISTRO='debian'
DISTROVERS='8'
SHORTID='0d409d33b27e'
PARENTID=''
BASEID='0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d'

Error reported during analysis - "directory renamed before status could be extracted"

When running analysis on a host using OverlayFS storage driver the tar command may produce the following error:
"directory renamed before status could be extracted"

other log entries may include
"tar: Exiting with failure status due to previous errors
ERROR Error: Untar of unpacked image layer failed.
ERROR Command: tar -C "

This is a result of a currently unfixed issue with the OverlayFS driver in Docker.
The upstream issue is: moby/moby#19647

Until upstream docker/moby project fixes the driver you should use another driver such as AUFS.

Offline vulnerabilities check

Hello, I recently used Anchore service and Anchore REST API to check image vulnerabilities.

The first time, I ran Anchore using docker-compose on public GCE and it worked well.

Then I copied the 'db' directory to my local PC in order to re-test in my local offline environment.

But this time, Anchore did not work properly. I could get the manifest / digest value through the API, but the image was not analyzed.

[
    {
        "analysis_status": "not_analyzed",
        "analyzed_at": null,
        "annotations": {},
        "created_at": "2018-07-03T04:33:57Z",
        "imageDigest": "sha256:a08ed346dfbb55cf7819dbe60f574f19fe387f2e7486cdc2073f1272d1344ec9",
        "image_content": {
            "metadata": {
                "arch": null,
                "distro": null,
                "distro_version": null,
                "dockerfile_mode": null,
                "image_size": null,
                "layer_count": null
            }
        },
...

I would like to test the Anchore service in offline environment.
In this case, what else do I need to do in addition to moving the db directory?

Incorrect packages list on Debian & false positive

anchore does not take packages status into account while listing packages (see

cmd = ["dpkg-query", "--admindir="+unpackdir+"/rootfs/var/lib/dpkg", "-W", "-f="+"${Package}|ANCHORETOK|${Version}|ANCHORETOK|${Architecture}|ANCHORETOK|${Installed-Size}|ANCHORETOK|${source:Package}-${source:Version}|ANCHORETOK|${Maintainer}\\n"]
). This leads to false positives when a package is marked as rc (i.e. removed).

I would suggest that you also retrieve the ${Status} variable and filter out packages marked as "deinstall".
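Added example (not part of the original issue and not anchore's own code): the dpkg-query format string quoted above with ${Status} appended, plus a parser that drops records whose files are no longer on disk. The function names and the sample records are assumptions constructed for illustration; no dpkg-query process is run.

```python
# Added illustration: keep ${Status} in the dpkg-query output and use it to
# exclude removed ("rc") packages before matching against CVE data.

TOK = "|ANCHORETOK|"

# Same fields as the dpkg-query call quoted in the issue, plus ${Status}.
FIELDS = [
    "${Package}", "${Version}", "${Architecture}", "${Installed-Size}",
    "${source:Package}-${source:Version}", "${Maintainer}", "${Status}",
]
KEYS = ["package", "version", "arch", "size", "source", "maintainer", "status"]

# dpkg states in which the package's program files are not on disk.
# An "rc" package reports ${Status} as "deinstall ok config-files".
REMOVED_STATES = {"config-files", "not-installed"}


def build_dpkg_query_cmd(unpackdir):
    """Build the argv for dpkg-query against an unpacked image rootfs."""
    fmt = TOK.join(FIELDS) + "\\n"  # dpkg-query expands the \n escape itself
    return ["dpkg-query",
            "--admindir=" + unpackdir + "/rootfs/var/lib/dpkg",
            "-W", "-f=" + fmt]


def parse_dpkg_output(text):
    """Split each output line into a record; skip lines with the wrong shape."""
    records = []
    for line in text.splitlines():
        parts = line.split(TOK)
        if len(parts) != len(KEYS):
            continue
        rec = dict(zip(KEYS, (p.strip() for p in parts)))
        words = rec["status"].split()  # "<want> <error-flag> <state>"
        rec["want"] = words[0] if words else ""
        rec["state"] = words[-1] if words else ""
        records.append(rec)
    return records


def installed_packages(records):
    """Keep only packages that still have files installed in the image."""
    return [r for r in records if r["state"] not in REMOVED_STATES]


# Constructed sample output (package names and versions are made up).
SAMPLE_OUTPUT = "\n".join([
    TOK.join(["libexample1", "1.2.3-1+deb8u2", "amd64", "1024",
              "example-1.2.3-1+deb8u2", "Maintainer <m@example.invalid>",
              "install ok installed"]),
    TOK.join(["oldtool", "0.9-4", "amd64", "200",
              "oldtool-0.9-4", "Maintainer <m@example.invalid>",
              "deinstall ok config-files"]),
    TOK.join(["halfpkg", "2.0-1", "amd64", "50",
              "halfpkg-2.0-1", "Maintainer <m@example.invalid>",
              "install ok unpacked"]),
])

if __name__ == "__main__":
    for rec in installed_packages(parse_dpkg_output(SAMPLE_OUTPUT)):
        print(rec["package"], rec["version"], rec["state"])
```

Packages in the unpacked state are kept on purpose, because their files are present in the image even though configuration did not finish.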

Support auto completion on query names

Enable tab completion on the set of queries currently available. Will require writing a wrapper for click around each script in the queries directory and wiring it up at command time for --help output.

anchore explore query --help Should also output the set of queries available.

Docker image?

Wouldn't it make sense for a container security tool to actually have a container image that we can run the tool from instead of requiring to actually install it on a specific Linux OS?

At least from what the README shows, it's all manual installation.

ERROR failed to run gates

Hi,

I added anchore in our Jenkins pipelines for quite a while, but since today I get this strange error

INFO   AnchoreWorker   Jenkins version: 2.93
INFO   AnchoreWorker   Anchore Container Image Scanner Plugin version: 1.0.12
INFO   AnchoreWorker   [global] enabled: true
INFO   AnchoreWorker   [global] enginemode: anchorelocal
INFO   AnchoreWorker   [global] engineurl: null
INFO   AnchoreWorker   [global] engineuser: null
INFO   AnchoreWorker   [global] enginepass: ****
INFO   AnchoreWorker   [global] engineverify: false
INFO   AnchoreWorker   [global] debug: false
INFO   AnchoreWorker   [global] useSudo: false
INFO   AnchoreWorker   [global] containerImageId: anchore/jenkins:latest
INFO   AnchoreWorker   [global] containerId: jenkins_anchore
INFO   AnchoreWorker   [global] localVol: /data/jenkins/anchore/data
INFO   AnchoreWorker   [global] modulesVol: 
INFO   AnchoreWorker   [build] name: anchore_images
INFO   AnchoreWorker   [build] policyName: jenkins/anchore/anchore_policy
INFO   AnchoreWorker   [build] globalWhiteList: anchore_global_whitelist
INFO   AnchoreWorker   [build] anchoreioUser: 
INFO   AnchoreWorker   [build] anchoreioPass: ****
INFO   AnchoreWorker   [build] userScripts: anchore_user_scripts
INFO   AnchoreWorker   [build] engineRetries: 300
INFO   AnchoreWorker   [build] bailOnFail: false
INFO   AnchoreWorker   [build] bailOnWarn: false
INFO   AnchoreWorker   [build] bailOnPluginFail: false
INFO   AnchoreWorker   [build] doCleanup: false
INFO   AnchoreWorker   [build] useCachedBundle: true
INFO   AnchoreWorker   [build] policyEvalMethod: plainfile
INFO   AnchoreWorker   [build] bundleFileOverride: anchore_policy_bundle.json
INFO   AnchoreWorker   [build] query: list-packages all
INFO   AnchoreWorker   [build] query: list-files all
INFO   AnchoreWorker   [build] query: cve-scan all
INFO   AnchoreWorker   [build] query: show-pkg-diffs base
$ docker start jenkins_anchore
Error response from daemon: No such container: jenkins_anchore
Error: failed to start containers: jenkins_anchore
$ docker inspect anchore/jenkins:latest
INFO   AnchoreWorker   Launching Anchore container jenkins_anchore from image anchore/jenkins:latest
$ docker run -d -v /var/run/docker.sock:/var/run/docker.sock -v /data/jenkins/anchore/data:/root/.anchore --name jenkins_anchore anchore/jenkins:latest
$ docker exec jenkins_anchore mkdir -p /root/anchore.feature/WEB-3093_10
$ docker cp /data/jenkins/workspace/app_feature_WEB-3093/Dockerfile.prod jenkins_anchore:/root/anchore.feature/WEB-3093_10/dfile.1
$ docker cp /data/jenkins/workspace/app_feature_WEB-3093/AnchoreReport.feature/WEB-3093_10/staged_images.feature/WEB-3093_10 jenkins_anchore:/root/anchore.feature/WEB-3093_10/images
INFO   AnchoreWorker   Bundle file either not specified or does not exist, using default Anchore policy
$ docker cp /data/jenkins/workspace/app_feature_WEB-3093/jenkins/anchore/anchore_policy jenkins_anchore:/root/anchore.feature/WEB-3093_10/policy
INFO   AnchoreWorker   Global whitelist file either not specified or does not exist, using default Anchore global whitelist
INFO   AnchoreWorker   Running Anchore Analyzer
$ docker exec jenkins_anchore anchore analyze --skipgates --imagefile /root/anchore.feature/WEB-3093_10/images
3f9ba64c4f25: analyzing ...
3f9ba64c4f25: analyzed.
99b5f7513629: analyzing ...
99b5f7513629: analyzed.
INFO   AnchoreWorker   Running Anchore Gates
$ docker exec jenkins_anchore anchore --json gate --imagefile /root/anchore.feature/WEB-3093_10/images --show-triggerids --show-whitelisted --policy /root/anchore.feature/WEB-3093_10/policy
99b5f75136297a93285bc8220cc021db814fe919ce50e6f1b7c7c305897a8e17: evaluating policies...
ERROR FAILED
ERROR 	CMD: /usr/lib/python2.7/site-packages/anchore/anchore-modules/gates/11_check_image.py /root/.anchore/querytmp/queryimages.13485700 /root/.anchore/data /root/.anchore/querytmp all
ERROR 	EXITCODE: 1
ERROR 	OUTPUT: 
ERROR failed to run gates: one or more gates failed to execute
2017-12-07T10:18:33.922 ERROR  AnchoreWorker   Gate output file not found or empty: /data/jenkins/workspace/app_feature_WEB-3093/AnchoreReport.feature/WEB-3093_10/anchore_gates.json
2017-12-07T10:18:33.922 WARN   AnchorePlugin   Marking Anchore Container Image Scanner build step as successful despite errors in plugin execution
$ docker exec jenkins_anchore rm -rf /root/anchore.feature/WEB-3093_10
2017-12-07T10:18:34.066 INFO   AnchorePlugin   Completed Anchore Container Image Scanner build step

ERROR could not load any images: Input image name 'ubuntu:latest' not found in local dockerhost or anchore DB.

I found an issue in my local environment;
it would be great if someone could help.

$ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 0458a4468cbc 2 months ago 112MB
anchore-cli latest ed50bcd9815c 5 hours ago 859MB

$ docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1b65f2961cf4 anchore-cli:latest "tail -F /var/log/an…" 10 minutes ago Up 10 minutes anchore

$ anchore feeds list

Available:
packages:
description: Feed record for type packages
Subscribed:
nvd:
description: Feed record for type nvd
vulnerabilities:
description: Feed record for type vulnerabilities

$ anchore analyze --image ubuntu:latest --imagetype base

ERROR could not load any images: Input image name 'ubuntu:latest' not found in local dockerhost or anchore DB.

Docker image not getting analyzed with anchore-engine

Hi,

I have set up anchore-engine using docker-compose but I am not able to analyze any image.

Docker-compose ps

Name                        Command                          State   Ports
aevolume_anchore-db_1       docker-entrypoint.sh postgres    Up      5432/tcp
aevolume_anchore-engine_1   /bin/sh -c /usr/bin/anchor ...   Up      0.0.0.0:8083->8083/tcp, 0.0.0.0:8084->8084/tcp, 0.0.0.0:8087->8087/tcp, 0.0.0.0:8228->8228/tcp, 0.0.0.0:8338->8338/tcp

When I add the image it always returns status as not_analyzed.
anchore-cli image add registry.gitlab.com/its_vedu/nginx-docker:latest
Image Digest: sha256:21a54b24b692dd1b7e7acc623ade182b649a12cbc63eb090abc801d5556c58d4
Analysis Status: not_analyzed
Image Type: docker
Image ID: de278a11a415411431f9ca81a14ca2a6250a7cf03576c09236b0d6d37a8c587f
Dockerfile Mode: None
Distro: None
Distro Version: None
Size: None
Architecture: None
Layer Count: None

Full Tag: registry.gitlab.com/its_vedu/nginx-docker:latest
I came to know that if the image is queued it goes to the not_analyzed state, and hence managed to get some logs.

anchore-engine_1 | [service:simplequeue] 2018-07-25 23:09:00+0000 [-] "172.18.0.3" - - [25/Jul/2018:23:09:00 +0000] "POST /v1/queues/watcher_tasks/is_inqueue HTTP/1.1" 200 3 "-" "python-requests/2.17.3"
anchore-engine_1 | [service:simplequeue] 2018-07-25 23:09:00+0000 [-] "172.18.0.3" - - [25/Jul/2018:23:09:00 +0000] "POST /v1/queues/watcher_tasks/?qcount=0&forcefirst=False HTTP/1.1" 200 5 "-" "python-requests/2.17.3"

anchore-engine_1 | [service:simplequeue] 2018-07-25 23:09:28+0000 [-] "172.18.0.3" - - [25/Jul/2018:23:09:28 +0000] "GET /v1/leases/analyzer_queue/release/?client_id=d1ea844bb62d:17:140187329885952:&epoch=2302[service:policy_engine] 2018-07-25 23:09:29+0000 [-] [bootstrap] [INFO] Registration complete.
anchore-engine_1 | [service:policy_engine] 2018-07-25 23:09:29+0000 [-] [bootstrap] [INFO] Checking feeds client credentials

anchore-engine_1 | Traceback (most recent call last):
anchore-engine_1 | File "/usr/lib/python2.7/site-packages/anchore_manager/cli/service.py", line 140, in startup_service
anchore-engine_1 | raise Exception("process exited: " + str(rc))
anchore-engine_1 | Exception: process exited: 1
anchore-engine_1 | [anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] service process exited at (Wed Jul 25 23:09:30 2018): process exited: 1
anchore-engine_1 | [anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] exiting service thread

Any help is greatly appreciated.

Thanks,
VedaPrasad

Anchore List All Analyzed Containers

I apologize in advance if this is already available, but is there a way to view everything you analyzed? I've automated the analysis process, but just realized I couldn't find the command to view all the containers that Anchore has analyzed.

anchore feeds list/sync cause certificate verify failed

Hello, I have installed Anchore Scanner on my own centos7 host, all other commands are ok except the command "anchore feeds list/sync". It raised errors as follows:

$ anchore feeds list
| ERROR could not sync feed metadata from service: cannot get list of feeds from service
| Message from server: "connection timed out: increase anchore_auth_conn_timeout higher or try again"

Then I try to debug the code:
headers = {'x-anchore-password': password}
try:
    import pdb;pdb.set_trace()
    r = requests.get(url, headers=headers, timeout=conn_timeout)
except:
    # print "request timed out"
    ret['text'] = json.dumps("connection timed out: increase anchore_auth_conn_timeout higher or try again")
    return (False, ret)

Then it raises the true error as follows:

$ anchore feeds list
| ERROR could not sync feed metadata from service: cannot get list of feeds from service
| Message from server: server error: HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/[email protected] (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

I use all default config so I cannot figure out this problem, so I need the team's help, thanks!
I wonder if the user/pwd provided in code ([email protected]/pbiU2RYZ2XrmYQ) is expired?
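Added example (not part of the original issue and not anchore's own code): the catch-all handler quoted above next to a version that reports a TLS verification failure as what it is and retries only transient timeouts, which is also what the earlier Docker read-timeout issue asks for. It uses standard-library exception types instead of requests; `fetch_masked`, `fetch_feed`, `unwrap`, `classify`, `flaky` and `bad_cert` are hypothetical names, and the failing requests are constructed stand-ins so the block runs offline.

```python
import json
import socket
import ssl
import time
import urllib.error


def fetch_masked(do_request):
    """Pattern from the quoted snippet: every failure is reported as a timeout."""
    try:
        return (True, {"text": do_request()})
    except:  # noqa: E722 - kept bare on purpose to mirror the original
        return (False, {"text": json.dumps(
            "connection timed out: increase anchore_auth_conn_timeout "
            "higher or try again")})


def unwrap(exc):
    """urllib wraps the low-level error in URLError.reason; return the cause."""
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, Exception):
        return exc.reason
    return exc


def classify(exc):
    """Name the failure so the caller can tell a timeout from a TLS problem."""
    cause = unwrap(exc)
    if isinstance(cause, ssl.SSLCertVerificationError):
        return "tls-verify"
    if isinstance(cause, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(cause, ssl.SSLError):
        return "tls"
    return "other"


def fetch_feed(do_request, retries=3, base_delay=0.5, sleep=time.sleep):
    """Call do_request(); retry timeouts with backoff, fail fast on the rest.

    do_request is any zero-argument callable, for example a lambda around
    urllib.request.urlopen(url, timeout=...).read().
    """
    retries = max(1, retries)
    for attempt in range(1, retries + 1):
        try:
            return (True, {"text": do_request(), "attempts": attempt})
        except OSError as exc:  # URLError, SSLError and timeouts are OSErrors
            kind = classify(exc)
            if kind == "timeout" and attempt < retries:
                sleep(base_delay * 2 ** (attempt - 1))
                continue
            # A certificate failure is not transient: report the real cause
            # and leave certificate verification enabled.
            return (False, {"kind": kind, "attempts": attempt,
                            "text": json.dumps("%s: %s" % (kind, unwrap(exc)))})


def flaky(failures, payload='{"feeds": []}'):
    """Constructed stand-in: times out `failures` times, then returns data."""
    state = {"left": failures}

    def do_request():
        if state["left"] > 0:
            state["left"] -= 1
            raise socket.timeout("timed out")
        return payload
    return do_request


def bad_cert():
    """Constructed stand-in for a server whose certificate fails verification."""
    raise urllib.error.URLError(ssl.SSLCertVerificationError(
        1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"))


if __name__ == "__main__":
    print(fetch_masked(bad_cert))
    print(fetch_feed(bad_cert, sleep=lambda s: None))
    print(fetch_feed(flaky(2), sleep=lambda s: None))
```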

Inconsistencies when downloading debian feed data

It seems to be a flip of the coin for successfully downloading debian group data when running 'feeds sync'. Any particular reason why? If the issue is upstream, could we maybe include a retry if a failure occurred?

Since I'm planning to periodically build an anchore container image so that it has fresh CVE data instead of running a 'feed sync' before each scan, this could lead to an image not containing any CVE data for debian.

Sample Output:
syncing group data: debian:unstable: ...
WARN: failed to download feed/group data (vulnerabilities/debian:unstable): check --debug output and/or try again
syncing group data: ubuntu:16.04: ...
syncing group data: centos:6: ...
syncing group data: centos:7: ...
syncing group data: centos:5: ...
syncing group data: ubuntu:14.10: ...
syncing group data: ubuntu:15.04: ...
syncing group data: debian:9: ...
WARN: failed to download feed/group data (vulnerabilities/debian:9): check --debug output and/or try again
syncing group data: debian:8: ...
WARN: failed to download feed/group data (vulnerabilities/debian:8): check --debug output and/or try again
syncing group data: ubuntu:12.04: ...
syncing group data: debian:7: ...
WARN: failed to download feed/group data (vulnerabilities/debian:7): check --debug output and/or try again

sample jenkins integration

The documentation says there is support for jenkins integration, is there some example how this works or a blog post ?

Filter group data sync

Hi !

When using Anchore docker container to scan a specific image, it is useless to sync all OS group data.

I didn't find any option to filter the group data I need to sync.

Is there such an option ? If not wouldn't it be nice to have it ?

Thanks !

alpine:3.7 not supported

Hi,

do you have any plans to add the new version of alpine to your supported distro list?

Would be great :)

Alpine cve-scan false positives

I'm noticing some false positives when performing CVE scanning on an alpine image

screen shot 2017-05-01 at 12 08 40 pm

In the screenshot above you can see that CVE-2016-4074 is reported against jq-1.5-r1, I was able to find the following db - https://github.com/eedevops/alpine-cve-db/blob/master/alpine-linux-package-cve-db.json that shows that jq-1.5-r0 was vulnerable. I'm also not seeing this CVE reported in the alpine sec-db: https://git.alpinelinux.org/cgit/alpine-secdb/tree/v3.4

Additionally, it is also reporting CVE-2015-3717 which is not listed in any of the alpine secdbs. Is the CVE scanning also including data from non-alpine cve feeds?

Navigator 'Copy badge links' provide an incorrect url (site root) instead of the intended container image url

Go to https://anchore.io/image/dockerhub/anchore%2Fcli%3Alatest and click on 'Copy badge links'. You will see options to copy markdown or html. Either choice provides the image badge that links to https://anchore.io instead of the intended url for this container image.

Here are the markdown results:
[![Anchore Image Overview](https://anchore.io/service/badges/image/64e95dd583882673b5ea2957bbff88e308c7c95a3bf26c0c88c7014d92281dae)](https://anchore.io)

Here are the html results:
<a style="margin:0;padding:0;text-decoration-none;color:transparent;" href="https://anchore.io" target="_blank" ><img src="https://anchore.io/service/badges/image/64e95dd583882673b5ea2957bbff88e308c7c95a3bf26c0c88c7014d92281dae" /></a>

image input strings are inconsistent

Some operations support 'repo' or 'repo:tag' style or 12 character hex ID style, but some do not (queries for example). Best if the CLI supported a general lookup for any input style wherever an 'image' is an input parameter.

Handle spaces in filenames

The filelist analyzer uses awk to extract file names and permissions

tar tvf $UNPACKDIR/squashed.tar | awk '{print $6, $1}' | sort -k 1 | uniq > $OUTPUTDIR/files.all

In cases where a filename contains spaces then only the first part of the filename, preceding the space, will be retrieved.
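Added example (not part of the original issue and not anchore's own code): the field-6 extraction from the awk pipeline above, reproduced on a constructed archive, next to a listing read from the tar headers with Python's tarfile module. The archive contents and all function names are assumptions made for illustration.

```python
import io
import stat
import tarfile

# Constructed archive contents: two names differ only after a space.
SAMPLE_FILES = [
    ("usr/bin/tool", 0o755),
    ("etc/app config.yaml", 0o644),
    ("etc/app secrets.yaml", 0o644),
]


def build_sample_tar():
    """Build a small in-memory tar so the example runs without any image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in SAMPLE_FILES:
            data = b"demo\n"
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def perms_string(member):
    """Render the permission column the way `tar tvf` shows it."""
    if member.isdir():
        kind = stat.S_IFDIR
    elif member.issym():
        kind = stat.S_IFLNK
    else:
        kind = stat.S_IFREG
    return stat.filemode(kind | member.mode)


def listing_lines(tar_bytes):
    """Produce lines in the six-column layout of `tar tvf` (fixed date)."""
    lines = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            lines.append("%s %s/%s %d 2017-01-01 00:00 %s" % (
                perms_string(m), m.uname, m.gname, m.size, m.name))
    return lines


def naive_entries(lines):
    """Equivalent of awk '{print $6, $1}' | sort | uniq on the listing."""
    entries = set()
    for line in lines:
        fields = line.split()
        entries.add((fields[5], fields[0]))  # name is cut at the first space
    return sorted(entries)


def header_entries(tar_bytes):
    """Read names and modes from the tar headers, so spaces are preserved."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return sorted({(m.name, perms_string(m)) for m in tar.getmembers()})


if __name__ == "__main__":
    archive = build_sample_tar()
    print("field split :", naive_entries(listing_lines(archive)))
    print("tar headers :", header_entries(archive))
```

With the field split, both files under etc/ collapse into a single "etc/app" entry after deduplication, so the file inventory is missing a file as well as carrying a wrong name.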

anchore subscription show <filter> returns incorrect current subscription value

When using a filter value in 'anchore subscription show' the result component for 'current subscriptions' is empty when it should contain results that match the filter.


root@ubuntu:/# anchore subscriptions show node
Available:
 - node
Current Subscription: []

root@ubuntu:/# anchore subscriptions show
Available:
- mongo
- redis
- node
- debian
- elasticsearch
- centos
- nginx
- ubuntu
- postgres
- mysql
- busybox
Current Subscription:
- redis:latest
- node:latest
- ubuntu:latest
- centos:latest
- mongo:latest

Feature: add image name list tool to anchore toolbox

Would be good for anchore to include a tool for listing together all the names a particular container image has that is referenceable by the tool (repo, repo:tag, short ID, digest, long ID)

suggest for example

# anchore toolbox list-images
<list of repo:tags> <shortId> <longId> <digest> <list of all past repo:tags> <location> <is-analyzed> <imagetype>
...
...

'location' could initially be one or more of: in-docker, in-anchore

Plugin Issue on Jenkins

Hi,

I am evaluating the plugin to be using as part of CI pipeline on Jenkins.

However the Anchore analysis's failing with the following error:

$ docker exec jenkins_anchore anchore analyze --skipgates --imagefile /root/anchore.TestAnchoreAnalysis_6/images
Error setting up/reading Anchore configuration
Info: [Errno 13] Permission denied: '/root/.anchore/conf'

Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore/cli/__init__.py", line 150, in main_entry
anchore_conf = AnchoreConfiguration(cliargs=args)
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 83, in __init__
self.config_dir, self.config_file = self.find_config_file()
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 172, in find_config_file
os.makedirs(self.DEFAULT_CONFIG_DIR)
File "/usr/lib64/python2.7/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/root/.anchore/conf'
Expected, but did not find configuration file at /root/.anchore/conf/config.yaml
2017-11-01T14:13:42.024 ERROR AnchoreWorker Anchore analyzer failed with return code 1, check output above for details
2017-11-01T14:13:42.024 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin build step due to errors in plugin execution
hudson.AbortException: Anchore analyzer failed, check output above for details
at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzerLocal(BuildWorker.java:295)
at com.anchore.jenkins.plugins.anchore.BuildWorker.runAnalyzer(BuildWorker.java:175)
at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:233)
at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
at hudson.security.ACL.impersonate(ACL.java:260)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
$ docker exec jenkins_anchore rm -rf /root/anchore.TestAnchoreAnalysis_6
$ docker exec jenkins_anchore anchore toolbox --image experiencedevops/customerservice:6-d27f03d delete --dontask
Error setting up/reading Anchore configuration
Info: [Errno 13] Permission denied: '/root/.anchore/conf'
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore/cli/__init__.py", line 150, in main_entry
anchore_conf = AnchoreConfiguration(cliargs=args)
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 83, in __init__
self.config_dir, self.config_file = self.find_config_file()
File "/usr/lib/python2.7/site-packages/anchore/configuration.py", line 172, in find_config_file
os.makedirs(self.DEFAULT_CONFIG_DIR)
File "/usr/lib64/python2.7/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/root/.anchore/conf'
Expected, but did not find configuration file at /root/.anchore/conf/config.yaml
2017-11-01T14:13:42.527 WARN AnchoreWorker Failed to delete analytics for experiencedevops/customerservice:6-d27f03d from Anchore database, process returned 1

Can you please help.

Followed the config as provided in the project.

Thanks in advance

Milind

anchore CLI < 1.1.1 may show duplicate CVE entries for cve-scan query

Due to duplicate CVE records in the data feed, anchore CLI versions < 1.1.1 may incorrectly merge new CVE data with old CVE data, leading to the resulting output for anchore cve-scan, cve-scan simple, and anchoresec gates containing duplicate entries for CVEs with multiple records in the stored data feed.

To ensure the latest and most accurate CVE reporting, users should upgrade to anchore >= 1.1.1, which supports unique CVE record checking from the anchore vulnerability data feed service, regardless of whether duplicates exist from previous anchore feed syncs locally.

Confusion about using commands

Hi, I recently installed anchore engine using docker-compose and the python command line client.
Reading through the documentation, I discovered another command pattern aside from anchore-cli ... . There are instructions using anchore .... e.g. anchore analyze --image 96eecaf1019a --imagetype none.

Trying the command results in an error:
WARNING:root:could not open file '/etc/apt/sources.list'
anchore: command not found

Please are these different ? Also it seems the latter command is richer ??
Will be glad to get more clarity. Thanks.
