This repository has been archived by the owner on Jun 21, 2022. It is now read-only.

Support for uncompressed OCI layers #117

Open
elerch opened this issue Jun 1, 2020 · 2 comments

elerch commented Jun 1, 2020

Running trivy in debug mode on an OCI image I ran across the error message:

```
unexpected media type: application/vnd.oci.image.layer.v1.tar for layer: sha256:
```

The stack trace pointed to docker.go:220, where I lost the trail for the moment since it's now calling an interface method and I didn't have the time to work out the runtime type at play. Note that docker.go has been refactored since this commit a few weeks ago.

I noticed that application/vnd.oci.image.layer.v1.tar+gzip is explicitly part of the test suite, but not application/vnd.oci.image.layer.v1.tar. It does look like uncompressed image layers are supported by the underlying library - see OCIUncompressedLayer vs OCILayer in go-containerregistry:/pkg/v1/types/types_test.go.

Here's the full debug output in case it's interesting at all. Trivy version is 0.8.0, run with an OCI image created with this command:

```
buildah push docker.lerch.org/zoom-us:5.0.398100.0427 oci:./zoom-5
```

```
2020-06-01T14:10:53.940-0700    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2020-06-01T14:10:53.945-0700    DEBUG   cache dir:  /home/lobo/.cache/trivy
2020-06-01T14:10:53.946-0700    DEBUG   DB update was skipped because DB is the latest
2020-06-01T14:10:53.946-0700    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2020-06-01 12:09:35.398005814 +0000 UTC, NextUpdate: 2020-06-02 00:09:35.398005514 +0000 UTC
2020-06-01T14:10:53.946-0700    DEBUG   Vulnerability type:  [os library]
2020-06-01T14:10:53.951-0700    FATAL   error in image scan:
    github.com/aquasecurity/trivy/internal/standalone.run
        /home/circleci/project/internal/standalone/run.go:100
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanImage
        /home/circleci/project/pkg/scanner/scan.go:85
  - analyze error:
    github.com/aquasecurity/fanal/analyzer.Config.Analyze
        /go/pkg/mod/github.com/aquasecurity/[email protected]/analyzer/analyzer.go:115
  - failed to analyze layer: sha256:993eeab5755c709342dc56aee695598a390258d1c0c5c7e4cafba219e1eb60f0 :
    github.com/aquasecurity/fanal/analyzer.Config.analyze.func1
        /go/pkg/mod/github.com/aquasecurity/[email protected]/analyzer/analyzer.go:134
  - unable to extract files from layer sha256:993eeab5755c709342dc56aee695598a390258d1c0c5c7e4cafba219e1eb60f0:
    github.com/aquasecurity/fanal/analyzer.Config.analyzeLayer
        /go/pkg/mod/github.com/aquasecurity/[email protected]/analyzer/analyzer.go:170
  - failed to get the layer (sha256:993eeab5755c709342dc56aee695598a390258d1c0c5c7e4cafba219e1eb60f0):
    github.com/aquasecurity/fanal/extractor/docker.Extractor.ExtractLayerFiles
        /go/pkg/mod/github.com/aquasecurity/[email protected]/extractor/docker/docker.go:220
  - unexpected media type: application/vnd.oci.image.layer.v1.tar for layer: sha256:7faae7f37d36e2a5dac1da9233bbb6c8acab26fdb3bdffd6f665ca2a8d6a71f0
```
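
The media-type distinction reported above, as an added example that is not part of the original issue and is not trivy's or fanal's code: a Go helper using only the standard library that reads a layer whether its descriptor declares plain tar or tar+gzip, and rejects anything else. `listLayer` and `sampleLayers` are hypothetical names, and the sample layer is constructed in the code.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

const ociLayer = "application/vnd.oci.image.layer.v1.tar+gzip" // OCI image spec media types
const ociUncompressedLayer = "application/vnd.oci.image.layer.v1.tar"

// listLayer (hypothetical helper) lists a layer's files, picking the decoder by media type.
func listLayer(mediaType string, r io.Reader) (names []string, err error) {
	switch mediaType {
	case ociUncompressedLayer: // plain tar, nothing to unwrap
	case ociLayer:
		if r, err = gzip.NewReader(r); err != nil {
			return nil, fmt.Errorf("declared %s but not gzip: %w", mediaType, err)
		}
	default:
		return nil, fmt.Errorf("unexpected media type: %s", mediaType)
	}
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
	return names, nil
}

// sampleLayers builds one constructed single-file layer as plain tar and as tar+gzip.
func sampleLayers() (plain, gzipped []byte) {
	var raw, zipped bytes.Buffer
	zw := gzip.NewWriter(&zipped)
	tw := tar.NewWriter(io.MultiWriter(&raw, zw))
	tw.WriteHeader(&tar.Header{Name: "etc/os-release", Typeflag: tar.TypeReg, Mode: 0644, Size: 3})
	tw.Write([]byte("ID\n"))
	tw.Close()
	zw.Close()
	return raw.Bytes(), zipped.Bytes()
}

func main() {
	plain, _ := sampleLayers()
	fmt.Println(listLayer(ociUncompressedLayer, bytes.NewReader(plain)))
}
```

A scanner that returns an error for an unknown layer media type, as here, fails visibly instead of reporting an image as clean when some of its layers were never read.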

elerch commented Jun 3, 2020

More info on this - the image was a locally built image. Buildah leaves local images uncompressed, but compresses them on push to a registry. See --disable-compression commentary at https://github.com/containers/buildah/blob/master/docs/buildah-bud.md

@sushiMix

Hello, do you plan to support it?
