来自私有存储库的 snyk 容器测试

Question

I'm trying to use snyk with a privately hosted repository that is managed using podman.

snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d

I've tried using oci.example.com/image:latest oci.example.com/image:arm64 also and making sure they exist on the repository.

The error I keep getting is: snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests

I can reproduce the same error using the API directly: curl -u 'user:pass' -i -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://oci.example.com/v2/mailpile/image/latest

This works though: curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/[IMAGE]/manifests/latest

I wonder what I'm missing. Maybe snyk relies on a distribution.manifest that podman push oci.example.com/image does not seem to provide, suspected after reading: https://podman.io/blogs/2021/10/11/multiarch.html Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you'll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you're on Podman v3.4, use the buildah tag command instead. Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you'll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you're on Podman v3.4, use the buildah tag command instead. I also verified this peeking with manifest inspect , indeed it seems it only attaches image and no distribution.manifest by default.

The OpenSUSE Debian Podman repo latest version:

$ podman --version
podman version 3.3.1
$ buildah --version
buildah version 1.21.3 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev)

From the article The podman tag command is broken for manifest lists in v3.4, but works in Buildah v1.23.1. I'm not entirely sure what this means and how this affects my situation.

So I've tried to follow article as above:

podman push oci.example.com/image:arm64
podman manifest add oci.example.com/image:latest docker://oci.example.com/image:arm64
podman manifest push --all oci.example.com/image:latest docker://oci.example.com/image:latest

Then run snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image -d

Still get same error: snyk-test error: FailedToRunTestError: OCI manifest found, but accept header does not support OCI manifests same issue if I attempt :arm64

But attempting :latest tag. snyk container test --username="user" --password="pass" --platform="linux/arm64" oci.example.com/image:latest -d snyk-test error: FailedToRunTestError: Cannot read property 'digest' of undefined

I've tried to delete the image from the registry and start over: curl -u 'user:pass' -i -H "Accept: application/vnd.oci.image.manifest.v1+json" https://oci.example.com/v2/image/manifests/latest

curl -u "user:pass" -X "DELETE" https://oci.example.com/v2/image/manifests/sha256:1298754b84f5fa37425cd5c2ccc4eb7a1f70433611ad430e467d8e8d52caeced

.. but always get similar results.

Answer 1

修复步骤：

podman build --format=docker -t oci.example.com/image .

podman push oci.example.com/image oci.example.com/image