Image Scanning



  • Hi,

    I'm testing ProGet (2024.32) for my company, and one of the features I was really excited about having was the image scanning, when an image is pushed to the repository (or pulled via connector).

    I'm having some trouble with this. The image enters the feed, the blob scanner starts, but then it ends with:

    Error scanning blob <blob identifier> (id=<id>) TarBuffer.ReadBlock - no input stream defined.
    

    The error changes from the previous, to

    Cannot be less than zero (Parameter 'value')
    

    or

    Header checksum is invalid
    

    All the images that were pulled/pushed into the feed have "Not scanned" and show no vulnerabilities, even the ones I know have them. No information on the packages tab of the image.

    Am I missing some configuration? What can I do?

    Another question: is there a way to populate the vulnerabilities database with a script? My installation will have no internet access, so it will not be able to update the database.

    Thanks!



  • inedo-engineer

    Hi @guilherme-silva_2532 ,

    This error means there's some kind of problem/issue with the format of the blob file. Tar is a very finicky format, so we'd need to be able to recreate this in a lab/debug setting.

    If you can create a simple repro case then we'd be happy to investigate further.

    As for vulnerabilities, each version of ProGet ships with an offline database. So you should be fine as long as you upgrade semi-regularly.

    Cheers,
    Alana
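
For the repro case requested above, one way to triage a layer blob saved to disk before sending it in, as an added example that is not part of this thread and not ProGet's scanner code: it applies the standard tar header checksum rule to the first 512-byte block and unwraps gzip-compressed layers first. The function names and the sample blobs are constructed for illustration.

```python
import gzip, io, tarfile, zlib

BLOCK = 512  # tar headers and data are laid out in 512-byte blocks

def header_checksum_ok(block: bytes) -> bool:
    """Checksum = sum of the 512 header bytes, with the 8-byte checksum
    field at offset 148 counted as ASCII spaces; stored as octal text."""
    try:
        stored = int(block[148:156].strip(b" \0"), 8)
    except ValueError:
        return False
    return stored == sum(block[:148]) + 8 * 0x20 + sum(block[156:BLOCK])

def classify_blob(data: bytes) -> str:
    """Triage one blob: 'tar:<n>', 'empty-tar', 'not-tar', 'corrupt-gzip',
    'bad-header-checksum' or 'corrupt-tar'."""
    if data[:2] == b"\x1f\x8b":  # gzip magic: decompress first
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return "corrupt-gzip"
    if len(data) < BLOCK:
        return "not-tar"
    if data[:BLOCK] == bytes(BLOCK):  # all-zero block = end-of-archive marker
        return "empty-tar"
    if not header_checksum_ok(data[:BLOCK]):
        return "bad-header-checksum"
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return f"tar:{len(tf.getmembers())}"
    except tarfile.TarError:
        return "corrupt-tar"

def sample_layer() -> bytes:
    """Constructed sample: an uncompressed tar holding one small file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"Package: demo\n"
        info = tarfile.TarInfo("var/lib/dpkg/status")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    layer = sample_layer()
    damaged = bytes([layer[0] ^ 0xFF]) + layer[1:]
    for name, blob in [("layer", layer), ("gzip layer", gzip.compress(layer)),
                       ("damaged", damaged), ("config json", b'{"os":"linux"}')]:
        print(f"{name}: {classify_blob(blob)}")
```

A blob that classifies as `tar:<n>` locally but still fails in the scanner is the kind of minimal input that makes a useful repro attachment.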



  • Hi @atripp

    Thanks for your reply.

    For testing purposes, I'm running on a Windows host, with internet access.

    So, I have a clean install via Inedo Hub. Just entered the trial License Key, created a feed, connected it to registry.hub.docker.com and pulled vulnerables/web-dvwa (latest). I can see the error/warn in the executions.

    I'm not sure this is the intended way to use it.


  • inedo-engineer

    Hi @guilherme-silva_2532,

    The warnings in the blob layer scanner are to be expected in most images. Not every layer includes a file system. The layer scanner scans each layer for an application database. This will vary from layer to layer.

    There was also a bug released in ProGet 2024.32 that was not recording certain layer scanner results properly. This will be fixed in PG-2943 and will be released in the maintenance release this Friday. This may be why you are not seeing any packages found in this container.

    Thanks,
    Dan

