Vulnerability Report's report.artifact.digest field is the artifact's image_id not digest #2259
Comments
This issue is stale because it has been labeled with inactivity.
Encountered the same issue :/ I guess the source of confusion is the fact that what Trivy and Docker call

❯ k get pod -o json cert-manager-6947bb5c7f-k7vwj | jq -r '.status.containerStatuses.[].imageID' (syn-s001-eu-west-aks-loki1-001-admin/cert-manager)
quay.io/jetstack/cert-manager-controller@sha256:057ace5734b53ebdec20b3a0d182c37c9ef0014e9f6364f9b99018e76936e984

while Docker shows:

By looking at the logic here, if
Trivy Operator incorrectly reported imageID as image digest. Fixes aquasecurity#2259
Hey @d-mankowski-synerise! Thanks for raising the PR, I think that makes sense. @chen-keinan sorry for tagging, but was hoping you'd have a chance to take a look and consider the proposed change? I think this makes sense overall and would be better aligned.
Chen is no longer maintaining this project. We will review the PR eventually, but I'm afraid it will take some time to get to it given the current capacity and priorities.
Thanks for responding @itaysk! Looking forward to the PR being reviewed; in the meantime, if there's anything we can help with, let us know.
What steps did you take and what happened:
We've been trying to understand why the report.artifact.digest value doesn't match the actual image digest. After digging a bit through the code, we realized that the value of report.artifact.digest is actually the image_id. Here's an example:

Per the above, the digest is sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb; however, when we scan the same image with the trivy CLI, we get the following:

As you can see, the report.artifact.digest value is Metadata.ImageID in the Trivy report:

The actual digest is in the Metadata.RepoDigests field:

What did you expect to happen:
We expect that report.artifact.digest would show the actual image digest value, instead of the image_id. Perhaps it's worth including both?
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Environment:
trivy-operator version: v0.22.0
kubectl version: 1.28.13
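The distinction the issue turns on is that Trivy's Metadata.ImageID is the digest of the image config blob, while Metadata.RepoDigests carries the registry manifest digest, which is also what a kubelet reports in containerStatuses[].imageID. The script below is an added example, not code from trivy-operator or Trivy: it reads a constructed Trivy-report excerpt (field names follow the shape shown on this page; the image name and both digests are made up), mirrors the behaviour the issue describes (taking artifact.digest from ImageID), resolves the matching RepoDigests entry instead, and checks a constructed kubelet imageID string against both. The handling of the legacy docker-pullable:// prefix some older kubelets emit is included as a convenience; it is not something the page discusses.

```python
"""ImageID vs RepoDigest: what trivy-operator reports versus what a pod runs.

Added example for trivy-operator issue #2259; not project code. The report
excerpt and the pod imageID below are constructed, with made-up digests.
"""
import re

SHA256_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed excerpt shaped like `trivy image -f json` output (not a real scan).
TRIVY_REPORT = {
    "ArtifactName": "registry.example.test/team/app:1.2.3",
    "ArtifactType": "container_image",
    "Metadata": {
        "ImageID": "sha256:" + "11" * 32,  # digest of the image config blob
        "RepoDigests": [
            "registry.example.test/team/app@sha256:" + "22" * 32,  # manifest digest
        ],
        "RepoTags": ["registry.example.test/team/app:1.2.3"],
    },
}

# Constructed Kubernetes containerStatuses[].imageID value for the same image.
POD_IMAGE_ID = "registry.example.test/team/app@sha256:" + "22" * 32


def split_reference(ref):
    """Split 'repo[:tag][@sha256:hex]' into (repo, digest-or-None)."""
    if "@" in ref:
        repo, digest = ref.split("@", 1)
    else:
        repo, digest = ref, None
    # Strip a tag from the last path component only; the registry host may carry a port.
    head, _, last = repo.rpartition("/")
    if ":" in last:
        last = last.split(":", 1)[0]
    repo = f"{head}/{last}" if head else last
    return repo, digest


def digest_from_pod_image_id(image_id):
    """Extract the sha256 digest from a kubelet imageID string.

    Handles the plain 'repo@sha256:...' form and the legacy
    'docker-pullable://repo@sha256:...' prefix (assumed older-kubelet format).
    """
    m = SHA256_RE.search(image_id)
    return m.group(0) if m else None


def digest_as_operator_reports(report):
    """What the issue says trivy-operator writes to report.artifact.digest:
    Metadata.ImageID, i.e. the config-blob digest, not the manifest digest."""
    return report["Metadata"]["ImageID"]


def repo_digest_for(report, image_ref):
    """The digest a registry pull verifies against: the RepoDigests entry whose
    repository matches image_ref. Returns None when absent, e.g. for a locally
    built image that was never pushed and therefore has no RepoDigests."""
    want_repo, _ = split_reference(image_ref)
    for entry in report["Metadata"].get("RepoDigests", []):
        repo, digest = split_reference(entry)
        if repo == want_repo and digest:
            return digest
    return None


def check_pod_against_report(pod_image_id, report):
    """Report which Trivy field the digest of the running container matches."""
    running = digest_from_pod_image_id(pod_image_id)
    image_id = digest_as_operator_reports(report)
    repo_digest = repo_digest_for(report, report["ArtifactName"])
    return {
        "running_digest": running,
        "matches_image_id": running == image_id,
        "matches_repo_digest": running == repo_digest,
    }


if __name__ == "__main__":
    print(check_pod_against_report(POD_IMAGE_ID, TRIVY_REPORT))
```

Running it shows the pod's digest matching RepoDigests and not ImageID, which is the mismatch the reporter observed; the None fallback in repo_digest_for is the case a fix in the operator has to handle, since images that were never pushed have no repo digest at all.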