chainguard-dev/apko

Some installed files are missed in the installed DB

luhring opened this issue · 0 comments

Problem

It looks like there are cases where apko installs a package but doesn't record all of the package's files to the APK installed DB at /lib/apk/db/installed. This creates "software dark matter" and has adverse effects for downstream image scans. I believe this behavior also breaks from the APK spec: https://wiki.alpinelinux.org/wiki/Apk_spec.

Steps to reproduce

  1. Build an image with the kots Wolfi package.

     example.apko.yaml:

       contents:
         packages:
           - kots

  2. Build and publish the image to somewhere.

       apko publish -r "https://packages.wolfi.dev/os" -k "https://packages.wolfi.dev/os/wolfi-signing.rsa.pub" --arch aarch64 ./example.apko.yaml ttl.sh/dldl

  3. See that this file exists in the image: /kots.

       $ crane export --platform linux/arm64 ttl.sh/dldl@sha256:<digest> - | tar -tf - | grep '^kots$'
       kots

  4. Look for an entry for this /kots file in the APK installed DB.

       $ crane export --platform linux/arm64 ttl.sh/dldl@sha256:<digest> - | tar -xOf - lib/apk/db/installed | grep '^R:kots'
       R:kotsadm_params.yaml
       R:kots-1.103.0-r0.spdx.json

Notes

It could be that the only missing case is files installed at the root of the filesystem. But we should be as sure as we can that there are no logic paths where we'd miss a file's recording in the DB.
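As an added check that is not part of this issue or of apko's own code: a small Python script that parses the installed DB and reconciles it against an image's tar listing, reporting every regular file that no package claims (the "dark matter" described above). The sample DB and tar listing are constructed to mirror the issue; the directory paths and the second package in them are assumptions, not real apko output.

```python
# Reconcile an APK installed DB (/lib/apk/db/installed) with the files actually
# present in an image and report files that no package claims. DB format (see
# https://wiki.alpinelinux.org/wiki/Apk_spec): records separated by blank lines;
# P: package name, F: a directory (no leading slash), R: a file in that directory.
import re

def parse_installed_db(text):
    """Return {package_name: set(file paths)} parsed from installed-DB text."""
    owned = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        pkg, cur_dir, files = None, "", set()
        for line in record.splitlines():
            if len(line) < 2 or line[1] != ":":
                continue
            key, value = line[0], line[2:]
            if key == "P":
                pkg = value
            elif key == "F":
                cur_dir = value.strip("/")
            elif key == "R":  # a file at the filesystem root has an empty F:
                files.add(f"{cur_dir}/{value}" if cur_dir else value)
        if pkg:
            owned.setdefault(pkg, set()).update(files)
    return owned

def unrecorded_files(tar_members, db_text, ignore=("lib/apk/db/",)):
    """Regular files in a `tar -tf` listing that no package in the DB records."""
    recorded = set().union(*parse_installed_db(db_text).values())
    return sorted(
        m.strip("/") for m in tar_members
        if not m.endswith("/")                   # skip directory entries
        and not m.strip("/").startswith(ignore)  # the DB itself is unowned
        and m.strip("/") not in recorded
    )

# Constructed sample mirroring the issue: /kots is in the image but not in the
# DB. Directory paths and the second package are assumptions, not real output.
SAMPLE_DB = """\
P:kots
F:usr/share/kots
R:kotsadm_params.yaml
F:var/lib/db/sbom
R:kots-1.103.0-r0.spdx.json

P:wolfi-baselayout
F:etc
R:os-release
"""
SAMPLE_TAR = ["kots", "etc/", "etc/os-release", "usr/share/kots/kotsadm_params.yaml",
              "var/lib/db/sbom/", "var/lib/db/sbom/kots-1.103.0-r0.spdx.json", "lib/apk/db/installed"]
```

Feed it the output of the two crane export commands above (the tar listing and the extracted lib/apk/db/installed) to run the same check against a real image.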