Some installed files are missed in the installed DB
luhring opened this issue · 0 comments
luhring commented
Problem
It looks like there are cases where apko installs a package but doesn't record all of the package's files to the APK installed DB at `/lib/apk/db/installed`. This creates "software dark matter" and has adverse effects for downstream image scans. I believe this behavior also breaks from the APK spec: https://wiki.alpinelinux.org/wiki/Apk_spec.
Steps to reproduce
- Build an image with the `kots` Wolfi package. `example.apko.yaml`:

```yaml
contents:
  packages:
    - kots
```

- Build and publish the image to somewhere.

```
apko publish -r "https://packages.wolfi.dev/os" -k "https://packages.wolfi.dev/os/wolfi-signing.rsa.pub" --arch aarch64 ./example.apko.yaml ttl.sh/dldl
```

- See that this file exists in the image: `/kots`.

```
$ crane export --platform linux/arm64 ttl.sh/dldl@sha256:<digest> - | tar -tf - | grep '^kots$'
kots
```

- Look for this file to be recorded in the APK installed DB (an entry for this `/kots` file).

```
$ crane export --platform linux/arm64 ttl.sh/dldl@sha256:<digest> - | tar -xOf - lib/apk/db/installed | grep '^R:kots'
R:kotsadm_params.yaml
R:kots-1.103.0-r0.spdx.json
```
Notes
It could be that the only missing case is files installed at the root of the filesystem. But we should be as sure as we can that there are no logic paths where we'd miss a file's recording in the DB.
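As an added example (not part of this issue or of apko), a small checker that turns the manual `crane`/`tar`/`grep` steps above into a repeatable test: it parses the `F:`/`R:` directory and file records of `lib/apk/db/installed` from an exported image filesystem tar and reports every regular file the DB does not account for. The rootfs tar and the DB contents are constructed inline to mirror the report (a root-level `kots` binary that the DB omits); the encoding of root-level files as an empty `F:` value is an assumption.

```python
import io
import tarfile

# Constructed sample installed DB modelled on the report: the kots package record
# lists files under usr/bin and var/lib/db/sbom but never the root-level /kots.
SAMPLE_INSTALLED_DB = """\
P:kots
V:1.103.0-r0
F:usr/bin
R:kotsadm
F:var/lib/db/sbom
R:kots-1.103.0-r0.spdx.json
"""

def recorded_files(installed_db: str) -> set[str]:
    """Return every file path (relative, no leading slash) recorded in an APK installed DB."""
    recorded, current_dir = set(), None
    for line in installed_db.splitlines():
        if line.startswith("F:"):          # F: opens a directory for the R: lines that follow
            current_dir = line[2:]
        elif line.startswith("R:") and current_dir is not None:
            # Assumption: an empty F: value denotes the filesystem root.
            recorded.add(f"{current_dir}/{line[2:]}" if current_dir else line[2:])
        elif not line:                     # blank line terminates a package record
            current_dir = None
    return recorded

def unrecorded_files(rootfs_tar: bytes, db_path: str = "lib/apk/db/installed") -> set[str]:
    """Regular files present in the image filesystem that the installed DB does not record."""
    with tarfile.open(fileobj=io.BytesIO(rootfs_tar)) as tar:
        db_member = tar.extractfile(db_path)
        if db_member is None:
            raise FileNotFoundError(db_path)
        recorded = recorded_files(db_member.read().decode())
        present = set()
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            # apk's own database files live outside any package record; skip them.
            if m.isfile() and not name.startswith("lib/apk/db/"):
                present.add(name)
    return present - recorded

def build_sample_rootfs() -> bytes:
    """Constructed image filesystem tar: DB plus the three files the kots package installs."""
    files = {
        "kots": b"#!/bin/sh\n",                                  # root-level file, missing from DB
        "usr/bin/kotsadm": b"\x7fELF",
        "var/lib/db/sbom/kots-1.103.0-r0.spdx.json": b"{}",
        "lib/apk/db/installed": SAMPLE_INSTALLED_DB.encode(),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Against a real image, feed it the output of `crane export --platform linux/arm64 <image> -` and treat a non-empty result as files that scanners relying on the installed DB will never see.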