This repository has been archived by the owner on Feb 28, 2023. It is now read-only.

inline_scan doesn't seem to honor -b correctly #27

Open
davidmankin opened this issue Dec 31, 2019 · 5 comments

davidmankin commented Dec 31, 2019

Followup on #9

The problem

When I try to use the -b flag to point to a policy bundle I get an error that makes me think it doesn't understand the flag. (It tries to scan an image called policy_bundle.json)

Environment

OS X Mojave; bash script calling version 0.6.0 of inline_scan downloaded from GitHub.

Details

When I try to use the -b flag to point to a policy bundle (either by relative path or absolute) I get the following error:

$ anchore-ci-tools/scripts/inline_scan scan -b ../anchore/policy_bundle.json -t 300 -p -r my.docker.registry/my-docker-image@sha256:211de8a383c...
...
time="2019-12-31T20:56:10Z" level=fatal msg="Error loading tar component manifest.json: archive/tar: invalid tar header"
	Ignoring invalid docker archive:  /anchore-engine/policy_bundle.json

Unable to activate policy bundle - /anchore-engine/policy_bundle.json -- using default policy bundle.
...
Error: Policy bundle null not found in DB
HTTP Code: 404
Detail: {'error_codes': []}
...

Actual Behaviour

Seems to run okay but with default policy bundle.

Expected Behaviour

How do you reproduce the error?

Surprisingly it seems somewhat flaky. It never seems to load the policy bundle but it does seem to vary whether it gives the "Error loading tar component" error.

@Btodhunter

@davidmankin I've verified the same issue on my workstation. I'm looking into what is causing that issue. In my test, the policy bundle was still loaded & activated correctly, however I am also getting the Error loading tar component error. Can you do me a favor and add a copy of your policy bundle to this issue?

Btodhunter commented Jan 2, 2020

Upon further inspection, the Error loading tar component message is a red herring. The image_vuln_scan.sh script is searching the /anchore-engine directory inside of the inline_scan container (which is where all external files are copied) for any files, using docker inspect to determine if the file is a valid image archive, then outputting a message about the validity of the file. I'm working on a fix to make that output more clear.

This leads me to think that your policy bundle might be invalid as my policy bundle is loading & activating correctly.

quackchewy commented Aug 13, 2020

I am getting errors like what was mentioned by OP:
Unable to activate policy bundle - /anchore-engine/policy_bundle.json -- using default policy bundle.
...
Error: Policy bundle null not found in DB
HTTP Code: 404
Detail: {'error_codes': []}
...

When I swap out this custom whitelist:
{
  "comment": "Service default whitelist",
  "id": "service_default_whitelist",
  "items": [
    {
      "gate": "vulnerabilities",
      "trigger_id": "CVE-2019-12105+*",
      "id": "CVE-2019-12105"
    }
  ],
  "name": "Service Default Whitelist",
  "version": "1_0"
}

with this default empty one provided, the error goes away:
{
  "comment": "Default global whitelist",
  "id": "37fd763e-1765-11e8-add4-3b16c029ac5c",
  "items": [],
  "name": "Global Whitelist",
  "version": "1_0"
}

@Btodhunter would you happen to know what the issue with the custom whitelist is that causes the bundle to fail? Regardless of whitelist I still get these logs:
time="2019-12-31T20:56:10Z" level=fatal msg="Error loading tar component manifest.json: archive/tar: invalid tar header"
	Ignoring invalid docker archive:  /anchore-engine/policy_bundle.json
Unable to activate policy bundle - /anchore-engine/policy_bundle.json -- using default policy bundle.
but as you mentioned earlier this is just a red herring, so I am not concerned with that.

@quackchewy

After further testing, it looks like the issue was due to not setting the mappings.whitelist_ids field to match the custom whitelist ID. I suspect OP had a similar issue. Perhaps this should be explicitly stated in this documentation to avoid this mistake in the future?
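The mismatch described in the comment above (a custom whitelist defined in the bundle, but the mapping's whitelist_ids still pointing at the default whitelist id) can be caught before the bundle is handed to inline_scan. The following is an added example, not code from anchore-ci-tools or Anchore Engine; it assumes the bundle is a JSON object with top-level "policies", "whitelists" and "mappings" arrays, where each mapping carries "policy_ids" and "whitelist_ids" lists, and it checks that every referenced id is actually defined.

```python
import json

# Constructed sample bundle (not taken from the issue): it defines the custom
# whitelist quoted in the thread, but its mapping still references the id of the
# default "Global Whitelist", which is exactly the mismatch that makes the engine
# fall back to the default policy bundle.
SAMPLE_BUNDLE = {
    "id": "example_bundle",
    "version": "1_0",
    "name": "Example bundle",
    "policies": [{"id": "default_policy", "name": "Default", "version": "1_0", "rules": []}],
    "whitelists": [{
        "comment": "Service default whitelist",
        "id": "service_default_whitelist",
        "items": [{"gate": "vulnerabilities",
                   "trigger_id": "CVE-2019-12105+*",
                   "id": "CVE-2019-12105"}],
        "name": "Service Default Whitelist",
        "version": "1_0",
    }],
    "mappings": [{
        "id": "default_mapping", "name": "default",
        "registry": "*", "repository": "*", "image": {"type": "tag", "value": "*"},
        "policy_ids": ["default_policy"],
        "whitelist_ids": ["37fd763e-1765-11e8-add4-3b16c029ac5c"],  # stale default id
    }],
}


def dangling_references(bundle):
    """Return (mapping_id, field, missing_id) for every mapping reference that has
    no matching entry in the bundle's policies or whitelists. Empty list = consistent."""
    policy_ids = {p["id"] for p in bundle.get("policies", [])}
    whitelist_ids = {w["id"] for w in bundle.get("whitelists", [])}
    problems = []
    for mapping in bundle.get("mappings", []):
        for ref in mapping.get("policy_ids", []):
            if ref not in policy_ids:
                problems.append((mapping["id"], "policy_ids", ref))
        for ref in mapping.get("whitelist_ids", []):
            if ref not in whitelist_ids:
                problems.append((mapping["id"], "whitelist_ids", ref))
    return problems


def check_bundle_file(path):
    """Load a policy bundle JSON file from disk and run the same reference check."""
    with open(path) as fh:
        return dangling_references(json.load(fh))


if __name__ == "__main__":
    for mapping_id, field, ref in dangling_references(SAMPLE_BUNDLE):
        print(f"mapping {mapping_id}: {field} references unknown id {ref!r}")
```

Run check_bundle_file("policy_bundle.json") against a real bundle in a CI step and fail the job if it returns anything, so a stale id is reported as a config error rather than as a silent fallback to the default policy.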

luoyimu1 commented Oct 1, 2020

Hi @Btodhunter ,
Could you please kindly help review my PR #50, which is partially related to this issue and would fix it if it's a single image scan?
Thanks in advance,
Yimu
