Red Hat Advanced Cluster Security / ROX-32983

Base image detection skipped for delegated scans

    • Bug
    • Resolution: Unresolved
    • 4.10.0

      USER PROBLEM
      What is the user experiencing as a result of the bug? Include steps to reproduce.

      • Scanned images do not show base image information (`baseImageInfo` is empty) even when matching base images exist in the database.
      • Steps to reproduce:
        1. Configure delegated scanning (`enabledFor: ALL` or for specific registries)
        2. Configure base image repositories (e.g., `registry.access.redhat.com/ubi8` with pattern `8.10-*`)
        3. Wait for base image watcher to discover and populate base images
        4. Scan an image derived from a configured base image (e.g., `registry.redhat.io/jboss-eap-7/eap74-openjdk8-openshift-rhel8:7.4.19-7`)
        5. Check the image via API: `GET /v1/images/{id}` → `baseImageInfo: []`

      CONDITIONS
      What conditions need to exist for a user to be affected? Is it everyone? Is it only those with a specific integration? Is it specific to someone with particular database content? etc.

      • Delegated scanning is enabled (`enabledFor: ALL` or `SPECIFIC` with matching registries)
      • Base image detection feature is enabled (`ROX_BASE_IMAGE_DETECTION=true`)
      • Base image repositories are configured and populated
      • Affects all images scanned via delegation

      ROOT CAUSE
      What is the root cause of the bug?

      • In `pkg/images/enricher/enricher_impl.go`, the `EnrichImage` function returns early (line 234) after successful delegation, before base image detection code executes (lines 277-294).
      • The `delegateEnrichImage` function (lines 136-191) successfully sends the scan to a secured cluster, receives the result, and merges it into the image object. It then returns `(true, nil)`.
      • The calling code at lines 232-234 checks for success and returns immediately:
      ```go
      if shouldDelegate {
          if err == nil {
              return EnrichmentResult{ImageUpdated: true, ScanResult: ScanSucceeded}, nil
          }
      }
      ```
      • Base image detection at lines 277-294 is in the "normal enrichment flow" section, which is entirely skipped for delegated scans.

      FIX
      How was the bug fixed (this is more important if a workaround was implemented rather than an actual fix)?

      • pending
      • Suggested fix: Move base image detection to run after delegation completes but before returning, or extract it to a separate function called from both code paths.
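
The early return and the suggested extraction can be reproduced in a small model. This is an added example, not code from the StackRox repository: `Image`, `Enricher`, `detectBaseImages`, `enrichBuggy`, `enrichFixed` and `baseInfo` are hypothetical names, and the layer digests and base image tag are constructed sample data.

```go
package main

import "fmt"

// Image and Enricher are simplified stand-ins, not the StackRox types.
type Image struct{ Layers, BaseImageInfo []string }

type Enricher struct {
	Delegate   bool              // delegated scanning applies to this image
	BaseLayers map[string]string // constructed data: layer digest -> base image
}

// detectBaseImages is the extracted step; assumption: a single layer digest match is enough.
func (e *Enricher) detectBaseImages(img *Image) {
	for _, layer := range img.Layers {
		if base, ok := e.BaseLayers[layer]; ok {
			img.BaseImageInfo = append(img.BaseImageInfo, base)
		}
	}
}

// enrichBuggy mirrors the reported flow: the delegated branch returns first.
func (e *Enricher) enrichBuggy(img *Image) {
	if e.Delegate {
		return // scan result merged; detection below is never reached
	}
	e.detectBaseImages(img)
}

// enrichFixed runs detection on the delegated path before returning.
func (e *Enricher) enrichFixed(img *Image) {
	if e.Delegate {
		e.detectBaseImages(img)
		return
	}
	e.detectBaseImages(img)
}

// baseInfo enriches a constructed image and returns its BaseImageInfo.
func baseInfo(delegate bool, enrich func(*Enricher, *Image)) []string {
	e := &Enricher{Delegate: delegate, BaseLayers: map[string]string{"sha256:aaa": "ubi8:8.10-example"}}
	img := &Image{Layers: []string{"sha256:aaa", "sha256:bbb"}}
	enrich(e, img)
	return img.BaseImageInfo
}

func main() {
	fmt.Println(baseInfo(true, (*Enricher).enrichBuggy), baseInfo(true, (*Enricher).enrichFixed))
}
```

A regression test for the real fix would make the same comparison: the same image enriched with and without delegation should end up with identical base image information.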

              rh-ee-yli3 Yi Li
              jvmartin@redhat.com J. Victor Martins