
[No Ticket] Stricter redirects when interacting with registry v2 api

Open meghfossa opened this issue 2 years ago • 0 comments

Overview

This PR addresses some of the root causes of the STM transaction errors seen in some container scanning runs.

Acceptance criteria

  • fossa-cli does not throw a 400 error when docker.io decides to use the S3 storage proxy for manifests and blobs.

Testing plan

To force a non-CloudFront storage proxy (specifically S3):

  1. Log in to the AWS console.
  2. Spin up an EC2 instance.
  3. Run fossa container-analyze -o --debug node:latest (you should see an STM transaction error and a 400 HTTP error).
  4. Now download this PR's fossa binary from the Build Action's summary artifact and run ./fossa container-analyze -o --debug node:latest (you should not see any errors).

Risks

There is an open ticket on this: https://github.com/containers/image/issues/641, but the consensus is that we ought to strip headers on redirect. There is also a ticket by podman: https://github.com/containers/podman/issues/15187, and https://bugzilla.redhat.com/show_bug.cgi?id=1695236

I think the ideal solution is to re-implement the same logic as the docker client, which injects headers if and only if the host matches the host used for token generation (in the redirect chain), but for now I think this should be a better alternative while we replicate/ticket the exact docker-client behaviour in the redirect chain.

Metrics

N/A

References

I discovered this via bulk testing, as part of the tar ticket.

Checklist

  • [x] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • [ ] ~If this PR introduced a user-visible change, I added documentation into docs/.~
  • [x] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
  • [ ] ~If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).~
  • [ ] ~If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.~

meghfossa, Oct 19 '23 21:10
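The docker-client redirect policy described in the Risks section, as an added example that is neither fossa-cli's nor the docker client's own code: the registry, storage proxy, token and blob URL are constructed stand-ins, and the fake proxy mirrors S3's rejection (400) of a pre-signed URL that also carries an Authorization header. The faulty policy that forwards headers across hosts is shown beside the host-scoped one.

```python
from urllib.parse import urlparse

# Constructed sample values for this example (not taken from the PR).
TOKEN_HOST = "registry-1.docker.io"
BEARER = "Bearer <token-placeholder>"
BLOB_URL = "https://registry-1.docker.io/v2/library/node/blobs/sha256:constructed"
PROXY_URL = "https://example-storage-proxy.invalid/blob?X-Amz-Signature=constructed"
REDIRECT_CODES = {301, 302, 303, 307, 308}

def fake_registry(url, headers):
    """Stand-in for the registry and its storage proxy. The proxy URL is
    pre-signed and, like S3, answers 400 when the request also carries an
    Authorization header. Returns (status, location)."""
    if urlparse(url).hostname == TOKEN_HOST:
        if headers.get("Authorization") != BEARER:
            return 401, None
        return 307, PROXY_URL
    if "Authorization" in headers:
        return 400, None
    return 200, None

def sticky_headers(url, prior):
    """Faulty policy: forward every header from the previous hop unchanged."""
    return dict(prior)

def host_scoped_headers(url, prior):
    """Docker-client style policy: send the bearer token only to the host
    the token was issued for; every other hop goes out without it."""
    headers = {k: v for k, v in prior.items() if k != "Authorization"}
    if urlparse(url).hostname == TOKEN_HOST:
        headers["Authorization"] = BEARER
    return headers

def fetch(url, policy, max_hops=5):
    """Follow the redirect chain, rebuilding headers at each hop with `policy`.
    Returns (final_status, hops); hops records each host visited and whether
    an Authorization header was sent to it."""
    headers = {"Accept": "application/vnd.docker.distribution.manifest.v2+json",
               "Authorization": BEARER}
    hops = []
    for _ in range(max_hops):
        headers = policy(url, headers)
        hops.append((urlparse(url).hostname, "Authorization" in headers))
        status, location = fake_registry(url, headers)
        if status in REDIRECT_CODES and location:
            url = location  # absolute Location assumed in this constructed chain
            continue
        return status, hops
    raise RuntimeError("too many redirects")
```

fetch(BLOB_URL, sticky_headers) ends with 400 at the proxy, the failure this PR describes, while fetch(BLOB_URL, host_scoped_headers) reaches 200 because the token never leaves the registry host.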