New path filtering logic excluding large number of unintended paths #2667
Comments
…nchore#2644)" This change caused the skipping of any paths including "/proc", "/dev" and "/sys" which was not the intended change and excludes many things that should be scanned. anchore#2667 This reverts commit a909e3c.
…nchore#2644)" This change caused the skipping of any paths including "/proc", "/dev" and "/sys" which was not the intended change and excludes many things that should be scanned. anchore#2667 This reverts commit a909e3c. Signed-off-by: Joseph Palermo <joseph.palermo@broadcom.com>
|
I wonder if a better way to handle this sort of exclusion would be to (when initializing/starting the scan) find filesystem paths that have |
|
I like the suggestion to look for forbidden mounts instead of leaning on mount naming conventions. We can't revert this PR since we have had other users that are mounting these filesystems within nested directories. That doesn't explain away the reason for reverting this though... I think there are unintended consequences. @jpalermo / @klakin-pivotal would either of you be interested in implementing the suggestion within the file resolver for finding forbidden filesystems first? |
|
It seems like the "correct fix" for the original problem is incredibly difficult, so somebody who wants it should work on it. An alternative is people who are scanning mounted images can exclude the paths they don't want scanned. As far as not reverting, the current syft is in a very bad state because of the original PR. Large chunks of code bases are currently being excluded accidentally, meaning the generated sboms are incorrect. |
|
I'm not interested in implementing the proper zero-false-exclusions version of the "Don't scan kernel pseudo-filesystems because we know that there are no artifacts we care about in there" code. Conceptually it's not tough to do, but I've no knowledge of how the filesystem scanner code works. Even a version of the code in the PR that just scans for directories named |
|
No worries! I wanted to offer it up in case there was interest --I can take a stab at this later this week. |
What happened:
#2644 introduced new logic to prevent scanning of
unixSystemRuntimePrefixeseven if those paths are not at the root, for example remounted root file systems. The solution however prevents scanning any paths that include a/proc,/devor/syswithin them. For example:folder/syslog-scan.sbom.jsonsource_code/system/filessource_code/dev/other_filesare all skipped after this change.
What you expected to happen:
Only
/proc,/devand/systhat are part of fs roots should be excluded, not anything including those strings.Steps to reproduce the issue:
Attempt to scan an sbom file that starts with the string
sysAnything else we need to know?:
Environment:
syft version:0.105.0cat /etc/os-releaseor similar): AnyThe text was updated successfully, but these errors were encountered: