Ignoring bad JARs


Iain Duncan

Nov 10, 2021, 8:54:18 AM
to clair-dev
We are getting some images that can't be scanned because the Java scanner is unable to process a JAR inside a layer and we get the unidentified error. This then causes the entire processing of that image to stop because of one bad JAR. I looked at which JARs were causing this and some from the JVM can trigger the condition, such as the jrt-fs.jar, so I would imagine it's fairly common. The MANIFEST.MF for that JAR is:

Manifest-Version: 1.0
Specification-Title: Java Platform API Specification
Specification-Version: 11
Specification-Vendor: Oracle Corporation
Implementation-Title: Java Runtime Environment
Implementation-Version: 11.0.8
Implementation-Vendor: Oracle Corporation
Created-By: 10 (Oracle Corporation)

So it is indeed missing the Implementation-Vendor-Id that Clair looks for, but I'm not sure this should mean that the entire scan should fail.

I was thinking it would be better to ignore any errors when parsing JAR files and continue to run the other scanners and scan any well-formed JARs that are present, rather than exiting when a bad JAR is encountered.

I should have a bit of time next week to put a PR in for this but wanted to double check if there were any gotchas that I am missing before doing so.

Cheers,

Iain
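The behaviour change proposed above, as an added Go example that is not claircore's code or part of the original thread: a small MANIFEST.MF parser, an identification step that treats a missing Implementation-Vendor-Id as "unidentified" (an assumed rule mirroring what the post describes, not claircore's actual logic), and two layer-scan loops side by side, one that aborts on the first bad JAR and one that records it and keeps going. The jrt-fs.jar manifest is the one quoted in the post; the second manifest, the paths, and all function and error names are constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrUnidentified marks a manifest that lacks the attribute this example
// requires to name the artifact. Hypothetical error value, not claircore's.
var ErrUnidentified = errors.New("jar: manifest has no Implementation-Vendor-Id")

// JarInfo is the subset of manifest data kept per JAR in this example.
type JarInfo struct {
	Path, Name, Version, VendorID string
}

// ParseManifest reads MANIFEST.MF "Name: Value" lines into a map. Per the
// JAR spec a line beginning with a single space continues the previous
// value, so such lines are folded back onto the preceding attribute.
func ParseManifest(text string) (map[string]string, error) {
	attrs := map[string]string{}
	last := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		switch {
		case line == "":
			continue // section separator; nothing to record
		case strings.HasPrefix(line, " ") && last != "":
			attrs[last] += line[1:] // continuation of the previous value
		default:
			i := strings.IndexByte(line, ':')
			if i < 0 {
				return nil, fmt.Errorf("jar: malformed manifest line %q", line)
			}
			last = strings.TrimSpace(line[:i])
			attrs[last] = strings.TrimSpace(line[i+1:])
		}
	}
	return attrs, sc.Err()
}

// Identify builds a JarInfo from a manifest. Requiring
// Implementation-Vendor-Id is an assumption of this example.
func Identify(path, manifest string) (JarInfo, error) {
	attrs, err := ParseManifest(manifest)
	if err != nil {
		return JarInfo{}, err
	}
	id := attrs["Implementation-Vendor-Id"]
	if id == "" {
		return JarInfo{}, ErrUnidentified
	}
	return JarInfo{Path: path, Name: attrs["Implementation-Title"],
		Version: attrs["Implementation-Version"], VendorID: id}, nil
}

// ScanStrict is the failure mode from the thread: the first JAR that
// cannot be identified aborts the whole layer, losing the good ones.
func ScanStrict(manifests map[string]string) ([]JarInfo, error) {
	var out []JarInfo
	for _, p := range sortedKeys(manifests) {
		ji, err := Identify(p, manifests[p])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p, err)
		}
		out = append(out, ji)
	}
	return out, nil
}

// ScanLenient is the proposed behaviour: note the bad JAR and continue, so
// every well-formed JAR in the layer is still reported for matching.
func ScanLenient(manifests map[string]string) (found []JarInfo, skipped []string) {
	for _, p := range sortedKeys(manifests) {
		ji, err := Identify(p, manifests[p])
		if err != nil {
			skipped = append(skipped, fmt.Sprintf("%s: %v", p, err))
			continue
		}
		found = append(found, ji)
	}
	return found, skipped
}

// sortedKeys gives a deterministic scan order for map input.
func sortedKeys(m map[string]string) []string {
	ks := make([]string, 0, len(m))
	for k := range m {
		ks = append(ks, k)
	}
	sort.Strings(ks)
	return ks
}

// jrtFS is the manifest quoted in the thread; goodJar is constructed.
const jrtFS = `Manifest-Version: 1.0
Specification-Title: Java Platform API Specification
Specification-Version: 11
Specification-Vendor: Oracle Corporation
Implementation-Title: Java Runtime Environment
Implementation-Version: 11.0.8
Implementation-Vendor: Oracle Corporation
Created-By: 10 (Oracle Corporation)
`

const goodJar = `Manifest-Version: 1.0
Implementation-Title: example-lib
Implementation-Version: 2.3.4
Implementation-Vendor-Id: org.example
`

func main() {
	layer := map[string]string{"lib/jrt-fs.jar": jrtFS, "lib/example-lib.jar": goodJar}
	if _, err := ScanStrict(layer); err != nil {
		fmt.Println("strict scan aborted:", err)
	}
	found, skipped := ScanLenient(layer)
	fmt.Printf("lenient scan: %d identified, %d skipped\n", len(found), len(skipped))
	for _, s := range skipped {
		fmt.Println("  skipped:", s)
	}
}
```

The lenient loop keeps the skipped list rather than silently dropping the error, so a scan that quietly ignored a corrupt JAR would still leave a trace in the scanner's output for anyone auditing why a package was not matched.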

Hank Donnay

Nov 10, 2021, 10:25:48 AM
to clai...@googlegroups.com
On Wed, Nov 10, 2021 at 05:54:18AM -0800, Iain Duncan wrote:
>I should have a bit of time next week to put a PR in for this but wanted to
>double check if there were any gotchas that I am missing before doing so.

I think we've addressed this in subsequent claircore patch releases,
specifically with
https://github.com/quay/claircore/commit/b44ca85887f073afe9927b2c1882ed09ab21b04b.

If you're still seeing issues with 1.1.1 or greater, then please send
PRs or open issues.

--
hank
