jf docker scan return empty table on Circleci machine #1858

Closed
j1an5 opened this issue Mar 7, 2023 · 15 comments
Labels
bug Something isn't working

Comments

@j1an5

j1an5 commented Mar 7, 2023

Describe the bug

The customer is using CircleCI to run the build.

When `jf docker scan xx` is performed, the log returns an empty table.

Current behavior

03:47:53 [🔵Info] Waiting for scan to complete...
The full scan results are available here: /tmp/jfrog.cli.temp.-1678160880-3791283235
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌────────────┬──────────────────────────────────────────────────────────────────────────────┬────────────┬───────────────────────────────────┬─────────────────────────┬──────────┬────────┬──────────────────┐
│            │                                                                              │            │                                   │                         │          │        │                  │
├────────────┼──────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│            │                                                                              │            │                                   │                         │          │        │                  │
├────────────┼──────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│            │   

Reproduction steps

  1. login https://app.circleci.com/
  2. integrating github code & project
  3. add .circleci/config.yml
version: 2.1
jobs:
  docker-build:
    machine:
      image: ubuntu-2204:2022.04.2
    steps:
      - run:
          name: install cli 
          command: curl -fL https://install-cli.jfrog.io | sh
      - run:
          name: cli config
          command: jf config add jfrog-test --artifactory-url=http://xx:xx/artifactory --password='xx' --user=xx --xray-url=http://xx:xx/xray
      - run:
          name: docker pull
          command: docker pull nginx:latest
      - run:
          name: docker scan
          command: jf docker scan nginx:latest --format=table

workflows:
  sample:
    jobs:
      - docker-build

Expected behavior

Returns data as a table, like:

12:48:52 [🔵Info] Log path: /root/.jfrog/logs/jfrog-cli.2023-03-07.12-48-52.20168.log
The full scan results are available here: /tmp/jfrog.cli.temp.-1678164570-3034012285
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌────────────┬──────────────────────────┬────────────┬──────────────────────────┬─────────────────────────┬──────────┬────────┬──────────────────┐
│ SEVERITY   │ DIRECT                   │ DIRECT     │ IMPACTED                 │ IMPACTED                │ FIXED    │ TYPE   │ CVE              │
│            │ DEPENDENCY               │ DEPENDENCY │ DEPENDENCY               │ DEPENDENCY              │ VERSIONS │        │                  │
│            │                          │ VERSION    │ NAME                     │ VERSION                 │          │        │                  │
├────────────┼──────────────────────────┼────────────┼──────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__650abce4b096b06a │            │ debian:bullseye:libdb5.3 │ 5.3.28+dfsg1-0.8        │          │ Debian │ CVE-2019-8457    │
│            │ c8bec2046d821d66d801af34 │            │                          │                         │          │        │                  │
│            │ f1f1d4c5e272ad030c7873db │            │                          │                         │          │        │                  │
│            │ .tar                     │            │                          │                         │          │        │                  │
│            │                          │            │                          │                         │          │        │                  │
├────────────┼──────────────────────────┼────────────┼──────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__650abce4b096b06a │            │ debian:bullseye:libc-bin │ 2.31-13+deb11u5         │          │ Debian │ CVE-2023-0687    │
│            │ c8bec2046d821d66d801af34 │            │                          │                         │          │        │                  │
│            │ f1f1d4c5e272ad030c7873db │            │                          │                         │          │        │                  │
│            │ .tar                     │            │                          │                         │          │        │                  │
│            │                          │            │                          │                         │          │        │      

JFrog CLI version

2.34.6

Operating system type and version

Circleci machine: ubuntu-2204:2022.04.2

JFrog Artifactory version

7.x

JFrog Xray version

3.x

@j1an5 j1an5 added the bug Something isn't working label Mar 7, 2023
@sverdlov93
Contributor

Hi @j1an5 ,
Thanks for reporting this issue.
Can you add the environment variable NO_COLOR=true and see if that helps?

@j1an5
Author

j1an5 commented Mar 7, 2023

Hi @j1an5 , Thanks for reporting this issue. Can you add the environment variable NO_COLOR=true and see if that helps?

After adding export NO_COLOR=true, the issue still appears.

#!/bin/bash -eo pipefail
export NO_COLOR=true && jf docker scan nginx:latest --format=table
10:18:10 [Info] Creating image archive...
10:18:12 [Info] JFrog Xray version is: 3.67.9
10:18:12 [Info] JFrog Xray Indexer 3.67.9 is not cached locally. Downloading it now...
10:18:28 [Info] The downloaded Xray Indexer version is 3.67.9
10:18:29 [Info] [Thread 0] Indexing file: /tmp/jfrog.cli.temp.-1678184290-3320271284/image.tar
10:18:37 [Info] 2023-03-07T10:18:35.761240627Z [jfxia] [ERROR] [] [archive_mgr:226               ] [main                ] failed to check file /tmp/jfrog.cli.temp.-1678184309-3333665264/45a14b20-42f5-49f3-6d66-8f695718c117/167818431576049778/tzdata.zi, with err: No zip file found
2023-03-07T10:18:35.761298445Z [jfxia] [WARN ] [] [archive_mgr:631               ] [main                ] Failed to extract file tzdata.zi (root path: /tmp/jfrog.cli.temp.-1678184309-3333665264/45a14b20-42f5-49f3-6d66-8f695718c117/167818431038085631/). Would be treated as generic. err : No zip file found
2023-03-07T10:18:35.761741656Z [jfxia] [WARN ] [] [archive_mgr:631               ] [main                ] Failed to extract file builtins.7.gz (root path: /tmp/jfrog.cli.temp.-1678184309-3333665264/45a14b20-42f5-49f3-6d66-8f695718c117/167818431038085631/). Would be treated as generic. err : failed to decompress file: /tmp/jfrog.cli.temp.-1678184309-3333665264/45a14b20-42f5-49f3-6d66-8f695718c117/167818431576162258/builtins.7.gz
 --- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/decompressor.go:23 (Decompressor.DeepArchiveScan) ---
Caused by: Archive extractor error, gzip: invalid header
2023-03-07T10:18:35.845808929Z [jfxia] [INFO ] [] [/usr/local/go/src/sync/once:74] [main                ] SPDX license IDs from licenses.json and exceptions.json were loaded successfully
2023-03-07T10:18:37.060092998Z [jfxia] [INFO ] [] [tar:101                       ] [main                ] Finished indexing layers of docker /tmp/jfrog.cli.temp.-1678184309-3333665264/45a14b20-42f5-49f3-6d66-8f695718c117/167818431038085631/ (sha256:f81892e554a57f93b139c39df24e7aa7d0d81bc1921dde11fd11e50dc1bbebfc)

10:18:38 [Info] Waiting for scan to complete...
The full scan results are available here: /tmp/jfrog.cli.temp.-1678184327-1139556941
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌──────────┬──────────────────────────────────────────────────────────────────────────────┬────────────┬───────────────────────────────────┬─────────────────────────┬──────────┬────────┬──────────────────┐
│          │                                                                              │            │                                   │                         │          │        │                  │
├──────────┼──────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│          │                                                                              │            │                                   │                         │          │        │                  │
├──────────┼──────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│          │                                                                              │            │                                   │                         │          │        │                  │
├──────────┼──────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────────────────────┼─────────────────────────┼──────────┼────────┼──────────────────┤
│ 

@j1an5
Author

j1an5 commented Mar 7, 2023

Same issue on a CircleCI machine with the command "jf audit --use-wrapper":

The full scan results are available here: /tmp/jfrog.cli.temp.-1678184341-1997924198
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌────────────┬──────────────────────────────────┬────────────┬──────────────────────────────────┬────────────┬──────────────────┬───────┬──────────────────┐
│            │                                  │            │                                  │            │                  │       │                  │
├────────────┼──────────────────────────────────┼────────────┼──────────────────────────────────┼────────────┼──────────────────┼───────┼──────────────────┤
│            │                                  │            │                                  │            │                  │       │                  │
├────────────┼──────────────────────────────────┼────────────┼──────────────────────────────────┼────────────┼──────────────────┼───────┼──────────────────┤
│            │                                  │            │                                  │            │                  │       │                  │
├─

@sverdlov93
Contributor

@j1an5
Did it work on previous JFrog CLI versions?

BTW, you can use --url=http://xx:xx instead of --artifactory-url=http://xx:xx/artifactory --xray-url=http://xx:xx/xray

@j1an5
Author

j1an5 commented Mar 8, 2023

@j1an5 Did it work on previous JFrog CLI versions?

BTW, you can use --url=http://xx:xx instead of --artifactory-url=http://xx:xx/artifactory --xray-url=http://xx:xx/xray

  1. “jf version 2.11.0” works well with --format=table; hope this will be helpful to you
  2. “CLI: 2.34.6 with --url=xx” serves no purpose

@sverdlov93
Contributor

It looks like the CircleCI terminal has an issue with the CLI table format view. Can you see vulnerabilities with --format=simple-json, which is a JSON version of the table view?
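Because the renderer can emit a frame with no header row and no cell text (as in the outputs pasted above), a CI job that only eyeballs the table can mistake a rendering failure for a clean scan. The guard below is an added example, not code from the jfrog-cli project or from anyone in this thread: it keeps only the rows between the box-drawing borders of the scan output and fails the step when every cell is blank, so the job fails closed and the operator is pointed at the machine-readable format instead. The two sample outputs are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not jfrog-cli project code): fail a CI step when the
# vulnerability table rendered with no content, instead of treating a
# blank frame as "no findings". Function names are assumptions.

# Constructed sample of the broken output seen in this issue:
# a frame with no header row and every cell blank.
BROKEN_OUTPUT='Below are all vulnerabilities detected.
Vulnerabilities
┌────────────┬──────────────────┐
│            │                  │
├────────────┼──────────────────┤
│            │                  │
└────────────┴──────────────────┘'

# Constructed sample of healthy output: header row plus one finding
# (the CVE is the one that appears in the expected output above).
GOOD_OUTPUT='Below are all vulnerabilities detected.
Vulnerabilities
┌────────────┬──────────────────┐
│ SEVERITY   │ CVE              │
├────────────┼──────────────────┤
│ 💀Critical │ CVE-2019-8457    │
└────────────┴──────────────────┘'

# Exit 0 if at least one table cell holds non-blank text, 1 otherwise.
# Only rows that begin with the vertical border are inspected; the
# border characters are replaced by spaces before looking for content.
table_has_content() {
    printf '%s\n' "$1" \
        | grep '^│' \
        | sed 's/│/ /g' \
        | grep -q '[^[:space:]]'
}

# Exit 0 only when the output contains a table with content; print a
# clear message and exit 1 when the frame is blank so the job fails closed.
check_scan_output() {
    if table_has_content "$1"; then
        echo "vulnerability table rendered with content; review findings"
        return 0
    fi
    echo "ERROR: vulnerability table is blank; not treating this as a clean scan" >&2
    echo "re-run with --format=simple-json and parse the JSON instead" >&2
    return 1
}

# Stand-alone demonstration on the constructed samples.
check_scan_output "$GOOD_OUTPUT"
check_scan_output "$BROKEN_OUTPUT" || echo "(expected failure on the blank sample)"
```

In a real job the scan output would be captured with something like `out=$(jf docker scan nginx:latest --format=table 2>&1)` and passed to `check_scan_output "$out"`; the point of the guard is that a blank frame is reported as an error of the tooling, never as an absence of vulnerabilities.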

@j1an5
Author

j1an5 commented Mar 8, 2023

@sverdlov93 The issue is a regression. On CLI 2.11.0, it was working well with --format=table.

@bmanuel

bmanuel commented Apr 11, 2023

@sverdlov93 are there any updates on this?

@sverdlov93
Contributor

Hi @bmanuel @j1an5 ,
We couldn't reproduce that issue on Ubuntu machines.
Can you please try again with the latest JFrog CLI version and with the JFROG_CLI_LOG_LEVEL=DEBUG environment variable?

@bmanuel

bmanuel commented Jun 7, 2023

I was able to reproduce on Circle CI with cli version 2.39.1 using the following job spec (very similar to the original reproduction steps):

  validate_cli_issue:
    docker:
      - image: cimg/base:current
    steps:
      - setup_remote_docker:
          docker_layer_caching: true
      - run:
          name: install cli
          command: curl -fL https://install-cli.jfrog.io | sh
      - run:
          name: cli config
          command: jf config add prod [REDACTED]
      - run:
          name: docker pull
          command: docker pull nginx:latest
      - run:
          name: docker scan
          command: jf docker scan nginx:latest --format=table

@bmanuel

bmanuel commented Jun 7, 2023

I ran through all of the versions of the CLI from 2.11.0 through current and found that the issue started with 2.32.0.

@bmanuel

bmanuel commented Jun 21, 2023

@sverdlov93 Are there any updates on this issue?

@attiasas
Contributor

Hello @bmanuel / @j1an5,

Apologies for the delayed response. I've identified the change that caused the issue:
Upgrading the version of github.com/jedib0t/go-pretty/v6 from v6.4.0 to v6.4.1.
I've raised an issue to notify them of this problem, so we can work on fixing it.

Until the issue is resolved, I'll downgrade this package to v6.4.0, which should temporarily resolve the issue. You can track the progress of the fix in this PR.

Thank you for your understanding and for reporting this.

@bmanuel

bmanuel commented Nov 27, 2023

@attiasas when can we expect a release with the update?

@attiasas
Contributor

attiasas commented Dec 5, 2023

Hi @bmanuel / @j1an5
JFrog CLI v2.52.1 has been released. This version includes the fix for this issue.
We'd appreciate your feedback on that.
