Syft failed to parse Singularity image

[saromleang]

What happened:

When running syft on a Singularity image containing an installation of Intel OneAPI the following error is encountered:

2022/08/08 17:13:25 error during command execution: 1 error occurred:
    * failed to construct source from user input "singularity:OneAPI.sif": could not fetch image "OneAPI.sif": could not read image: failed to walk layer="sha256:6f94ef31c47150aff2dcf150eb358b8bf4d0729c7ec9cf700c4cef5da2e71f2b": open opt/intel/oneapi/compiler/2022.1.0/linux/lib/oclfpga/host/linux64/bin/perl/lib/5.30.3/pod/perlpod.pod: unexpected EOF

What you expected to happen:

I expected syft to parse the image and catalog the packages within the image.

How to reproduce it (as minimally and precisely as possible):

singularity build --fakeroot OneAPI.sif docker://intel/oneapi-hpckit:latest
syft packages singularity:OneAPI.sif 

Anything else we need to know?:

This is encountered even when Intel OneAPI is installed manually in a Singularity container or installed through the package manager in a Singularity container. The reproducer above uses the official Intel OneAPI image from DockerHub.

However, taking the same approach but using Docker instead of Singularity, syft is able to load and parse the image and catalog the 680 packages.

docker pull intel/oneapi-hpckit
syft packages docker:intel/oneapi-hpckit

Environment:

• Output of syft version: 0.53.4
• OS (e.g: cat /etc/os-release or similar):

NAME="SLES"
VERSION="15-SP2"
VERSION_ID="15.2"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP2"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp2"

• Output of singularity --version: singularity version 3.7.1-1

[tgerla]

Hi @saromleang, thanks for the report, and sorry for the delay responding! We are fairly backed up right now but we will take a look at your issue as soon as we can, and let you know if we need more information. Thanks again for your patience.

[tri-adam]

Thanks for the detail in the bug report @saromleang !

@tgerla I'm happy to take a look at this if it helps. Looks related to anchore/stereoscope#125.

[tgerla]

@tri-adam thanks for the ping, and for the patches!

@saromleang, Singularity support has been added to Syft as of version 0.53.1. I'll go ahead and close this issue, but if you have any more trouble just let us know. Thanks!

[tgerla]

Hi @saromleang, sorry, I am re-opening this issue because I noticed you reported this issue with Syft version 0.53.4. Can you please try the latest version, and maybe @tri-adam has some suggestions?

[tri-adam]

I'm able to reproduce the issue described, even with the latest versions of SingularityCE and Syft, specifically:

$ singularity --version
singularity-ce version 3.10.2
$ syft --version
syft 0.54.0

The exact error I'm getting is the same as @saromleang reported:

$ syft packages singularity:OneAPI.sif
 ⠇ Parsing image            ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 
2022/08/24 14:50:31 error during command execution: 1 error occurred:
        * failed to construct source from user input "singularity:OneAPI.sif": could not fetch image "OneAPI.sif": could not read image: failed to walk layer="sha256:cc643462bc5962310c796fdfb2907c11674b1cad372e6b223076bed8e5ef50ac": open opt/intel/oneapi/compiler/2022.1.0/linux/lib/oclfpga/host/linux64/bin/perl/lib/5.30.3/pod/perlpod.pod: unexpected EOF

Haven't figured out the root cause of this yet. Will report back when I know more!

[saromleang]

@tri-adam could it have something to do with the path being parsed? I notice that in the error message the path is missing a forward-slash before opt:

open opt/intel/oneapi/compiler/2022.1.0/linux/lib/oclfpga/host/linux64/bin/perl/lib/5.30.3/pod/perlpod.pod: unexpected EOF

[tri-adam]

@saromleang that's expected, as the stereoscope code is using "unrooted" path names as required by the io/fs module (see https://pkg.go.dev/io/fs#ValidPath if you're interested!)

At this point, I am fairly confident the bug is with reading inodes that reference a fragment block within the SquashFS filesystem. I'll report back once I've researched the issue further and (hopefully) have a fix ready to go for the appropriate repo(s).

Thanks for your patience!

[tri-adam]

Just to update with the latest, the underlying cause is described in CalebQ42/squashfs#14. A patch for that is now available.

anchore/stereoscope#141 has patched the issue in stereoscope, and #1181 should fix the issue in syft.

[spiffcs]

Closing this with the fix now being in the latest release! If anyone still has an issue just comment here and I can reopen.