Deepfactor provides multiple ways to scan your software artifacts (container images/file systems) such as
1. Deepfactor CLI: You can scan your artifacts using the dfctl scan command. More details can be found in the following article
2. Deepfactor K8s scan pod: When you install the Deepfactor helm chart in your K8s cluster, you can optionally also install the K8s scan pod which is responsible for scanning container images used by pods in your K8s workloads.
Scan Errors #
The following table describes a few common possible reasons of failure to scan your container images. or file system directories. If the scan fails, the status will be shown on the portal UI along with the error log.
| No. | Sample error log | Description | Resolution |
| 1 | [image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred: * unable to inspect the image (deepqa/sca:juiceshop-alpine3.14): Error: No such image: deepqa/sca:juiceshop-alpine3.14 * unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory * failed to get deepqa/sca:juiceshop-alpine3.14: image “docker.io/deepqa/sca:juiceshop-alpine3.14“: not found * GET https://auth.docker.io/token?scope=repository%3Adeepqa%2Fsca%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {“details”:”incorrect username or password”}
|
Deepfactor can scan container images from private registries as well. However, you will need to specify the credentials so Deepfactor scanner can access the image manifest.
This error occurs when either credentials are not supplied or wrong credentials are supplied. |
Please validate the image name and registry.
Please refer to image scanning in private registry to understand how to specify credentials for scanning images from private image registries.
|
| 2 | image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred: * unable to inspect the image (deepqa/sca:juiceshop-alpine3.14): Error: No such image: deepqa/sca:juiceshop-alpine3.14 * unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory * failed to get deepqa/sca:juiceshop-alpine3.14: image “docker.io/deepqa/sca:juiceshop-alpine3.14“: not found * GET https://index.docker.io/v2/deepqa/sca/manifests/juiceshop-alpine3.14: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:deepqa/sca Type:repository]] – Invalid image.
|
This error occurs if the image specified does not exist or the image is present in a private registry and correct credentials have not been specified | Please validate the image name and registry.
Please refer to image scanning in private registry to understand how to specify credentials for scanning images from private image registries. |
| 3 | [image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred: * unable to inspect the image (deepfactor/vulnapps:spring-core-rce-2022-03-292): Error: No such image: deepfactor/vulnapps:spring-core-rce-2022-03-292 * unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory * failed to get deepfactor/vulnapps:spring-core-rce-2022-03-292: image “docker.io/deepfactor/vulnapps:spring-core-rce-2022-03-292“: not found * GET https://index.docker.io/v2/deepfactor/vulnapps/manifests/spring-core-rce-2022-03-292: MANIFEST_UNKNOWN: manifest unknown; unknown tag=spring-core-rce-2022-03-292 |
This error occurs if the image specified does not exist or the image is present in a private registry and correct credentials have not been specified |
Please validate the image name and registry.
Please refer to image scanning in private registry to understand how to specify credentials for scanning images from private image registries. |
| 4 | [image.RegisterCreateScan] Image Metadata Error:scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:6c51f9e77a53c2c9f9dcd2fb03988ee48b228d9a2ca7bc2f166d1434eb23e5ed : unable to get uncompressed layer sha256:6c51f9e77a53c2c9f9dcd2fb03988ee48b228d9a2ca7bc2f166d1434eb23e5ed: failed to get the layer (sha256:6c51f9e77a53c2c9f9dcd2fb03988ee48b228d9a2ca7bc2f166d1434eb23e5ed): unable to populate: unable to open: failed to copy the image: write /tmp/fanal-371905441: no space left on device | Deepfactor scanner uses some storage on the local filesystem to store scanned artifact data, vulnerability database and other temporary scan metadata.
This error occurs if enough space is not available on the local filesystem |
Please free up some space on the filesystem and retry the scan. |
| 5 | [image.RegisterCreateScan] Image Metadata Error:scan error: unable to initialize a scanner: unable to initialize a docker scanner: failed to parse the image name: could not parse reference: |
This error occurs when one tries to perform a filesystem scan without specifying the scan type explicitly.
|
Please pass -s fs to dfctl scan command. Please refer to Deepfactor CLI Reference
to know the different CLI options. |
| 6 | [image.RegisterCreateScan] Image Metadata Error:scan error: scan failed: failed analysis: analyze error: timeout: context deadline exceeded
OR [image.RegisterCreateScan] Image Metadata Error:[GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: semaphore acquire: context deadline exceeded |
This error occurs when the scan times out, generally due to large image/filesystem, network issues, resource constraints, etc. |
Deepfactor scans have a default timeout of 15 minutes. You can specify a different timeout by passing the -u option. Try rescanning the image with a larger timeout value. |
| 7 | [ImageScanFlow] {“error”: “[image.PerformScan] [image.SendResourceEvent] [events.SendResourceEvent] resource event export failed. Eventsvc POST request failure. Error:Post \”https://prateek.portal.deepfactor.io/events/v2/static-scans/event/resource\“: context deadline exceeded (Client.Timeout exceeded while awaiting headers)”} | This error occurs when Deepfactor scanner is not able to send the scan results over to the Deepfactor portal backend. This is generally due to network connectivity issues between the Deepfactor scanner and the portal backend. | Please make sure there is network connectivity between the host on which the scan is being performed and Deepfactor backend.
Retry the scan once the network connection stabilizes. |
| 8 | [filesystem.RegisterCreateScan] Filesystem Metadata Error:scan error: scan failed: failed analysis: walk filesystem: walk error: lstat /home/mk: no such file or directory | This error occurs when an invalid path is provided for filesystem scan | Ensure the file path is valid and accessible. |
| 9 | [GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:eb6ee5b9581f8e84de2e1969953594b7cc976d142c426f8e989d49d9c95f63f5 : walk error: failed to extract the archive: unexpected EOF
OR [GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:42cdd22adca74143bab2cc1a764c7b5d80eafb95ec7b772ffae614487f4a159d : walk error: failed to process the file: failed to analyze file: failed to analyze home/pinot/plugins/pinot-input-format/pinot-orc/pinot-orc-0.13.0-ST.21-shaded.jar: unable to open home/pinot/plugins/pinot-input-format/pinot-orc/pinot-orc-0.13.0-ST.21-shaded.jar: failed to open: unable to read the file: unexpected EOF OR [image.RegisterCreateScan] Image Metadata Error:[GetImageScanMetadata] scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:d3e76c9d00efb1797cb10c90f40cc9d2a986f1c50903651ed0bab59b349d5f40 : walk error: failed to process the file: failed to analyze file: failed to analyze usr/bin/cmake: unable to open usr/bin/cmake: failed to open: unable to read the file: stream error: stream ID 43; INTERNAL_ERROR; received from peer OR [GetImageScanMetadata] : scan error: scan failed: failed analysis: analyze error: failed to analyze layer: sha256:798bd473b38c175a1fe70189684b440a16fa4d144ad8e466c62ce7da8d9475a5 : walk error: failed to process the file: failed to analyze file: failed to analyze opt/bitnami/kafka/libs/javax.ws.rs-api-2.1.1.jar: unable to open opt/bitnami/kafka/libs/javax.ws.rs-api-2.1.1.jar: failed to open: unable to read the file: stream error: stream ID 3; PROTOCOL_ERROR; received from peer” |
This error occurs when Deepfactor scanner cannot parse a package or lookup GAV (GroupID, ArtifactID. version) for java packages | Deepfactor scanner will automatically kick of an offline scan when it encounters such errors. This will result in higher scan time. Also, while Deepfactor will generate the full SBOM, it may not be able to find vulnerabilities for some packages. We recommend retrying the scan after some time in such cases. Please refer to the following article to know more about offline scans Offline scans |
Scan warnings #
Under certain circumstances, while Deepfactor is successfully able to scan your artifact, results maybe incomplete or in some cases inaccurate due to missing information in the artifact. Deepfactor highlights such warnings on the artifact results page and provides guidance to remediate the warning. The possible warnings are listed here for reference.
| No | Sample warning log | Description | Solution |
|---|---|---|---|
| 1 | GroupID was determined heuristically. Refer https://www.deepfactor.io/docs/deepfactor-scan-errors#scan-warnings. Resource Name: io.github.jglrxavpok.hephaistos:antlr, Version: 2.7.7, Filepath: app/libs/antlr-2.7.7.jar | This warning is generated when the groupID of a Java dependency, jar cannot be determined by looking at the package manifest/MANIFEST.MF file. In such cases, Deepfactor determines the groupID in a heuristic fashion based on the count of references in the maven repository. | Add groupID information to the manifest file of the jar or the package manifest file (pom.xml, gradle file) |