Trivy not detecting hard link and soft link files.

[manojkrishnanomula]

Description

I installed conda over an alpine base image, whenever conda is installed it copies the hardlinks in the pkgs folder.
When scanned an image with trivy it is not detecting the files which were inside the /pkgs/ folder as they are considered as the hardlinks.
But hardlinks also can be vulnerable so it should detect the files, Attacks can occur from the hardlinks as well

Desired Behavior

Hardlinks should be detected in an image.

Actual Behavior

Hardlinks are not getting detected in the image.

Reproduction Steps

1.Scan this image rayproject/ray:2.5.1-py39
2.You can see the hardlinks are skipped.

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

None

Debug Output

Didn't run

Operating System

Ubuntu

Version

43.0.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

duplicate of #5356

[knqyf263]

@manojkrishnanomula First of all, I don't find /pkgs/ you mentioned.

$ docker run --rm -it docker.io/rayproject/ray:2.5.1-py39 ls /pkgs/
ls: cannot access '/pkgs/': No such file or directory

Do you mean /home/ray/anaconda3/pkgs/?

And I tested hard links.

$ mkdir /tmp/hard_test
$ touch /tmp/hard_test/foo
$ ln /tmp/hard_test/foo /tmp/hard_test/bar
$ ls -al /tmp/hard_test
total 0
drwxr-xr-x  4 teppei 128 10 18 15:00 ./
drwxrwxrwt 10 root   320 10 18 15:00 ../
-rw-r--r--  2 teppei   0 10 18 15:00 bar
-rw-r--r--  2 teppei   0 10 18 15:00 foo
$ stat /tmp/hard_test/foo
  File: /tmp/hard_test/foo
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 1,17    Inode: 1701921     Links: 2
Access: (0644/-rw-r--r--)  Uid: (  501/  teppei)   Gid: (    0/   wheel)
Access: 2023-10-18 15:00:43.457250000 +0900
Modify: 2023-10-18 15:00:43.457250000 +0900
Change: 2023-10-18 15:00:51.147475590 +0900
 Birth: 2023-10-18 15:00:43.457153021 +0900
$ stat /tmp/hard_test/bar
  File: /tmp/hard_test/bar
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 1,17    Inode: 1701921     Links: 2
Access: (0644/-rw-r--r--)  Uid: (  501/  teppei)   Gid: (    0/   wheel)
Access: 2023-10-18 15:00:43.457250000 +0900
Modify: 2023-10-18 15:00:43.457250000 +0900
Change: 2023-10-18 15:00:51.147475590 +0900
 Birth: 2023-10-18 15:00:43.457153021 +0900

They are regular files.

$ cat main.go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
)

func main() {
	err := filepath.Walk("/tmp/hard_test", func(path string, info fs.FileInfo, err error) error {
		fmt.Println(path, info.Mode().IsRegular())
		return nil
	})
	if err != nil {
		panic(err)
	}
}

$ go run main.go
/tmp/hard_test false
/tmp/hard_test/bar true
/tmp/hard_test/foo true

Trivy just skips directories and irregular files.
https://github.com/aquasecurity/trivy/blob/3be5e6b24271a21f5aa700bab7cc32d1549b8199/pkg/fanal/walker/fs.go#L54-L63Lo

Looks like Trivy doesn't skip hard links, but I might be missing something. @manojkrishnanomula Could you explain how hard links are skipped in Trivy?

[manojkrishnanomula]

@knqyf263 when I mean pkgs folder I meant "/home/ray/anaconda3/pkgs" in this path we've many files which are like "/home/ray/anaconda3/pkgs/certifi-2023.5.7-py39h06a4308_0/lib/python3.9/site-packages/certifi-2023.5.7.dist-info" inside these path contains the METADATA file

When these files are getting scanned these are getting under hardlinks from the code in tar.go

trivy/pkg/fanal/walker/tar.go

Line 79 in 3be5e6b

// symlinks and hardlinks have no content in reader, skip them

we're doing image scan it is not file system scan(fs) if we do fs scan we're identifying these files and reporting the packages, but when scanned as image they're getting skipped.
Earlier it is working fine for the images also, changes are made as part of this commit 390c256