feat: prevent scanning oversized container images #8176

Open
knqyf263 opened this issue Dec 25, 2024 · 2 comments · May be fixed by #8178

@knqyf263 (Collaborator)

Background

We need to prevent scanning container images that are too large, which can cause resource issues. While we can get the compressed size of an image easily, determining the uncompressed size before pulling all layers is challenging.

Current Limitations

  1. No reliable way to determine uncompressed size without pulling layers

    • Manifests provide compressed size
    • But uncompressed size is not available via API
  2. Investigated alternatives:

    • gzip trailer information:
      • Contains uncompressed size
      • Limited to 4GB (32-bit unsigned int)
      • Not suitable for our use case with larger images
    • Other compression metadata:
      • No reliable source for accurate size information
      • Varies by compression method

Proposal

Since there's no reliable way to get the uncompressed size without pulling layers, implement a size check by:

  1. Add --max-image-size flag
  2. When the flag is specified:
    • Pull all layers first before scanning
    • Calculate the total uncompressed size
    • Stop if the size exceeds the threshold
    • Open the stored tarballs if they exist
    • Clean up pulled layers after scan (or on error)

Implementation Details

  1. Size verification process:

    [Registry] -> Pull all layers -> Calculate size -> Compare with threshold
                      |                                       |
                      v                                       v
                  Store temporarily                    Exceed: Error & cleanup
                                                      Within: Proceed with scan
    
  2. Error handling:

    • Clear error message when the size exceeds the threshold
    • Clean up temporary files
    • Appropriate exit code

Example Usage

# Error if uncompressed size exceeds 10GB
$ trivy image --max-image-size=10GB myapp:latest

# Error output example
Error: Uncompressed image size (15GB) exceeds maximum allowed size (10GB)

Initial Implementation

Start with basic implementation:

  1. Pull and store layers in the local filesystem temporarily
  2. Calculate the exact uncompressed size
  3. Clean up after scan completion or on error
  4. No persistent caching in the first iteration

Future Considerations

  • Add persistent layer caching
  • Add expiration or cap to the filesystem cache
knqyf263 added this to the v0.59.0 milestone Dec 25, 2024
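A sketch of the size check proposed above, written in Go as an added example (it is not Trivy's code and not the linked PR): it streams each gzip layer through a byte counter and stops as soon as the running total passes the threshold, which goes slightly beyond the proposal by aborting mid-pull instead of only after every layer has been stored. The error sentinel, the function names and the in-memory test layers are assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrImageTooLarge is the sentinel for the oversize case (wording assumed, not Trivy's).
var ErrImageTooLarge = errors.New("uncompressed image size exceeds maximum allowed size")

// measureLayers decompresses each gzip layer and sums the bytes it yields,
// stopping as soon as the running total exceeds maxBytes so one layer that
// inflates far beyond its compressed size cannot force a full unpack first.
func measureLayers(layers [][]byte, maxBytes int64) (int64, error) {
	var total int64
	for i, layer := range layers {
		zr, err := gzip.NewReader(bytes.NewReader(layer))
		if err != nil {
			return total, fmt.Errorf("layer %d: %w", i, err)
		}
		// Read the remaining budget plus one byte; receiving that extra byte
		// proves the threshold is exceeded without unpacking the rest.
		n, err := io.Copy(io.Discard, io.LimitReader(zr, maxBytes-total+1))
		zr.Close()
		if err != nil {
			return total, fmt.Errorf("layer %d: %w", i, err)
		}
		if total += n; total > maxBytes {
			return total, fmt.Errorf("%w: more than %d bytes", ErrImageTooLarge, maxBytes)
		}
	}
	return total, nil
}

// gzipLayer builds a constructed in-memory layer of n identical bytes; a real
// implementation would read the layer blobs pulled from the registry instead.
func gzipLayer(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(bytes.Repeat([]byte{'A'}, n))
	zw.Close()
	return buf.Bytes()
}
```

The returned total is exact when the image fits and is the first value past the limit otherwise, which is what a clear "exceeds maximum allowed size" message needs.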
@nikpivkin (Contributor)

> Clear error message when the size exceeds the threshold

So we should clear the error stack completely and report only the image oversize?

nikpivkin linked a pull request Dec 25, 2024 that will close this issue
@knqyf263 (Collaborator, Author)

> So we should clear the error stack completely and report only the image oversize?

If the image size had been calculated correctly, then no other errors would have occurred, so I thought it would have been sufficient to display only the oversize error. Am I missing something?
