Docker Desktop has two options for pulling and storing images internally: the default container and containerd.
The jf CLI cannot scan images or tar files created using containerd.
Current behavior
JFrog Xray version is: 3.86.11
command: jf scan mariadb-latest-containerd.tar
[jfxia] [WARN ] [] [docker_tar:74 ] [UnnamedContext ] Failed to index tar file as container image, continue to generic tar indexer. Error: failed to analyze OCI tar archive
--- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/docker_tar.go:144 (DockerTarOpener.analyzeTarAsContainer) ---
Caused by: failed to parse and validate manifests list: index.json
--- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:53 (DockerTarOpener.handleIndexFile) ---
Caused by: manifest unexpected media type: application/vnd.oci.image.index.v1+json
--- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:95 (DockerTarOpener.parseAndValidateManifestsList) ---
Reproduction steps
I used mariadb:latest as an example, since it is easily available. It is NOT necessary to export files to tar, but doing so makes it easier to demonstrate the error.
Check that the "Use containerd for pulling and storing images" option in Docker Desktop is disabled. This is the "control" test.
Download the image if needed: docker pull mariadb:latest
Save image to tar file: docker save mariadb:latest -o mariadb-latest-default.tar
Enable the "Use containerd for pulling and storing images" option in Docker Desktop. (Docker will restart.)
Download the image if needed: docker pull mariadb:latest
Save image to tar file: docker save mariadb:latest -o mariadb-latest-containerd.tar
Scan the images:
jf scan mariadb-latest-default.tar
jf scan mariadb-latest-containerd.tar
Expected behavior
jf scan mariadb-latest-default.tar
Will produce a viable security scan.
jf scan mariadb-latest-containerd.tar
Will fail to scan with the following error:
Failed to index tar file as container image, continue to generic tar indexer. Error: failed to analyze OCI tar archive
--- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/docker_tar.go:144 (DockerTarOpener.analyzeTarAsContainer) ---
Caused by: failed to parse and validate manifests list: index.json
--- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:53 (DockerTarOpener.handleIndexFile) ---
Caused by: manifest unexpected media type: application/vnd.oci.image.index.v1+json
--- at /go/src/jfrog.com/xray/backend/indexer/indexer_core/oci_tar.go:95 (DockerTarOpener.parseAndValidateManifestsList) ---
jf will continue despite the failure and fail to find any vulnerabilities:
Vulnerable Components
┌───────────────────────────────────────────┐
│ ✨ No vulnerable components were found ✨ │
└───────────────────────────────────────────┘
JFrog CLI version
jf version 2.59.1
Operating system type and version
Mac OS 14.5, Docker Desktop 4.3.1.0
JFrog Artifactory version
No response
JFrog Xray version
JFrog Xray version is: 3.86.11
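Added example (not part of the issue and not JFrog code): a pre-scan check that reads index.json from a `docker save` archive and flags descriptors carrying the media type named in the error, so a pipeline can treat the "No vulnerable components were found" output as "not scanned" instead of "clean". The function names and sample archives are constructed; that a default-store archive lists a plain image manifest in index.json is an assumption.

```python
import io
import json
import tarfile

OCI_INDEX = "application/vnd.oci.image.index.v1+json"  # media type from the error log
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"


def index_descriptor_types(fileobj):
    """Return the mediaType of each descriptor in the top-level index.json, or None if absent."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.name.removeprefix("./") == "index.json":
                index = json.load(tar.extractfile(member))
                return [d.get("mediaType", "") for d in index.get("manifests", [])]
    return None


def has_nested_index(fileobj):
    """True when index.json points at an image index, the case the indexer rejects."""
    types = index_descriptor_types(fileobj)
    return types is not None and OCI_INDEX in types


def build_sample_tar(descriptor_type):
    """Constructed sample: a tar holding only an index.json with one descriptor."""
    body = json.dumps({
        "schemaVersion": 2,
        "manifests": [{
            "mediaType": descriptor_type,
            "digest": "sha256:" + "0" * 64,  # placeholder digest, not a real image
            "size": 0,
        }],
    }).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("index.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = (("default-style", OCI_MANIFEST), ("containerd-style", OCI_INDEX))
    for label, media_type in samples:
        nested = has_nested_index(build_sample_tar(media_type))
        verdict = "treat an empty scan result as unscanned" if nested else "ok"
        print(f"{label}: nested index={nested} -> {verdict}")
```

To check a real archive, open it in binary mode and pass the file object, for example `has_nested_index(open("mariadb-latest-containerd.tar", "rb"))`.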
This behavior is still present in the CLI. The containerd storage option is now the default in Docker Desktop, so this is only going to become a bigger issue.