[Scan][Auth] It doesn't block scanning when using incorrect credential #320
Replies: 9 comments 2 replies
The registry you're using is a public one. All the registry libraries use authentication only when it's actually needed. In this case, your wrong credentials are never used. You should repeat the test using a registry that has authentication turned on. Also, the title of this discussion is "It doesn't block scanning when using incorrect cert" but it's wrong. This is about the credentials (username/password) used to authenticate. TLS certificates are nowhere involved.
Hi @flavio,
Hi @xingzhang-suse, I think we can NOT directly use the Registry Secret created by the Storage/Secrets page for testing the scan. You could refer to my steps. After creating a Registry Secret via the Storage/Secrets page, it will show in the backend like:

If we decode that ${token}, we will find its format is like:

However, according to https://github.com/kubewarden/sbomscanner/blob/main/docs/user-guide/private-registries.md ,

So, if I use the format of the registry secret created by the Storage/Secrets page and do the scan testing below.

I can say that the above result doesn't recognize the secret, so it's like scanning without a secret... And, if I manually create the registry secret in the format from the backend's doc above and do the scan testing below.

The above result makes sense. (It can recognize the secret and scan with the secret.) Could you kindly check and let me know? Thanks.

Hi @flavio,
The problem is with the contents of the secret created by the UI. For some reason which baffles me, Docker Hub wants to be addressed with the
Hi @xingzhang-suse,
Hi @williamshen9999, the workflow in the backend is to use the secret name from the registry configuration to get the secret from the k8s Secret resource.
(Please refer to the documentation below; it shows how the secret is set in the CRD.)
I found that this problem can be solved by using a "Custom" secret in the Rancher UI.
Let me provide a quick summary. For Docker Hub, in the Rancher UI:

When trying to use the "DockerHub" secret -> the secret will NOT take effect for Sbomscanner (coz the Registry Domain Name will be set as "index.docker.io/v1/"; it lacks the prefix "https://").

However, you can use a "Custom" secret (and manually specify "https://index.docker.io/v1/") -> then the secret will take effect for Sbomscanner.

In the future, if someone meets this problem by using the "DockerHub" secret in the Rancher UI, then he/she can be suggested to use a "Custom" secret. Let me know if it's okay. Thanks. :)
I think @xingzhang-suse has a point in reaching out to the Rancher team. That's because the Rancher UI is creating a secret that is wrong for interacting with the Docker Hub. A user might rely on that secret to pull a container image from a private repository on Docker Hub. Now, if you do a

    "auths": {
        "dp.apps.rancher.io": {},
        "ghcr.io": {},
        "https://index.docker.io/v1/": {}
    }

Notice how Docker Hub is the only registry that has the

Sure, using the custom secret can be a workaround, but there's a problem here.
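As an added example (not code from the sbomscanner project or from anyone in this thread), the check below decodes a kubernetes.io/dockerconfigjson secret and shows why the Docker Hub key the UI writes ("index.docker.io/v1/", no "https://") is missed by an exact-key lookup while a host-normalizing lookup still finds it. The sample secrets and credentials are constructed, and the exact-key behaviour models the thread's description of what the backend expects, not the project's actual code.

```python
import base64
import json
from urllib.parse import urlsplit

def _make_secret(auths_key: str) -> str:
    auth = base64.b64encode(b"demo-user:demo-password").decode()
    cfg = {"auths": {auths_key: {"auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()

# Constructed samples: the key the Rancher "DockerHub" option writes (no "https://")
# versus a "Custom" secret keyed the way the thread says Sbomscanner expects it.
UI_DOCKERHUB_SECRET = _make_secret("index.docker.io/v1/")
CUSTOM_SECRET = _make_secret("https://index.docker.io/v1/")

def decode_dockerconfigjson(b64: str) -> dict:
    """Decode the .dockerconfigjson field of a kubernetes.io/dockerconfigjson Secret."""
    return json.loads(base64.b64decode(b64))

def strict_lookup(cfg: dict, key: str):
    """Exact-key lookup: how a consumer behaves if it accepts only one spelling."""
    return cfg.get("auths", {}).get(key)

def normalize_registry(key: str) -> str:
    """Collapse scheme, path and the Docker Hub aliases down to one host name."""
    host = urlsplit(key if "://" in key else "//" + key).netloc.lower()
    if host in ("docker.io", "index.docker.io", "registry-1.docker.io"):
        return "index.docker.io"
    return host

def tolerant_lookup(cfg: dict, registry: str):
    """Find the auths entry for a registry regardless of how its key is spelled."""
    want = normalize_registry(registry)
    for key, entry in cfg.get("auths", {}).items():
        if normalize_registry(key) == want:
            return entry
    return None

def credentials(entry: dict):
    """Split the base64 'user:password' pair stored under the 'auth' field."""
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password

def check_secret(b64: str, expected_key: str = "https://index.docker.io/v1/") -> list:
    """Report a secret whose Docker Hub key an exact-key consumer would silently skip."""
    cfg = decode_dockerconfigjson(b64)
    if strict_lookup(cfg, expected_key) is not None:
        return []
    near = [k for k in cfg.get("auths", {}) if normalize_registry(k) == normalize_registry(expected_key)]
    return [f"no auths entry for {expected_key!r}; near-misses: {near}"]
```

Running check_secret over a secret before handing it to the scanner turns the silent "scanned as if no secret" outcome in this thread into an explicit error.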
Steps:

Expected behavior:
It should show an error message and block the scanning when using an incorrect cert.