fix(xray): Add gzip decompression for OCI image layers #168
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Many Docker/OCI images use gzip-compressed layers with media types like: - application/vnd.docker.image.rootfs.diff.tar.gzip - application/vnd.oci.image.layer.v1.tar+gzip Previously, LoadPackage would fail with "archive/tar: invalid tar header" or "unexpected EOF" when processing these layers because it tried to read the gzip-compressed data directly as a tar archive. This fix: 1. Checks OCI manifest media type for gzip indication 2. Attempts gzip decompression using gzip.NewReader() which validates the gzip header automatically 3. Falls back to raw tar reading if the data is not gzip-compressed 4. Properly reports errors when media type indicates gzip but decompression fails Fixes processing of standard Docker Hub images that use compressed layers. Signed-off-by: Technophobe01 <pkjarvis01@gmail.com>
… archives This adds a new --target-image-archive flag to the xray command that allows analyzing a pre-saved Docker image tar archive directly, without requiring access to the Docker daemon. Use case: When orchestrating multiple xray invocations (e.g., for initial analysis followed by file extraction), the image archive from the first invocation can be reused directly in subsequent invocations without re-pulling from registry. Changes: - Add FlagTargetImageArchive to cliflags.go - Register flag in xray command (cli.go) - Add GetArchiveInfo() helper to extract image ID from archive manifest - Add archive-based analysis path in handler.go Signed-off-by: Technophobe01 <pkjarvis01@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
When running
xrayon Docker images with gzip-compressed layers (which is the default for most Docker Hub images), the command fails with errors like:or
This happens because
LoadPackageinpkg/docker/dockerimage/dockerimage.gotries to read gzip-compressed layer blobs directly as tar archives without decompressing them first.Root Cause
OCI/Docker images typically use gzip-compressed layers with media types like:
application/vnd.docker.image.rootfs.diff.tar.gzipapplication/vnd.oci.image.layer.v1.tar+gzipThe existing code at line ~1133 passes the raw stream to
tar.NewReader():There's also a TODO comment at line 926 acknowledging this:
// todo: add support for oci.MediaTypeImageLayerGzip and oci.MediaTypeImageLayerZstdSolution
This PR adds gzip decompression support by:
nonLayerFileNamesfor gzip indicationgzip.NewReader()which validates the gzip magic headerTesting
Tested with various Docker Hub images that use gzip-compressed layers:
autonomousplane/chatgpt-clone:latest(Python)autonomousplane/carbon.now.sh:latest(Node.js)alpine,node,pythonimagesBefore fix:
archive/tar: invalid tar headererrorAfter fix:
xraycompletes successfully withstate=doneChecklist