Xray cannot scan docker images with SBOM attestationΒ #658
Description
Describe the bug
Adding SBOM layers to docker images breaks the Xray scanner.
Current behavior
Log file from scans with sbom:
10:41:21 [Debug] JFrog CLI version: 2.90.0
10:41:21 [Debug] OS/Arch: linux/amd64
10:41:21 [Debug] There is no GitHub token, please set GitHub token to avoid anonymous rate limits
10:41:21 [Debug] Sending HTTP GET request to: https://api.github.com/repos/jfrog/jfrog-cli/releases/latest
10:41:21 [Debug] failed while trying to check latest JFrog CLI version: json: unknown field "url"
10:41:21 [π Warn] failed while trying to check latest JFrog CLI version: json: unknown field "url"
10:41:21 [Debug] Trace ID for JFrog Platform logs: 17cf805d0a9ed6b6
10:41:21 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/system/version
10:41:22 [Debug] Xray version: 3.131.27
10:41:22 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/xsc/system/version
10:41:22 [Debug] XSC version: 3.999.999
10:41:22 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/entitlements/feature/contextual_analysis
10:41:22 [Debug] Sending HTTP GET request to: https://redacted/artifactory/api/system/version
10:41:22 [Debug] Artifactory response: 200
10:41:22 [Debug] Artifactory Call Home: Sending info...
10:41:22 [Debug] Sending HTTP POST request to: https://redacted/artifactory/api/system/usage
10:41:22 [Debug] Sending HTTP POST request to: https://redacted/jfconnect/api/v1/backoffice/metrics/log
10:41:22 [Debug] Advanced Security scans were not initiated, so Advanced Security scans were skipped...
10:41:22 [Debug] Creating lock in: /root/.jfrog/locks/xray-indexer
10:41:22 [π΅Info] JFrog Xray Indexer 3.131.27 is not cached locally. Downloading it now...
10:41:22 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/indexer-resources/download/linux/amd64
2026/02/06 10:41:35 maxprocs: Leaving GOMAXPROCS=28: CPU quota undefined
10:41:35 [π΅Info] The downloaded Xray Indexer version is 3.131.27
10:41:35 [Debug] Releasing lock: /root/.jfrog/locks/xray-indexer/jfrog-cli.conf.lck.1.1770374482393574862
10:41:35 [π΅Info] [Thread 2] Indexing file: sbom.tar
10:41:38 [π΅Info] 2026/02/06 10:41:35 maxprocs: Leaving GOMAXPROCS=28: CPU quota undefined
2026-02-06T10:41:35.886Z [jfxia] [DEBUG] [] [filter:144 ] [BackgroundContext ] Initializing filtering service
2026-02-06T10:41:38.149Z [jfxia] [DEBUG] [] [archive_mgr:124 ] [BackgroundContext ] Indexing standalone file sbom.tar using artifactory folder /tmp/jfrog.cli.temp.-1770374495-4029541605
2026-02-06T10:41:38.150Z [jfxia] [DEBUG] [] [archive_mgr:168 ] [UnnamedContext ] Local path: /tmp/jfrog.cli.temp.-1770374495-4029541605/4e714316-e3ef-4fd7-82b9-610118ccb9c8/177037449815079970/sbom.tar
2026-02-06T10:41:38.150Z [jfxia] [DEBUG] [] [archive_mgr:173 ] [UnnamedContext ] Scanning file from Artifactory with mimetype 'application/x-gzip'
2026-02-06T10:41:38.174Z [jfxia] [DEBUG] [] [archive_mgr:255 ] [UnnamedContext ] Found archive file. Performing deep scan for file /tmp/jfrog.cli.temp.-1770374495-4029541605/4e714316-e3ef-4fd7-82b9-610118ccb9c8/177037449815079970/sbom.tar
2026-02-06T10:41:38.175Z [jfxia] [WARN ] [] [oci_tar:259 ] [UnnamedContext ] Failed to index tar file as container image: no layers found. Continue to generic tar indexer
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/1494307a8b363179c461972661a879d1f7ee1b375222c04473a0a8bbd201e907
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/1494307a8b363179c461972661a879d1f7ee1b375222c04473a0a8bbd201e907
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/98e56f455b73e4670d7dedb2a696c7ff266b30103e3aec800d4dee8e3e05b5d9
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/98e56f455b73e4670d7dedb2a696c7ff266b30103e3aec800d4dee8e3e05b5d9
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/a40c03cbb81c59bfb0e0887ab0b1859727075da7b9cc576a1cec2c771f38c5fb
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/a40c03cbb81c59bfb0e0887ab0b1859727075da7b9cc576a1cec2c771f38c5fb
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/a5a51aa08e4b670e132478073a80d1a4581f4dd2e7df4bbb97ca9afb3b360311
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/a5a51aa08e4b670e132478073a80d1a4581f4dd2e7df4bbb97ca9afb3b360311
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/acce69a501601612afda6da41d0e31677ba8565c0c5740a4a683173c32648e5d
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/acce69a501601612afda6da41d0e31677ba8565c0c5740a4a683173c32648e5d
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable blobs/sha256/b5e1a763c0e930ba3975bd44c26127b2e6e6a028efb33eacb6d5b421cadf3dc3
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: blobs/sha256/b5e1a763c0e930ba3975bd44c26127b2e6e6a028efb33eacb6d5b421cadf3dc3
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable oci-layout
2026-02-06T10:41:38.175Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: oci-layout
2026-02-06T10:41:38.213Z [jfxia] [INFO ] [] [archive_helper:62 ] [BackgroundContext ] SPDX license IDs from licenses.json and exceptions.json were loaded successfully
2026-02-06T10:41:38.213Z [jfxia] [DEBUG] [] [os_version:149 ] [UnnamedContext ] Creating OS packages child files
2026-02-06T10:41:38.213Z [jfxia] [DEBUG] [] [archive_mgr:602 ] [UnnamedContext ] No classification found for sbom.tar, classified as generic
2026-02-06T10:41:38.213Z [jfxia] [DEBUG] [] [archive_mgr:608 ] [UnnamedContext ] sbom.tar was classified as Generic
2026-02-06T10:41:38.213Z [jfxia] [DEBUG] [] [utils:428 ] [UnnamedContext ] total running time for indexing tree construction of sbom.tar: 4.5524e-05 seconds
2026-02-06T10:41:38.213Z [jfxia] [DEBUG] [] [utils:428 ] [UnnamedContext ] total running time for indexing sbom.tar: 0.039247202 seconds
10:41:38 [Debug] Sending HTTP POST request to: https://redacted/xray/api/v1/scan/graph?scan_type=binary
10:41:38 [π΅Info] Waiting for scan to complete on JFrog Xray...
10:41:38 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/scan/graph/aac0720c-39f6-4f44-9f5f-acc49a1f2164?include_vulnerabilities=true
10:41:38 [Debug] No information to print
Vulnerable Components
βββββββββββββββββββββββββββββββββββββββββββββ
β β¨ No vulnerable components were found β¨ β
βββββββββββββββββββββββββββββββββββββββββββββ
10:41:38 [π΅Info] Scan completed successfully.
If we don't have a sbom, then we get:
10:40:39 [Debug] JFrog CLI version: 2.90.0
10:40:39 [Debug] OS/Arch: linux/amd64
10:40:39 [Debug] There is no GitHub token, please set GitHub token to avoid anonymous rate limits
10:40:39 [Debug] Sending HTTP GET request to: https://api.github.com/repos/jfrog/jfrog-cli/releases/latest
10:40:39 [Debug] failed while trying to check latest JFrog CLI version: json: unknown field "url"
10:40:39 [π Warn] failed while trying to check latest JFrog CLI version: json: unknown field "url"
10:40:39 [Debug] Trace ID for JFrog Platform logs: c16708beb9055af6
10:40:39 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/system/version
10:40:39 [Debug] Xray version: 3.131.27
10:40:39 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/xsc/system/version
10:40:39 [Debug] XSC version: 3.999.999
10:40:39 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/entitlements/feature/contextual_analysis
10:40:39 [Debug] Sending HTTP GET request to: https://redacted/artifactory/api/system/version
10:40:39 [Debug] Artifactory response: 200
10:40:39 [Debug] Artifactory Call Home: Sending info...
10:40:39 [Debug] Sending HTTP POST request to: https://redacted/jfconnect/api/v1/backoffice/metrics/log
10:40:39 [Debug] Sending HTTP POST request to: https://redacted/artifactory/api/system/usage
10:40:39 [Debug] Advanced Security scans were not initiated, so Advanced Security scans were skipped...
10:40:39 [Debug] Creating lock in: /root/.jfrog/locks/xray-indexer
10:40:39 [π΅Info] JFrog Xray Indexer 3.131.27 is not cached locally. Downloading it now...
10:40:39 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/indexer-resources/download/linux/amd64
2026/02/06 10:40:52 maxprocs: Leaving GOMAXPROCS=28: CPU quota undefined
10:40:52 [π΅Info] The downloaded Xray Indexer version is 3.131.27
10:40:52 [Debug] Releasing lock: /root/.jfrog/locks/xray-indexer/jfrog-cli.conf.lck.1.1770374439877192562
10:40:52 [π΅Info] [Thread 0] Indexing file: nosbom.tar
10:40:57 [π΅Info] 2026/02/06 10:40:52 maxprocs: Leaving GOMAXPROCS=28: CPU quota undefined
2026-02-06T10:40:53.066Z [jfxia] [DEBUG] [] [filter:144 ] [BackgroundContext ] Initializing filtering service
2026-02-06T10:40:55.266Z [jfxia] [DEBUG] [] [archive_mgr:124 ] [BackgroundContext ] Indexing standalone file nosbom.tar using artifactory folder /tmp/jfrog.cli.temp.-1770374452-3722531446
2026-02-06T10:40:55.267Z [jfxia] [DEBUG] [] [archive_mgr:168 ] [UnnamedContext ] Local path: /tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445526749754/nosbom.tar
2026-02-06T10:40:55.267Z [jfxia] [DEBUG] [] [archive_mgr:173 ] [UnnamedContext ] Scanning file from Artifactory with mimetype 'application/x-gzip'
2026-02-06T10:40:55.291Z [jfxia] [DEBUG] [] [archive_mgr:255 ] [UnnamedContext ] Found archive file. Performing deep scan for file /tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445526749754/nosbom.tar
2026-02-06T10:40:55.301Z [jfxia] [DEBUG] [] [docker_multiarch:39 ] [UnnamedContext ] Docker multiarch image manifest scanning /nosbom/latest/manifest.json
2026-02-06T10:40:55.301Z [jfxia] [DEBUG] [] [docker_multiarch:45 ] [UnnamedContext ] Docker multiarch opener received message for normal docker image
2026-02-06T10:40:55.301Z [jfxia] [DEBUG] [] [docker:47 ] [UnnamedContext ] Docker image manifest scanning File: [Id=6627969732312353077, name=/nosbom/latest/manifest.json, path=/tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445530145666/, mime=application/x-docker, sha256=221ff4c6a97fc2756c3f57f243e6a5f9313cd61fcdfbf876ff51d7b18f95b020, parent=221ff4c6a97fc2756c3f57f243e6a5f9313cd61fcdfbf876ff51d7b18f95b020, childrens=0]
2026-02-06T10:40:55.302Z [jfxia] [DEBUG] [] [docker:55 ] [UnnamedContext ] docker layers on message {"messageId":"5f805be3-9f79-409c-8e81-1fddc2d71779","eventType":"","downloadUrl":"onDemand","artifactoryId":"","repoKey":"","repoPkgType":"","path":"/nosbom/latest/manifest.json","checksums":{"md5":"ee122da0dadd25ce22e4b1723bd02b5b","sha1":"ef8f5ba0b37d40c75f9602f680e3a8dc79b2d854","sha256":"221ff4c6a97fc2756c3f57f243e6a5f9313cd61fcdfbf876ff51d7b18f95b020"},"archivePath":"/tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445530145666/manifest.json","eventTime":0,"arriveAtXrayTime":0} (docker)
2026-02-06T10:40:55.302Z [jfxia] [DEBUG] [] [docker:121 ] [UnnamedContext ] Check if Docker exist url onDemand and Downloaded bigger than 0 (docker)
2026-02-06T10:40:55.302Z [jfxia] [DEBUG] [] [docker:135 ] [UnnamedContext ] Add downloaded Docker layer 589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153 to map for url onDemand (docker)
2026-02-06T10:40:55.302Z [jfxia] [DEBUG] [] [docker:71 ] [UnnamedContext ] Layers of the image during index stage: [{Size:3861821 Digest:sha256:589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153 MediaType:application/vnd.docker.image.rootfs.diff.tar URLs:[]}]
2026-02-06T10:40:55.302Z [jfxia] [DEBUG] [] [docker:170 ] [UnnamedContext ] Scanning docker layer 'sha256__589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153.tar'
2026-02-06T10:40:55.310Z [jfxia] [DEBUG] [] [archive_mgr:757 ] [UnnamedContext ] Found archive file. Performing deep scan for file /tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445530215286/sha256__589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153.tar
2026-02-06T10:40:55.310Z [jfxia] [DEBUG] [] [docker_layer_tar:80 ] [UnnamedContext ] Extract data from layer based on package manager files
2026-02-06T10:40:55.348Z [jfxia] [DEBUG] [] [docker_layer_tar:275 ] [UnnamedContext ] Analyzing OS file: alpine-release, path: etc/alpine-release
2026-02-06T10:40:55.348Z [jfxia] [INFO ] [] [extractor:229 ] [UnnamedContext ] Encountered release info file 'etc/alpine-release'
2026-02-06T10:40:55.348Z [jfxia] [DEBUG] [] [extractor:270 ] [UnnamedContext ] Alpine release is 3.23
2026-02-06T10:40:55.350Z [jfxia] [DEBUG] [] [docker_layer_tar:275 ] [UnnamedContext ] Analyzing OS file: installed, path: lib/apk/db/installed
2026-02-06T10:40:55.490Z [jfxia] [DEBUG] [] [docker_layer_tar:275 ] [UnnamedContext ] Analyzing OS file: os-release, path: usr/lib/os-release
2026-02-06T10:40:55.490Z [jfxia] [DEBUG] [] [extractor:312 ] [UnnamedContext ]
OS Version Info:
ID: alpine
Distribution:
Version: 3.23.3
2026-02-06T10:40:55.549Z [jfxia] [INFO ] [] [archive_helper:62 ] [BackgroundContext ] SPDX license IDs from licenses.json and exceptions.json were loaded successfully
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:149 ] [UnnamedContext ] Creating OS packages child files
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [extractor:506 ] [UnnamedContext ] Building OS packages components
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:alpine-baselayout:3.7.1-r8: Name: alpine-baselayout
Version: 3.7.1-r8
Release:
Epoch: (none)
RpmModule: (none)
MD5: d9b0b32fedbccd970e8edf1d2bed4d60
SHA1: 753b7cb2a8b5ff939045d7d309f4c689d599f8ac
SHA256: bba533dcf9fdf5ba7441dae8f433c6f0276bd97a1f48002aaf1de1dc57af8ca8
Package Name: 3.23:alpine-baselayout:3.7.1-r8
ComponentId: alpine://3.23:alpine-baselayout:3.7.1-r8
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:alpine-baselayout-data:3.7.1-r8: Name: alpine-baselayout-data
Version: 3.7.1-r8
Release:
Epoch: (none)
RpmModule: (none)
MD5: f3e6dfc2f3373c23d4dada0d61956a79
SHA1: e9e0df1c536daa427feb5ee1ecae823de6ee2c92
SHA256: 25513437c1bf6f25030e06a06594ab9eb0fa38a449a3f3eedc7a39e30e04db8e
Package Name: 3.23:alpine-baselayout-data:3.7.1-r8
ComponentId: alpine://3.23:alpine-baselayout-data:3.7.1-r8
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:alpine-keys:2.6-r0: Name: alpine-keys
Version: 2.6-r0
Release:
Epoch: (none)
RpmModule: (none)
MD5: 1d329de07f742f9f97a90ab28bb50ece
SHA1: 261f5ee73481af4f39570754702960932ee302de
SHA256: 9e3de79fe3c721ff463bc10e7db2bf7459bbcc6115dd3b36d734ed3583511c31
Package Name: 3.23:alpine-keys:2.6-r0
ComponentId: alpine://3.23:alpine-keys:2.6-r0
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:alpine-release:3.23.3-r0: Name: alpine-release
Version: 3.23.3-r0
Release:
Epoch: (none)
RpmModule: (none)
MD5: c476a8c4b5fdeb6b0c10443517ecbc5e
SHA1: d85cd996adf3063efb3cd390d3ea3d47a690897c
SHA256: 0f8c649cd474adb1bdbb0f87af5789ac8f15df03ddac5ba1c04bb2551fb64163
Package Name: 3.23:alpine-release:3.23.3-r0
ComponentId: alpine://3.23:alpine-release:3.23.3-r0
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:apk-tools:3.0.3-r1: Name: apk-tools
Version: 3.0.3-r1
Release:
Epoch: (none)
RpmModule: (none)
MD5: c6d109e54d6b7d10ed70856bc268ae44
SHA1: 4db515813fe8fcff3622bb12d9004b26a4dc3520
SHA256: c5019ab834b3e93f0d5759df2ab0b77e265f69c81e98a3ef57eff9a69b0ee918
Package Name: 3.23:apk-tools:3.0.3-r1
ComponentId: alpine://3.23:apk-tools:3.0.3-r1
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:busybox:1.37.0-r30: Name: busybox
Version: 1.37.0-r30
Release:
Epoch: (none)
RpmModule: (none)
MD5: 3ff55d10ad2212a1a49657c962b98dee
SHA1: d7beb270c103f4852f2b51087f07804cdad66f20
SHA256: eaad8843dc1eaeae1d49ac3de7e5da304cb11ec73628ba5a4de75aca62096a92
Package Name: 3.23:busybox:1.37.0-r30
ComponentId: alpine://3.23:busybox:1.37.0-r30
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:busybox-binsh:1.37.0-r30: Name: busybox-binsh
Version: 1.37.0-r30
Release:
Epoch: (none)
RpmModule: (none)
MD5: 52bbd1984765c2ef34ecbb2e4ff2acfd
SHA1: 9266afbb8edf76966256c62564ac890aa2c6eeef
SHA256: c508f90cc512c1ff857b034474c2227d9bafa8b84a2a1ab4b7777561d53f6902
Package Name: 3.23:busybox-binsh:1.37.0-r30
ComponentId: alpine://3.23:busybox-binsh:1.37.0-r30
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:ca-certificates-bundle:20251003-r0: Name: ca-certificates-bundle
Version: 20251003-r0
Release:
Epoch: (none)
RpmModule: (none)
MD5: 622ebc7cc6a19d83f93b179df01b0a5e
SHA1: 1432412d6929247a42c5b20ca6677f91f7892f95
SHA256: 7136212010f3d7db95132508fd5124a5f2f21266611572d63bb606a7c08ebfdf
Package Name: 3.23:ca-certificates-bundle:20251003-r0
ComponentId: alpine://3.23:ca-certificates-bundle:20251003-r0
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:libapk:3.0.3-r1: Name: libapk
Version: 3.0.3-r1
Release:
Epoch: (none)
RpmModule: (none)
MD5: 613276a45eb345b1936c29ebbf9e83a6
SHA1: ca2c64a0f44022468409acaed5408ef502d1b058
SHA256: 9deea22616cfa34e26f4d3a98701a6794046c48e025c20b7f924fdb726f5185b
Package Name: 3.23:libapk:3.0.3-r1
ComponentId: alpine://3.23:libapk:3.0.3-r1
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:libcrypto3:3.5.5-r0: Name: libcrypto3
Version: 3.5.5-r0
Release:
Epoch: (none)
RpmModule: (none)
MD5: 3a438b5a4ba2ea1d93b178ad874b4ee4
SHA1: 9b0cf4e67d3d9d6bf6059b468208a17dcf955b68
SHA256: f84f762caf130b5d3ab6801777f6b44462df5ecac09db6222ef0dd0c18753c46
Package Name: 3.23:libcrypto3:3.5.5-r0
ComponentId: alpine://3.23:libcrypto3:3.5.5-r0
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:libssl3:3.5.5-r0: Name: libssl3
Version: 3.5.5-r0
Release:
Epoch: (none)
RpmModule: (none)
MD5: 664af0b3f70361fd2b15f224192aff81
SHA1: 0919934c7baf1d189b683672a4f74665ff2d90c4
SHA256: 4ac32f5c5972665c57a3209268e9b42443aca558945729dcd0ac1d9076e8c01a
Package Name: 3.23:libssl3:3.5.5-r0
ComponentId: alpine://3.23:libssl3:3.5.5-r0
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:musl:1.2.5-r21: Name: musl
Version: 1.2.5-r21
Release:
Epoch: (none)
RpmModule: (none)
MD5: 70363ff0c4365a78f380d15081483427
SHA1: 4c7e5cfc2c5aba6f350c3b0cded95d547080971f
SHA256: 647ce124cba5b6c33d00ca61e94f522c4ec74bc83ccc14d5318aa6e3b47fbd29
Package Name: 3.23:musl:1.2.5-r21
ComponentId: alpine://3.23:musl:1.2.5-r21
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:musl-utils:1.2.5-r21: Name: musl-utils
Version: 1.2.5-r21
Release:
Epoch: (none)
RpmModule: (none)
MD5: 336b57d1ddd1b5068d3a466429f00dab
SHA1: 97bd50d42b69fbcc6f3471389951df4424079036
SHA256: 5225abd49bd3bcd9512c25a9a9467c6cdf6fef1628d078b0ca11015ba66a0c29
Package Name: 3.23:musl-utils:1.2.5-r21
ComponentId: alpine://3.23:musl-utils:1.2.5-r21
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:scanelf:1.3.8-r2: Name: scanelf
Version: 1.3.8-r2
Release:
Epoch: (none)
RpmModule: (none)
MD5: 6f2aaaa4ad3f54f8e64ef3279bbbd3f6
SHA1: 244cfcb224cd59b35f9c987df425a05a7480aa0c
SHA256: a55e61a548d7da1844af8303c7a3ff5466c5c830e3c1f1d1c8ce39729fbacdcf
Package Name: 3.23:scanelf:1.3.8-r2
ComponentId: alpine://3.23:scanelf:1.3.8-r2
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:ssl_client:1.37.0-r30: Name: ssl_client
Version: 1.37.0-r30
Release:
Epoch: (none)
RpmModule: (none)
MD5: b3a47090e0a82347c20d35afd23eb939
SHA1: 83d1e8586d557e45a409787b0386b128e02f5616
SHA256: ddc1ae541ad9636b51440f85a7f096985ab069ebfc68f1b2945b82671889b188
Package Name: 3.23:ssl_client:1.37.0-r30
ComponentId: alpine://3.23:ssl_client:1.37.0-r30
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [os_version:162 ] [UnnamedContext ] Indexing OS package component alpine://3.23:zlib:1.3.1-r2: Name: zlib
Version: 1.3.1-r2
Release:
Epoch: (none)
RpmModule: (none)
MD5: 7438d69399ab944598432ed933a381ec
SHA1: 9f52d92a9e57af69102503efc481c718711e9057
SHA256: a2e1bd4a72675fd9c60881d0c95bfca01e21bd60e29f6123e5bafd93cff30403
Package Name: 3.23:zlib:1.3.1-r2
ComponentId: alpine://3.23:zlib:1.3.1-r2
MimeType: application/x-alpine
PkgType: Alpine
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [docker_layer_tar:116 ] [UnnamedContext ] Extract data from layer based on artifact extraction
2026-02-06T10:40:55.549Z [jfxia] [DEBUG] [] [extractor:506 ] [UnnamedContext ] Building OS packages components
2026-02-06T10:40:55.584Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable bin/busybox
2026-02-06T10:40:55.589Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/alpine-release
2026-02-06T10:40:55.589Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/alpine-release
2026-02-06T10:40:55.589Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/apk/arch
2026-02-06T10:40:55.589Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/apk/arch
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/apk/repositories
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/apk/repositories
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/apk/world
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/apk/world
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/busybox-paths.d/busybox
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/busybox-paths.d/busybox
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/crontabs/root
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/crontabs/root
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/fstab
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/fstab
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/group
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/group
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/hostname
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/hostname
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/hosts
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/hosts
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/inittab
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/inittab
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/issue
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/issue
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/logrotate.d/acpid
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/logrotate.d/acpid
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/modules
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/modules
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/motd
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/motd
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/network/if-up.d/dad
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/network/if-up.d/dad
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/passwd
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/passwd
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/profile
2026-02-06T10:40:55.590Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/profile
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/protocols
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/protocols
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/secfixes.d/alpine
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/secfixes.d/alpine
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/securetty
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/securetty
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/services
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/services
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/shadow
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/shadow
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/shells
2026-02-06T10:40:57.279Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/shells
2026-02-06T10:40:57.280Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable lib/apk/db/installed
2026-02-06T10:40:57.280Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: lib/apk/db/installed
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [archive_mgr:757 ] [UnnamedContext ] Found archive file. Performing deep scan for file /tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445728080134/scripts.tar.gz
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [os_version:149 ] [UnnamedContext ] Creating OS packages child files
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [archive_mgr:602 ] [UnnamedContext ] No classification found for scripts.tar.gz, classified as generic
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [archive_mgr:608 ] [UnnamedContext ] scripts.tar.gz was classified as Generic
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [utils:428 ] [UnnamedContext ] total running time for indexing tree construction of scripts.tar.gz: 5.7132e-05 seconds
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable lib/apk/db/triggers
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: lib/apk/db/triggers
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable lib/ld-musl-x86_64.so.1
2026-02-06T10:40:57.281Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary lib/ld-musl-x86_64.so.1 due to small size 666216
2026-02-06T10:40:57.285Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable lib/libc.musl-x86_64.so.1
2026-02-06T10:40:57.285Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: lib/libc.musl-x86_64.so.1
2026-02-06T10:40:57.285Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable sbin/apk
2026-02-06T10:40:57.285Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary sbin/apk due to small size 115096
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable sbin/ldconfig
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: sbin/ldconfig
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/bin/getconf
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/bin/getconf due to small size 22344
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/bin/getent
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/bin/getent due to small size 18480
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/bin/iconv
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/bin/iconv due to small size 14152
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/bin/ldd
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: usr/bin/ldd
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/bin/scanelf
2026-02-06T10:40:57.286Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/bin/scanelf due to small size 67504
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/bin/ssl_client
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/bin/ssl_client due to small size 14384
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/engines-3/afalg.so
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/engines-3/afalg.so due to small size 18504
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/engines-3/capi.so
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/engines-3/capi.so due to small size 13864
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/engines-3/loader_attic.so
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/engines-3/loader_attic.so due to small size 47608
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/engines-3/padlock.so
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/engines-3/padlock.so due to small size 22360
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/libapk.so.3.0.0
2026-02-06T10:40:57.287Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/libapk.so.3.0.0 due to small size 277184
2026-02-06T10:40:57.289Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/libcrypto.so.3
2026-02-06T10:40:57.309Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/libssl.so.3
2026-02-06T10:40:57.314Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/libz.so.1.3.1
2026-02-06T10:40:57.314Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/libz.so.1.3.1 due to small size 104280
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/libz.so.1
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: usr/lib/libz.so.1
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/os-release
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: usr/lib/os-release
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable etc/os-release
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [binary_utils:64 ] [UnnamedContext ] Binary is not supported by magic bytes with path: etc/os-release
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [fileutil:148 ] [UnnamedContext ] checking if the file is supported executable usr/lib/ossl-modules/legacy.so
2026-02-06T10:40:57.315Z [jfxia] [DEBUG] [] [binary_utils:74 ] [UnnamedContext ] skipping Go/Rust check on binary usr/lib/ossl-modules/legacy.so due to small size 100184
2026-02-06T10:40:57.317Z [jfxia] [DEBUG] [] [archive_mgr:602 ] [UnnamedContext ] No classification found for sha256__589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153.tar, classified as generic
2026-02-06T10:40:57.317Z [jfxia] [DEBUG] [] [archive_mgr:608 ] [UnnamedContext ] sha256__589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153.tar was classified as Generic
2026-02-06T10:40:57.317Z [jfxia] [DEBUG] [] [utils:428 ] [UnnamedContext ] total running time for indexing tree construction of sha256__589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153.tar: 6.3637e-05 seconds
2026-02-06T10:40:57.317Z [jfxia] [DEBUG] [] [docker:212 ] [UnnamedContext ] Updating OS packages components of layer 'sha256__589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153.tar'
2026-02-06T10:40:57.317Z [jfxia] [DEBUG] [] [docker:264 ] [UnnamedContext ] No accumulated OS packages from previous layers
2026-02-06T10:40:57.317Z [jfxia] [INFO ] [] [docker:108 ] [UnnamedContext ] Finished indexing layers of docker /tmp/jfrog.cli.temp.-1770374452-3722531446/5f805be3-9f79-409c-8e81-1fddc2d71779/177037445530145666/ (sha256:221ff4c6a97fc2756c3f57f243e6a5f9313cd61fcdfbf876ff51d7b18f95b020)
2026-02-06T10:40:57.318Z [jfxia] [DEBUG] [] [archive_mgr:602 ] [UnnamedContext ] No classification found for /nosbom/latest/manifest.json, classified as generic
2026-02-06T10:40:57.318Z [jfxia] [DEBUG] [] [archive_mgr:608 ] [UnnamedContext ] /nosbom/latest/manifest.json was classified as Docker
2026-02-06T10:40:57.318Z [jfxia] [DEBUG] [] [utils:428 ] [UnnamedContext ] total running time for indexing tree construction of /nosbom/latest/manifest.json: 4.3923e-05 seconds
2026-02-06T10:40:57.318Z [jfxia] [DEBUG] [] [utils:428 ] [UnnamedContext ] total running time for indexing nosbom.tar: 2.026274661 seconds
10:40:57 [Debug] Sending HTTP POST request to: https://redacted/xray/api/v1/scan/graph?scan_type=binary
10:40:57 [π΅Info] Waiting for scan to complete on JFrog Xray...
10:40:57 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/scan/graph/b2c4d85d-8b04-434e-9491-278d7fba8ffd?include_vulnerabilities=true
10:40:57 [Debug] Get Dependencies Scan results... (Attempt 1)
10:41:02 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/scan/graph/b2c4d85d-8b04-434e-9491-278d7fba8ffd?include_vulnerabilities=true
10:41:03 [Debug] Get Dependencies Scan results... (Attempt 2)
10:41:08 [Debug] Sending HTTP GET request to: https://redacted/xray/api/v1/scan/graph/b2c4d85d-8b04-434e-9491-278d7fba8ffd?include_vulnerabilities=true
Vulnerable Components
ββββββββββββββββββ¬βββββββββββββ¬ββββββββββββββββββββββββββ¬ββββββββββ¬ββββββββββββ¬ββββββββββββ¬βββββββββββ¬βββββββββ
β CVE β SEVERITY β DIRECT β DIRECT β AFFECTED β AFFECTED β FIXED β TYPE β
β β β PACKAGE β PACKAGE β COMPONENT β COMPONENT β VERSIONS β β
β β β β VERSION β NAME β VERSION β β β
ββββββββββββββββββΌβββββββββββββΌββββββββββββββββββββββββββΌββββββββββΌββββββββββββΌββββββββββββΌβββββββββββΌβββββββββ€
β CVE-2026-22184 β πCritical β sha256__589002ba0eaed12 β β 3.23:zlib β 1.3.1-r2 β β Alpine β
β β β 1a1dbf42f6648f29e5be55d β β β β β β
β β β 5c8a6ee0f8eaa0285cc21ac β β β β β β
β β β 153.tar β β β β β β
β β β β β β β β β
ββββββββββββββββββ΄βββββββββββββ΄ββββββββββββββββββββββββββ΄ββββββββββ΄ββββββββββββ΄ββββββββββββ΄βββββββββββ΄βββββββββ
10:41:08 [π΅Info] Scan completed successfully.
Reproduction steps
Create a Dockerfile with:
FROM alpine:latest
Start latest version of buildkit with the following command:
docker run -v .:/data -w /data --privileged --name=buildkit -d -t moby/buildkit:buildx-stable-1
Enter into the container to run the build tar commands:
docker exec -it buildkit sh
Generate the following tar file without SBOM (inside the buildkit container):
buildctl-daemonless.sh build --frontend dockerfile.v0 --local context=. --local dockerfile=/data/ --opt image-resolve-mode=pull --output type=docker,dest=/data/nosbom.tar,name=nosbom
Generate the following tar file with SBOM to compare (inside the buildkit container)::
buildctl-daemonless.sh build --frontend dockerfile.v0 --local context=. --local dockerfile=/data/ --opt image-resolve-mode=pull --opt attest:sbom=generator=docker/buildkit-syft-scanner:1.10.0 --output type=docker,dest=/data/sbom.tar,name=sbom
Exit the container shell and run the following tests:
No SBOM test:
docker run -v .:/data -w /data --entrypoint bash -it releases-docker.jfrog.io/jfrog/jfrog-cli-v2-jf -c "JFROG_CLI_LOG_LEVEL=DEBUG jf s nosbom.tar --url '<your_artifactory_url>' --user '<your_username>' --password='<your_password>'"
With SBOM test:
docker run -v .:/data -w /data --entrypoint bash -it releases-docker.jfrog.io/jfrog/jfrog-cli-v2-jf -c "JFROG_CLI_LOG_LEVEL=DEBUG jf s sbom.tar --url '<your_artifactory_url>' --user '<your_username>' --password='<your_password>'
Expected behavior
Be able to do jf scan on the sbom.tar like we do with the nosbom.tar.
JFrog CLI-Security version
1.26.0
JFrog CLI version (if applicable)
2.90.0
Operating system type and version
Windows 11 with Docker version 29.1.3, build f52814d
JFrog Xray version
3.131.27