fix: Trivy fails with "invalid tar header" when scanning Copa-patched images (#1359)

robert-cronin · web-flow · commit 599e0acd5e3c · 2025-10-28T11:30:54.000-04:00
Signed-off-by: robert-cronin &lt;robert.owen.cronin@gmail.com&gt;
diff --git a/pkg/patch/build.go b/pkg/patch/build.go
@@ -15,6 +15,10 @@ import (
 	sourcepolicy "github.com/moby/buildkit/sourcepolicy/pb"
 )
 
+const (
+	attrValueTrue = "true"
+)
+
 // BuildConfig holds configuration for building and exporting images.
 type BuildConfig struct {
 	SolveOpt        client.SolveOpt
@@ -45,18 +49,23 @@ func createBuildConfig(
 		"annotation." + copaAnnotationKeyPrefix + ".image.patched": time.Now().UTC().Format(time.RFC3339),
 	}
 	if shouldExportOCI {
-		attrs["oci-mediatypes"] = "true"
+		attrs["oci-mediatypes"] = attrValueTrue
 	}
 
 	if push {
-		attrs["push"] = "true"
+		attrs["push"] = attrValueTrue
 		solveOpt.Exports = []client.ExportEntry{
 			{
 				Type:  client.ExporterImage,
 				Attrs: attrs,
 			},
 		}
 	} else {
+		// Use uncompressed layers for local export to ensure diff_id == blob digest
+		// This fixes Trivy scanning issues where compressed layers have mismatched hashes
+		attrs["compression"] = "uncompressed"
+		attrs["force-compression"] = attrValueTrue
+
 		solveOpt.Exports = []client.ExportEntry{
 			{
 				Type:  client.ExporterDocker,

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,10 @@ import (`
`15`	`15`	`sourcepolicy "github.com/moby/buildkit/sourcepolicy/pb"`
`16`	`16`	`)`
`17`	`17`
	`18`	`+const (`
	`19`	`+ attrValueTrue = "true"`
	`20`	`+)`
	`21`	`+`
`18`	`22`	`// BuildConfig holds configuration for building and exporting images.`
`19`	`23`	`type BuildConfig struct {`
`20`	`24`	`SolveOpt client.SolveOpt`
`@@ -45,18 +49,23 @@ func createBuildConfig(`
`45`	`49`	`"annotation." + copaAnnotationKeyPrefix + ".image.patched": time.Now().UTC().Format(time.RFC3339),`
`46`	`50`	`}`
`47`	`51`	`if shouldExportOCI {`
`48`		`- attrs["oci-mediatypes"] = "true"`
	`52`	`+ attrs["oci-mediatypes"] = attrValueTrue`
`49`	`53`	`}`
`50`	`54`
`51`	`55`	`if push {`
`52`		`- attrs["push"] = "true"`
	`56`	`+ attrs["push"] = attrValueTrue`
`53`	`57`	`solveOpt.Exports = []client.ExportEntry{`
`54`	`58`	`{`
`55`	`59`	`Type: client.ExporterImage,`
`56`	`60`	`Attrs: attrs,`
`57`	`61`	`},`
`58`	`62`	`}`
`59`	`63`	`} else {`
	`64`	`+ // Use uncompressed layers for local export to ensure diff_id == blob digest`
	`65`	`+ // This fixes Trivy scanning issues where compressed layers have mismatched hashes`
	`66`	`+ attrs["compression"] = "uncompressed"`
	`67`	`+ attrs["force-compression"] = attrValueTrue`
	`68`	`+`
`60`	`69`	`solveOpt.Exports = []client.ExportEntry{`
`61`	`70`	`{`
`62`	`71`	`Type: client.ExporterDocker,`