Conversation

@robert-cronin
Contributor

Changes:

  • Add compression=uncompressed for non-push exports
  • Add force-compression=true to ensure attribute is applied

Closes #1358

…scanning issues

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
@robert-cronin robert-cronin self-assigned this Oct 28, 2025
@robert-cronin robert-cronin added the bug Something isn't working label Oct 28, 2025
Copilot AI review requested due to automatic review settings October 28, 2025 06:48
Contributor

Copilot AI left a comment

Pull Request Overview

This PR fixes a Trivy scanning issue (#1358) where Copa-patched images fail with "invalid tar header" errors. The fix ensures that locally exported images use uncompressed layers, which resolves hash mismatches that occur when diff_id and blob digest differ due to compression.

Key changes:

  • Added compression=uncompressed attribute to BuildKit export configuration for non-push (local) exports
  • Added force-compression=true to ensure the compression attribute is applied

Comment on lines +60 to +61
// Use uncompressed layers for local export to ensure diff_id == blob digest
// This fixes Trivy scanning issues where compressed layers have mismatched hashes
Copilot AI Oct 28, 2025

The comment explains the purpose of uncompressed layers but doesn't clarify why force-compression=true is needed alongside compression=uncompressed. Consider expanding the comment to explain that force-compression ensures the compression setting is applied even when BuildKit might otherwise use defaults.

Suggested change
// Use uncompressed layers for local export to ensure diff_id == blob digest
// This fixes Trivy scanning issues where compressed layers have mismatched hashes
// Use uncompressed layers for local export to ensure diff_id == blob digest.
// This fixes Trivy scanning issues where compressed layers have mismatched hashes.
// Note: BuildKit may ignore the 'compression' setting and use its default unless 'force-compression' is set to 'true'.
// Setting both ensures that the compression setting is always applied as intended.

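As an added illustration of the mechanism the review above describes (this is not code from the Copa project), the following Go snippet computes a constructed layer's diff_id and blob digest with and without gzip, and records the two exporter attributes the PR sets. The tar contents, file name and mode are made up for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
)

// ExportAttrs are the two BuildKit exporter attributes the PR sets for local
// (non-push) exports so that layers are written uncompressed.
var ExportAttrs = map[string]string{"compression": "uncompressed", "force-compression": "true"}

// SampleLayer builds a constructed single-file tar stream standing in for the
// filesystem diff of one patched image layer (contents are made up).
func SampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	data := []byte("patched binary contents\n")
	hdr := &tar.Header{Name: "usr/bin/example", Mode: 0o755, Size: int64(len(data))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	tw.Write(data)
	tw.Close()
	return buf.Bytes()
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// LayerDigests returns the diff_id (digest of the uncompressed tar, as recorded
// in the image config) and the blob digest (digest of the layer bytes as
// stored). They coincide only when the layer is stored uncompressed, which is
// what the uncompressed export guarantees for the local scan case.
func LayerDigests(layer []byte, compress bool) (diffID, blob string) {
	diffID = digest(layer)
	if !compress {
		return diffID, diffID
	}
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(layer)
	w.Close()
	return diffID, digest(gz.Bytes())
}
```

A scanner that expects blob digest == diff_id for a locally exported layer will only be satisfied by the uncompressed path, which is the condition the PR enforces.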
@codecov
codecov bot commented Oct 28, 2025

Codecov Report

❌ Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 39.51%. Comparing base (4bee93a) to head (1ed73a4).
⚠️ Report is 2 commits behind head on main.

Files with missing lines | Patch % | Lines
pkg/patch/build.go | 75.00% | 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1359      +/-   ##
==========================================
+ Coverage   39.49%   39.51%   +0.02%     
==========================================
  Files          42       42              
  Lines        5879     5881       +2     
==========================================
+ Hits         2322     2324       +2     
  Misses       3361     3361              
  Partials      196      196              

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
Contributor

@ashnamehrotra ashnamehrotra left a comment

LGTM

@ashnamehrotra ashnamehrotra merged commit 599e0ac into project-copacetic:main Oct 28, 2025
60 of 61 checks passed
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in Copacetic Workboard Oct 28, 2025
robert-cronin added a commit that referenced this pull request Oct 29, 2025
… images (#1359)

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
Labels

bug Something isn't working

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

[BUG] Trivy fails with "invalid tar header" when scanning Copa-patched images

2 participants