Bug: Vulnerability scanner fails when the updated docker image has the same number of vulnerabilities as the old version #770

@jormundur00

Description

Describe the bug

In the current implementation of the Vulnerability scanner, org.graalvm.internal.tck.GrypeTask#scanChangedImages throws an IllegalStateException when the number of vulnerabilities for the newer docker image version is equal to the number of vulnerabilities on the current version. In this case, we should allow the version upgrade and not fail the task.

Also, org.graalvm.internal.tck.GrypeTask#getAllowedImagesFromMaster always fails when it's called in the GitHub Actions CI, as the action-fetched repository only contains the origin/master branch, while the method looks for a non-existent master branch.

Steps to reproduce

Both issues were discovered in the CI during the attempt to bump the version of the `postgres` docker image from `16-alpine` to `18-alpine`.

The non-existent `master` branch issue hides the vulnerability equality issue, with the workflow producing this build:

https://github.com/oracle/graalvm-reachability-metadata/actions/runs/19335156151/job/55307954645#step:5:66

When replacing the `master` check with `origin/master` in the scanner, we get the original issue:

https://github.com/oracle/graalvm-reachability-metadata/actions/runs/19333907567/job/55303630330#step:5:78

Expected behavior

The Vulnerability scanner should only fail if the updated version of the docker image contains strictly more vulnerabilities than the current version. We should accept version bumps that have an equal amount of vulnerabilities as the current version.

Logs and error messages

Issue 1:

Run ./gradlew checkAllowedDockerImages --baseCommit=5a4e6a97fc87b2bedde4aeab07abe1d4ffe06ce9 --newCommit=74456c386b5eec7dec5de2a41ac054846e506744
Downloading https://services.gradle.org/distributions/gradle-9.1.0-bin.zip
............10%.............20%.............30%.............40%.............50%............60%.............70%.............80%.............90%.............100%

Welcome to Gradle 9.1.0!

Here are the highlights of this release:
 - Full Java 25 support
 - Native task graph visualization
 - Enhanced console output

For more details see https://docs.gradle.org/9.1.0/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)
> Task :tck-build-logic:extractPluginRequests
> Task :tck-build-logic:generatePluginAdapters
> Task :tck-build-logic:compileJava
> Task :tck-build-logic:compileGroovy
> Task :tck-build-logic:compileGroovyPlugins
> Task :tck-build-logic:pluginDescriptors
> Task :tck-build-logic:processResources
> Task :tck-build-logic:classes
> Task :tck-build-logic:jar

> Configure project :
GraalVM Reachability Metadata TCK
---------------------------------

> Task :checkAllowedDockerImages
Generating info for docker image: nats:2.12.1
Generating info for docker image: postgres:18-alpine
Generating info for docker image: testcontainers/ryuk:0.14.0
Generating info for docker image: container-registry.oracle.com/mysql/community-server:9.5.0
Before fail: /allowed-docker-images/Dockerfile-testcontainers_ryuk
Before fail: /allowed-docker-images/Dockerfile-postgres
Before fail: /allowed-docker-images/Dockerfile-opengauss_opengauss
Before fail: /allowed-docker-images/Dockerfile-nginx
Before fail: /allowed-docker-images/Dockerfile-nats
Before fail: /allowed-docker-images/Dockerfile-mysql_mysql-server
Before fail: /allowed-docker-images/Dockerfile-mssql_server
Before fail: /allowed-docker-images/Dockerfile-mariadb
Before fail: /allowed-docker-images/Dockerfile-greenmail_standalone
Before fail: /allowed-docker-images/Dockerfile-eclipse-mosquitto
Image: postgres:18-alpine contains 0 critical and 4 high vulnerabilities
Generating info for docker image: postgres:16-alpine
Image: postgres:16-alpine contains 0 critical and 4 high vulnerabilities

> Task :checkAllowedDockerImages FAILED

[Incubating] Problems report is available at: file:///home/runner/work/graalvm-reachability-metadata/graalvm-reachability-metadata/build/reports/problems/problems-report.html

Deprecated Gradle features were used in this build, making it incompatible with Gradle 10.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/9.1.0/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
9 actionable tasks: 9 executed

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':checkAllowedDockerImages'.
> Highly vulnerable images found. Please check the list of vulnerable images provided above.


Issue 2:

Run ./gradlew checkAllowedDockerImages --baseCommit=5a4e6a97fc87b2bedde4aeab07abe1d4ffe06ce9 --newCommit=4adad54b318b3d6a0a847ed4d7fef72c68ea073b
  ./gradlew checkAllowedDockerImages --baseCommit=5a4e6a97fc87b2bedde4aeab07abe1d4ffe06ce9 --newCommit=4adad54b318b3d6a0a847ed4d7fef72c68ea073b
  shell: /usr/bin/bash -e {0}
  env:
    GRAALVM_HOME: /opt/hostedtoolcache/graalvm-jdk-17.0.12_linux-x64_bin/17.0.12/x64/graalvm-jdk-17.0.12+8.1
    JAVA_HOME: /opt/hostedtoolcache/graalvm-jdk-17.0.12_linux-x64_bin/17.0.12/x64/graalvm-jdk-17.0.12+8.1
Downloading https://services.gradle.org/distributions/gradle-9.1.0-bin.zip
............10%.............20%.............30%.............40%.............50%............60%.............70%.............80%.............90%.............100%

Welcome to Gradle 9.1.0!

Here are the highlights of this release:
 - Full Java 25 support
 - Native task graph visualization
 - Enhanced console output

For more details see https://docs.gradle.org/9.1.0/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)
> Task :tck-build-logic:extractPluginRequests
> Task :tck-build-logic:generatePluginAdapters
> Task :tck-build-logic:compileJava
> Task :tck-build-logic:compileGroovy
> Task :tck-build-logic:compileGroovyPlugins
> Task :tck-build-logic:pluginDescriptors
> Task :tck-build-logic:processResources
> Task :tck-build-logic:classes
> Task :tck-build-logic:jar

> Configure project :
GraalVM Reachability Metadata TCK
---------------------------------

> Task :checkAllowedDockerImages
Generating info for docker image: nats:2.12.1
Generating info for docker image: postgres:18-alpine
Generating info for docker image: testcontainers/ryuk:0.14.0
Generating info for docker image: container-registry.oracle.com/mysql/community-server:9.5.0
fatal: invalid object name 'master'.

> Task :checkAllowedDockerImages FAILED

FAILURE: Build failed with an exception.

Reproducer (optional)

#767

Additional context

No response

GraalVM version

Not a Graal issue

Operating system

Linux

CPU architecture

AMD64 (x86-64)
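The comparison rule described under "Expected behavior", as an added example that is not the project's GrypeTask code: a version bump is rejected only when the updated image has strictly more findings than the base image, so equal counts (the postgres 16 vs 18 case in the log) pass. The Grype JSON shape used here follows `grype -o json` (`matches[].vulnerability.severity`), the per-severity comparison and the gated severity set are assumptions, and the sample reports are constructed.

```python
"""Compare Grype scan results of a base image and an updated image.

Fails the upgrade only if the updated image is strictly worse than the base
image in a gated severity; equal counts are allowed (assumed semantics).
"""
import json
from collections import Counter

# Severities that gate the upgrade (assumption; the task log reports critical and high).
GATED_SEVERITIES = ("Critical", "High")


def count_by_severity(grype_json: str) -> Counter:
    """Count Grype matches per severity from a `grype -o json` report."""
    report = json.loads(grype_json)
    return Counter(m["vulnerability"]["severity"] for m in report.get("matches", []))


def upgrade_is_worse(base: Counter, updated: Counter) -> bool:
    """True only if the updated image has strictly MORE findings in any gated severity.

    Using `>` rather than `>=` is the whole fix: equal counts must not fail.
    """
    return any(updated[s] > base[s] for s in GATED_SEVERITIES)


def check_upgrade(base_json: str, updated_json: str) -> str:
    """Return 'ALLOW' or 'FAIL' for a base -> updated image bump."""
    base, updated = count_by_severity(base_json), count_by_severity(updated_json)
    for name, c in (("base", base), ("updated", updated)):
        print(f"{name}: {c['Critical']} critical and {c['High']} high vulnerabilities")
    return "FAIL" if upgrade_is_worse(base, updated) else "ALLOW"


def _fake_report(severities):
    """Constructed Grype-shaped report with one match per listed severity (placeholder ids)."""
    matches = [{"vulnerability": {"id": f"SAMPLE-{i}", "severity": s}}
               for i, s in enumerate(severities)]
    return json.dumps({"matches": matches})


BASE_16 = _fake_report(["High"] * 4)                       # like postgres:16-alpine in the log
UPDATED_18 = _fake_report(["High"] * 4)                    # like postgres:18-alpine: equal counts
UPDATED_WORSE = _fake_report(["High"] * 4 + ["Critical"])  # one additional critical finding

if __name__ == "__main__":
    print(check_upgrade(BASE_16, UPDATED_18))     # ALLOW: equal counts must not fail the task
    print(check_upgrade(BASE_16, UPDATED_WORSE))  # FAIL: strictly more critical findings
```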

Labels: bug (Something isn't working)