Ignore layer.tar in Lifecycle Scans

I am running Lifecycle scans on Docker images that are tarballed for Lifecycle to scan. It seems from the documentation here (Containers in IQ Server - Sonatype Guides) that there are many layer.tar created to facilitate the scanning. However, these layer.tar are always found as an Unknown-Component in our scans. Unknown-Components is still a policy we would like to know about, however seeing many layer.tar alerts can definitely cause some fatigue. Is there a supported workaround for this?


Hi @dickinson.joey,
Thank you for posting your question. Sorry for the delay. I came across your post while searching for a similar topic.

The way that Nexus IQ Server performs scans is that it recursively looks at archive files and extracts them and repeats the analysis on each file contained within the archive. The challenge with making this nice is that some ecosystems (e.g. Java) have open source components that are themselves archives. Thus, you do not want to completely ignore the *.tar files in your scan. On the other hand, as you note, this causes some noise when scanning a container due to the intermediate layer.tar files.

The solution that I have found that works best is to configure IQ Server to treat the layer.tar as a proprietary file.

This has the downside that any file named layer.tar will be identified as proprietary even if it is truly an open source component file.

If not already done, your Component-Unknown policy should be configured to ignore proprietary components.
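As an added illustration (not code from this thread or from Sonatype), the following constructed example mimics the recursive archive walk described above and applies a name-based "proprietary" rule to the entries it finds, including the downside mentioned in the reply: a real jar that happens to be named layer.tar is also hidden. The in-memory image layout (manifest.json plus `<id>/layer.tar`) is an assumption modelled on `docker save` output, and the matcher is a simulation, not IQ Server's own.

```python
import fnmatch
import io
import tarfile
import zipfile


def add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Add an in-memory file to a tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image() -> bytes:
    """Constructed sample: an image tarball with one layer.tar that holds a jar,
    plus a jar that has (wrongly) been named layer.tar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        add_bytes(t, "opt/app/lib/commons-example.jar", jar.getvalue())
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        add_bytes(t, "manifest.json", b"[]")
        add_bytes(t, "abc123/layer.tar", layer.getvalue())
        add_bytes(t, "vendor/layer.tar", jar.getvalue())  # misnamed jar
    return image.getvalue()


def walk_archives(name: str, data: bytes):
    """Yield every path found, recursing into tar and zip archives (nested paths joined with '!')."""
    yield name
    if tarfile.is_tarfile(io.BytesIO(data)):
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            for m in t.getmembers():
                if m.isfile():
                    yield from walk_archives(f"{name}!{m.name}", t.extractfile(m).read())
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for zn in z.namelist():
                if not zn.endswith("/"):
                    yield from walk_archives(f"{name}!{zn}", z.read(zn))


def classify(paths, proprietary_globs):
    """Split entries into name-matched 'proprietary' ones and those the scanner still has to identify."""
    proprietary, to_identify = [], []
    for p in paths:
        leaf = p.rsplit("!", 1)[-1].rsplit("/", 1)[-1]
        hit = any(fnmatch.fnmatch(leaf, g) for g in proprietary_globs)
        (proprietary if hit else to_identify).append(p)
    return proprietary, to_identify
```

Running `classify(list(walk_archives("image.tar", build_sample_image())), ["layer.tar"])` marks both the intermediate layer and the misnamed jar as proprietary, while the jar inside the layer is still walked and left for identification.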