private registry and password with special chars #254

Closed
2autunni opened this issue Mar 19, 2021 · 3 comments · Fixed by #277
Labels
bug Something isn't working

Comments

@2autunni

What happened:
Accessing a private registry (nexus) with this password: WL[cC-<sN#K(zk~NVspmw.PL)3K?v
The result is that grype fails with this error:

[0001] ERROR failed to catalog: could not fetch image redacted': pull failed: Error response from daemon: Get redacted: no basic auth credentials

What you expected to happen:
grype scans the image

How to reproduce it (as minimally and precisely as possible):

docker login private_repo
Username: dockerusertest
Password: WL[cC-<sN#K(zk~NVspmw.PL)3K?v

docker pull myimage:tag

this works

docker rmi myimage

_delete the image from the local PC so grype will try to download it again_

/usr/local/bin/grype myimage:tag
this fails

If I change the password and retry the procedure, grype works.

Anything else we need to know?:
I haven't found a pattern for the passwords which trigger this error; some passwords with special chars work, some don't.

Environment:
Various linux distro
Sonatype nexus

  • Output of grype version:
    Application: grype
    Version: 0.8.0
    BuildDate: 2021-03-17T18:52:17Z
    GitCommit: ec1f11f
    GitTreeState: clean
    Platform: linux/amd64
    GoVersion: go1.14.15
    Compiler: gc
    Supported DB Schema: 1

  • OS (e.g: cat /etc/os-release or similar):
    NAME="Amazon Linux"
    VERSION="2"
    ID="amzn"
    ID_LIKE="centos rhel fedora"
    VERSION_ID="2"
    PRETTY_NAME="Amazon Linux 2"
    ANSI_COLOR="0;33"
    CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
    HOME_URL="https://amazonlinux.com/"

uname -a
Linux localhost 4.14.219-164.354.amzn2.x86_64 #1 SMP Mon Feb 22 21:18:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

@wagoodman
Contributor

Thanks for reporting, @2autunni, we'll have this out in release v0.10.0

@whitespots

@wagoodman How to use authentication?

@wagoodman
Contributor

Hey @whitespots! If you have the docker daemon installed and it is already auth'd then you shouldn't need to do anything -- grype will let docker authenticate against the remote registry when pulling images. If you are using the registry: scheme or don't have docker available locally then you can configure credentials for direct registry access:

# options when pulling directly from a registry via the "registry:" scheme
registry:
  # skip TLS verification when communicating with the registry
  # GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
  insecure-skip-tls-verify: false

  # credentials for specific registries
  auth:
    - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
      # GRYPE_REGISTRY_AUTH_AUTHORITY env var
      authority: ""
      # GRYPE_REGISTRY_AUTH_USERNAME env var
      username: ""
      # GRYPE_REGISTRY_AUTH_PASSWORD env var
      password: ""
      # note: token and username/password are mutually exclusive
      # GRYPE_REGISTRY_AUTH_TOKEN env var
      token: ""
    - ... # note, more credentials can be provided via config file only

For example:

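registry:
  auth:
    # no authority given: these credentials are used for any registry
    - username: "dockerhub-username"
      password: "dockerhub-password"

    # credentials used only for quay.io
    - authority: "quay.io"
      username: "quay-username"
      password: "quay-password"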

Or you can specify the equivalent env vars:

export GRYPE_REGISTRY_AUTH_AUTHORITY=...
export GRYPE_REGISTRY_AUTH_USERNAME=...
export GRYPE_REGISTRY_AUTH_PASSWORD=...

Note: "authority" is optional; it is used to select which host the credentials are valid for. If "authority" is not provided then the provided credentials are used for authentication against any registry.
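
Added example, not part of the thread and not grype's own code: independent of the bug reported here, a password like the one in this report contains characters the shell interprets when left unquoted, so the env vars above need careful quoting. The helper names (`sh_quote`, `grype_auth_exports`, `roundtrip_ok`) are hypothetical, and the sample password is the one quoted in the report.

```shell
#!/bin/sh
# Added example: quote registry credentials safely before exporting them
# into the GRYPE_REGISTRY_AUTH_* env vars. Helper names are hypothetical.

# Constructed sample: the password from the report, held in a single-quoted
# literal. Unquoted, the shell would act on characters such as < ( ) ? [.
SAMPLE_PW='WL[cC-<sN#K(zk~NVspmw.PL)3K?v'

# sh_quote STRING: print STRING as one single-quoted shell word.
# An embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
sh_quote() {
    q_rest=$1
    q_out=
    while :; do
        case $q_rest in
            *\'*)
                q_head=${q_rest%%\'*}     # text before the first '
                q_rest=${q_rest#*\'}      # text after the first '
                q_out="$q_out$q_head'\\''"
                ;;
            *)
                q_out="$q_out$q_rest"
                break
                ;;
        esac
    done
    printf "'%s'" "$q_out"
}

# grype_auth_exports AUTHORITY USERNAME PASSWORD
# Print export lines with every value quoted, for `eval` or a sourced file
# (keep such a file readable by its owner only, e.g. chmod 600).
grype_auth_exports() {
    printf 'export GRYPE_REGISTRY_AUTH_AUTHORITY=%s\n' "$(sh_quote "$1")"
    printf 'export GRYPE_REGISTRY_AUTH_USERNAME=%s\n' "$(sh_quote "$2")"
    printf 'export GRYPE_REGISTRY_AUTH_PASSWORD=%s\n' "$(sh_quote "$3")"
}

# roundtrip_ok STRING: succeed if the quoted form evaluates back to STRING,
# i.e. the shell delivered the value byte for byte.
roundtrip_ok() {
    eval "rt_back=$(sh_quote "$1")"
    [ "$rt_back" = "$1" ]
}
```

Reading the password with `read -r` from a prompt or a protected file, rather than typing it on the command line, keeps it out of shell history.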
