feat: add support for Ubuntu Chisel package scanning (#718)

feat: add support for Ubuntu Chisel package scanning

Adds detection and parsing of Chisel manifest files to scan Ubuntu container images created with Canonical's Chisel tool.

Chisel creates minimal images by installing specific "slices" of Debian packages rather than full packages. The manifest.wall file is a zstd-compressed NDJSON file that records all installed packages and slices.

Changes:
- Parse /var/lib/chisel/manifest.wall to extract package information
- Add zstd buffer decompression utility for manifest processing
- Treat Chisel packages as Debian packages for vulnerability scanning
- Detect Chisel images that lack standard OS release files

The analyzer extracts only package entries from the manifest (ignoring
slice, path, and content entries) and converts them to the standard
AnalyzedPackage format. Dependencies aren't included since they're
pre-resolved by Chisel and not exposed in the manifest.

Author: parker-snyk

lib/analyzer/os-release/static.ts

@@ -1,4 +1,5 @@
 import * as Debug from "debug";
+import { normalize as normalizePath } from "path";
 
 import { DockerFileAnalysis } from "../../dockerfile/types";
 import { ExtractedLayers } from "../../extractor/types";
@@ -17,8 +18,22 @@ import {
 
 const debug = Debug("snyk");
 
+const CHISEL_MANIFEST_PATH = "/var/lib/chisel/manifest.wall";
+
 type OsReleaseHandler = (text: string) => Promise<OSRelease | null>;
 
+/**
+ * Checks if a Chisel manifest exists in the extracted layers.
+ * Chisel is Ubuntu's tool for creating minimal container images.
+ *
+ * @param extractedLayers - Layers extracted from the Docker image
+ * @returns true if Chisel manifest.wall file is present
+ */
+function hasChiselManifest(extractedLayers: ExtractedLayers): boolean {
+  const manifestPath = normalizePath(CHISEL_MANIFEST_PATH);
+  return manifestPath in extractedLayers;
+}
+
 const releaseDetectors: Record<OsReleaseFilePath, OsReleaseHandler> = {
   [OsReleaseFilePath.Linux]: tryOSRelease,
   // Fallback for the case where the same file exists in different location or is a symlink to the other location
@@ -71,7 +86,24 @@ export async function detect(
   }
 
   if (!osRelease) {
-    if (dockerfileAnalysis && dockerfileAnalysis.baseImage === "scratch") {
+    // Check if this is a Chisel image without OS release information
+    const isChiselImage = hasChiselManifest(extractedLayers);
+
+    if (isChiselImage) {
+      // Chisel images detected but OS version could not be determined
+      // This happens when ultra-minimal Chisel slices are used without base-files_release-info
+      debug(
+        `Chisel manifest found at ${CHISEL_MANIFEST_PATH} but no OS release files detected`,
+      );
+
+      // Set OS name to "chisel" so downstream systems can identify these images
+      // note we only do this to alert the user that they are missing release info
+      // when they have release info, we identify the image with that instead
+      osRelease = { name: "chisel", version: "0.0", prettyName: "" };
+    } else if (
+      dockerfileAnalysis &&
+      dockerfileAnalysis.baseImage === "scratch"
+    ) {
       // If the docker file was build from a scratch image
       // then we don't have a known OS
       osRelease = { name: "scratch", version: "0.0", prettyName: "" };

lib/analyzer/package-managers/chisel.ts

@@ -0,0 +1,43 @@
+import {
+  AnalysisType,
+  AnalyzedPackageWithVersion,
+  ChiselPackage,
+  ImagePackagesAnalysis,
+} from "../types";
+
+/**
+ * Analyzes Ubuntu Chisel packages from a Docker image.
+ *
+ * Chisel is Canonical's tool for creating ultra-minimal Ubuntu container images
+ * by installing only specific "slices" of Debian packages rather than full packages.
+ * Packages are converted to the standard AnalyzedPackage format and scanned for
+ * vulnerabilities as Debian packages.
+ *
+ * @param targetImage - The Docker image identifier being analyzed
+ * @param packages - Array of Chisel packages extracted from the manifest
+ * @returns Promise resolving to image package analysis results
+ *
+ * @see https://documentation.ubuntu.com/chisel/en/latest/
+ */
+export function analyze(
+  targetImage: string,
+  packages: ChiselPackage[],
+): Promise<ImagePackagesAnalysis> {
+  // Convert Chisel packages to standard analyzed package format
+  // Note: Chisel packages are treated as Debian packages for vulnerability scanning
+  // since they originate from Ubuntu/Debian package archives
+  const analysis: AnalyzedPackageWithVersion[] = packages.map((pkg) => ({
+    Name: pkg.name,
+    Version: pkg.version,
+    Source: undefined, // Source package info not available in Chisel manifest
+    Provides: [], // Virtual package provides not tracked in Chisel
+    Deps: {}, // Dependencies are pre-resolved by Chisel; not exposed in manifest
+    AutoInstalled: undefined, // Not applicable - all Chisel packages are explicitly installed
+  }));
+
+  return Promise.resolve({
+    Image: targetImage,
+    AnalyzeType: AnalysisType.Chisel,
+    Analysis: analysis,
+  });
+}

lib/analyzer/static-analyzer.ts

@@ -20,6 +20,10 @@ import {
   getNodeBinariesFileContentAction,
   getOpenJDKBinariesFileContentAction,
 } from "../inputs/binaries/static";
+import {
+  getChiselManifestAction,
+  getChiselManifestContent,
+} from "../inputs/chisel/static";
 import {
   getAptFiles,
   getDpkgPackageFileContentAction,
@@ -69,6 +73,7 @@ import {
   analyze as aptAnalyze,
   analyzeDistroless as aptDistrolessAnalyze,
 } from "./package-managers/apt";
+import { analyze as chiselAnalyze } from "./package-managers/chisel";
 import {
   analyze as rpmAnalyze,
   mapRpmSqlitePackages,
@@ -96,6 +101,7 @@ export async function analyze(
     getRpmDbFileContentAction,
     getRpmSqliteDbFileContentAction,
     getRpmNdbFileContentAction,
+    getChiselManifestAction,
     ...getOsReleaseActions,
     getNodeBinariesFileContentAction,
     getOpenJDKBinariesFileContentAction,
@@ -167,12 +173,14 @@ export async function analyze(
     rpmDbFileContent,
     rpmSqliteDbFileContent,
     rpmNdbFileContent,
+    chiselPackages,
   ] = await Promise.all([
     getApkDbFileContent(extractedLayers),
     getAptDbFileContent(extractedLayers),
     getRpmDbFileContent(extractedLayers),
     getRpmSqliteDbFileContent(extractedLayers),
     getRpmNdbFileContent(extractedLayers),
+    getChiselManifestContent(extractedLayers),
   ]);
 
   const distrolessAptFiles = getAptFiles(extractedLayers);
@@ -215,6 +223,7 @@ export async function analyze(
         osRelease,
       ),
       aptDistrolessAnalyze(targetImage, distrolessAptFiles, osRelease),
+      chiselAnalyze(targetImage, chiselPackages),
     ]);
   } catch (err) {
     debug(`Could not detect installed OS packages: ${err.message}`);

lib/analyzer/types.ts

@@ -40,6 +40,7 @@ export enum AnalysisType {
   Apk = "Apk",
   Apt = "Apt",
   Rpm = "Rpm",
+  Chisel = "Chisel",
   Binaries = "binaries",
   Linux = "linux", // default/unknown/tech-debt
 }
@@ -109,3 +110,11 @@ export interface SourcePackage {
   version: string;
   release: string;
 }
+
+export interface ChiselPackage {
+  kind: "package";
+  name: string;
+  version: string;
+  sha256: string;
+  arch: string;
+}

lib/compression-utils.ts

@@ -0,0 +1,31 @@
+import { Decompress as ZstdDecompress } from "fzstd";
+
+/**
+ * Decompresses zstd-compressed data from a buffer.
+ *
+ * This is a synchronous buffer-to-buffer decompression utility.
+ * For streaming zstd decompression, use the decompressMaybe transform stream.
+ *
+ * @param compressed Buffer containing zstd-compressed data
+ * @returns Decompressed data as a Buffer
+ * @throws Error if decompression fails
+ */
+export function decompressZstd(compressed: Buffer): Buffer {
+  const chunks: Buffer[] = [];
+
+  try {
+    const decompressor = new ZstdDecompress((data: Uint8Array) => {
+      chunks.push(Buffer.from(data));
+    });
+
+    decompressor.push(new Uint8Array(compressed), true);
+
+    return Buffer.concat(chunks);
+  } catch (error) {
+    throw new Error(
+      `Zstd decompression failed: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    );
+  }
+}

lib/inputs/chisel/static.ts

@@ -0,0 +1,112 @@
+import * as Debug from "debug";
+import { normalize as normalizePath } from "path";
+import { ChiselPackage } from "../../analyzer/types";
+import { decompressZstd } from "../../compression-utils";
+import { getContentAsBuffer } from "../../extractor";
+import { ExtractAction, ExtractedLayers } from "../../extractor/types";
+import { streamToBuffer } from "../../stream-utils";
+
+const debug = Debug("snyk");
+
+/**
+ * Path to the Chisel manifest file within container images.
+ * This file contains package and slice information for Chisel-built images.
+ */
+const CHISEL_MANIFEST_PATH = "/var/lib/chisel/manifest.wall";
+
+/**
+ * Extract action for Ubuntu Chisel manifest files.
+ *
+ * Chisel is Ubuntu's tool for creating minimal container images by installing
+ * only specific "slices" of Debian packages. The manifest.wall file is a
+ * zstd-compressed NDJSON (newline-delimited JSON) file that records all
+ * installed packages, slices, and files for integrity verification and SBOM generation.
+ *
+ * See: https://documentation.ubuntu.com/chisel/en/latest/reference/manifest/
+ */
+export const getChiselManifestAction: ExtractAction = {
+  actionName: "chisel-manifest",
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(CHISEL_MANIFEST_PATH),
+  callback: streamToBuffer,
+};
+
+/**
+ * Extracts and parses Chisel package information from Docker image layers.
+ *
+ * Searches for the Chisel manifest file (/var/lib/chisel/manifest.wall), decompresses it,
+ * and extracts package entries. The manifest uses NDJSON format where each line is a
+ * separate JSON object with a "kind" field indicating the entry type.
+ *
+ * @param extractedLayers - Layers extracted from the Docker image
+ * @returns Array of Chisel packages found in the manifest, or empty array if not found
+ */
+export function getChiselManifestContent(
+  extractedLayers: ExtractedLayers,
+): ChiselPackage[] {
+  const compressedManifest = getContentAsBuffer(
+    extractedLayers,
+    getChiselManifestAction,
+  );
+
+  if (!compressedManifest) {
+    return [];
+  }
+
+  try {
+    const decompressed = decompressZstd(compressedManifest);
+    const manifestText = decompressed.toString("utf8");
+
+    const packages: ChiselPackage[] = [];
+    const lines = manifestText.split("\n");
+
+    for (const line of lines) {
+      if (!line.trim()) {
+        continue;
+      }
+
+      try {
+        const entry = JSON.parse(line);
+        // Only extract package entries; manifest also contains "slice", "path", and "content" entries
+        if (entry.kind === "package") {
+          // Validate required fields exist before creating package object
+          if (!entry.name || !entry.version || !entry.sha256 || !entry.arch) {
+            debug(
+              `Skipping package entry with missing required fields: ${JSON.stringify(
+                entry,
+              )}`,
+            );
+            continue;
+          }
+          packages.push({
+            kind: entry.kind,
+            name: entry.name,
+            version: entry.version,
+            sha256: entry.sha256,
+            arch: entry.arch,
+          });
+        }
+      } catch (parseError) {
+        // Skip malformed JSON lines - manifest may be corrupted or have trailing newlines
+        debug(
+          `Failed to parse Chisel manifest line: ${
+            parseError instanceof Error
+              ? parseError.message
+              : String(parseError)
+          }`,
+        );
+        continue;
+      }
+    }
+
+    debug(`Found ${packages.length} Chisel packages in manifest`);
+    return packages;
+  } catch (error) {
+    debug(
+      `Failed to process Chisel manifest: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    );
+    return [];
+  }
+}

lib/parser/index.ts

@@ -34,7 +34,8 @@ export function parseAnalysisResults(
 
   let packageFormat: string;
   switch (analysisResult.AnalyzeType) {
-    case AnalysisType.Apt: {
+    case AnalysisType.Apt:
+    case AnalysisType.Chisel: {
       packageFormat = "deb";
       break;
     }