enricher: add RHCC enricher #1057
base: main
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1057      +/-   ##
==========================================
+ Coverage   56.25%   56.31%   +0.05%
==========================================
  Files         266      267       +1
  Lines       16812    16828      +16
==========================================
+ Hits         9458     9477      +19
+ Misses       6391     6388       -3
  Partials      963      963
```
The result is something like this:

```json
{
  "message/vnd.clair.map.layer; enricher=clair.rhcc": [
    {
      "2": "sha256:013d2d7b1d1f8a94ffb762e6960fb5f483c60e38bd8740b1ec1f1a557d3d1bbf",
      "4": "sha256:013d2d7b1d1f8a94ffb762e6960fb5f483c60e38bd8740b1ec1f1a557d3d1bbf",
      "6": "sha256:d93e847446533e9af99b246c8cebea2527bf3e9db82e45fb59e3d9f1443a7d2c",
      "8": "sha256:d93e847446533e9af99b246c8cebea2527bf3e9db82e45fb59e3d9f1443a7d2c"
    }
  ]
}
```

There are a couple of ways to do this, it could also be technically reversed. In that case we'd have to just consider binary packages (at the moment each RHCC layer has a source and a binary package describing it). I'm not sure what consumers of Clair would prefer.
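One way a consumer could act on the enrichment shown above, as an added example that is not code from this PR or from Clair: it reads the map (assumed to be package IDs mapped to layer digests) and flags non-RHCC packages introduced in the same layers. The `report` struct, the `environments` and `introduced_in` JSON names, the constructed `sample` and the discount policy itself are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const rhccKey = "message/vnd.clair.map.layer; enricher=clair.rhcc" // key from the comment above
// report mirrors only the fields read here (JSON names are assumptions).
type report struct {
	Environments map[string][]struct {
		IntroducedIn string `json:"introduced_in"`
	} `json:"environments"`
	Enrichments map[string][]json.RawMessage `json:"enrichments"`
}

// sample is a constructed report; the digests are shortened placeholders.
const sample = `{"environments":{"2":[{"introduced_in":"sha256:aaa"}],
 "3":[{"introduced_in":"sha256:aaa"}],"4":[{"introduced_in":"sha256:aaa"}],
 "5":[{"introduced_in":"sha256:bbb"}]},"enrichments":{
 "message/vnd.clair.map.layer; enricher=clair.rhcc":[{"2":"sha256:aaa","4":"sha256:aaa"}]}}`
// discountable returns IDs of non-RHCC packages introduced in a layer that
// the enricher associates with an RHCC package (assumed consumer policy).
func discountable(raw []byte) (map[string]bool, error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	rhccPkg, rhccLayer := map[string]bool{}, map[string]bool{}
	for _, msg := range r.Enrichments[rhccKey] {
		m := map[string]string{} // package ID -> layer digest
		if err := json.Unmarshal(msg, &m); err != nil {
			return nil, fmt.Errorf("rhcc enrichment: %w", err)
		}
		for id, layer := range m {
			rhccPkg[id], rhccLayer[layer] = true, true
		}
	}
	out := map[string]bool{}
	for id, envs := range r.Environments {
		for _, env := range envs {
			if !rhccPkg[id] && rhccLayer[env.IntroducedIn] {
				out[id] = true
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(discountable([]byte(sample))) }
```

A report without the enrichment key yields an empty set, so the filter is a no-op for images that contain no RHCC packages.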
Question about the approach
enricher/rhcc/rhcc.go
Outdated
func (e *Enricher) Enrich(ctx context.Context, g driver.EnrichmentGetter, r *claircore.VulnerabilityReport) (string, []json.RawMessage, error) { | ||
problematicPkgs := make(map[string]string) | ||
for id, _ := range r.Packages { | ||
if envs, ok := r.Environments[id]; ok { |
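Review bot: In the loop over `r.Packages`, the blank identifier in `for id, _ := range r.Packages` is redundant; `for id := range r.Packages` is the form `gofmt -s` produces. The `if envs, ok := r.Environments[id]; ok {` lookup that follows could `continue` when the entry is missing instead, which keeps the rest of the loop body one level shallower. `problematicPkgs` is declared as `map[string]string` with nothing saying what its keys and values hold; a short comment or a more specific name at the declaration would make that clear to readers.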
Just do binary packages
This change introduces a new enricher that reports where rhcc packages exist (if at all), it allows callers to discount vulnerabilities / packages that come from the same layers. This approach helps to keep the index report unchanged and therefore state is less of an issue, it also builds on existing machinery.
Signed-off-by: crozzy <[email protected]>
This change introduces an enricher whose purpose is to scope down the vulnerability report for layers that have RHCC packages. This approach helps to keep the index report unchanged and therefore state is less of an issue, it also builds on existing machinery.