Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

all: account for language package overwrites #1275

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

all: account for language package overwrites #1275

wants to merge 1 commit into from

Conversation

RTann
Copy link
Contributor

@RTann RTann commented Feb 27, 2024

This was originally discovered in StackRox Scanner V2: stackrox/stackrox#7033

StackRox now offers a Scanner based on ClairCore, which also has this same problem. The issue is that ClairCore does not consider the fact that the image build system may decide to overwrite the language package instead of deleting and recreating it.

This was demonstrated in the OCI image namloc2001/nodesem:a.

@RTann RTann requested review from hdonnay and crozzy February 27, 2024 01:21
@RTann RTann requested a review from a team as a code owner February 27, 2024 01:21
@codecov Codecov
Copy link

codecov bot commented Feb 27, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 72.72727% with 12 lines in your changes missing coverage. Please review.

Project coverage is 55.55%. Comparing base (4011b96) to head (1e193fa).

Files with missing lines Patch % Lines
gobin/coalescer.go 0.00% 9 Missing ⚠️
language/coalescer.go 93.33% 2 Missing ⚠️
java/ecosystem.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1275      +/-   ##
==========================================
+ Coverage   55.37%   55.55%   +0.18%     
==========================================
  Files         282      279       -3     
  Lines       17836    17784      -52     
==========================================
+ Hits         9876     9880       +4     
+ Misses       6927     6869      -58     
- Partials     1033     1035       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@RTann RTann force-pushed the language-pkg-overwrite branch 4 times, most recently from 3637e69 to d10aeed Compare May 8, 2024 17:46
@RTann
Copy link
Contributor Author

RTann commented May 31, 2024

Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?

hdonnay
hdonnay requested changes May 31, 2024
View reviewed changes
language/coalescer.go
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs documentation on package and exports.

gobin/coalescer.go Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be copy-pasted; why?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rest were definite copy/pastes of each other. This one is slightly unique, so I copied over the related change, but kept the fact this is still mildly different from the rest. Do you think this coalescer should just match the rest?

language/coalescer.go Outdated
Comment on lines 26 to 31
// For langauge packages, it is possible the
// packageDB is overwritten.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this package needs to document this assumption, and we need to check that the uses actually work that way.

  • gobin
  • java
  • nodejs
  • python
  • ruby

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just curious why gobin is already checked

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I read through it to see what it did.

@hdonnay
Copy link
Member

hdonnay commented May 31, 2024

Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?

Yeah, needs the version changed in every indexer that's moving to it.

@RTann RTann requested a review from hdonnay June 3, 2024 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crozzy crozzy Awaiting requested review from crozzy

@hdonnay hdonnay Awaiting requested review from hdonnay

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@RTann @hdonnay