-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
all: account for language package overwrites #1275
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1275 +/- ##
==========================================
+ Coverage 55.37% 55.55% +0.18%
==========================================
Files 282 279 -3
Lines 17836 17784 -52
==========================================
+ Hits 9876 9880 +4
+ Misses 6927 6869 -58
- Partials 1033 1035 +2 ☔ View full report in Codecov by Sentry. |
fda8981
to
a0430f0
Compare
a0430f0
to
6af0edd
Compare
3637e69
to
d10aeed
Compare
Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs documentation on package and exports.
gobin/coalescer.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be copy-pasted; why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rest were definite copy/pastes of each other. This one is slightly unique, so I copied over the related change, but kept the fact this is still mildly different from the rest. Do you think this coalescer should just match the rest?
language/coalescer.go
Outdated
// For langauge packages, it is possible the | ||
// packageDB is overwritten. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this package needs to document this assumption, and we need to check that the uses actually work that way.
- gobin
- java
- nodejs
- python
- ruby
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just curious why gobin
is already checked
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read through it to see what it did.
Yeah, needs the version changed in every indexer that's moving to it. |
d10aeed
to
6ed00e5
Compare
Signed-off-by: RTann <[email protected]>
6ed00e5
to
1e193fa
Compare
This was originally discovered in StackRox Scanner V2: stackrox/stackrox#7033
StackRox now offers a Scanner based on ClairCore, which also has this same problem. The issue is that ClairCore does not consider the fact that the image build system may decide to overwrite the language package instead of deleting and recreating it.
This was demonstrated in the OCI image
namloc2001/nodesem:a
.