Skip to content

Commit

Permalink
docs: update tradeoffs section to reflect scanner independence (#818)
Browse files Browse the repository at this point in the history
  • Loading branch information
pradhans0906 committed Dec 6, 2024
1 parent e1d8351 commit 9b8c508
Show file tree
Hide file tree
Showing 3 changed files with 48 additions and 12 deletions.
20 changes: 16 additions & 4 deletions website/versioned_docs/version-v0.7.x/design.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,19 @@ type PackageManager interface {

## Tradeoffs

- The core architectural choice of relying on packages as the unit of patching creates a couple of constraints:
- By relying on existing vulnerability scanner behavior that only detects vulnerabilities via presence/absence of vulnerable packages, copa is limited in the kinds of vulnerabilities it can address and false positive/negatives from scanners flow downstream to copa.
- copa depends on individual package manager adapters to correctly deploy patches to the target images, but there is a long tail of compatibility issues that arise depending on the target image itself (e.g. outdated package manager config/keys, invalid/missing package graph, etc.). Overall, the maintenance cost of the project is expected to be non-trivial to address this.
- No support for windows containers given the dependency on buildkit.
The core architectural choice of using packages as the unit of patching creates several constraints:

1. **Package-Based Update Model**:
- While Copa can work with or without vulnerability scanner reports, its patching capability is fundamentally based on os-level package updates
- When using scanner reports to perform a targeted patching of packages, false positives/negatives from scanners flow downstream to Copa

2. **Package Manager Dependencies**:
- Copa depends on individual package manager adapters to correctly deploy patches to target images
- There is a long tail of compatibility issues that arise depending on the target image itself:
- Outdated package manager config/keys
- Invalid/missing package graph
- Repository configuration issues
- Overall, the maintenance cost of the project is expected to be non-trivial to address these package manager complexities

3. **Platform Limitations**:
- No support for Windows containers given the dependency on buildkit
20 changes: 16 additions & 4 deletions website/versioned_docs/version-v0.8.x/design.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,19 @@ type PackageManager interface {

## Tradeoffs

- The core architectural choice of relying on packages as the unit of patching creates a couple of constraints:
- By relying on existing vulnerability scanner behavior that only detects vulnerabilities via presence/absence of vulnerable packages, copa is limited in the kinds of vulnerabilities it can address and false positive/negatives from scanners flow downstream to copa.
- copa depends on individual package manager adapters to correctly deploy patches to the target images, but there is a long tail of compatibility issues that arise depending on the target image itself (e.g. outdated package manager config/keys, invalid/missing package graph, etc.). Overall, the maintenance cost of the project is expected to be non-trivial to address this.
- No support for windows containers given the dependency on buildkit.
The core architectural choice of using packages as the unit of patching creates several constraints:

1. **Package-Based Update Model**:
- While Copa can work with or without vulnerability scanner reports, its patching capability is fundamentally based on os-level package updates
- When using scanner reports to perform a targeted patching of packages, false positives/negatives from scanners flow downstream to Copa

2. **Package Manager Dependencies**:
- Copa depends on individual package manager adapters to correctly deploy patches to target images
- There is a long tail of compatibility issues that arise depending on the target image itself:
- Outdated package manager config/keys
- Invalid/missing package graph
- Repository configuration issues
- Overall, the maintenance cost of the project is expected to be non-trivial to address these package manager complexities

3. **Platform Limitations**:
- No support for Windows containers given the dependency on buildkit
20 changes: 16 additions & 4 deletions website/versioned_docs/version-v0.9.x/design.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,19 @@ type PackageManager interface {

## Tradeoffs

- The core architectural choice of relying on packages as the unit of patching creates a couple of constraints:
- By relying on existing vulnerability scanner behavior that only detects vulnerabilities via presence/absence of vulnerable packages, copa is limited in the kinds of vulnerabilities it can address and false positive/negatives from scanners flow downstream to copa.
- copa depends on individual package manager adapters to correctly deploy patches to the target images, but there is a long tail of compatibility issues that arise depending on the target image itself (e.g. outdated package manager config/keys, invalid/missing package graph, etc.). Overall, the maintenance cost of the project is expected to be non-trivial to address this.
- No support for windows containers given the dependency on buildkit.
The core architectural choice of using packages as the unit of patching creates several constraints:

1. **Package-Based Update Model**:
- While Copa can work with or without vulnerability scanner reports, its patching capability is fundamentally based on os-level package updates
- When using scanner reports to perform a targeted patching of packages, false positives/negatives from scanners flow downstream to Copa

2. **Package Manager Dependencies**:
- Copa depends on individual package manager adapters to correctly deploy patches to target images
- There is a long tail of compatibility issues that arise depending on the target image itself:
- Outdated package manager config/keys
- Invalid/missing package graph
- Repository configuration issues
- Overall, the maintenance cost of the project is expected to be non-trivial to address these package manager complexities

3. **Platform Limitations**:
- No support for Windows containers given the dependency on buildkit

0 comments on commit 9b8c508

Please sign in to comment.