Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

all: account for language package overwrites #1275

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

RTann
Copy link
Contributor

@RTann RTann commented Feb 27, 2024

This was originally discovered in StackRox Scanner V2: stackrox/stackrox#7033

StackRox now offers a Scanner based on ClairCore, which also has this same problem. The issue is that ClairCore does not consider the fact that the image build system may decide to overwrite the language package instead of deleting and recreating it.

This was demonstrated in the OCI image namloc2001/nodesem:a.

Each language's package scanner implements DefaultRepoScanner, which means there is only a single (related) repository per layer, and it only exists if the layer has (related) packages. Each language's coalescer is also more-or-less the same (Go's was unique, but the unique parts of it are unnecessary, as those checks will definitely hold true based on how to Ecosystem is set up), so I decided to make a single, shared coalescer for the languages.

@RTann RTann requested review from hdonnay and crozzy February 27, 2024 01:21
@RTann RTann requested a review from a team as a code owner February 27, 2024 01:21
Copy link

codecov bot commented Feb 27, 2024

Codecov Report

Attention: Patch coverage is 88.88889% with 4 lines in your changes missing coverage. Please review.

Project coverage is 55.73%. Comparing base (7088f7b) to head (221025b).

Files with missing lines Patch % Lines
language/coalescer.go 93.33% 2 Missing ⚠️
gobin/ecosystem.go 0.00% 1 Missing ⚠️
java/ecosystem.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1275      +/-   ##
==========================================
+ Coverage   55.41%   55.73%   +0.32%     
==========================================
  Files         282      278       -4     
  Lines       17890    17806      -84     
==========================================
+ Hits         9914     9925      +11     
+ Misses       6934     6839      -95     
  Partials     1042     1042              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@RTann RTann force-pushed the language-pkg-overwrite branch 4 times, most recently from 3637e69 to d10aeed Compare May 8, 2024 17:46
@RTann
Copy link
Contributor Author

RTann commented May 31, 2024

Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?

language/coalescer.go Show resolved Hide resolved
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be copy-pasted; why?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rest were definite copy/pastes of each other. This one is slightly unique, so I copied over the related change, but kept the fact this is still mildly different from the rest. Do you think this coalescer should just match the rest?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated it to also move this into the language-agnostic coalescer. The parts of this which were unique were not very necessary (I think)

Comment on lines 26 to 31
// For langauge packages, it is possible the
// packageDB is overwritten.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this package needs to document this assumption, and we need to check that the uses actually work that way.

  • gobin
  • java
  • nodejs
  • python
  • ruby

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just curious why gobin is already checked

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I read through it to see what it did.

@hdonnay
Copy link
Member

hdonnay commented May 31, 2024

Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?

Yeah, needs the version changed in every indexer that's moving to it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants