rhcc: account for labels.json file #1544
This should be ready for a once-over
hdonnay
left a comment
This looks good to me for the approach. I think the commit could be split into a few to make it easier to digest.
| if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !rhel.IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) { | ||
| return false, nil | ||
| } |
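Review bot: the double-negated guard on this line is hard to read, and the inline discussion already notes that the argument order looks swapped; add a short comment above the `if` stating that a record is only rejected when both the CPE superset check and `rhel.IsCPESubstringMatch` fail, and which argument of `rhel.IsCPESubstringMatch` is the record's repository CPE versus the vulnerability's repository CPE, so the next reader does not have to rediscover this.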
This smells backwards, but I guess it's not: If this isn't a superset and isn't a Red Hat substring, then it's not relevant. The arguments being swapped also is odd but makes sense after thinking about it.
Now split into 3 commits pertaining to indexing, updating and matching.
hdonnay
left a comment
Some suggestions, but nothing worth holding this up over.
I think there is a race condition in the tests that is triggered when a fixture is pulled from the cache (or reused in testing): https://github.com/quay/claircore/actions/runs/16357519449/job/46219135496
Red Hat's new container image builder system does not include a dockerfile at a known path in the image; this is replaced with a file called labels.json at a known location that contains the information that the rhcc package and repository scanners need. This change adds another rhcc package and repository scanner that reads this labels.json file. The dockerfile versions still exist but will eventually be deprecated and removed. Signed-off-by: crozzy <[email protected]>
Previously all OCI advisories in VEX were given the same rhcc.GoldRepo and the package version information was used to infer product information. With the addition of a labels.json file and a timestamp version for containers, we need to take into account the product CPE that the VEX surfaces during the matching process. Signed-off-by: crozzy <[email protected]>
With the introduction of the labels.json file to identify RH-produced container images, Clair needs to start accounting for the CPE surfaced in the labels.json file and the VEX data. Care is taken here to ensure the original Dockerfile parsing process still works as expected (although dockerfile images will require a re-index to include needed metadata). Signed-off-by: crozzy <[email protected]>
I think the issue here was that subtests (from different Test functions but from the same file) had the same name, so the fixture cache path was the same, causing a race condition
/fast-forward