[WIP] (fix) scan compare between diff registry account
There was a problem comparing scans. Even if the scan results were the same, the diff would show the result.
The problem was that the same image from a different registry will result in different neo4j Secret, Malware, etc.
Change the way we match: for example, instead of matching scan{basescan} -> secret and comparing with scan{compare_to_scan} -> secret, we now take secretrule (in case of secret) into account, i.e.
matching scan{basescan} -> secret -> secretrule and comparing with scan{compare_to_scan} -> secret -> secretrule, since the rule is going to be the same.
Using the Rule is not the right solution; Rules are too generic and we cannot rely on them for comparison. For instance, with a rule that matches all .passwd files, it makes no sense to say that having a /etc/nginx/.passwd is the same as /etc/systemd/.passwd.
If we want to support comparison between images across different registries, we need to change the secret node_id to account for that so the Secret/... nodes can be shared across scans.
This is something we changed recently actually - @ibreakthecloud is that a recent issue?
Not sure if the issue is occurring now, but sure that's the problem. Since the node_id has the registry appended to it, comparison fails for the same image if scanned from two different sources.
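The three matching strategies discussed in this thread, side by side, as an added example that is not code from this PR or the project. The `Secret` fields, the sample findings and the rule-plus-path key are assumptions made for illustration; the real node_id layout is not shown on this page.

```python
from typing import Callable, Iterable, List, NamedTuple, Tuple

class Secret(NamedTuple):
    registry: str  # registry account the image was scanned from (assumed field)
    rule: str      # name of the secret rule that matched (assumed field)
    path: str      # file in which the secret was found (assumed field)

Key = Callable[[Secret], Tuple[str, ...]]

def key_with_registry(s: Secret) -> Tuple[str, ...]:
    """Identity that embeds the registry, like the node_id described above."""
    return (s.registry, s.rule, s.path)

def key_rule_only(s: Secret) -> Tuple[str, ...]:
    """Identity by rule alone, as proposed in the PR description."""
    return (s.rule,)

def key_rule_and_path(s: Secret) -> Tuple[str, ...]:
    """Registry-independent identity that still distinguishes files."""
    return (s.rule, s.path)

def only_in_base(base: Iterable[Secret], compare_to: Iterable[Secret],
                 key: Key) -> List[Tuple[str, ...]]:
    """Findings present in the base scan and absent from the compared scan."""
    seen = {key(s) for s in compare_to}
    return sorted({key(s) for s in base} - seen)

# Constructed sample data: one rule matching two different .passwd files.
RULE = "passwd-file"
BASE = [Secret("registry-a", RULE, "/etc/nginx/.passwd"),
        Secret("registry-a", RULE, "/etc/systemd/.passwd")]
# Same image, scanned through a second registry account.
SAME_IMAGE = [Secret("registry-b", RULE, "/etc/nginx/.passwd"),
              Secret("registry-b", RULE, "/etc/systemd/.passwd")]
# Different image in which the systemd file is no longer present.
CHANGED_IMAGE = [Secret("registry-b", RULE, "/etc/nginx/.passwd")]

if __name__ == "__main__":
    for name, key in [("registry in key", key_with_registry),
                      ("rule only", key_rule_only),
                      ("rule + path", key_rule_and_path)]:
        print(name)
        print("  same image   :", only_in_base(BASE, SAME_IMAGE, key))
        print("  changed image:", only_in_base(BASE, CHANGED_IMAGE, key))
```
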