copacetic icon indicating copy to clipboard operation
copacetic copied to clipboard

Published 20 hours ago • verified publisher icon project-copacetic

[REQ] add guardrails for parsing OS version

Open sozercan opened this issue 1 year ago • 7 comments

What kind of request is this?

Improvement of existing experience

What is your request or suggestion?

For example, for ubuntu if a scanner return X.Y.Z, copa tries to pull in the ubuntu:X.Y.Z image which doesn't exist

related to #437

Are you willing to submit PRs to contribute to this feature request?

  • [X] Yes, I am willing to implement it.

sozercan avatar Dec 08 '23 23:12 sozercan

Hii @sozercan I am interested in this issue. Can you assign it to me. Also Can you explain me what we actually want through this. Do we need to throw error as per this for ubuntu if a scanner return X.Y.Z, copa tries to pull in the ubuntu:X.Y.Z image which doesn't exist that image doesn't exist or check availability of the Docker image corresponding to the reported OS version before attempting to pull it

h4l0gen avatar May 10 '24 17:05 h4l0gen

On first looking, I got this idea We can change like this

   case strings.Contains(osType, "ubuntu"):
        // For Ubuntu, extract the major and minor version (e.g., 22.04)
        versionParts := strings.Split(osVersion, ".")
        if len(versionParts) >= 2 {
            osVersion = strings.Join(versionParts[:2], ".")
        } else {
            return "", "", fmt.Errorf("invalid Ubuntu version format: %s", osVersion)
        }
        return "ubuntu", osVersion, nil

here. By defining osVersion := osData["VERSION_ID"] in getOSType function. This can easily remove this issue. WDYT @sozercan @ashnamehrotra

h4l0gen avatar May 10 '24 19:05 h4l0gen

Most of work on this issue with this approach is complete, If you all agree then i would like to raise a PR.

h4l0gen avatar May 10 '24 20:05 h4l0gen

Hi @h4l0gen, that sounds good. We recently merged a getOSVersion() function in #570, which can be used here.

ashnamehrotra avatar May 10 '24 21:05 ashnamehrotra

/assign

h4l0gen avatar May 11 '24 05:05 h4l0gen

Hii @ashnamehrotra I have used getOSVersion() function as you suggested and raised a PR, PTAL whenever you find time :)

h4l0gen avatar May 12 '24 13:05 h4l0gen

In semantic versioning terms, if major.minor.patch is being passed in, are we only wanting to return major.minor and discarding the patch versioning?

For example, if we pass in Alpine 3.17.5, we discard the patch versioning and return 3.17?

MiahaCybersec avatar Aug 09 '24 21:08 MiahaCybersec

@MiahaCybersec yes, for the tooling images as described in #437 this is what we want to follow.

ashnamehrotra avatar Aug 15 '24 14:08 ashnamehrotra

After rather extensive testing I think we already have this implemented.

With Debian, if I pass in 12.6, 11.1, etc. we always use major-slim.

With Ubuntu, all images I pass in return major.minor as the tooling image as expected.

With RPM images, including when we pass Mariner in to be patched, we always use 2.0 and patch is always discarded.

MiahaCybersec avatar Aug 15 '24 19:08 MiahaCybersec

closing with #736

ashnamehrotra avatar Aug 22 '24 18:08 ashnamehrotra