
all: account for language package overwrites

Open RTann opened this issue 11 months ago • 3 comments

This was originally discovered in StackRox Scanner V2: https://github.com/stackrox/stackrox/issues/7033

StackRox now offers a Scanner based on ClairCore, which also has this same problem. The issue is that ClairCore does not consider the fact that the image build system may decide to overwrite the language package instead of deleting and recreating it.

This was demonstrated in the OCI image namloc2001/nodesem:a.

Each language's package scanner implements DefaultRepoScanner, which means there is only a single (related) repository per layer, and it only exists if the layer has (related) packages. Each language's coalescer is also more-or-less the same (Go's was unique, but the unique parts of it are unnecessary, as those checks will definitely hold true based on how the Ecosystem is set up), so I decided to make a single, shared coalescer for the languages.

RTann, Feb 27 '24 01:02
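To make the overwrite problem concrete, here is an added example that is not claircore's code and does not use its types or API. It models two hypothetical coalescers over constructed layers: NaiveCoalesce keys packages by name and version, so a manifest rewritten in place in a later layer leaves both the old and the new version in the result (the false positive the issue describes); Coalesce keys packages by the path they were found at, so the newest layer's write to a path replaces the earlier record and a whiteout removes it. The Package and Layer structs, the layer digests and the sample package versions are all assumptions made up for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is a hypothetical, simplified record of a language package:
// its name, version and the manifest path it was discovered at.
type Package struct {
	Name     string
	Version  string
	FilePath string
}

// Layer is a hypothetical, simplified image layer: the packages its scanner
// found and the paths removed by its whiteout entries.
type Layer struct {
	Digest   string
	Packages []Package
	Deleted  []string
}

// deletedBy reports whether a whiteout for `whiteout` removes `path`,
// either exactly or because `path` lies beneath a deleted directory.
func deletedBy(path, whiteout string) bool {
	return path == whiteout || strings.HasPrefix(path, strings.TrimSuffix(whiteout, "/")+"/")
}

// NaiveCoalesce models the behaviour the issue describes: packages are keyed
// by name and version only, so a manifest overwritten in place in a later
// layer leaves the stale version in the result alongside the new one.
func NaiveCoalesce(layers []Layer) []Package {
	seen := map[string]Package{}
	for _, l := range layers {
		for _, d := range l.Deleted {
			for k, p := range seen {
				if deletedBy(p.FilePath, d) {
					delete(seen, k)
				}
			}
		}
		for _, p := range l.Packages {
			seen[p.Name+"@"+p.Version] = p
		}
	}
	return sorted(seen)
}

// Coalesce keys packages by path. Walking layers oldest to newest, a later
// write to the same path replaces the earlier record (an overwrite), and a
// whiteout removes the path or everything under a deleted directory.
func Coalesce(layers []Layer) []Package {
	byPath := map[string]Package{}
	for _, l := range layers {
		for _, d := range l.Deleted {
			for p := range byPath {
				if deletedBy(p, d) {
					delete(byPath, p)
				}
			}
		}
		for _, p := range l.Packages {
			byPath[p.FilePath] = p // the newest layer's file wins
		}
	}
	return sorted(byPath)
}

// sorted returns the map's packages ordered by path, then version.
func sorted(m map[string]Package) []Package {
	out := make([]Package, 0, len(m))
	for _, p := range m {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].FilePath != out[j].FilePath {
			return out[i].FilePath < out[j].FilePath
		}
		return out[i].Version < out[j].Version
	})
	return out
}

// SampleLayers is constructed input, not taken from any real image: a base
// layer with an old semver and lodash, a layer that rewrites semver's
// package.json in place, and a layer whose whiteout deletes lodash.
func SampleLayers() []Layer {
	const semverPath = "app/node_modules/semver/package.json"
	return []Layer{
		{Digest: "sha256:base", Packages: []Package{
			{Name: "semver", Version: "5.7.1", FilePath: semverPath},
			{Name: "lodash", Version: "4.17.15", FilePath: "app/node_modules/lodash/package.json"},
		}},
		{Digest: "sha256:upgrade", Packages: []Package{
			{Name: "semver", Version: "7.5.4", FilePath: semverPath},
		}},
		{Digest: "sha256:prune", Deleted: []string{"app/node_modules/lodash"}},
	}
}

func main() {
	fmt.Println("naive:     ", NaiveCoalesce(SampleLayers()))
	fmt.Println("path-aware:", Coalesce(SampleLayers()))
}
```

With the sample layers, NaiveCoalesce reports both semver 5.7.1 and 7.5.4, so any advisory against the 5.x line would be matched even though that file no longer exists in the final image; Coalesce reports only 7.5.4 and drops lodash because of the whiteout.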

Codecov Report

Attention: Patch coverage is 88.88889% with 4 lines in your changes missing coverage. Please review.

Project coverage is 55.73%. Comparing base (7088f7b) to head (221025b).

Files with missing lines Patch % Lines
language/coalescer.go 93.33% 2 Missing :warning:
gobin/ecosystem.go 0.00% 1 Missing :warning:
java/ecosystem.go 0.00% 1 Missing :warning:
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1275      +/-   ##
==========================================
+ Coverage   55.41%   55.73%   +0.32%     
==========================================
  Files         282      278       -4     
  Lines       17890    17806      -84     
==========================================
+ Hits         9914     9925      +11     
+ Misses       6934     6839      -95     
  Partials     1042     1042              


codecov[bot], Feb 27 '24 01:02

Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?

RTann, May 31 '24 19:05

> Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?

Yeah, needs the version changed in every indexer that's moving to it.

hdonnay, May 31 '24 20:05