feat: Use lockfile scalibr interface #1330
Conversation
This PR is ready for review, but the snapshot tests will be updated to the updated version to make the test pass once google/osv-scalibr#241 is merged. We also currently use a pseudo version of osv-scalibr until a release is made with all the latest changes.
internal/image/scan.go
// causing artifact extractors to double extract elements here.
// So let's skip all these directories for now.
// See (b/364536788)
if strings.HasPrefix(file.virtualPath, "/usr/local/") {
why skip scanning if /usr/local/ ?
/usr/local generally has stuff not installed by OS package managers right? it's everything else under /usr that's problematic wrt double scanning?
I think we found a lot of OS packages get installed here. @hogo6002 IIRC you found a lot of go compiler binaries here?
Yes, we found a lot of go compiler binaries there
Update: not usr/local, it was usr/lib
Ah gotcha, I'll update this path. I think I found some npm packages in /usr/local though. I'll double check
Checking https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
It looks like we should ignore the entire /usr directory. I think everything in there is written by OS package managers, since it is supposed to be read-only.
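The thread above settles on hiding the whole /usr tree from the artifact (language) extractors so that binaries the distribution's package manager installed, such as the Go toolchain found under usr/lib, are not reported once by the dpkg/apk extractor and again by the Go binary extractor. The example below is added here and is not code from osv-scanner or osv-scalibr; it assumes a single prefix list of `/usr` (the outcome of the discussion, not any particular release) and invents the names `SkipForArtifactExtractors`, `hasDirPrefix` and `Partition`. It also shows the one detail worth getting right in such a filter: matching on path components, so that `/usrdata/...` is not swallowed by a prefix check for `/usr`, and normalising layer paths that arrive with or without a leading slash.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// osManagedPrefixes lists the directory trees that the Filesystem Hierarchy
// Standard reserves for the distribution's package manager. Files under them
// are already reported by the dpkg/apk/rpm extractors, so the artifact
// (language) extractors skip them to avoid reporting the same binary twice.
// Assumption for this example: the whole of /usr, as concluded in the review
// thread; the real scanner's list may differ.
var osManagedPrefixes = []string{"/usr"}

// hasDirPrefix reports whether p equals prefix or lies beneath it as a path
// component. Unlike a plain strings.HasPrefix, "/usrdata/app" does not match
// "/usr". Both inputs are normalised so layer paths with or without a leading
// slash compare the same way.
func hasDirPrefix(p, prefix string) bool {
	p = path.Clean("/" + p)
	prefix = path.Clean("/" + prefix)
	if prefix == "/" {
		return true
	}
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// SkipForArtifactExtractors decides whether a file at virtualPath inside an
// image layer should be hidden from the artifact extractors. OS package
// extractors still see every path; only the duplicate-prone tree is filtered.
func SkipForArtifactExtractors(virtualPath string) bool {
	for _, prefix := range osManagedPrefixes {
		if hasDirPrefix(virtualPath, prefix) {
			return true
		}
	}
	return false
}

// Partition splits a layer's file list into paths the artifact extractors
// should scan and paths left to the OS package extractors.
func Partition(paths []string) (scan, skipped []string) {
	for _, p := range paths {
		if SkipForArtifactExtractors(p) {
			skipped = append(skipped, p)
		} else {
			scan = append(scan, p)
		}
	}
	return scan, skipped
}

func main() {
	// Constructed sample layer listing, not taken from a real image.
	layer := []string{
		"/usr/lib/go-1.22/bin/go",                      // distro Go toolchain: skipped
		"/usr/local/lib/node_modules/npm/package.json", // npm -g install: skipped too (trade-off)
		"/usrdata/app/package-lock.json",               // not under /usr: scanned
		"/app/requirements.txt",                        // application code: scanned
		"usr/share/doc/README",                         // no leading slash: still /usr
	}
	scan, skipped := Partition(layer)
	fmt.Println("artifact extractors scan:", scan)
	fmt.Println("left to OS extractors:   ", skipped)
}
```

The trade-off is visible in the sample: skipping all of /usr also hides anything that non-OS tooling drops there, for instance globally installed npm packages, which land under /usr/local/lib/node_modules by default. A scanner taking this shortcut is accepting possible misses under /usr/local in exchange for no duplicate OS-package findings, which is why the code comment marks it as temporary until osv-scalibr annotates OS packages correctly.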
cb55375 to 60daa0c
awesome! I won't pretend that I understand all of it, but it's exciting to see 😄
> Scalibr Python requirements.txt extractor currently doesn't support packages without versions, so added some version strings to the test files
that defeats the point of those test fixtures, and makes this a breaking change (oh wait, we're already doing one of those 🙈)
I'm guessing it's not an easy fix, but it'd be nice if we could note somewhere that ideally these should be removed once support is added
I'm not sure if there's anything else like that - if there is, maybe it would be useful if we created like a "post v2 follow-up" issue where we could just chuck this stuff into so we don't forget, and then we can come back after the major's out to properly split/link things with proper issues? (probably not worth it though if this is the only one)
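The limitation quoted in the comment above, an extractor that cannot represent a requirements.txt entry without a version, matters for more than the fixtures: an unpinned dependency that is silently dropped is a false negative, and the fixtures existed to exercise exactly that case. The parser below is an added example, not code from osv-scanner or osv-scalibr, of how a requirements.txt reader keeps such entries. It invents the names `Requirement`, `ParseRequirements`, `NormalizeName` and `Unpinned`, and the sample file is constructed for the example. It handles the line shapes a real file contains (comments, continuations, option lines such as `-r`, environment markers, extras) and records an exact version only for a plain `==` pin, leaving the raw specifier on everything else.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Requirement is one dependency entry from a requirements.txt file.
// Version holds the exact "==" pin when there is one; otherwise it is empty
// and Spec keeps the raw range (or is empty for a bare name) so the entry is
// still reported instead of being dropped.
type Requirement struct {
	Name    string
	Version string
	Spec    string
}

var (
	// commentRe strips a "#" comment, which pip only recognises at the start of
	// the line or after whitespace (so "#egg=" fragments in URLs survive).
	commentRe = regexp.MustCompile(`(^|\s)#.*$`)
	// nameRe matches a PEP 508 project name with an optional "[extras]" list.
	nameRe = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?`)
	// normRe collapses runs of "-", "_" and "." for PEP 503 name normalisation.
	normRe = regexp.MustCompile(`[-_.]+`)
)

// ParseRequirements parses the text of a requirements.txt file. It handles
// comments, blank lines, backslash continuations, option lines such as
// "-r other.txt" (skipped) and environment markers after ";".
func ParseRequirements(src string) []Requirement {
	var out []Requirement
	var pending string
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasSuffix(line, `\`) {
			pending += strings.TrimSuffix(line, `\`)
			continue
		}
		line = strings.TrimSpace(commentRe.ReplaceAllString(pending+line, ""))
		pending = ""
		if line == "" || strings.HasPrefix(line, "-") {
			continue
		}
		if i := strings.Index(line, ";"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		m := nameRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		spec := strings.TrimSpace(line[len(m[0]):])
		r := Requirement{Name: NormalizeName(m[1]), Spec: spec}
		// Only an exact, non-wildcard "==" pin yields a concrete version.
		if strings.HasPrefix(spec, "==") && !strings.HasPrefix(spec, "===") &&
			!strings.ContainsAny(spec, ",*") {
			r.Version = strings.TrimSpace(strings.TrimPrefix(spec, "=="))
		}
		out = append(out, r)
	}
	return out
}

// NormalizeName applies PEP 503 normalisation: lower-case, and any run of
// "-", "_" or "." becomes a single "-".
func NormalizeName(name string) string {
	return normRe.ReplaceAllString(strings.ToLower(name), "-")
}

// Unpinned returns the names of entries with no exact version, the cases a
// version-only extractor would otherwise silently lose.
func Unpinned(reqs []Requirement) []string {
	var names []string
	for _, r := range reqs {
		if r.Version == "" {
			names = append(names, r.Name)
		}
	}
	return names
}

// sampleRequirements is a constructed fixture, not a file from the repository.
const sampleRequirements = `# constructed sample
requests
Flask==3.0.0   # pinned
numpy>=1.26,<2
psycopg2-binary==2.9.9 ; python_version >= "3.8"
-r base.txt
Django_Rest-Framework[extras] \
    ==3.15.1
`

func main() {
	reqs := ParseRequirements(sampleRequirements)
	for _, r := range reqs {
		fmt.Printf("%-24s version=%q spec=%q\n", r.Name, r.Version, r.Spec)
	}
	fmt.Println("unpinned:", Unpinned(reqs))
}
```

Running `main` prints all five entries, with `requests` and `numpy` listed as unpinned. Reporting those names without a version is what lets a scanner flag "unpinned dependency" or fall back to a range query rather than pretending the dependency does not exist.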
"github.com/google/osv-scalibr/extractor"
"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
scalibrosv "github.com/google/osv-scalibr/extractor/filesystem/osv"
bro 🤜
Co-authored-by: Gareth Jones <[email protected]>
// TODO: Currently osv-scalibr does not correctly annotate OS packages
// causing artifact extractors to double extract elements here.
// So let's skip all these directories for now.
// See (b/364536788)
I think this bug number should be removed?
I think this is just reference for us to keep track.
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Xueqin Cui <[email protected]> Co-authored-by: Michael Kedar <[email protected]> Co-authored-by: Gareth Jones <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Resolves google#1316

Update the --docker flag to:
- Only accept one image to scan at a time (to make displaying results easier)
- Call new image scanning function internally.
- Acts like a convenience function for
```
docker save <image-name> > img-name.tar && osv-scanner --experimental-oci-image=img.name.tar
```

TODO:
- [x] Add an ACCEPTANCE test which uses docker to pull down a stable image.
- [x] Include a docker pull first, as docker save only saves images already on device and does not pull images online.
Codecov Report

@@ Coverage Diff @@
## v2 #1330 +/- ##
==========================================
- Coverage 68.72% 68.68% -0.05%
==========================================
Files 187 188 +1
Lines 17884 18075 +191
==========================================
+ Hits 12290 12414 +124
- Misses 4917 4977 +60
- Partials 677 684 +7
This PR contains all the code required to move to osv-scalibr while making the existing code compile and pass all tests (container tests not passing because of a bug in the scalibr alpine extractor).

Changes not mentioned in the following list will be split off in separate PRs which should land before this PR. Those are:
- [x] #1337
- [x] #1331
- [x] #1338
- [x] #1341
- [x] #1345

Changes in this PR:
- Fixture changes:
  - Scalibr Python requirements.txt extractor currently doesn't support packages without versions, so added some version strings to the test files
- Image package required quite a bit of reworking to successfully update.
  - Add the ability to iterate through a directory via the pathtree library
  - Support scalibr FS interface for Layers
  - Add conversion code to convert inventories from osv-scalibr back to v1's lockfile and Inventory
    - This is done to minimize snapshot changes. Followup PRs should remove this conversion
- Add `internal/lockfilescalibr` package:
  - `errors.go` adds common extraction errors we want to translate.
  - `translation.go` adds helper functions and translation logic between osv-scanner v1 extractor names, and osv-scalibr extractor names.

Changes in followup PRs:
- Delete lockfiles package and migrate everything to use osv-scalibr extractors
- Remove conversion code in image

--------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
Co-authored-by: Xueqin Cui <[email protected]>
Co-authored-by: Michael Kedar <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>