fix(rocky): add multi-arch support #321
pkg/types/types.go
@@ -116,6 +116,9 @@ type Advisory struct { | |||
FixedVersion string `json:",omitempty"` | |||
AffectedVersion string `json:",omitempty"` // Only for Arch Linux | |||
|
|||
// Advisory can contain different fixed versions for different architectures | |||
FixedVersions FixedVersions `json:",omitempty"` |
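Review bot: The comment on the new FixedVersions field does not say how it relates to the FixedVersion field two lines above it, and the two names differ by a single character. Please document which field a consumer should read when both are set and what FixedVersion holds when architectures disagree, since a reader that picks the wrong one will report a package as fixed or vulnerable for the wrong architecture.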
Entries is better to get aligned with Red Hat. I'm not sure if it is a good name, though.
trivy-db/pkg/vulnsrc/redhat-oval/types.go
Lines 160 to 162 in c76cb31
type Advisory struct { | |
Entries []Entry `json:",omitempty"` | |
} |
I thought about it and couldn't find a good name.
But you are right. We use Entries in Red Hat, let's also use Entries here.
Done in 14b1e69
pkg/vulnsrc/rocky/rocky.go
// if the advisory for this package and CVE have been kept - just add the new architecture | ||
if adv, ok := input.Advisories[pkg.Name]; ok { | ||
// don't include duplicates | ||
if !adv.FixedVersions.IsDuplicate(fixedVersion) { |
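Review bot: In the lookup "if adv, ok := input.Advisories[pkg.Name]; ok {", adv is a copy if the map holds Advisory values rather than pointers, so anything appended to adv.FixedVersions inside this branch is lost unless adv is stored back into input.Advisories[pkg.Name]. Please confirm the branch body writes it back, and add a test that feeds two architectures for one package and checks that both fixed versions survive.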
I guess slices.Contains works.
if !adv.FixedVersions.IsDuplicate(fixedVersion) { | |
if !slices.Contains(adv.FixedVersions, fixedVersion) { |
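Review bot: slices.Contains requires a comparable element type, so the suggested line compiles only while the elements of FixedVersions have no slice or map fields. It also compares every field of the element, so two entries that share a version but differ in any other field are both kept; if that is the intent, a short comment on this line saying so would help.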
Good idea!
Changed in 14b1e69
While reviewing your PR, I came up with another idea. What if we use the vendor ID as the bucket key instead of the CVE-ID? Line 98 in d500e5f
Then, we add CVE-IDs into VendorIDs. The field name doesn't fit, though. We will probably rename it to
The bucket will be like
We already did a similar thing in Red Hat.
I see 1 case why we can't do that (but I didn't see an example for Rocky Linux, but OracleLinux contains this case):
Also I have 1 thought for the new struct:
Description
Rocky Linux supports aarch64.
There are cases when the fixed version for x86_64 != aarch64 or there is no fixed version for the x86_64 architecture.
We need to add advisories for aarch64 and separate architectures.
I add the Advisory.FixedVersions struct for this case.
It will be used to separate architectures, versions, vendorIDs.
The Advisory.FixedVersion field is still used for backwards compatibility.
db size before - 361.0 Mb
db size after - 361.1 Mb
buckets struct before:
buckets after:
Related Issues
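The per-architecture layout discussed in this PR, as an added Go example that is not code from the PR or from trivy-db. The Entry fields, AddEntry and FixedFor are hypothetical names, and the sample versions and advisory IDs are constructed.

```go
package main

import "fmt"
import "slices"

// Entry is a hypothetical per-architecture record (assumed field names).
type Entry struct {
	FixedVersion, Arch, VendorID string
}

// Advisory keeps the legacy FixedVersion for old readers and adds Entries.
type Advisory struct {
	FixedVersion string
	Entries      []Entry
}

// AddEntry appends e unless an identical entry is already stored.
func AddEntry(adv Advisory, e Entry) Advisory {
	if !slices.Contains(adv.Entries, e) {
		adv.Entries = append(adv.Entries, e)
	}
	return adv
}

// FixedFor never borrows another architecture's version for arch.
func FixedFor(adv Advisory, arch string) (string, bool) {
	for _, e := range adv.Entries {
		if e.Arch == arch {
			return e.FixedVersion, true
		}
	}
	if len(adv.Entries) == 0 && adv.FixedVersion != "" {
		return adv.FixedVersion, true // legacy record without arch data
	}
	return "", false
}

func main() {
	// Constructed sample data, keyed by package name.
	advisories := map[string]Advisory{}
	for _, e := range []Entry{
		{"1.2.3-4.el8", "x86_64", "RLSA-0000:0001"},
		{"1.2.3-5.el8", "aarch64", "RLSA-0000:0002"},
		{"1.2.3-4.el8", "x86_64", "RLSA-0000:0001"}, // duplicate, dropped
	} {
		advisories["examplepkg"] = AddEntry(advisories["examplepkg"], e)
	}
	fmt.Println(FixedFor(advisories["examplepkg"], "aarch64"))
}
```

An advisory that carries only an aarch64 entry returns no fix for x86_64, which is the "no fixed version for x86_64" case from the description.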