fix: openvex report oci id bug #928
Conversation
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
##             main     #928      +/-   ##
==========================================
+ Coverage   48.12%   48.25%   +0.13%
==========================================
  Files          18       18
  Lines        2261     2292      +31
==========================================
+ Hits         1088     1106      +18
- Misses       1114     1126      +12
- Partials       59       60       +1

View full report in Codecov by Sentry.
LGTM, thank you! Can we update the golang.org/x/crypto package for vuln-check and fix lint errors?

I think the linter failure is due to an incompatibility between Go 1.24 and the golangci-lint version. Opened #930 to bump the linter.
PR Overview
This PR addresses the openvex report OCI ID bug by adding logic to qualify the patched image’s SHA and use the correct image format for generating the report.
- Added logic to determine the repository name with digest using a new helper function.
- Updated vex document generation to use the qualified image name.
- Modified the error handling in patchWithContext to explicitly capture and return errors.
Reviewed Changes
File | Description
--- | ---
pkg/patch/patch.go | Introduces a new helper (getRepoNameWithDigest) to derive image names with digest and updates usage in vex report generation.
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
pkg/patch/patch.go:403
- [nitpick] Consider adding tests for the new getRepoNameWithDigest function to verify its behavior in both success and failure cases.
// e.g. "docker.io/library/nginx:1.21.6-patched"
Force-pushed from 3bef974 to 21cc964
Signed-off-by: robert-cronin <[email protected]>
Force-pushed from 21cc964 to d9c1031
// e.g. "docker.io/library/nginx:1.21.6-patched". | ||
func getRepoNameWithDigest(ctx context.Context, patchedImageName string) (string, error) { | ||
cmd := execCommandContext(ctx, "docker", "image", "inspect", |
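Review bot: getRepoNameWithDigest in this hunk shells out to the docker CLI through execCommandContext, so the digest used in the VEX report depends on a docker binary being on PATH and on the patched image being present in the local daemon; the summary says the code falls back to patchedImageName when no digest is found, so a unit test should cover both that fallback and the case where the command itself fails, as the Copilot nitpick suggests. The doc comment fragment above the signature gives a tag-form example ("docker.io/library/nginx:1.21.6-patched"); it should say whether that is the expected input or the returned value, since the function's purpose is to return the name@sha256 form.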
can we do this without docker cli?
I’m wondering if we could make use of the BuildKit exporter response, since it should include the digest of the patched image. The challenge is that this information only becomes available once we’ve finished generating the VEX report, because everything happens within the same build command. I’d really appreciate any tips or guidance on how to make that work!
Summary of changes
Adds logic to qualify the actual SHA of the patched image
Changes patch.go to use the correct pURL format (e.g. nginx@sha256:...) for the namespace for oci container names
Falls back to patchedImageName if digest not found.
Fixes #667
Validation
Vex report output from a test run on nginx, the tail of the generated vex report:

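As an added worked example (not code from this PR or from the copa project), the following Go program shows the naming strategy the summary describes: parse the patched image reference, pin it to the digest when a lookup succeeds, fall back to the tag form otherwise, and render the pkg:oci pURL with the digest as the version. The names parseImageRef, ImageRef, resolveRef and localDigests, and the digest value, are constructed for this example; localDigests stands in for whatever real lookup (docker image inspect or the BuildKit exporter response) supplies the digest. Unlike the raw fallback in the PR, the fallback here is the Docker-normalized tag form.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// digestRe is the only digest form this example accepts.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ImageRef is a parsed container image reference (constructed type for this example).
type ImageRef struct {
	Registry string // e.g. "docker.io"
	Path     string // e.g. "library/nginx"
	Tag      string // e.g. "1.21.6-patched"; empty if none given
	Digest   string // e.g. "sha256:..."; empty if none given
}

// parseImageRef splits "[registry/]path[:tag][@digest]" and applies Docker's
// defaulting rules: no registry means docker.io, a bare name means library/<name>.
func parseImageRef(ref string) (ImageRef, error) {
	var r ImageRef
	name := ref
	if i := strings.Index(name, "@"); i >= 0 {
		r.Digest, name = name[i+1:], name[:i]
		if !digestRe.MatchString(r.Digest) {
			return ImageRef{}, fmt.Errorf("invalid digest in %q", ref)
		}
	}
	// A ':' after the last '/' separates the tag; before it, it is a registry port.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		r.Tag, name = name[i+1:], name[:i]
	}
	parts := strings.SplitN(name, "/", 2)
	first := parts[0]
	isRegistry := len(parts) == 2 && (strings.ContainsAny(first, ".:") || first == "localhost")
	switch {
	case isRegistry:
		r.Registry, r.Path = first, parts[1]
	case len(parts) == 2:
		r.Registry, r.Path = "docker.io", name
	default:
		r.Registry, r.Path = "docker.io", "library/"+name
	}
	if first == "" || r.Path == "" {
		return ImageRef{}, errors.New("empty image name")
	}
	return r, nil
}

// QualifiedName returns the digest-pinned form when a digest is known and the
// tag form otherwise (defaulting to "latest" as the Docker CLI does).
func (r ImageRef) QualifiedName() string {
	repo := r.Registry + "/" + r.Path
	if r.Digest != "" {
		return repo + "@" + r.Digest
	}
	if r.Tag == "" {
		return repo + ":latest"
	}
	return repo + ":" + r.Tag
}

// PURL renders the pkg:oci package URL: the last path component as the name,
// the digest as the version, and repository_url/tag as qualifiers.
func (r ImageRef) PURL() string {
	name := strings.ToLower(r.Path[strings.LastIndex(r.Path, "/")+1:])
	var b strings.Builder
	b.WriteString("pkg:oci/" + name)
	if r.Digest != "" {
		b.WriteString("@" + r.Digest)
	}
	b.WriteString("?repository_url=" + r.Registry + "/" + r.Path)
	if r.Tag != "" {
		b.WriteString("&tag=" + r.Tag)
	}
	return b.String()
}

// resolveRef applies the PR's strategy: pin to the digest when the lookup
// succeeds and yields a well-formed digest, otherwise keep the tag form.
func resolveRef(patchedImageName string, lookupDigest func(string) (string, error)) (ImageRef, error) {
	ref, err := parseImageRef(patchedImageName)
	if err != nil {
		return ImageRef{}, err
	}
	if ref.Digest == "" {
		if d, err := lookupDigest(patchedImageName); err == nil && digestRe.MatchString(d) {
			ref.Digest = d
		}
	}
	return ref, nil
}

// constructedDigest is a made-up value standing in for a real image digest.
const constructedDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// localDigests stands in for the docker/BuildKit lookup, using constructed data.
func localDigests(name string) (string, error) {
	if name == "nginx:1.21.6-patched" {
		return constructedDigest, nil
	}
	return "", errors.New("image not found in local store")
}

func main() {
	for _, img := range []string{"nginx:1.21.6-patched", "ghcr.io/org/app:2.0-patched"} {
		ref, err := resolveRef(img, localDigests)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-30s -> %s\n   purl: %s\n", img, ref.QualifiedName(), ref.PURL())
	}
}
```

Running it prints the digest-pinned name and pURL for the nginx image, and the normalized tag form for the ghcr.io image whose digest the stand-in lookup cannot supply; a digest that does not match the sha256 pattern is rejected at parse time rather than silently written into the report.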