
ROX-26604: Add layer lineage to RHEL v2 data model #1720

Merged (6 commits), Jan 14, 2025

Conversation

dcaravel
Contributor

@dcaravel dcaravel commented Nov 27, 2024

Description

Fixes an edge case that could cause discrepancies in scan versions, packages, etc. when images have a common layer but with different parent layers.

Testing

Unit and e2e tests added. Test image details at stackrox/stackrox#13558

Also manually tested. The test images below have the same top/bottom layers but different middle layers, also they have tags that represent the version of the openjdk packages within the image for comparison.

Before fix:
Wrong version returned for 2nd scan:

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.11.0.9-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64
$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.12.0.7-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64

After fix:
Correct versions returned for both scans:

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.11.0.9-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64
$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.12.0.7-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.12.0.7-2.el8.x86_64

Also tested using a custom Go app that dumps + compares scans from two different ACS instances. I compared the scan results from a default OCP installation with one cluster that had the fix and another cluster without. Initially the testing was yielding different vulnerability detections, which seemed to change as the vuln loads progressed (as well as after they were fully loaded).

To rule out this being related to this fix, I created a new image based off scanner:4.6.0-rc2 but added the scanner binary built in this PR (so that the embedded vulns stayed the same):

FROM quay.io/rhacs-eng/scanner:2.35.x-22-g7ecfa77951 AS withfix
# ^^ image produced by this PR

FROM quay.io/rhacs-eng/scanner:4.6.0-rc.2
COPY --from=withfix /scanner /scanner

After initialization completed and the latest vulns were loaded, I re-ran all scans in both ACS instances and the results were identical except for the specific image tested above; these differences were expected because that is what this PR is fixing.
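The shared-layer cache problem this PR addresses, as an added Go sketch that is not the scanner's code: a per-layer cache keyed by digest alone hands the first image's package state to the second image's identical top layer, while keying by the chain of parent digests (my reading of "layer lineage"; the project's actual data model is an assumption here) keeps the two images apart. Layer, scanImage, Demo and the sample layers are all constructed.

```go
package main

import "fmt"

// Layer is a constructed, simplified image layer: digest plus the packages it adds.
type Layer struct {
	Digest   string
	Packages map[string]string
}

// scanImage walks the layers and caches the cumulative package state per layer.
// Digest-only keys are the pre-fix behaviour; digest-chain keys are the lineage idea (assumption).
func scanImage(cache map[string]map[string]string, layers []Layer, useLineage bool) map[string]string {
	state, lineage := map[string]string{}, ""
	for _, l := range layers {
		lineage += l.Digest + "/"
		key := l.Digest // digest alone: parents are ignored
		if useLineage {
			key = lineage // digest chain: same layer, different parent, different key
		}
		if cached, ok := cache[key]; ok {
			state = cached // with digest-only keys, another image's result is reused here
			continue
		}
		next := make(map[string]string, len(state)+len(l.Packages))
		for k, v := range state {
			next[k] = v
		}
		for k, v := range l.Packages {
			next[k] = v
		}
		state, cache[key] = next, next
	}
	return state
}

// Demo scans two constructed images sharing bottom and top layers but with different middle layers.
func Demo(useLineage bool) (first, second string) {
	const pkg = "java-17-openjdk-headless"
	base := Layer{Digest: "sha256:base", Packages: map[string]string{"bash": "4.4"}}
	top := Layer{Digest: "sha256:top", Packages: map[string]string{"ca-certificates": "2024"}}
	img1 := []Layer{base, {Digest: "sha256:m1", Packages: map[string]string{pkg: "1:17.0.11.0.9-2.el8.x86_64"}}, top}
	img2 := []Layer{base, {Digest: "sha256:m2", Packages: map[string]string{pkg: "1:17.0.12.0.7-2.el8.x86_64"}}, top}
	cache := map[string]map[string]string{}
	first = scanImage(cache, img1, useLineage)[pkg]
	second = scanImage(cache, img2, useLineage)[pkg]
	return first, second
}

func main() { fmt.Println(Demo(false)); fmt.Println(Demo(true)) }
```

Demo(false) reproduces the "before fix" output above (both scans report 17.0.11); Demo(true) reports the correct version for each image.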

@dcaravel dcaravel changed the title [WIP DO NOT MERGE] ROX-26604: Add layer lineage to RHEL v2 data model ROX-26604: Add layer lineage to RHEL v2 data model Dec 5, 2024
@dcaravel dcaravel marked this pull request as ready for review December 10, 2024 00:19
@stackrox stackrox deleted a comment from openshift-ci bot Dec 10, 2024
@dcaravel dcaravel requested review from a team, jvdm, BradLugo, daynewlee and RTann December 11, 2024 03:20
@dcaravel
Contributor Author

Current CI failures will be fixed by #1737; once that is merged I will rebase this PR.

@dcaravel
Contributor Author

Reviewers, please share your thoughts on whether we should add an env variable to switch this capability off (in case of unforeseen issues).

@RTann
Collaborator

RTann commented Dec 18, 2024

> Reviewers, please share your thoughts on whether we should add an env variable to switch this capability off (in case of unforeseen issues).

Yeah, I'm cool with adding an env var.

@dcaravel
Contributor Author

/test e2e-tests

@dcaravel
Contributor Author

New CI failure; I also saw the same failure in the latest commit in master, indicating it's not related to this change.

@dcaravel dcaravel requested a review from RTann January 7, 2025 02:14
@dcaravel dcaravel merged commit 111f6f5 into master Jan 14, 2025
29 checks passed