
fix(crawler): find sha1 by filename instead of using versions from metadata #29

Merged
merged 24 commits into from
Apr 24, 2024

Conversation

DmitriyLewen
Collaborator

@DmitriyLewen DmitriyLewen commented Mar 5, 2024

Description

Find sha1 by filename instead of using versions from metadata.
This is required to avoid cases when the metadata file doesn't contain all versions.

Also, currently href is used if the file/directory name is too long.

Some examples from maven repository:

test run:

test image:

DB changes:

| | old | new |
|---|---|---|
| number of indexes | 9443336 | 10790262 |
| build time (crawler + build) | (6m - 11m) + (22m - 23m) | 18m + 26m |
| db size before compress | 535MB | 589MB |

Related Issues:

@DmitriyLewen DmitriyLewen self-assigned this Mar 5, 2024
Comment on lines +121 to +126

```go
if len(c.wrongSHA1Values) > 0 {
	log.Println("Wrong sha1 files:")
	for _, wrongSHA1 := range c.wrongSHA1Values {
		log.Println(wrongSHA1)
	}
}
```
Collaborator Author

An idea to better track wrong files:
we can add a file to this repo with a list of wrong sha1 files found.
If we find a new wrong file, we will return an error.
If the file already contains a wrong sha1 file, simply skip this sha1 file.
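The crawling approach from the PR description (versions taken from the repository listing rather than maven-metadata.xml, the href used where the visible name is truncated, the `.jar.sha1` located by its file name) and the wrong-sha1 tracking idea from the comment above, as one added example. This is not trivy-java-db's own code: the two HTML listings are hand-written in the style of a Maven repository index, and the function names, the `knownWrong` map and the `errNewWrongSHA1` error are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Constructed sample listings (hand-written in the style of a Maven repository
// index; not captured from a real repository). The third entry of the artifact
// listing has a visible name truncated to "..>" while its href is complete.
const artifactListing = `<pre><a href="../">../</a>
<a href="1.0.0/">1.0.0/</a>                       2024-01-10 09:00  -
<a href="1.1.0/">1.1.0/</a>                       2024-02-12 09:00  -
<a href="1.2.0-SNAPSHOT-with-long-qualifier/">1.2.0-SNAPSHOT-with-lon..&gt;</a> 2024-03-01 09:00 -
<a href="maven-metadata.xml">maven-metadata.xml</a>  2024-02-12 09:01  420
</pre>`

const versionListing = `<pre><a href="../">../</a>
<a href="demo-1.1.0.jar">demo-1.1.0.jar</a>            2024-02-12 09:00  1234
<a href="demo-1.1.0.jar.sha1">demo-1.1.0.jar.sha1</a>  2024-02-12 09:00  40
<a href="demo-1.1.0-sources.jar.sha1">demo-1.1.0-sources.jar.sha1</a> 2024-02-12 09:00 40
</pre>`

// anchorRe matches one <a href="...">text</a> element of a directory listing.
var anchorRe = regexp.MustCompile(`<a href="([^"]+)">([^<]*)</a>`)

// listingEntries returns the names linked from a directory listing. The index
// truncates long names in the visible text, so the href is used instead of the
// text whenever the two differ.
func listingEntries(page string) []string {
	var names []string
	for _, m := range anchorRe.FindAllStringSubmatch(page, -1) {
		href, text := m[1], html.UnescapeString(m[2])
		if href == "../" {
			continue
		}
		if text != href {
			names = append(names, href)
		} else {
			names = append(names, text)
		}
	}
	return names
}

// versionDirs derives the version list from the version directories, so a
// version missing from maven-metadata.xml is still crawled.
func versionDirs(names []string) []string {
	var versions []string
	for _, n := range names {
		if strings.HasSuffix(n, "/") {
			versions = append(versions, strings.TrimSuffix(n, "/"))
		}
	}
	return versions
}

// jarSHA1Name finds the primary jar's .sha1 file by its file name instead of
// assuming it exists; "" means no such file was published for this version.
func jarSHA1Name(artifactID, version string, names []string) string {
	want := artifactID + "-" + version + ".jar.sha1"
	for _, n := range names {
		if n == want {
			return n
		}
	}
	return ""
}

var hexSHA1 = regexp.MustCompile(`^[0-9a-f]{40}$`)

// errNewWrongSHA1 (hypothetical name) is returned for a malformed .sha1 file
// that is not yet in the known-wrong list.
var errNewWrongSHA1 = errors.New("new wrong sha1 file")

// parseSHA1 validates a .sha1 file body: the first token must be 40 hex digits
// (some files append the jar name after the digest). A path present in
// knownWrong is skipped (ok=false, err=nil); any other malformed file is an
// error so the new wrong file gets noticed and added to the list.
func parseSHA1(path, body string, knownWrong map[string]bool) (digest string, ok bool, err error) {
	fields := strings.Fields(body)
	if len(fields) > 0 {
		digest = strings.ToLower(fields[0])
		if hexSHA1.MatchString(digest) {
			return digest, true, nil
		}
	}
	if knownWrong[path] {
		return "", false, nil
	}
	return "", false, fmt.Errorf("%w: %s", errNewWrongSHA1, path)
}

func main() {
	fmt.Println("versions:", versionDirs(listingEntries(artifactListing)))
	fmt.Println("sha1 file:", jarSHA1Name("demo", "1.1.0", listingEntries(versionListing)))
	known := map[string]bool{"org/example/demo/1.0.0/demo-1.0.0.jar.sha1": true} // constructed list
	d, ok, err := parseSHA1("org/example/demo/1.1.0/demo-1.1.0.jar.sha1",
		"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12  demo-1.1.0.jar", known)
	fmt.Println(d, ok, err)
}
```

The known-wrong list is keyed by the repository path of the `.sha1` file, so the same malformed file is skipped on every run while a newly broken file still fails the crawl.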

@DmitriyLewen DmitriyLewen force-pushed the fix/crawl-by-jar.sha1-files branch 2 times, most recently from ab625ee to c10d096 Compare March 6, 2024 07:51
Comment on lines 49 to 56

```yaml
# `oras push` fails if repository contains uppercase characters
# required for testing in forks
- name: GH repo to lower case
  id: github-repo-lower-case
  uses: ASzc/change-string-case-action@v6
  with:
    string: ${{ github.repository }}
```
Collaborator Author

This is not a required change. But it will help me (and other contributors with capital letters in their names) work with the changes from the fork.

Collaborator

What about using bash? To reduce the risk of supply chain attacks, I want to avoid introducing third-party actions unless it's truly necessary.

```shell
lowercase_repo=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
```

Collaborator Author

@DmitriyLewen DmitriyLewen Apr 22, 2024

No problem. Changed in 2dddbfb.

Collaborator

@knqyf263 knqyf263 Apr 22, 2024

Now, we don't need this step and can merge it into the uploading step.

```yaml
- name: Upload assets to GHCR
  run: |
    lowercase_repo=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
    oras version
    oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
      ghcr.io/${lowercase_repo}:${DB_VERSION} \
      javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip
```
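The lowercasing step from the two comments above as a plain shell function, an added example that is not part of the trivy-java-db workflow. Besides the `tr` conversion it checks the result against the OCI distribution spec's repository-name and tag grammar before building the `ghcr.io` reference, so a name `oras push` would reject fails early in the job rather than at push time. The function name `ghcr_ref` and the sample repository name are assumptions made for the example.

```shell
#!/bin/sh
# ghcr_ref REPO TAG: print "ghcr.io/<repo>:<tag>" with REPO lowercased.
# Returns 1 when the lowercased name or the tag is not a valid OCI reference.
ghcr_ref() {
  repo=$1
  tag=$2
  lowercase_repo=$(printf '%s' "$repo" | tr '[:upper:]' '[:lower:]')
  # OCI repository grammar: path components of [a-z0-9]+ joined by '.', '_', '__' or '-' runs,
  # components separated by '/'.
  if ! printf '%s\n' "$lowercase_repo" | grep -Eq '^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$'; then
    echo "invalid repository name: $repo" >&2
    return 1
  fi
  # OCI tag grammar: up to 128 characters of [A-Za-z0-9_.-], not starting with '.' or '-'.
  if ! printf '%s\n' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
    echo "invalid tag: $tag" >&2
    return 1
  fi
  printf 'ghcr.io/%s:%s\n' "$lowercase_repo" "$tag"
}

# Constructed values standing in for ${{ github.repository }} and ${DB_VERSION}.
ghcr_ref "Example-Org/Trivy-Java-DB" "1"
```

In a workflow the call would be `ref=$(ghcr_ref "${{ github.repository }}" "${DB_VERSION}") || exit 1`, followed by `oras push ... "$ref" ...`.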


@DmitriyLewen DmitriyLewen marked this pull request as ready for review March 12, 2024 09:22
@knqyf263 knqyf263 merged commit ab39d06 into aquasecurity:main Apr 24, 2024
3 checks passed
@DmitriyLewen DmitriyLewen deleted the fix/crawl-by-jar.sha1-files branch April 25, 2024 03:23
Successfully merging this pull request may close these issues.

fix(crawler): don't use metadata.xml files to get list of version