fix(crawler): find sha1 by filename instead of using versions from metadata #29
Conversation
if len(c.wrongSHA1Values) > 0 { | ||
log.Println("Wrong sha1 files:") | ||
for _, wrongSHA1 := range c.wrongSHA1Values { | ||
log.Println(wrongSHA1) | ||
} | ||
} |
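Review bot: the block starting at `if len(c.wrongSHA1Values) > 0` only writes the offending file names to the log and then carries on, so a `.sha1` file whose content is not a valid digest never fails the crawl and is only discoverable by reading the log output. Return an error (or at least the count of wrong files) from here so a scheduled run surfaces a newly wrong file, and if some wrong files are expected, keep them in a committed list and only skip those, failing on anything not yet listed.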
An idea to better track wrong files:
we can add a file to this repo with a list of wrong sha1 files found.
If we find a new wrong file, we will return an error.
If the file already contains a wrong sha1 file, simply skip this sha1 file.
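The check proposed in the comment above, written out as an added Go example that is not code from the trivy-java-db repository. It assumes a hypothetical committed list file with one repository path per line (`#` comments allowed) and hypothetical function names (`loadKnownWrong`, `parseSHA1`, `checkWrongSHA1`); the sample list and `.sha1` contents in `main` are constructed for the demonstration. A `.sha1` file counts as wrong when its first field is not a 40-hex-character digest; wrong files already on the list are skipped, any new one makes the run fail.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
)

// loadKnownWrong reads the hypothetical committed list of wrong .sha1 files:
// one repository path per line, blank lines and '#' comments ignored.
func loadKnownWrong(r io.Reader) (map[string]bool, error) {
	known := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		known[line] = true
	}
	return known, sc.Err()
}

// parseSHA1 accepts the content of a .sha1 file, which may hold only the hex
// digest or "digest  filename". Anything that is not a 20-byte digest is wrong.
func parseSHA1(content string) ([]byte, error) {
	fields := strings.Fields(content)
	if len(fields) == 0 {
		return nil, fmt.Errorf("empty sha1 file")
	}
	b, err := hex.DecodeString(fields[0])
	if err != nil || len(b) != sha1.Size {
		return nil, fmt.Errorf("not a 40-hex-char sha1: %q", fields[0])
	}
	return b, nil
}

// checkWrongSHA1 takes fetched .sha1 contents keyed by repository path.
// Wrong files already in the known list are returned as skipped; any wrong
// file not yet listed produces an error so the run fails instead of logging.
func checkWrongSHA1(known map[string]bool, files map[string]string) (skipped []string, err error) {
	var newWrong []string
	for path, content := range files {
		if _, perr := parseSHA1(content); perr == nil {
			continue
		}
		if known[path] {
			skipped = append(skipped, path)
			continue
		}
		newWrong = append(newWrong, path)
	}
	sort.Strings(skipped)
	sort.Strings(newWrong)
	if len(newWrong) > 0 {
		return skipped, fmt.Errorf("new wrong sha1 files (fix the crawler or add them to the list): %s",
			strings.Join(newWrong, ", "))
	}
	return skipped, nil
}

func main() {
	// Constructed inputs: a known-wrong list as it might be checked into the
	// repo, plus three fetched .sha1 contents keyed by repository path.
	known, err := loadKnownWrong(strings.NewReader(
		"# paths of .sha1 files known to hold garbage\norg/foo/1.0/foo-1.0.jar.sha1\n"))
	if err != nil {
		panic(err)
	}
	files := map[string]string{
		"org/foo/1.0/foo-1.0.jar.sha1": "not-a-hash",                                            // listed: skipped
		"org/bar/2.0/bar-2.0.jar.sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709  bar-2.0.jar", // valid
		"org/baz/3.0/baz-3.0.jar.sha1": "<html><body>Not Found</body></html>",                   // new: error
	}
	skipped, err := checkWrongSHA1(known, files)
	fmt.Println("skipped (already listed):", skipped)
	fmt.Println("error:", err)
}
```

Keyed by repository path rather than by file name, the list stays meaningful when the same artifact name exists under several groups; the error message names every new wrong file in one run so a maintainer can add them to the list in a single commit.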
.github/workflows/cron.yml (outdated)
# `oras push` fails if repository contains uppercase characters | ||
# required for testing in forks | ||
- name: GH repo to lower case | ||
id: github-repo-lower-case | ||
uses: ASzc/change-string-case-action@v6 | ||
with: | ||
string: ${{ github.repository }} | ||
|
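Review bot: `uses: ASzc/change-string-case-action@v6` pulls a third-party action into the cron workflow, pinned to a mutable tag rather than a commit SHA, for a transformation that `tr '[:upper:]' '[:lower:]'` does in a `run:` step of the workflow itself. Dropping the action removes the supply-chain exposure and the extra step; if a third-party action is ever needed here, pin it to a full commit SHA.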
This is not a required change. But it will help me (and other contributors with capital letters in their names) work with the changes from the fork.
What if using bash? To reduce the risk of supply chain attacks, I want to avoid introducing third-party actions unless it's truly necessary.
lowercase_repo=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
no problem. changed in 2dddbfb
Now, we don't need this step and can merge it into the uploading step.
```yaml
- name: Upload assets to GHCR
  run: |
    lowercase_repo=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
    oras version
    oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
      ghcr.io/${lowercase_repo}:${DB_VERSION} \
      javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip
```
Right! Thanks!
Changed b358571
Test run - https://github.com/DmitriyLewen/trivy-java-db/actions/runs/8794956548
Description

Find `sha1` by filename instead of using versions from metadata. This is required to avoid cases when the `metadata` file doesn't contain all versions.

Also, currently `href` is used if the file/directory name is too long. Some examples from the maven repository:
- (`href` and `text`)
- (`cudf-0.14-cuda10-1.jar.sha1` and `cudf-0.14.jar.sha1`)

test run:
test image:
DB changes:

Related Issues:
- `metadata.xml` files to get list of version #28
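The filename-based approach from the description, as an added Go example that is not the crawler's own code. It assumes a repository directory listing made of `<a href="...">text</a>` entries, uses the anchor text as the file name and falls back to `href` when the text has been truncated (the "name is too long" case the description mentions), derives the version from `<artifactId>-<version>.jar.sha1`, and reports which versions a metadata-driven crawl would have missed. The listing, its shortened entry and the metadata version list are all constructed for the example; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of a Maven repository directory listing; it is not a
// capture from the real repository. Autoindex pages cut long names in the
// visible anchor text and end them with "..&gt;", so for the third entry only
// href carries the full file name (the name is shortened here for illustration).
const sampleListing = `<a href="../">../</a>
<a href="maven-metadata.xml">maven-metadata.xml</a>                       2020-06-10 12:00   512
<a href="cudf-0.14-cuda10-1.jar.sha1">cudf-0.14-cuda10-1.j..&gt;</a>     2020-06-10 12:00    40
<a href="cudf-0.14.jar.sha1">cudf-0.14.jar.sha1</a>                       2020-06-10 12:00    40
<a href="cudf-0.14.pom.sha1">cudf-0.14.pom.sha1</a>                       2020-06-10 12:00    40
`

// Constructed: the versions a maven-metadata.xml for the same artifact lists
// when it lags behind the files actually present in the directory.
var sampleMetadataVersions = []string{"0.14"}

var anchorRe = regexp.MustCompile(`<a href="([^"]+)"[^>]*>([^<]*)</a>`)

// listingFileNames extracts file names from a directory listing. The anchor
// text is used as the name, but when it is truncated (it no longer matches
// href) the href is taken instead, which is the fallback the PR describes.
func listingFileNames(html string) []string {
	var names []string
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href, text := m[1], m[2]
		name := text
		if name != href {
			name = href
		}
		names = append(names, name)
	}
	return names
}

// versionFromFileName derives the version from "<artifactId>-<version>.jar.sha1".
// Note: a classifier such as "-sources" would be folded into the version by
// this simple rule; the PR description does not say how the crawler treats
// classifiers, so callers must decide that separately.
func versionFromFileName(artifactID, name string) (string, bool) {
	prefix, suffix := artifactID+"-", ".jar.sha1"
	if !strings.HasPrefix(name, prefix) || !strings.HasSuffix(name, suffix) {
		return "", false
	}
	v := strings.TrimSuffix(strings.TrimPrefix(name, prefix), suffix)
	return v, v != ""
}

// versionsFromListing returns the sorted versions that have a .jar.sha1 file
// in the listing, independent of what maven-metadata.xml says.
func versionsFromListing(artifactID, html string) []string {
	seen := map[string]bool{}
	for _, name := range listingFileNames(html) {
		if v, ok := versionFromFileName(artifactID, name); ok {
			seen[v] = true
		}
	}
	versions := make([]string, 0, len(seen))
	for v := range seen {
		versions = append(versions, v)
	}
	sort.Strings(versions)
	return versions
}

// missingFromMetadata lists versions present in the directory but absent from
// metadata: exactly the artifacts a metadata-driven crawler would never hash.
func missingFromMetadata(listed, metadata []string) []string {
	inMeta := map[string]bool{}
	for _, v := range metadata {
		inMeta[v] = true
	}
	var missing []string
	for _, v := range listed {
		if !inMeta[v] {
			missing = append(missing, v)
		}
	}
	return missing
}

func main() {
	listed := versionsFromListing("cudf", sampleListing)
	fmt.Println("versions from file names:", listed)
	fmt.Println("missing from metadata:   ", missingFromMetadata(listed, sampleMetadataVersions))
}
```

Only `.jar.sha1` names are turned into versions, so the `.pom.sha1` entry and the metadata file itself are ignored; every jar that has a digest file in the directory is covered even when `maven-metadata.xml` was never regenerated for it.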