Include latest v4 vulnerability #1400
Conversation
Need to be careful here to not 'break' the current latest bundle if this job runs and there is a bug.
I'd expect the output of this job to include updates to all the versioned v4 offline bundles and the latest offline bundle; I would expect the following to be uploaded:
- scanner-support-public/offline/v1/scanner-vuln-updates.zip
- scanner-support-public/offline/v1/4.4/scanner-vulns-4.4.zip
As of this initial release, I would expect scanner-vuln-updates.zip to be updated and 4.4/scanner-vulns-4.4.zip to be created/updated, and both to contain the same data (they will diverge in the future as more versioned bundles are created).
I haven't decided how to generate scanner-vuln-[version].zip because I am hesitant to use a loop to iterate over all scanner-defs-[version].zip in this script at this moment, as you said that might introduce bugs to this workflow. Since scanner-vuln-update.zip only contains the latest v4 defs, it makes sense to change this bash function. I'll make another PR for the v4 offline bundles.
OK, we may be introducing more variance between latest and the versioned bundles by separating these workflows (since the versioned bundles need the Scanner V2 data produced by this job). If the jobs are separated it will be possible that (for example)
FWIW, there are ways to have functions / commands in bash fail without breaking the whole script (if you change your mind).
Yeah, that's true. I will take that into consideration but possibly build on top of this PR. Do you think this PR/change makes sense?
One more nit.
LGTM, approving because I believe it will achieve the desired outcome; however, because it will modify scanner-vuln-updates.zip, which is a 'live' file, HOLD OFF on the merge until others approve and are aware that the change is being made.
Also recommend before merging to test uploading this 'combo' file to older supported versions of Central and ensure nothing breaks (I don't expect things to break, but let's be sure, i.e. because we're adding another 300MiB it's possible the default timeouts may need to be adjusted, and we need to be extra sure that older Centrals will ignore the extra V4 files in the bundle).
Can you provide your testing steps?
- Scanner V4 works.
- Scanner V2 works.
That makes sense. I will add steps for testing the new scanner-vuln-update.zip working with Scanner V2, but I probably can't test the bundles working with Scanner V4 since stackrox/stackrox#9409 and ROX-21981 are not done yet. @jvdm
@daynewlee can I download a sample ZIP to look at?
I believe https://storage.googleapis.com/scanner-support-public/offline/v1/scanner-vuln-updates.zip is overwritten by CI now.
Co-authored-by: J. Victor Martins <[email protected]>
Generate scanner-vuln-update including v4 vulnerability of latest version
Currently I can only verify that Scanner V2 works with the new scanner-vuln-updates.zip; more V4-related tests will be done in ROX-21981.
Test