ROX-26604: Add layer lineage to RHEL v2 data model

[dcaravel]

Description

Fixes an edge case that could cause discrepancies in scan versions, packages, etc. when images have a common layer but with different parent layers.

Testing

Unit and e2e tests added. Test image details at stackrox/stackrox#13558

Also manually tested. The test images below have the same top/bottom layers but different middle layers, also they have tags that represent the version of the openjdk packages within the image for comparison.

Before fix:
Wrong version returned for 2nd scan:

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.11.0.9-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'

java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.12.0.7-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'

java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64

After fix:
Correct versions returned for both scans

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.11.0.9-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'

java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.12.0.7-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'

java-17-openjdk-headless
1:17.0.12.0.7-2.el8.x86_64

Also using a custom go app that dumps + compares scans from two different ACS instances. I compared the scan results from a default OCP installation with one cluster that had the fix and another cluster without. Initially the testing was yielding different vulnerability detections, that seemed to change as the vuln loads progressed (as well as after they were fully loaded).

To rule out this being related to this fix, I created a new image based off scanner:4.6.0-rc2 but added the scanner binary built in this PR (so that the embedded vulns stayed the same):

FROM quay.io/rhacs-eng/scanner:2.35.x-22-g7ecfa77951 AS withfix

# ^^ image produced by this PR

FROM quay.io/rhacs-eng/scanner:4.6.0-rc.2

COPY --from=withfix /scanner /scanner

After initialization complete and latest vulns loaded, re-ran all scans in both ACS instances and the result were identical except for the specific image tested above ^^ - these differences were expected because that is what this PR is fixing.

[dcaravel]

Current CI failures will be fixed by #1737 - once merged will rebase this PR.

[dcaravel]

Reviewers - please share your thoughts if we should add an env variable to switch this capability off (in case unforeseen issues)

[RTann]

Reviewers - please share your thoughts if we should add an env variable to switch this capability off (in case unforeseen issues)

Yeah I'm cool with adding an env var

[dcaravel]

/test e2e-tests

[dcaravel]

New CI failure - also saw same failure in latest commit in master indicating its not related to this change.

[openshift-ci]

@dcaravel: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-tests	f530567	link	false	/test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.