ROX-26604: Add layer lineage to RHEL v2 data model #1720

Status: Open. Wants to merge 5 commits into base: master

Conversation

dcaravel (Contributor) commented Nov 27, 2024

Description

Fixes an edge case that could cause discrepancies in scan versions, packages, etc. when images have a common layer but with different parent layers.

Testing

Unit and e2e tests added. Test image details at stackrox/stackrox#13558

Also manually tested. The test images below have the same top/bottom layers but different middle layers; they also have tags that represent the version of the openjdk packages within the image, for comparison.

Before fix:
Wrong version returned for 2nd scan:

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.11.0.9-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64
$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.12.0.7-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64

After fix:
Correct versions returned for both scans:

$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.11.0.9-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.11.0.9-2.el8.x86_64
$ rctl image scan -f --image=quay.io/dcaravel/temp:jdk-17.0.12.0.7-2.el8.x86_64 2>/dev/null | jq -r '.scan.components[] | select (.name == "java-17-openjdk-headless") | .name,.version'
java-17-openjdk-headless
1:17.0.12.0.7-2.el8.x86_64

Also tested using a custom Go app that dumps and compares scans from two different ACS instances. I compared the scan results from a default OCP installation with one cluster that had the fix and another cluster without. Initially the testing was yielding different vulnerability detections, which seemed to change as the vuln loads progressed (as well as after they were fully loaded).

To rule out this being related to this fix, I created a new image based off scanner:4.6.0-rc2 but added the scanner binary built in this PR (so that the embedded vulns stayed the same):

FROM quay.io/rhacs-eng/scanner:2.35.x-22-g7ecfa77951 AS withfix
# ^^ image produced by this PR

FROM quay.io/rhacs-eng/scanner:4.6.0-rc.2
COPY --from=withfix /scanner /scanner

After initialization completed and the latest vulns loaded, I re-ran all scans in both ACS instances and the results were identical except for the specific image tested above ^^. These differences were expected because that is what this PR is fixing.
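A reduced model of the edge case this description fixes, added here as an illustration rather than code from this PR or from the scanner itself: a per-layer cache keyed only by the layer digest hands the second image the first image's openjdk version, while keying on the full parent chain (the layer lineage) keeps the two results apart. The layer digests, version strings and the hashing scheme are constructed placeholders.

```go
package main

import "crypto/sha256"
import "encoding/hex"

// Layer is a constructed stand-in for an image layer: its digest and the
// openjdk version it installs ("" when it touches no relevant package).
type Layer struct{ Digest, Version string }

// byDigest keys the layer cache on the bare layer digest (pre-fix behaviour).
func byDigest(layers []Layer, i int) string { return layers[i].Digest }

// byLineage keys on the whole parent chain up to layer i, so a shared layer
// reached via different parents gets a distinct key (illustrative hashing).
func byLineage(layers []Layer, i int) string {
	h := sha256.New()
	for _, l := range layers[:i+1] {
		h.Write([]byte(l.Digest + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// scan walks an image's layers bottom-up, reusing and filling a cross-image
// cache keyed by keyFn, and returns the effective package version.
func scan(img []Layer, cache map[string]string, keyFn func([]Layer, int) string) string {
	version := ""
	for i, l := range img {
		k := keyFn(img, i)
		if cached, ok := cache[k]; ok {
			version = cached // cache hit: reuse whatever was stored for this key
			continue
		}
		if l.Version != "" {
			version = l.Version
		}
		cache[k] = version
	}
	return version
}

// demo scans two constructed images (shared bottom/top layers, different
// middle layers) and returns the second image's version under each scheme.
func demo() (digestKeyed, lineageKeyed string) {
	base, top := Layer{Digest: "sha256:base"}, Layer{Digest: "sha256:top"}
	imgA := []Layer{base, {Digest: "sha256:midA", Version: "1:17.0.11.0.9-2.el8"}, top}
	imgB := []Layer{base, {Digest: "sha256:midB", Version: "1:17.0.12.0.7-2.el8"}, top}
	c1, c2 := map[string]string{}, map[string]string{}
	scan(imgA, c1, byDigest)
	digestKeyed = scan(imgB, c1, byDigest)
	scan(imgA, c2, byLineage)
	lineageKeyed = scan(imgB, c2, byLineage)
	return digestKeyed, lineageKeyed
}
```

With the digest-keyed cache, image B's shared top layer hits the entry stored while scanning image A and reports A's version; the lineage-keyed cache gives B's top layer its own key.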

@dcaravel dcaravel changed the title [WIP DO NOT MERGE] ROX-26604: Add layer lineage to RHEL v2 data model ROX-26604: Add layer lineage to RHEL v2 data model Dec 5, 2024
@dcaravel dcaravel marked this pull request as ready for review December 10, 2024 00:19
@stackrox stackrox deleted a comment from openshift-ci bot Dec 10, 2024
@dcaravel dcaravel requested review from a team, jvdm, BradLugo, daynewlee and RTann December 11, 2024 03:20
dcaravel (Contributor Author)

Current CI failures will be fixed by #1737 - once merged will rebase this PR.

dcaravel (Contributor Author)

Reviewers - please share your thoughts if we should add an env variable to switch this capability off (in case unforeseen issues)

RTann (Collaborator) commented Dec 18, 2024

Reviewers - please share your thoughts if we should add an env variable to switch this capability off (in case unforeseen issues)

Yeah I'm cool with adding an env var

dcaravel (Contributor Author)

/test e2e-tests

dcaravel (Contributor Author)

New CI failure - also saw the same failure in the latest commit in master, indicating it's not related to this change.

openshift-ci bot commented Dec 19, 2024

@dcaravel: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-tests | Commit: f530567 | Required: false | Rerun command: /test e2e-tests

