Consider RedHat EUS fix information when matching #2787
Conversation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
67b1058 to
307d604
Compare
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
cf250f5 to
93500f2
Compare
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
1268101 to
16a2aeb
Compare
There was a problem hiding this comment.
The biggest question to me to answer stems around API configuration: having a way to specify "default everything to auto/enabled/disabled". In this PR, I think it will take either hardcoding each channel in code (which might make sense anyway, we might have specific code blocks for specific channels) or executing a query to get the full set of channels, and I don't know if we should be querying the db before executing grype itself just to get configurations. But it could work, too.
| // TODO: in the future we may want to support more channels, as well as have a default-apply value here that can be overridden within each channel configuration | ||
|
|
||
| // EUS is the Extended Update Support channel for RHEL | ||
| RedHatEUS FixChannel `yaml:"redhat-eus" json:"redhat-eus" mapstructure:"redhat-eus"` |
There was a problem hiding this comment.
I wonder if this would be easy to make a map by channel name, e.g.:
fix-channels:
apply: none
channels:
eus:
apply: auto
version: > 9
Where this configuration is more-or-less what gets sent to the matchers, e.g.:
type FixChannels struct {
Apply FixChannelEnabled
Channels map[string]FixChannel
}
... in some future state where a matcher does something like:
for channel in select_applicable_channels() {
if fixChannels.enabled(channel) {
// select some things from the special channel records
}
}
... or should the initial configuration not even have redhat, only a global apply option?
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
| ID string | ||
|
|
||
| // Vulnerabilities is a set of vulnerabilities that were discovered from the search. | ||
| Vulnerabilities []vulnerability.Vulnerability |
There was a problem hiding this comment.
I think we agreed that each Result should reference a single Vulnerability to avoid cases where there are different match details that get merged together, is that right?
There was a problem hiding this comment.
we did agree, but the main bug was to ensure that the merge function correctly reasoned about these details (which was fixed). I held off incorporating the data shape changes for a few of reasons:
- this has been tested to show it's working as we'd expect
- further changes to the Result struct should probably be guided by what we want to do with match details and if we want criteria to take their place in the result struct
- I though you suggested to hold off on incorporating changes to the Result object based on your prototyping (maybe I misunderstood?)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This adds support for considering Extended Updated Support (EUS) fix information for RedHat distros when matching.
Closes #2446
Changes
result.Resultobject for being able to organize returned vulnerability objects from a provider into pseudo prototype matches, allowing for merging of sets with control over how the merge is done. This enables more flexibility for matchers to combine results (as is needed with EUS)TODO