
remotematcher: Implement RemoteMatcher for CRDA #3

Closed
wants to merge 62 commits into from

Conversation

arajkumar (Owner)

This is a WIP PR to supplement quay#202. This is not ready for formal review.

RemoteMatcher is an additional interface that a Matcher can implement.

When called the interface should call the remote matcher using the RESTful API
to fetch new vulnerabilities associated with the given IndexRecords.

The information retrieved from this interface will not be persisted into ClairCore database.
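The interface the PR describes, as an added example that is neither ClairCore's code nor the PR's own: a RemoteMatcher interface with a single QueryRemoteMatcher method, and an HTTP implementation that enforces the 60s deadline the later commits settle on via a context timeout, caps how much response body it will read, keeps only results for the records it actually asked about, drops duplicate vulnerability IDs, and hands the map back to the caller without writing anything to a database. The IndexRecord and Vulnerability shapes, the `name@version` result key, the JSON wire format, the field names and the endpoint are assumptions; the server in `main` is a constructed stand-in, not a real CRDA service.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// IndexRecord and Vulnerability are minimal stand-ins for claircore's types (assumed shapes).
type IndexRecord struct {
	PackageName    string `json:"package_name"`
	PackageVersion string `json:"package_version"`
	Repository     string `json:"repository,omitempty"`
}

type Vulnerability struct {
	ID             string `json:"id"`
	Name           string `json:"name"`
	FixedInVersion string `json:"fixed_in_version,omitempty"`
}

// RemoteMatcher is the assumed shape of the optional interface: a Matcher may
// implement it to ask a remote service about a batch of IndexRecords.
type RemoteMatcher interface {
	QueryRemoteMatcher(ctx context.Context, records []*IndexRecord) (map[string][]*Vulnerability, error)
}

// DefaultDeadline follows the 60s deadline adopted in the PR's commits.
const DefaultDeadline = 60 * time.Second

// RecordKey is the assumed key under which the remote service reports results.
func RecordKey(r *IndexRecord) string { return r.PackageName + "@" + r.PackageVersion }

// HTTPRemoteMatcher POSTs records as JSON to URL and decodes a RecordKey -> vulnerabilities map.
type HTTPRemoteMatcher struct {
	URL      string
	Client   *http.Client
	Deadline time.Duration // zero means DefaultDeadline
	MaxBody  int64         // cap on response bytes read; zero means 8 MiB
}

func (m *HTTPRemoteMatcher) QueryRemoteMatcher(ctx context.Context, records []*IndexRecord) (map[string][]*Vulnerability, error) {
	out := make(map[string][]*Vulnerability, len(records))
	if len(records) == 0 {
		return out, nil // nothing to ask; never issue an empty request
	}
	deadline, maxBody := m.Deadline, m.MaxBody
	if deadline == 0 {
		deadline = DefaultDeadline
	}
	if maxBody == 0 {
		maxBody = 8 << 20
	}
	ctx, cancel := context.WithTimeout(ctx, deadline)
	defer cancel()

	body, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, m.URL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json")

	resp, err := m.Client.Do(req)
	if err != nil {
		if ctx.Err() != nil { // the deadline fired; report it as such so callers can tell it apart
			return nil, fmt.Errorf("remote matcher %s: deadline of %s exceeded: %w", m.URL, deadline, ctx.Err())
		}
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, 4096))
		return nil, fmt.Errorf("remote matcher %s: unexpected status %s", m.URL, resp.Status)
	}
	var raw map[string][]*Vulnerability
	if err := json.NewDecoder(io.LimitReader(resp.Body, maxBody)).Decode(&raw); err != nil {
		return nil, fmt.Errorf("remote matcher %s: bad response body: %w", m.URL, err)
	}
	// Keep only keys we asked for and drop duplicate IDs. Nothing is persisted:
	// the caller gets the map and that is the end of it.
	for _, r := range records {
		k := RecordKey(r)
		seen := map[string]bool{}
		for _, v := range raw[k] {
			if v == nil || v.ID == "" || seen[v.ID] {
				continue
			}
			seen[v.ID] = true
			out[k] = append(out[k], v)
		}
	}
	return out, nil
}

func main() {
	// Constructed stand-in for the remote service; the ID below is made up.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = json.NewEncoder(w).Encode(map[string][]*Vulnerability{
			"openssl@1.1.1": {{ID: "EXAMPLE-1", Name: "example", FixedInVersion: "1.1.1k"}},
		})
	}))
	defer srv.Close()
	m := &HTTPRemoteMatcher{URL: srv.URL, Client: srv.Client()}
	res, err := m.QueryRemoteMatcher(context.Background(), []*IndexRecord{{PackageName: "openssl", PackageVersion: "1.1.1"}})
	fmt.Println(res["openssl@1.1.1"][0].ID, err)
}
```

The deadline is applied per call rather than on the http.Client so a caller's own context can still cancel earlier, and the body cap means a misbehaving remote cannot make the matcher allocate without bound.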
arajkumar and others added 4 commits July 17, 2020 01:41
* matcher: Add preliminary support for Remote Matcher

RemoteMatcher is an additional interface that a Matcher can implement.

When called the interface can invoke the remote matcher using the RESTful API
to fetch new vulnerabilities associated with the given IndexRecords.

The information retrieved from this interface **won't be persisted** into ClairCore database.

* Update internal/matcher/controller.go

Co-authored-by: Louis DeLosSantos <louis.delos@gmail.com>

* remotematcher: Add a realistic deadline for QueryRemoteMatcher call

* remotematcher: Change deadline to 60s according to review comments

Co-authored-by: Louis DeLosSantos <louis.delos@gmail.com>
@arajkumar arajkumar changed the base branch from remote-matcher-v1 to master July 17, 2020 15:22
@arajkumar arajkumar changed the base branch from master to remote-matcher-v1 July 17, 2020 15:23
arajkumar and others added 16 commits July 17, 2020 23:01
When a package is associated with multiple repositories a database query
returns duplicated vulnerabilities. The map is used as a set to determine
whether a vulnerability is already present in the slice.
…t) (quay#204)

* Add support for embedded content-sets

Content manifest file is stored in image layer and contains information
about used content-sets. Content-sets are translated using mapping file
provided by Red Hat's product security team.

Mapping file is updated every N hours.

* Allow embedded content-sets in RHEL repo scanner

Rhel repository scanner gets content manifest from layer and translates
it to CPEs using mapping file.

* Pull dependencies when spinning podman environment

This avoids a situation where local dependencies are outdated.

* RHEL Matcher: translate content-sets to CPEs

Translation of content-sets to CPEs happens in Matching part now instead
of in indexing part. This should prevent a situation where mapping is
missing some data when image is indexed.

* Remove updates from request path, make concurrent safe

This commit changes the LocalUpdateJob in such a way that updating the
MappingFile will not occur during ClairCore matching process.

It also adapts the LocalUpdateJob to be concurrent safe and allows the
RHEL matcher to be shared between goroutines.

Signed-off-by: ldelossa <ldelossa@redhat.com>

* Revert line breaks in md doc

The line breaks are needed for html rendering.

* Increase update interval to 10 minutes

30 seconds is too low a value and it could cause traffic to Red Hat
ProdSec endpoints.

Co-authored-by: ldelossa <ldelossa@redhat.com>
For integration testing purposes we should be able to point claircore to a
different OVAL stream using an env var.
* consistent container names

* etc: update podman.yaml.in

Co-authored-by: Hank Donnay <hdonnay@redhat.com>
* Add Repository key to RHEL oval parser

The key identifies Red Hat repositories.

* Add binary kind to oval parser

Packages in oval are binary packages and their type should be stored in
database to be able to differentiate whether it affects all sub-binary
packages or just binary package.

* Use and fetch cpe mapping in indexer

Previous implementation of cpe mapping in matcher has a lot of corner
cases. So we decided to put a mapping code into indexer instead.

* use do once to ensure single updater job

this commit adds a sync.Once to the Updater constructor to ensure only a
single UpdaterJob is created on construction.

Signed-off-by: ldelossa <ldelossa@redhat.com>

Co-authored-by: ldelossa <ldelossa@redhat.com>
Ensures all vulns have an updater field and ensures all vulns provide a
package.Kind for their affected packages.

Currently all sec databases only provide vulnerabilities for BINARY
packages.

Support for a security database to provide vulnerabilities for SOURCE
packages still exists.

Signed-off-by: ldelossa <ldelossa@redhat.com>
By adding package kind to database vulnerability query we query only
real affected packages. Without this code Clair produces false negatives
in case source package and binary package have the same name.

When a vulnerability is issued with source package all binary packages that
have come from the same source are marked as vulnerable.
hdonnay and others added 29 commits August 21, 2020 13:38
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
This PR implements correct OVAL parsing for debian and ubuntu moving
away from incorrect regex parsing of the oval data.

goval-parser is bumped to obtain the necessary datastructures.

Signed-off-by: ldelossa <ldelossa@redhat.com>
This function is needed to access some internal packages when importing
updates from an artifact produced by the offline updater.

Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: ldelossa <ldelossa@redhat.com>
this commit overhauls md book with new content and images.

Signed-off-by: Louis Delossantos <ldelossa.ld@gmail.com>
this commit fixes all issues with prose via peer review

Co-authored-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: ldelossa <ldelossa@redhat.com>
Signed-off-by: ldelossa <ldelossa@redhat.com>
Signed-off-by: ldelossa <ldelossa@redhat.com>
this commit introduces automated change log generation and github
workflows to support it

Signed-off-by: ldelossa <ldelossa@redhat.com>
this commit introduces automated change log generation and github
workflows to support it

Signed-off-by: ldelossa <ldelossa@redhat.com>
Previously, this table could grow without bound, which is suboptimal.

Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@arajkumar arajkumar closed this Sep 21, 2020
Labels: None yet
Projects: None yet
3 participants