fix: google distroless patching for libssl1.1 #41

Merged 1 commit on Feb 21, 2023

CodeMonkeyLeet (Contributor)

  • Match naming of libssl1.1 status.d control file to match libssl1 as provided by the distroless base image. This implementation truncates all package file names to the first period, which does not affect other existing packages in the base images seen in the distroless images test set, but may need to be revisited if that behavior changes.
  • Add test case for distroless libssl1.1 patching.
  • Fix failure to copy unpacked update files to target image if the tooling image already has the latest versions of the files. dpkg.go now unpacks the update files to a separate root and copies those into a layer for merge into the target image instead of relying on a diff layer after unpacking the update files into the tooling image.
  • Clarify in comments for rpm.go why the distroless patching behavior differs from dpkg.go.

Closes #37

- Match naming of libssl1.1 status.d control file to match libssl1 as
  provided by the distroless base image. This implementation truncates
  all package file names to the first period, which does not affect
  other existing packages in the base images seen in the distroless
  images test set, but may need to be revisited if that behavior
  changes.
- Add test case for libssl1.1 patching.
- Fix failure to copy unpacked update files to target image if the
  tooling image already has the latest versions of the files. dpkg.go
  now unpacks the update files to a separate root and copies those
  into a layer for merge into the target image instead of relying on
  a diff layer after unpacking the update files into the tooling image.
- Clarify in comments for rpm.go why the distroless patching behavior
  differs from dpkg.go.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
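
The naming rule described in this PR (truncate the package name at the first period to get the status.d file name) can be checked against an image's existing status.d entries before patching. The following is an added example, not code from copacetic; `statusdName`, `planStatusd` and all package names in the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// statusdName applies the rule from the PR description: keep the package
// name up to, but not including, the first period (libssl1.1 -> libssl1).
func statusdName(pkg string) string {
	name, _, _ := strings.Cut(pkg, ".")
	return name
}

// planStatusd maps each updated package to its status.d file name and reports
// truncated names shared by more than one package (collisions) and packages
// whose truncated name has no existing status.d file (unmatched).
func planStatusd(updates, existing []string) (plan map[string]string, collisions, unmatched []string) {
	present := make(map[string]bool, len(existing))
	for _, f := range existing {
		present[f] = true
	}
	plan = make(map[string]string, len(updates))
	owners := make(map[string][]string)
	for _, pkg := range updates {
		n := statusdName(pkg)
		plan[pkg] = n
		owners[n] = append(owners[n], pkg)
		if !present[n] {
			unmatched = append(unmatched, pkg)
		}
	}
	for n, pkgs := range owners {
		if len(pkgs) > 1 {
			collisions = append(collisions, n)
		}
	}
	sort.Strings(collisions)
	sort.Strings(unmatched)
	return plan, collisions, unmatched
}

func main() {
	// Constructed sample data, not taken from a real image.
	existing := []string{"base-files", "libc6", "libssl1", "openssl"}
	updates := []string{"libssl1.1", "openssl", "libexample2.0", "libexample2.5"}
	fmt.Println(planStatusd(updates, existing))
}
```

A non-empty collisions or unmatched list marks the case the description says "may need to be revisited": the patched package's control file would not replace the entry a scanner reads from the base image.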
codecov-commenter commented Feb 17, 2023

Codecov Report

Base: 100.00% // Head: 100.00% // No change to project coverage 👍

Coverage data is based on head (534f291) compared to base (e28c02d).
Patch has no changes to coverable lines.

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #41   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines           27        27           
=========================================
  Hits            27        27           



@sozercan sozercan left a comment

LGTM

@sozercan sozercan merged commit 4c5b92c into project-copacetic:main Feb 21, 2023
CodeMonkeyLeet pushed a commit to CodeMonkeyLeet/copacetic that referenced this pull request Feb 21, 2023
Remove debug image creation introduced in project-copacetic#41.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
sozercan pushed a commit to sozercan/copacetic that referenced this pull request Mar 14, 2023
Remove debug image creation introduced in project-copacetic#41.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
sozercan added a commit that referenced this pull request Mar 15, 2023
Co-authored-by: Simon Leet <simon.leet@microsoft.com>
ashnamehrotra pushed a commit to ashnamehrotra/copacetic that referenced this pull request Aug 25, 2023
Development

Successfully merging this pull request may close these issues.

[BUG] remaining libssl vulnerability after patching