Internally version all detected content by extension

[KeyboardNerd]

Conceptual change:

• Detector now represents anything that extracts information from a layer blob. Detector has two different types for now: Namespace ( Detector to extract namespace) and Feature ( Detector to extract features )
• Processor and Lister are renamed to Detector

Changes in API:

• Add Detector message type, Namespace message type
• Add detector field to Feature/Namespace to indicate which detector finds a specific feature or namespace
• Change all scanned_* to be just detector

Changes in Database Model:

• Every features and namespaces are associated with the detectors that found them.
• Aggregated concepts:
  • Entities: objects relating the vulnerabilities and the ancestries as the result of Analysis.
  • Ancestries: layers and ancestries scanned with detectors with metadata (name/structure/relation to entities/detectors) saved in the database.
  • Vulnerabilities: vulns fetched by the updaters.
  • Notification: vulnerability notifications spawned by vulnerability changes.
  • UpdaterLock: lock and keyValue.

Changes in Behavior:

• Remove Clair side (dis)enable detectors in configuration. Now, every layer is scanned with every detectors.

Additional responsibility to Client:

• Client should filter out the features that are not necessary by filtering the detectors ( This responsibility maybe moved to API level on server side in the future )

[KeyboardNerd]

Please review clair.proto and models.go to confirm the expectation. Those are expected to not be changed in the following commits.

[KeyboardNerd]

Self comments

[KeyboardNerd]

New Table: Detectors

[KeyboardNerd]

Detector should contain all metadata information of all the extensions used to scan a layer.

[KeyboardNerd]

Entities are the real immutable content in the database.

On a higher level, Layer ( layer hash with layer content ) is not really immutable because a new extension can scan a layer and add new associated features.

[KeyboardNerd]

I will change Lister to detector in the following PRs.

[KeyboardNerd]

Please review this design to use string to represent the Detector Type.
I can also define FeatureDetector and NamespaceDetector struct types for the same purpose.

[KeyboardNerd]

Using Detector here maybe not valid. As the reason shows in the database, namespace/feature may be detected by two different detectors in two different layers.

[jzelinskie]

type is a keyword so I'm a little uneasy about using this name.
As a counter-point, the reflect standard library package does define their own type Type interface {...}

[KeyboardNerd]

https://github.com/coreos/clair/blob/master/database/database.go#L42 haha

[jzelinskie]

name, verison string

[jzelinskie]

name, version string

[jzelinskie]

Version -> version

[jzelinskie]

one line each

[jzelinskie]

copyright headers

and let's move this into database/psql/migrations

[KeyboardNerd]

DetectedFeatures -> Features

[KeyboardNerd]

The new map type introduces a lot more complexity. It makes the worker complicated and also the database implementation. Maybe, we don't want this map to organize since the map will at most contain around 1000 features.

[KeyboardNerd]

Flatten the map to be []DetectedNamespace, which contains Detector and Namespace.
This is for simplifying the data structure, we can then use pointers and a new data structure if we need to improve the performance.

[KeyboardNerd]

This name is a requirement by the prototool linter.

[KeyboardNerd]

nit: remove line

[KeyboardNerd]

nit: lower case

[KeyboardNerd]

update the comment

[KeyboardNerd]

re order

[KeyboardNerd]

TODO: I start to think that the abstraction on database layer is wrong. Somehow we need to figure out a way to get ride of the implicit database feature relationship.

[KeyboardNerd]

is this being used? remove

[KeyboardNerd]

Note to other PR reviewer
TODO means it's a thing for the future PR not this one
NIT means it's not blocking merging the PR
Not related means it's a old issue and can be not addressed in this PR
Otherwise it means blocking the PR.

[KeyboardNerd]

Rephrase: The detectors used to scan this Ancestry. It may not be the same set of detectors in the Clair instance.

[KeyboardNerd]

It's wasteful to find ancestry and all the features associated here. We should later consider to have this function on database interface.

[jzelinskie]

This is my first pass. I'm going to need to take a look much harder at the database changes.

[jzelinskie]

Wow this kinda sucks. I wonder if gogo protobuf generates something more ergonomic than this.

[jzelinskie]

Is there a reason to even use a string? Why not have an integer?

const (
  NamespaceDectectorType DetectorType = iota
  FeatureDetectorType
  ...
)

[KeyboardNerd]

because I want to store enum in the database. Well I can write a conversion to make this work anyway.

[jzelinskie]

Enums are most often just integers in the database that have special meaning for the application. You use enums because it makes the column more simple (thus easier to migrate, copy, compare values etc...)

[KeyboardNerd]

Yes, that's the point isn't it. DetectorType (Detector Enum) is just like Severity Enum. You can look up the database schema for that.

[jzelinskie]

We could put this in strutil if you change the function to be:

func StringifyList(xs []fmt.Stringer) (ys []string) {
  for _, x := range xs {
    ys = append(ys, x.String())
  }
  return
}

[KeyboardNerd]

ok, then it will require the type conversion from []database.Detector to []fmt.Stringer, which sucks

[jzelinskie]

Yeah. This is super unfortunate... It's because interfaces are different memory layouts and creating a list of them is O(N), so you have to explicitly make the copy yourself rather than having Go do it for you when you pass it into the function.

[KeyboardNerd]

It makes me think if this kind of design is wrong after all. I think we are thinking about functions using generics but interfaces are not generics.

[KeyboardNerd]

I think I should keep the original design for the serialization.

[jzelinskie]

👍

[jzelinskie]

This is comment also wrong. Hash is the sha256 digest of the manifest for a particular image.

[jzelinskie]

I think everything in here makes sense to just have in the database package rather than in a utility package.

[jzelinskie]

I think all of this is useful for only the database. I think this would also be fine being just in the database package.

Also, copyright header

[KeyboardNerd]

Yes, those are for comparing the database models but it's not only for the database tests. It's also used in the worker test and in the future updater test.

[jzelinskie]

I think the general approach for the database is good. We discussed it enough beforehand that it's pretty much exactly what I expected. I think that there were a bunch of things I noticed for database optimizations, but I don't think we should really spend time on that until we're positive it's the finalized schema.

some additional thoughts... i ran the codebase and sat pondering our current schema for a bit and came up with a few things that might not necessarily need to be done in this PR:

Get rid of namespaced_feature

ancestry_feature -> (id, ancestry_layer_id, feat_id, feat_detector_id, ns_id, ns_detector_id)

make kv table consistent

• rename fields to updater/$NAMESPACE
• prefix value to include the SCM: git-sha:hf92dk9

detector type

• rename column type -> dtype
• change column to this enum: CREATE TYPE detector_type AS ENUM ('feature', 'namespace');

debian:unstable ns needs to be mapped to a number

we should lstrip "v" off of the alpine namespace version numbers, no other namespaces do that

[jzelinskie]

I avoid using the word init to avoid confusion around the keyword.

[jzelinskie]

Do these have to be strings? I'd be nice to keep them as arrays in the JSON logs.
Also the detectors string is borderline unreadable:

{"Detectors":"DETECTOR_TYPE_FEATUREDetector/apk/1.0,DETECTOR_TYPE_FEATUREDetector/dpkg/1.0,DETECTOR_TYPE_FEATUREDetector/rpm/1.0,DETECTOR_TYPE_NAMESPACEDetector/alpine-release/1.0,DETECTOR_TYPE_NAMESPACEDetector/apt-sources/1.0,DETECTOR_TYPE_NAMESPACEDetector/lsb-release/1.0,DETECTOR_TYPE_NAMESPACEDetector/os-release/1.0,DETECTOR_TYPE_NAMESPACEDetector/redhat-release/1.0"}

[jzelinskie]

We should come up with a naming convention for the functions that are just wrapping calls in a transaction.

[jzelinskie]

copypasta?

[jzelinskie]

I comment on main, but yeah this is pretty verbose and hard to read

[jzelinskie]

👍

[jzelinskie]

Name is a globally unique value for a set of layers. This is often the sha256 digest of an OCI/Docker manifest.

[KeyboardNerd]

This is done:
detector type
rename column type -> dtype
change column to this enum: CREATE TYPE detector_type AS ENUM ('feature', 'namespace');