Parse Source package from package information databases #638
Conversation
Feature now has a pointer to parent feature. If a vulnerability affects a parent feature, this child feature will be affected.
KeyboardNerd
force-pushed
the
featureTree
branch
from
49714ec
to
9ca970f
Compare
| // will also affect this feature. | ||
| // | ||
| // e.g. A source package is the parent feature of a binary package. | ||
| Parent *Feature |
There was a problem hiding this comment.
Should we use Parent or have Children list?
The problem with using Children list is that lots of places in the code base requires Feature to be Hashable.
There was a problem hiding this comment.
Is that just because we're using it as the key in a map? If so, it's not too hard to implement String() on this type and use that as the key.
edit: oh, it's also because of the use of sets now, too?
There was a problem hiding this comment.
mapset uses map internally to store elements
There was a problem hiding this comment.
OK, I'm wrong. I assumed that when comparing pointers, mapset checks the internal structure. This is not true. Yes, we'll need a pre-hash function for the Feature type.
ext/featurefmt/dpkg/dpkg.go
Outdated
| @@ -20,6 +20,8 @@ import ( | |||
| "regexp" | |||
| "strings" | |||
|
|
|||
| "github.com/deckarep/golang-set" | |||
|
|
|||
ext/featurefmt/dpkg/dpkg.go
Outdated
| @@ -36,33 +38,87 @@ var ( | |||
|
|
|||
| type lister struct{} | |||
|
|
|||
| // dpkgPackageMetadata stores the direct parsed objects from the dpkg database. | |||
ext/featurefmt/dpkg/dpkg.go
Outdated
| return p.PackageVersion | ||
| } | ||
|
|
||
| func convertToFeatures(pkgs mapset.Set) []database.Feature { |
There was a problem hiding this comment.
it makes me think that we should have Feature to be an interface (ADT) having
GetName(), GetVersionFormat(),...
so that we don't have to copy everything
There was a problem hiding this comment.
I think that overcomplicates things. These lists aren't that big and each struct is only going to be marginally larger than an the struct that backs interfaces in the Go runtime.
I would like the deduplicate this code across formats, though.
ext/featurefmt/dpkg/dpkg.go
Outdated
| pkg.Name = "" | ||
| pkg.Version = "" | ||
| } | ||
| if pkg.Valid() { |
| "github.com/stretchr/testify/require" | ||
|
|
||
| "github.com/coreos/clair/ext/featurefmt" | ||
|
|
|
|
||
| "github.com/coreos/clair/database" | ||
| "github.com/coreos/clair/pkg/tarutil" | ||
| "github.com/stretchr/testify/assert" |
| "github.com/stretchr/testify/assert" | ||
| ) | ||
|
|
||
| // TestData represents the data used to test an implementation of Lister. |
There was a problem hiding this comment.
either we'll keep this for small instances of package information testing, or we migrate to the new way of testing, which I prefer for larger sample.
| // | ||
| // The CSV File Must have all extractable packages from the package installation | ||
| // source file. | ||
| func LoadExpectedResult(relativeFilePath string) []ExpectedPackage { |
KeyboardNerd
force-pushed
the
featureTree
branch
2 times, most recently
from
d6cad0e
to
532a40b
Compare
KeyboardNerd
changed the title
|
These commits should be all for this PR. I found a problem with using versionfmt as the hint for associating the namespace. If there are multiple namespaces, we can just determine the namespace based on the package installer type. I suggest to have: Package manager has the version format to parse the feature, which is found under the package manager. Maybe, we can remodel the database to have: Ancestry -> Layer/NamespacedFeature |
jzelinskie
added
kind/design
| // will also affect this feature. | ||
| // | ||
| // e.g. A source package is the parent feature of a binary package. | ||
| Parent *Feature |
There was a problem hiding this comment.
Is that just because we're using it as the key in a map? If so, it's not too hard to implement String() on this type and use that as the key.
edit: oh, it's also because of the use of sets now, too?
| apk-tools,2.6.7-r0,, | ||
| scanelf,1.1.6-r0,pax-utils,1.1.6-r0 | ||
| musl-utils,1.1.14-r10,musl,1.1.14-r10 | ||
| libc-utils,0.7-r0,libc-dev,0.7-r0 |
There was a problem hiding this comment.
I kinda dislike testdata directories like this. We can keep this in CSV format if you'd like but we should store it in the same package like this:
var testData = `
musl,1.1.14-r10,,
busybox,1.24.2-r9,,
alpine-baselayout,3.0.3-r0,,
alpine-keys,1.1-r0,,
zlib,1.2.8-r2,,
libcrypto1.0,1.0.2h-r1,openssl,1.0.2h-r1
libssl1.0,1.0.2h-r1,openssl,1.0.2h-r1
apk-tools,2.6.7-r0,,
scanelf,1.1.6-r0,pax-utils,1.1.6-r0
musl-utils,1.1.14-r10,musl,1.1.14-r10
libc-utils,0.7-r0,libc-dev,0.7-r0
`There was a problem hiding this comment.
why is that? it's easier to manipulate the expected output CSV file if it's directly stored as a file. Both dpkg and rpm, which support formatting, can easily generate CSV output. I think it's just extra effort to put these inside a go file.
There was a problem hiding this comment.
To avoid complicating the tests with code that loads test files.
I've noticed that in the standard library, they only use testdata directories for benchmarks.
I don't feel super strong about it though, since we already do this for a bunch of other tests.
There was a problem hiding this comment.
Well, in std not very true https://github.com/golang/go/blob/a0d6420d8be2ae7164797051ec74fa2a2df466a1/src/net/interface_linux_test.go#L93
in this case, it loads the test file for testing the parser. Basically the same usage as ours.
Yes, you're right that loading test file will involve extra code complexity.
There was a problem hiding this comment.
Good find. I think we should play things by ear. If there are many test files or they're in a format that's a pain to edit without tools, we should use a testdata directory with files. If it isn't much of a pain to keep things in the test package in Go source files, we should do that.
I leave the decision up to you.
ext/featurefmt/dpkg/dpkg.go
Outdated
| return p.PackageVersion | ||
| } | ||
|
|
||
| func convertToFeatures(pkgs mapset.Set) []database.Feature { |
There was a problem hiding this comment.
I think that overcomplicates things. These lists aren't that big and each struct is only going to be marginally larger than an the struct that backs interfaces in the Go runtime.
I would like the deduplicate this code across formats, though.
KeyboardNerd
force-pushed
the
featureTree
branch
3 times, most recently
from
fe53af1
to
51e3793
Compare
1. Featurefmt testing code is moved to featurefmttest package. 2. Featurefmt now can be tested against a csv file, which contains the expected package information result.
The source package metadata is extracted from the source line instead of forcing the binary package to have source package information.
Source package is now extracted from the RPM database by using
${SourceRPM} option in the rpm --qf argument.
"o" field is used to extract the Package Origin from the APK database.
KeyboardNerd
force-pushed
the
featureTree
branch
from
51e3793
to
2cc61f9
Compare
|
addressed comments |
In order to resolve the source package problem, the first step is to extract the source package from the package information files.
This PR contains the following as first step: