vex: account for package module when parsing VEX #1416
Conversation
6aac3ad to e4b64e8
Codecov Report: Attention: Patch coverage is
Coverage Diff

                main   #1416     +/-
Coverage      55.41%  55.43%  +0.01%
Files            282     282
Lines          17890   17934     +44
Hits            9914    9941     +27
Misses          6934    6948     +14
Partials        1042    1045      +3
5e7886d to 033b09c
033b09c to d25a2af
d25a2af to dba3d1b
dba3d1b to 4a9ec4c
3e77536 to b34a500
rhel/vex/parser.go (outdated)
    }
    if version, _, found := strings.Cut(purl.Version, ":"); found {
        modName = purl.Name + ":" + version
    } else {
@RTann adding this clause as some of the PURLs don't conform to a standard format and will be potentially updated:
Conventional: pkg:rpmmod/redhat/postgresql@13:8080020231114105206:63b34585
Unconventional: pkg:rpmmod/redhat/postgresql:15/postgresql
Possible update for unconventional format: pkg:rpmmod/redhat/postgresql@15
This is being looked at by RH prodsec.
Based on https://go.dev/play/p/PamAwGzH8r0 I think you can just do
version, _, _ := strings.Cut(purl.Version, ":")
return purl.Name + ":" + version, nil
This is being looked at by RH prodsec.
Is this blocked, then?
I'm not sure there is a point in editing it until we get a reply about whether this is:
- A bug and will be fixed
- A bug and won't be immediately fixed
- Not a bug and won't be changed
If we don't get that answer soon I think we just account for the conventional way and possibly modify in the future.
It's been a couple of days with no reply, going to change to just account for conventional rpmmod PURLs
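The thread above settles on deriving the module name from conventional rpmmod PURLs only, and the reviewer notes that strings.Cut already returns the whole version when no ':' is present. The following is an added, stand-alone example (not claircore's parser.go and not packageurl-go) that shows both points on the PURLs quoted in the thread; the minimal purl struct and parsePURL helper are constructed for this example and handle only the "pkg:<type>/<namespace>/<name>@<version>" shape.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// purl is a minimal stand-in for a parsed PURL (constructed for this example).
type purl struct{ Type, Namespace, Name, Version string }

// parsePURL handles "pkg:<type>/<namespace...>/<name>[@<version>]" only;
// qualifiers ("?...") and subpaths ("#...") are not supported here.
func parsePURL(s string) (purl, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return purl{}, errors.New("missing pkg: scheme")
	}
	typ, rest, ok := strings.Cut(strings.TrimPrefix(s, "pkg:"), "/")
	if !ok || typ == "" {
		return purl{}, errors.New("missing type")
	}
	rest, version, _ := strings.Cut(rest, "@") // version is "" when no '@'
	ns, name := "", rest
	if i := strings.LastIndex(rest, "/"); i >= 0 {
		ns, name = rest[:i], rest[i+1:]
	}
	if name == "" {
		return purl{}, errors.New("missing name")
	}
	return purl{Type: typ, Namespace: ns, Name: name, Version: version}, nil
}

// rpmmodModuleName derives "name:stream" from a conventional rpmmod PURL whose
// version is "<stream>:<context>:<build>". strings.Cut yields the whole version
// when there is no ':', so "@15" still gives "postgresql:15" without a found check.
func rpmmodModuleName(s string) (string, error) {
	p, err := parsePURL(s)
	if err != nil {
		return "", err
	}
	if p.Type != "rpmmod" {
		return "", fmt.Errorf("not an rpmmod purl: %q", p.Type)
	}
	if p.Version == "" {
		// The unconventional "pkg:rpmmod/redhat/postgresql:15/postgresql" shape
		// has no "@version"; it is rejected rather than guessed at.
		return "", errors.New("rpmmod purl without version")
	}
	stream, _, _ := strings.Cut(p.Version, ":")
	return p.Name + ":" + stream, nil
}
```

Calling rpmmodModuleName on "pkg:rpmmod/redhat/postgresql@13:8080020231114105206:63b34585" returns "postgresql:13", and on "pkg:rpmmod/redhat/postgresql@15" returns "postgresql:15".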
59434dd to a3c2044
a3c2044 to c5325eb
dc451f0 to 1114dae
one minor nit otherwise LGTM
1114dae to a97deb9
a97deb9 to 5df9794
Previously, we'd made the decision to ignore the package module and rely on the repo and package for matching but now that the VEX data has the package module data and it helps filter the results on the DB side, it seems best to add the package module information and keep the matcher constraints as it is. Signed-off-by: crozzy <[email protected]>
5df9794 to 54959d6
/fast-forward
Previously, we'd made the decision to ignore the package module and rely on the repo and package for matching, but now that the VEX data has the package module data and it helps filter the results on the DB side, it seems best to add the package module information and keep the matcher constraints as they are. Without this we'd need to change the RHEL matcher to remove the PackageModule constraint.