vex: account for package module when parsing VEX #1416
Conversation
crozzy
force-pushed
the
account-for-module-vex
branch
3 times, most recently
from
6aac3ad
to
e4b64e8
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1416 +/- ##
==========================================
+ Coverage 55.41% 55.43% +0.01%
==========================================
Files 282 282
Lines 17890 17934 +44
==========================================
+ Hits 9914 9941 +27
- Misses 6934 6948 +14
- Partials 1042 1045 +3 ☔ View full report in Codecov by Sentry. |
crozzy
force-pushed
the
account-for-module-vex
branch
2 times, most recently
from
5e7886d
to
033b09c
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
from
033b09c
to
d25a2af
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
from
d25a2af
to
dba3d1b
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
from
dba3d1b
to
4a9ec4c
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
2 times, most recently
from
3e77536
to
b34a500
Compare
rhel/vex/parser.go
Outdated
| } | ||
| if version, _, found := strings.Cut(purl.Version, ":"); found { | ||
| modName = purl.Name + ":" + version | ||
| } else { |
There was a problem hiding this comment.
@RTann adding this clause as some of the PURLs don't conform to a standard format and will be potentially updated:
Conventional: pkg:rpmmod/redhat/postgresql@13:8080020231114105206:63b34585
Unconventional: pkg:rpmmod/redhat/postgresql:15/postgresql
Possible update for unconventional format: pkg:rpmmod/redhat/postgresql@15
This is being looked at by RH prodsec.
There was a problem hiding this comment.
Based on https://go.dev/play/p/PamAwGzH8r0 I think you can just do
version, _, _ := strings.Cut(purl.Version, ":")
return purl.Name + ":" + version, nil
There was a problem hiding this comment.
This is being looked at by RH prodsec.
Is this blocked, then?
There was a problem hiding this comment.
I'm not sure there is a point in editing it until we get a reply about whether this is:
- A bug and will be fixed
- A bug and won't be immediately fixed
- Not a but and won't be changed
If we don't get that answer soon I think we just account for the conventional way and possibly modify in the future.
There was a problem hiding this comment.
It's been a couple of days with no reply, going to change to just account for conventional rpmmod PURLs
crozzy
force-pushed
the
account-for-module-vex
branch
3 times, most recently
from
59434dd
to
a3c2044
Compare
rhel/vex/parser.go
Outdated
| } | ||
| if version, _, found := strings.Cut(purl.Version, ":"); found { | ||
| modName = purl.Name + ":" + version | ||
| } else { |
There was a problem hiding this comment.
Based on https://go.dev/play/p/PamAwGzH8r0 I think you can just do
version, _, _ := strings.Cut(purl.Version, ":")
return purl.Name + ":" + version, nil
rhel/vex/parser.go
Outdated
| } | ||
| if version, _, found := strings.Cut(purl.Version, ":"); found { | ||
| modName = purl.Name + ":" + version | ||
| } else { |
There was a problem hiding this comment.
This is being looked at by RH prodsec.
Is this blocked, then?
crozzy
force-pushed
the
account-for-module-vex
branch
from
a3c2044
to
c5325eb
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
2 times, most recently
from
dc451f0
to
1114dae
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
from
1114dae
to
a97deb9
Compare
crozzy
force-pushed
the
account-for-module-vex
branch
from
a97deb9
to
5df9794
Compare
Previously, we'd made the decision to ignore the package module and rely on the repo and package for matching but now that the VEX data has the package module data and it helps filter the results on the DB side, it seems best to add the package module information and keep the matcher constraints as it is. Signed-off-by: crozzy <[email protected]>
crozzy
force-pushed
the
account-for-module-vex
branch
from
5df9794
to
54959d6
Compare
|
/fast-forward |
Previously, we'd made the decision to ignore the package module and rely on the repo and package for matching but now that the VEX data has the package module data and it helps filter the results on the DB side, it seems best to add the package module information and keep the matcher constraints as it is. Without this we'd need change the RHEL matcher to remove the
PackageModuleconstraint.