From 1cd9abe8ad5966ab9b03e6ba0c7d6b7de172edda Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 09:16:25 -0700 Subject: [PATCH 01/12] chore: bump github.com/docker/cli from 27.0.3+incompatible to 27.1.0+incompatible (#708) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 68fb1259..584a0af3 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/cpuguy83/go-docker v0.3.0 github.com/distribution/reference v0.6.0 github.com/docker/buildx v0.16.0 - github.com/docker/cli v27.0.3+incompatible + github.com/docker/cli v27.1.0+incompatible github.com/google/go-containerregistry v0.19.2 github.com/hashicorp/go-multierror v1.1.1 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f diff --git a/go.sum b/go.sum index 33d22c10..f06e58ec 100644 --- a/go.sum +++ b/go.sum 
@@ -92,8 +92,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/docker/buildx v0.16.0 h1:LurEflyb6BBoLtDwJY1dw9dLHKzEgGvCjAz67QI0xO0= github.com/docker/buildx v0.16.0/go.mod h1:4xduW7BOJ2B11AyORKZFDKjF6Vcb4EgTYnV2nunxv9I= -github.com/docker/cli v27.0.3+incompatible h1:usGs0/BoBW8MWxGeEtqPMkzOY56jZ6kYlSN5BLDioCQ= -github.com/docker/cli v27.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.0+incompatible h1:P0KSYmPtNbmx59wHZvG6+rjivhKDRA1BvvWM0f5DgHc= +github.com/docker/cli v27.1.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= From 75b8bac1b18444e0cfcbde776600b970c9f078d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:23:54 -0700 Subject: [PATCH 02/12] chore: bump k8s.io/apimachinery from 0.30.2 to 0.30.3 (#709) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 584a0af3..a0e0f0f2 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 golang.org/x/sync v0.7.0 google.golang.org/grpc v1.65.0 - k8s.io/apimachinery v0.30.2 + k8s.io/apimachinery v0.30.3 ) require ( diff --git a/go.sum b/go.sum index f06e58ec..b7412d9a 100644 --- a/go.sum +++ b/go.sum 
@@ -612,8 +612,8 @@ gotest.tools/v3 v3.3.0 h1:MfDY1b1/0xN1CyMlQDac0ziEy9zJQd9CXBRRDHw2jJo= gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A= k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM= -k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg= -k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= From f730aa9e6bc9a3ce9b7aa3e95d01f8849bca0318 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:19:54 -0700 Subject: [PATCH 03/12] chore: bump github.com/google/go-containerregistry from 0.19.2 to 0.20.1 (#710) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a0e0f0f2..3dce7e29 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/distribution/reference v0.6.0 github.com/docker/buildx v0.16.0 github.com/docker/cli v27.1.0+incompatible - github.com/google/go-containerregistry v0.19.2 + github.com/google/go-containerregistry v0.20.1 github.com/hashicorp/go-multierror v1.1.1 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422 diff --git a/go.sum b/go.sum index b7412d9a..247c818b 100644 --- a/go.sum +++ b/go.sum 
@@ -177,8 +177,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w= -github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0= +github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= From 6d914463e6a0d960486bdd6066dd7509f7448b43 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:35:31 -0700 Subject: [PATCH 04/12] chore: bump the all group with 6 updates (#711) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 12 ++++++------ .github/workflows/codeql.yml | 8 ++++---- .github/workflows/dependency-review.yml | 2 +- .github/workflows/deploy-docs.yaml | 2 +- .github/workflows/golangci-lint.yml | 2 +- .github/workflows/release-docs.yml | 2 +- .github/workflows/release.yml | 8 ++++---- .github/workflows/scorecards.yml | 4 ++-- 8 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 240dcdca..be768d41 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -34,7 +34,7 @@ jobs: permissions: read-all steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit - name: Check out code @@ -68,7 +68,7 @@ jobs: os: [ubuntu-latest] steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -127,7 +127,7 @@ jobs: tar xzf copa_edge_linux_amd64.tar.gz ./copa --version - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Run functional test shell: bash run: | @@ -169,7 +169,7 @@ jobs: tar xzf copa_edge_linux_amd64.tar.gz ./copa --version - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Run functional test shell: bash run: | @@ -185,7 +185,7 @@ jobs: permissions: read-all steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit - name: Check out code @@ -213,7 +213,7 @@ jobs: tar xzf copa_edge_linux_amd64.tar.gz ./copa --version - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Run e2e tests shell: bash run: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a23c2d37..ba4dcdba 100644 
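Review bot: The new harden-runner pin in build.yml (and the same line in codeql.yml, dependency-review.yml, golangci-lint.yml, release-docs.yml, release.yml and scorecards.yml) keeps the `# v2.3.1` comment while the SHA changes from 17d0e2bd… to 0d381219…, so the comment now describes neither the old nor the new pin. A SHA pin is only reviewable when the trailing comment names the release the SHA actually belongs to, because that comment is what a reader checks against the upstream tag; please set it to the tag that 0d381219… resolves to upstream (I have not verified which release that is), e.g. `uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # <actual release tag>`. deploy-docs.yaml pins the same SHA with no version comment at all; giving it one would keep the workflows consistent.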
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,7 +44,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit @@ -58,7 +58,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -85,6 +85,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 1a4cc9de..2b45d2dc 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit diff --git a/.github/workflows/deploy-docs.yaml b/.github/workflows/deploy-docs.yaml index 41836c03..15c8a3cd 100644 --- a/.github/workflows/deploy-docs.yaml +++ b/.github/workflows/deploy-docs.yaml @@ -30,7 +30,7 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c with: egress-policy: audit diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index ef8ca33f..cc544d38 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit diff --git a/.github/workflows/release-docs.yml b/.github/workflows/release-docs.yml index 873b0daf..147b518a 100644 --- a/.github/workflows/release-docs.yml +++ b/.github/workflows/release-docs.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6b79fdbf..1710dd4c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -16,7 +16,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit @@ -29,7 +29,7 @@ jobs: go-version: "1.22" check-latest: true - - uses: anchore/sbom-action/download-syft@95b086ac308035dc0850b3853be5b7ab108236a8 # v0.16.1 + - uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - name: Run goreleaser uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 @@ -46,10 +46,10 @@ jobs: ref: main - name: Set up Docker - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 - name: Login to ghcr - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 4c01dc00..1abd3b1f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.3.1 + uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.3.1 with: egress-policy: audit @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: sarif_file: results.sarif From beb8c86673a80a5269280c8533adc3c675a3d5ed Mon Sep 17 00:00:00 2001 
From: Miaha <143584635+MiahaCybersec@users.noreply.github.com>
Date: Tue, 23 Jul 2024 17:11:47 -0600
Subject: [PATCH 05/12] fix: docker repository format checks (#707)
Signed-off-by: Miaha Cybersec
Co-authored-by: Ashna Mehrotra
---
 pkg/patch/patch.go | 12 ++++++------
 website/docs/quick-start.md | 14 ++++++++++----
 .../versioned_docs/version-v0.7.x/quick-start.md | 2 +-
 3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/pkg/patch/patch.go b/pkg/patch/patch.go
index 38d839de..24f69a80 100644
--- a/pkg/patch/patch.go
+++ b/pkg/patch/patch.go
@@ -83,13 +83,13 @@ func patchWithContext(ctx context.Context, ch chan error, image, reportFile, pat
 log.Warnf("Image name has no tag or digest, using latest as tag")
 imageName = reference.TagNameOnly(imageName)
 }
+ var tag string
 taggedName, ok := imageName.(reference.Tagged)
- if !ok {
- err := errors.New("Unrecognized docker repository format. Please use one of the following: image-registry/imagename:imageversion or image-registry/imagename:imageversion@indexdigest")
- log.Error(err)
- return err
+ if ok {
+ tag = taggedName.Tag()
+ } else {
+ log.Warnf("Image name has no tag")
 }
- tag := taggedName.Tag()
 if patchedTag == "" {
 if tag == "" {
 log.Warnf("No output tag specified for digest-referenced image, defaulting to `%s`", defaultPatchedTagSuffix)
@@ -327,7 +327,7 @@ func getOSType(ctx context.Context, osreleaseBytes []byte) (string, error) {
 case strings.Contains(osType, "rocky"):
 return "rocky", nil
 default:
- log.Error("unsupported osType", osType)
+ log.Error("unsupported osType ", osType)
 return "", errors.ErrUnsupported
 }
 }
diff --git a/website/docs/quick-start.md b/website/docs/quick-start.md
index 1f344754..efb4aed5 100644
--- a/website/docs/quick-start.md
+++ b/website/docs/quick-start.md
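Review bot: `log.Warnf("Image name has no tag")` on the new else branch can only fire for a digest-only reference, because the block just above has already rewritten a reference with neither tag nor digest via `reference.TagNameOnly`, so the message understates what is happening and the format call carries no arguments. Prefer `log.Warn("Image reference is digest-only; no tag to derive the patched tag from")` (or `Warnf` with the reference interpolated), and the type assertion plus branch collapses to `if taggedName, ok := imageName.(reference.Tagged); ok { tag = taggedName.Tag() }` now that `tag` is declared up front. In the getOSType hunk the trailing space in `log.Error("unsupported osType ", osType)` presumably works around Sprint-style joining that omits the separator between two strings; `log.Errorf("unsupported osType %q", osType)` states the intent and quotes the value. patchWithContext and getOSType both start and end outside their hunks.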
@@ -49,14 +49,20 @@ This guide illustrates how to patch outdated containers with `copa`. copa patch -i $IMAGE ``` - :::tip - If you want to patch an image using the digest, run the following command instead: - + :::tip + If you want to patch an image using the digest, run the following command instead: + + ```bash + export IMAGE=docker.io/library/nginx@sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 + copa patch -i $IMAGE + ``` + Or if you want to patch an image using the tag and digest, run the following command instead: + ```bash export IMAGE=docker.io/library/nginx:1.21.6@sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 copa patch -i $IMAGE ``` - ::: + ::: 2. Update only targeted packages Alternatively, you can chose to have a targeted patching of your image by providing an optional vulnerability report. In the following commands, we are only updating packages marked vulnerable by Trivy: diff --git a/website/versioned_docs/version-v0.7.x/quick-start.md b/website/versioned_docs/version-v0.7.x/quick-start.md index 1f344754..db8ecd71 100644 --- a/website/versioned_docs/version-v0.7.x/quick-start.md +++ b/website/versioned_docs/version-v0.7.x/quick-start.md @@ -51,7 +51,7 @@ This guide illustrates how to patch outdated containers with `copa`. :::tip If you want to patch an image using the digest, run the following command instead: - + ```bash export IMAGE=docker.io/library/nginx:1.21.6@sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 copa patch -i $IMAGE From da8fe8e55521c7d35d178ccd9724c45cc61af66d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 09:13:26 -0700 Subject: [PATCH 06/12] chore: bump github.com/docker/cli from 27.1.0+incompatible to 27.1.1+incompatible (#716) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3dce7e29..4f71122f 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/cpuguy83/go-docker v0.3.0 github.com/distribution/reference v0.6.0 github.com/docker/buildx v0.16.0 - github.com/docker/cli v27.1.0+incompatible + github.com/docker/cli v27.1.1+incompatible github.com/google/go-containerregistry v0.20.1 github.com/hashicorp/go-multierror v1.1.1 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f diff --git a/go.sum b/go.sum index 247c818b..08d1905a 100644 --- a/go.sum +++ b/go.sum @@ -92,8 +92,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/docker/buildx v0.16.0 h1:LurEflyb6BBoLtDwJY1dw9dLHKzEgGvCjAz67QI0xO0= github.com/docker/buildx v0.16.0/go.mod h1:4xduW7BOJ2B11AyORKZFDKjF6Vcb4EgTYnV2nunxv9I= -github.com/docker/cli v27.1.0+incompatible h1:P0KSYmPtNbmx59wHZvG6+rjivhKDRA1BvvWM0f5DgHc= -github.com/docker/cli v27.1.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= From f696308dfcf94836748a8dbf74a615ced3b230dd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 10:40:32 -0700 Subject: [PATCH 07/12] chore: bump github.com/docker/buildx from 0.16.0 to 0.16.2 (#717) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 4f71122f..523a3a3f 100644 --- a/go.mod +++ b/go.mod @@ -10,14 +10,14 @@ require ( github.com/cpuguy83/dockercfg v0.3.1 github.com/cpuguy83/go-docker v0.3.0 github.com/distribution/reference v0.6.0 - github.com/docker/buildx v0.16.0 + github.com/docker/buildx v0.16.2 github.com/docker/cli v27.1.1+incompatible github.com/google/go-containerregistry v0.20.1 github.com/hashicorp/go-multierror v1.1.1 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 - github.com/moby/buildkit v0.15.0 + github.com/moby/buildkit v0.15.1 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 github.com/openvex/go-vex v0.2.5 @@ -63,7 +63,7 @@ require ( github.com/fvbommel/sortorder v1.0.1 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/gofrs/flock v0.12.0 // indirect + github.com/gofrs/flock v0.12.1 // indirect github.com/gogo/googleapis v1.4.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/mock v1.6.0 // indirect @@ -143,7 +143,7 @@ require ( golang.org/x/mod v0.17.0 // indirect golang.org/x/net v0.25.0 // indirect golang.org/x/oauth2 v0.20.0 // indirect - golang.org/x/sys v0.21.0 // indirect + golang.org/x/sys v0.22.0 // indirect golang.org/x/term v0.20.0 // indirect golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.5.0 // indirect 
diff --git a/go.sum b/go.sum index 08d1905a..5f3b32bd 100644 --- a/go.sum +++ b/go.sum @@ -90,8 +90,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/buildx v0.16.0 h1:LurEflyb6BBoLtDwJY1dw9dLHKzEgGvCjAz67QI0xO0= -github.com/docker/buildx v0.16.0/go.mod h1:4xduW7BOJ2B11AyORKZFDKjF6Vcb4EgTYnV2nunxv9I= +github.com/docker/buildx v0.16.2 h1:SPcyEiiCZEntJQ+V0lJI8ZudUrki2v1qUqmC/NqxDDs= +github.com/docker/buildx v0.16.2/go.mod h1:by+CuE4Q+2NvECkIhNcWe89jjbHADCrDlzS9MRgbv2k= github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= 
@@ -146,8 +146,8 @@ github.com/go-sql-driver/mysql v1.3.0 h1:pgwjLi/dvffoP9aabwkT3AKpXQM93QARkjFhDDq github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/flock v0.12.0 h1:xHW8t8GPAiGtqz7KxiSqfOEXwpOaqhpYZrTE2MQBgXY= -github.com/gofrs/flock v0.12.0/go.mod h1:FirDy1Ing0mI2+kB6wk+vyyAH+e6xiE+EYA0jnzV9jc= +github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= +github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0= github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4= github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -286,8 +286,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/buildkit v0.15.0 h1:vnZLThPr9JU6SvItctKoa6NfgPZ8oUApg/TCOaa/SVs= -github.com/moby/buildkit v0.15.0/go.mod h1:oN9S+8I7wF26vrqn9NuAF6dFSyGTfXvtiu9o1NlnnH4= +github.com/moby/buildkit v0.15.1 h1:J6wrew7hphKqlq1wuu6yaUb/1Ra7gEzDAovylGztAKM= +github.com/moby/buildkit v0.15.1/go.mod h1:Yis8ZMUJTHX9XhH9zVyK2igqSHV3sxi3UN0uztZocZk= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= 
@@ -544,8 +544,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= From bbffa2931f8ec3d3170c0259ec3135d72ff6e0ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:30:44 -0700 Subject: [PATCH 08/12] chore: bump typescript from 5.5.3 to 5.5.4 in /website in the all group (#719) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- website/package.json | 2 +- website/yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/website/package.json b/website/package.json index fe45d46f..c0bdd296 100644 --- a/website/package.json +++ b/website/package.json @@ -26,7 +26,7 @@ "devDependencies": { "@docusaurus/module-type-aliases": "3.4.0", "@tsconfig/docusaurus": "^2.0.3", - "typescript": "^5.5.3" + "typescript": "^5.5.4" }, "browserslist": { "production": [ diff --git a/website/yarn.lock b/website/yarn.lock index 9dd465df..9056cbbb 100644 --- a/website/yarn.lock +++ b/website/yarn.lock 
@@ -8216,10 +8216,10 @@ typedarray-to-buffer@^3.1.5: dependencies: is-typedarray "^1.0.0" -typescript@^5.5.3: - version "5.5.3" - resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.5.3.tgz#e1b0a3c394190838a0b168e771b0ad56a0af0faa" - integrity sha512-/hreyEujaB0w76zKo6717l3L0o/qEUtRgdvUBvlkhoWeOVMjMuHNHk0BRBzikzuGDqNmPQbg5ifMEqsHLiIUcQ== +typescript@^5.5.4: + version "5.5.4" + resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.5.4.tgz#d9852d6c82bad2d2eda4fd74a5762a8f5909e9ba" + integrity sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q== unicode-canonical-property-names-ecmascript@^2.0.0: version "2.0.0" From da9015247ce57ac40e9bdf345503fda95e654a6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:46:31 -0700 Subject: [PATCH 09/12] chore: bump the all group across 1 directory with 3 updates (#722) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/release.yml | 2 +- .github/workflows/scorecards.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ba4dcdba..964ed17d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -58,7 +58,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -85,6 +85,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1710dd4c..29885473 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,7 +46,7 @@ jobs: ref: main - name: Set up Docker - uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Login to ghcr uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 1abd3b1f..ef35ee05 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -41,7 +41,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif 
@@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: sarif_file: results.sarif From 473202f1ad4c93eba899480dd96b7716ab0cd9cb Mon Sep 17 00:00:00 2001 From: Miaha <143584635+MiahaCybersec@users.noreply.github.com> Date: Mon, 29 Jul 2024 14:17:21 -0600 Subject: [PATCH 10/12] fix: microdnf update (#721) Signed-off-by: Miaha Cybersec Co-authored-by: Ashna Mehrotra --- integration/fixtures/test-images.json | 7 +++++++ pkg/pkgmgr/rpm.go | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/integration/fixtures/test-images.json b/integration/fixtures/test-images.json index b7eb9013..239c4ecd 100644 --- a/integration/fixtures/test-images.json +++ b/integration/fixtures/test-images.json @@ -130,6 +130,13 @@ "description": "Valid rpm DB, yum present", "ignoreErrors": false }, + { + "image": "docker.io/redhat/ubi9-minimal", + "tag": "9.4-949", + "digest": "sha256:9607229894026ebecade4623038fce35bb75bf9371aca7b08ca11b08d103d2ab", + "distro": "Redhat", + "description": "Valid microdnf, no yum/dnf/rpm" + }, { "image": "docker.io/grafana/grafana-image-renderer", "tag" : "3.4.0", diff --git a/pkg/pkgmgr/rpm.go b/pkg/pkgmgr/rpm.go index 139787fd..62d0c5fd 100644 --- a/pkg/pkgmgr/rpm.go +++ b/pkg/pkgmgr/rpm.go @@ -422,7 +422,7 @@ func (rm *rpmManager) installUpdates(ctx context.Context, updates unversioned.Up return nil, nil, fmt.Errorf("no patchable packages found") } - const microdnfInstallTemplate = `sh -c '%[1]s update %[2]s && %[1]s clean all'` + const microdnfInstallTemplate = `sh -c '%[1]s update %[2]s -y && %[1]s clean all'` installCmd = fmt.Sprintf(microdnfInstallTemplate, rm.rpmTools["microdnf"], pkgs) default: err := errors.New("unexpected: no package manager tools were found for patching") 
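Review bot: `pkgs` is still interpolated into a `sh -c '...'` string on the new template line, so a package name from the update manifest containing a single quote or other shell metacharacters would change the command that runs; installUpdates begins outside the hunk, so I cannot see whether the names are validated before this point — if they are not, check each name against an RPM package-name pattern before formatting, or pass the list as separate argv elements rather than through a shell. The `-y` addition itself looks right for an unattended build step; a short why-comment such as `// -y: run non-interactively, there is no tty to answer a confirmation prompt` would record the reason the flag was added.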
From 0d0f2f357219425f50371e4628acf56e02df5d46 Mon Sep 17 00:00:00 2001 From: Miaha <143584635+MiahaCybersec@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:12:53 -0600 Subject: [PATCH 11/12] docs: clarify copa does not support wolfi-based images (#724) Signed-off-by: Miaha Cybersec --- website/docs/introduction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/website/docs/introduction.md b/website/docs/introduction.md index 0fe5ada6..6d767464 100644 --- a/website/docs/introduction.md +++ b/website/docs/introduction.md @@ -37,6 +37,7 @@ This approach is motivated by the core principles of making direct container pat - **Copa supports patching _existing_ container images**. - Devs don't need to build their images using specific tools or modify them in some way just to support container patching. - **Copa supports containers without package managers _including_ distroless containers** + - Copa does not support Chainguard's wolfi-based images - **Copa works with the existing vulnerability scanning and mitigation ecosystems**. - Image publishers don't need to create new workflows for container patching since Copa supports patching container images using the security update packages already being published today. - Consumers do not need to migrate to a new and potentially more limited support ecosystem for custom distros or change their container vulnerability scanning pipelines to include remediation, since Copa can be integrated seamlessly as an extra step to patch containers based on those scanning reports. From 358a7ff52aaa5ee2ba022c39b03e73650b560481 Mon Sep 17 00:00:00 2001 From: Miaha <143584635+MiahaCybersec@users.noreply.github.com> Date: Mon, 29 Jul 2024 17:27:14 -0600 Subject: [PATCH 12/12] feat: add oracle support (#706) Signed-off-by: Miaha Cybersec 
Signed-off-by: Miaha <143584635+MiahaCybersec@users.noreply.github.com> Co-authored-by: Ashna Mehrotra --- integration/fixtures/test-images.json | 16 ++++++++++ integration/patch_test.go | 22 ++++++++++---- pkg/patch/patch.go | 2 ++ pkg/patch/patch_test.go | 43 +++++++++++++++++++++++++++ pkg/pkgmgr/pkgmgr.go | 2 +- pkg/pkgmgr/rpm.go | 7 +++++ website/docs/troubleshooting.md | 17 +++++++++++ 7 files changed, 103 insertions(+), 6 deletions(-) diff --git a/integration/fixtures/test-images.json b/integration/fixtures/test-images.json index 239c4ecd..e2640189 100644 --- a/integration/fixtures/test-images.json +++ b/integration/fixtures/test-images.json @@ -122,6 +122,22 @@ "description": "Valid rpm DB, yum present", "ignoreErrors": false }, + { + "image": "docker.io/library/oraclelinux", + "tag": "7.9", + "digest": "sha256:ba39a0daabd2df95ed5f374d016e87513f8e579ecc5a1599d7cf94679a281a34", + "distro": "Oracle Linux 7.9", + "description": "Valid rpm DB, yum present", + "ignoreErrors": false + }, + { + "image": "docker.io/library/oraclelinux", + "tag": "8.9", + "digest": "sha256:67c889172b07b1f4067050abf4bcf7fce2febd280664df261fe17fa82501a498", + "distro": "Oracle Linux 8.9", + "description": "Valid rpm DB, yum present", + "ignoreErrors": true + }, { "image": "docker.io/library/rockylinux", "tag": "8.9.20231119", diff --git a/integration/patch_test.go b/integration/patch_test.go index 2776e81f..973b81e3 100644 --- a/integration/patch_test.go +++ b/integration/patch_test.go @@ -48,7 +48,9 @@ func TestPatch(t *testing.T) { for _, img := range images { img := img - if !reportFile { + // Oracle tends to throw false positives with Trivy + // See https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400 + if !reportFile && !strings.Contains(img.Image, "oracle") { img.IgnoreErrors = false } 
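Review bot: The new condition detects Oracle by `strings.Contains(img.Image, "oracle")`, and the same substring test reappears in the later hunks of this file (the `switch` at -92, the VEX check at -110, and the `ref` check in `patch` at -207), so the rule for what counts as an Oracle image now lives in four places and would have to be changed in each. A small helper, `func isOracleImage(ref string) bool { return strings.Contains(ref, "oracle") }`, used at each site would keep the rule in one place and give the comment about Trivy false positives a single home. TestPatch itself starts and ends outside this hunk.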
@@ -92,7 +94,10 @@ func TestPatch(t *testing.T) { t.Log("patching image") patch(t, ref, tagPatched, dir, img.IgnoreErrors, reportFile) - if reportFile { + switch { + case strings.Contains(img.Image, "oracle"): + t.Log("Oracle image detected. Skipping Trivy scan.") + case reportFile: t.Log("scanning patched image") scanner(). withIgnoreFile(ignoreFile). @@ -100,7 +105,7 @@ func TestPatch(t *testing.T) { // here we want a non-zero exit code because we are expecting no vulnerabilities. withExitCode(1). scan(t, patchedRef, img.IgnoreErrors) - } else { + default: t.Log("scanning patched image") scanner(). withIgnoreFile(ignoreFile). @@ -110,7 +115,7 @@ func TestPatch(t *testing.T) { } // currently validation is only present when patching with a scan report - if reportFile { + if reportFile && !strings.Contains(img.Image, "oracle") { t.Log("verifying the vex output") validVEXJSON(t, dir) } @@ -207,7 +212,13 @@ func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool, report cmd.Env = append(cmd.Env, dockerDINDAddress.env()...) out, err := cmd.CombinedOutput() - require.NoError(t, err, string(out)) + + if strings.Contains(ref, "oracle") && reportFile && !ignoreErrors { + assert.Contains(t, string(out), "Error: Detected Oracle image passed in\n"+ + "Please read https://project-copacetic.github.io/copacetic/website/troubleshooting before patching your Oracle image") + } else { + require.NoError(t, err, string(out)) + } } func scanner() *scannerCmd { @@ -248,6 +259,7 @@ func (s *scannerCmd) scan(t *testing.T, ref string, ignoreErrors bool) { cmd.Env = append(cmd.Env, os.Environ()...) cmd.Env = append(cmd.Env, dockerDINDAddress.env()...) out, err := cmd.CombinedOutput() + assert.NoError(t, err, string(out)) } diff --git a/pkg/patch/patch.go b/pkg/patch/patch.go index 24f69a80..5e887774 100644 --- a/pkg/patch/patch.go +++ b/pkg/patch/patch.go 
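Review bot: In the Oracle branch added to `patch` (hunk -207), the test only asserts that the combined output contains the expected message and never checks `err`, so it would still pass if copa printed that text but exited 0; adding `assert.Error(t, err, string(out))` alongside the `assert.Contains` pins the refusal itself. The expected text is also a verbatim copy of the string constructed in pkg/pkgmgr/rpm.go, with an `Error: ` prefix that is presumably added by the CLI layer, so the two will drift silently unless the message is shared. The function `patch` begins outside the hunk.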
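@@ -326,6 +326,8 @@ func getOSType(ctx context.Context, osreleaseBytes []byte) (string, error) {
 return "redhat", nil
 case strings.Contains(osType, "rocky"):
 return "rocky", nil
+ case strings.Contains(osType, "oracle"):
+ return "oracle", nil
 default:
 log.Error("unsupported osType ", osType)
 return "", errors.ErrUnsupported
diff --git a/pkg/patch/patch_test.go b/pkg/patch/patch_test.go
index ad54c34b..359969a3 100644
--- a/pkg/patch/patch_test.go
+++ b/pkg/patch/patch_test.go
@@ -186,6 +186,49 @@ func TestGetOSType(t *testing.T) {
 err: nil,
 expectedOSType: "rocky",
 },
+ {
+ osRelease: []byte(`NAME="Oracle Linux Server"
+ VERSION="7.9"
+ ID="ol"
+ ID_LIKE="fedora"
+ VARIANT="Server"
+ VARIANT_ID="server"
+ VERSION_ID="7.9"
+ PRETTY_NAME="Oracle Linux Server 7.9"
+ ANSI_COLOR="0;31"
+ CPE_NAME="cpe:/o:oracle:linux:7:9:server"
+ HOME_URL="https://linux.oracle.com/"
+ BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
+
+ ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
+ ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
+ ORACLE_SUPPORT_PRODUCT="Oracle Linux"
+ ORACLE_SUPPORT_PRODUCT_VERSION=7.9`),
+ err: nil,
+ expectedOSType: "oracle",
+ },
+ {
+ osRelease: []byte(`NAME="Oracle Linux Server"
+ VERSION="8.9"
+ ID="ol"
+ ID_LIKE="fedora"
+ VARIANT="Server"
+ VARIANT_ID="server"
+ VERSION_ID="8.9"
+ PLATFORM_ID="platform:el8"
+ PRETTY_NAME="Oracle Linux Server 8.9"
+ ANSI_COLOR="0;31"
+ CPE_NAME="cpe:/o:oracle:linux:8:9:server"
+ HOME_URL="https://linux.oracle.com/"
+ BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
+
+ ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
+ ORACLE_BUGZILLA_PRODUCT_VERSION=8.9
+ ORACLE_SUPPORT_PRODUCT="Oracle Linux"
+ ORACLE_SUPPORT_PRODUCT_VERSION=8.9`),
+ err: nil,
+ expectedOSType: "oracle",
+ },
 {
 osRelease: nil,
 err: errors.ErrUnsupported,
diff --git a/pkg/pkgmgr/pkgmgr.go b/pkg/pkgmgr/pkgmgr.go
index 37796c38..15fe6c68 100644
--- a/pkg/pkgmgr/pkgmgr.go
+++ b/pkg/pkgmgr/pkgmgr.go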
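Review bot: The new `case` in getOSType matches the substring `"oracle"` while the fixtures added to patch_test.go carry `ID="ol"`, so the match evidently relies on the NAME/PRETTY_NAME text of os-release rather than the ID field; that is not obvious from the line itself and a later change to ID-based detection would silently stop recognising Oracle. A comment on the case such as `// Oracle Linux sets ID="ol"; it is recognised by the "oracle" substring in NAME/PRETTY_NAME` would make the dependency explicit. How `osType` is derived from `osreleaseBytes` is outside the hunk, so the exact field should be confirmed before the comment is worded that way.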
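@@ -33,7 +33,7 @@ func GetPackageManager(osType string, osVersion string, config *buildkit.Config,
 return &apkManager{config: config, workingFolder: workingFolder}, nil
 case "debian", "ubuntu":
 return &dpkgManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
- case "cbl-mariner", "centos", "redhat", "rocky", "amazon":
+ case "cbl-mariner", "centos", "oracle", "redhat", "rocky", "amazon":
 return &rpmManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
 default:
 return nil, fmt.Errorf("unsupported osType %s specified", osType)
diff --git a/pkg/pkgmgr/rpm.go b/pkg/pkgmgr/rpm.go
index 62d0c5fd..f01da934 100644
--- a/pkg/pkgmgr/rpm.go
+++ b/pkg/pkgmgr/rpm.go
@@ -191,7 +191,14 @@ func (rm *rpmManager) InstallUpdates(ctx context.Context, manifest *unversioned.
 var updates unversioned.UpdatePackages
 var rpmComparer VersionComparer
 var err error
+
 if manifest != nil {
+ if manifest.Metadata.OS.Type == "oracle" && !ignoreErrors {
+ err = errors.New("Detected Oracle image passed in\n" +
+ "Please read https://project-copacetic.github.io/copacetic/website/troubleshooting before patching your Oracle image")
+ return &rm.config.ImageState, nil, err
+ }
+
 rpmComparer = VersionComparer{isValidRPMVersion, isLessThanRPMVersion}
 updates, err = GetUniqueLatestUpdates(manifest.Updates, rpmComparer, ignoreErrors)
 if err != nil {
diff --git a/website/docs/troubleshooting.md b/website/docs/troubleshooting.md
index 66beb1a6..58638e48 100644
--- a/website/docs/troubleshooting.md
+++ b/website/docs/troubleshooting.md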
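Review bot: The new guard in InstallUpdates builds its error from a capitalised, multi-line user instruction, so the only way a caller can recognise this refusal is by matching the string, which the integration test in this series already does; a package-level sentinel such as `var ErrOracleScanReport = errors.New("oracle images cannot be patched from a scan report without --ignore-errors")` returned here, with the troubleshooting URL printed by the CLI layer, would let callers use `errors.Is` and keep the lowercase error style used elsewhere in this file (the test assertion would need the matching update). The guard also returns `&rm.config.ImageState` next to a non-nil error; unless a caller relies on that value, returning `nil` there avoids handing back a state that was never patched. The branch deserves a why-comment, e.g. `// Trivy reports Oracle Linux CVEs that copa cannot patch; refuse a report-driven run unless the caller opted into --ignore-errors (see website/docs/troubleshooting.md)`. The enclosing `if manifest != nil` block and the rest of InstallUpdates continue outside the hunk.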
@@ -2,6 +2,23 @@ title: Troubleshooting --- +## Copa and Trivy throw errors when Oracle Linux is passed in + +Copa supports patching Oracle Linux in two ways: + +With a vulnerability scan, `--ignore-errors` must be passed in. This will patch all CVEs aside from false positives reported by Trivy: + +```bash +copa patch -r /oracle-7.9-vulns.json -i docker.io/library/oraclelinux:7.9 --ignore-errors +``` + +Without a vulnerability scan, Copa will update all packages in the image: + +```bash +copa patch -i docker.io/library/oraclelinux:7.9 +``` + +Oracle reports CVEs in a way that causes Trivy to report false positives that Copa will be unable to patch. To patch the entire image, use the Copa `--ignore-errors` flag or omit the vulnerability scan report to upgrade all outdated packages. See [this GitHub issue](https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400) for more information. ## Filtering Vulnerabilities You might want to filter/ignore some of the vulnerabilities while patching. To do so, you need to first filter those undesired vulnerabilities from your scanner output.