docs: Add doc for scanners that report individual layers (#803)
Signed-off-by: Rita Zhang <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>
ritazh and sozercan authored Oct 9, 2024
1 parent 68e61c0 commit d8de178
Showing 9 changed files with 36 additions and 0 deletions.
4 changes: 4 additions & 0 deletions website/docs/faq.md
@@ -31,6 +31,10 @@ RPM: All RPM-based images will use `mcr.microsoft.com/cbl-mariner/base/core:2.0`

APK: APK-based images never use a tooling image, as Copa does not patch distroless alpine images.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.

## Can I replace the package repositories in the image with my own?

:::caution
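Review bot: the new answer names the cause but not the mechanism, and the mechanism is what a reader needs in order to judge whether the report is a false positive. Image layers are immutable: the patch layer Copa appends replaces the vulnerable package in the merged filesystem, but the earlier layers still carry the old package metadata, so a scanner that reports findings per layer will keep flagging them. Consider adding one sentence to that effect before `Please reach out to your scanner vendor`, plus a self-check the user can run before escalating: inspect the installed package version inside the patched image (for example with `dpkg -l`, `rpm -q` or `apk info -v`, depending on the image's package manager) and confirm it is the fixed version.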
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.1.x/faq.md
@@ -12,3 +12,7 @@ Copa is capable of patching "OS level" vulnerabilities. This includes packages (
Copa is not capable of patching vulnerabilities for compiled languages, like Go, at the "application level", for instance, Go modules. If your application uses a vulnerable version of the `golang.org/x/net` module, Copa will be unable to patch it. This is because Copa doesn't have access to the application's source code or the knowledge of how to build it, such as compiler flags, preventing it from patching vulnerabilities at the application level.

To patch vulnerabilities for applications, you can package these applications and consume them from package repositories, like `http://archive.ubuntu.com/ubuntu/` for Ubuntu, and ensure Trivy can scan and report vulnerabilities for these packages. This way, Copa can patch the applications as a whole, though it cannot patch specific modules within the applications.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.
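Review bot: this hunk (like the v0.2.x to v0.4.x ones) appends the new entry to the end of a versioned doc for an older release. Versioned docs are normally frozen snapshots of what shipped with that release; please confirm the project intends to keep adding FAQ entries to them, since every future wording change to this paragraph will then have to be applied in nine files. Separately, the heading reads `After Copa patched the image`; `After Copa has patched the image` is the natural tense and reads better next to the other question headings.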
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.2.x/faq.md
@@ -12,3 +12,7 @@ Copa is capable of patching "OS level" vulnerabilities. This includes packages (
Copa is not capable of patching vulnerabilities for compiled languages, like Go, at the "application level", for instance, Go modules. If your application uses a vulnerable version of the `golang.org/x/net` module, Copa will be unable to patch it. This is because Copa doesn't have access to the application's source code or the knowledge of how to build it, such as compiler flags, preventing it from patching vulnerabilities at the application level.

To patch vulnerabilities for applications, you can package these applications and consume them from package repositories, like `http://archive.ubuntu.com/ubuntu/` for Ubuntu, and ensure Trivy can scan and report vulnerabilities for these packages. This way, Copa can patch the applications as a whole, though it cannot patch specific modules within the applications.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.
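Review bot: `you’re` uses the typographic apostrophe while the surrounding file uses straight ASCII quotes (see `"OS level"` and `"application level"` in the context lines above); suggest `you're` for consistency and so the text is found by a plain-ASCII search.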
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.3.x/faq.md
@@ -12,3 +12,7 @@ Copa is capable of patching "OS level" vulnerabilities. This includes packages (
Copa is not capable of patching vulnerabilities for compiled languages, like Go, at the "application level", for instance, Go modules. If your application uses a vulnerable version of the `golang.org/x/net` module, Copa will be unable to patch it. This is because Copa doesn't have access to the application's source code or the knowledge of how to build it, such as compiler flags, preventing it from patching vulnerabilities at the application level.

To patch vulnerabilities for applications, you can package these applications and consume them from package repositories, like `http://archive.ubuntu.com/ubuntu/` for Ubuntu, and ensure Trivy can scan and report vulnerabilities for these packages. This way, Copa can patch the applications as a whole, though it cannot patch specific modules within the applications.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.4.x/faq.md
@@ -12,3 +12,7 @@ Copa is capable of patching "OS level" vulnerabilities. This includes packages (
Copa is not capable of patching vulnerabilities for compiled languages, like Go, at the "application level", for instance, Go modules. If your application uses a vulnerable version of the `golang.org/x/net` module, Copa will be unable to patch it. This is because Copa doesn't have access to the application's source code or the knowledge of how to build it, such as compiler flags, preventing it from patching vulnerabilities at the application level.

To patch vulnerabilities for applications, you can package these applications and consume them from package repositories, like `http://archive.ubuntu.com/ubuntu/` for Ubuntu, and ensure Trivy can scan and report vulnerabilities for these packages. This way, Copa can patch the applications as a whole, though it cannot patch specific modules within the applications.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.5.x/faq.md
@@ -13,6 +13,10 @@ Copa is not capable of patching vulnerabilities for compiled languages, like Go,

To patch vulnerabilities for applications, you can package these applications and consume them from package repositories, like `http://archive.ubuntu.com/ubuntu/` for Ubuntu, and ensure Trivy can scan and report vulnerabilities for these packages. This way, Copa can patch the applications as a whole, though it cannot patch specific modules within the applications.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.

## Can I replace the package repositories in the image with my own?

:::caution
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.6.x/faq.md
@@ -13,6 +13,10 @@ Copa is not capable of patching vulnerabilities for compiled languages, like Go,

To patch vulnerabilities for applications, you can package these applications and consume them from package repositories, like `http://archive.ubuntu.com/ubuntu/` for Ubuntu, and ensure Trivy can scan and report vulnerabilities for these packages. This way, Copa can patch the applications as a whole, though it cannot patch specific modules within the applications.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.

## Can I replace the package repositories in the image with my own?

:::caution
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.7.x/faq.md
@@ -17,6 +17,10 @@ To patch vulnerabilities for applications, you can package these applications an

If you find that your storage is rapidly being taken up after working with Copa, run `docker system prune`. This will prune all unused images, containers and caches.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.

## Can I replace the package repositories in the image with my own?

:::caution
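Review bot: the heading phrase `patched OS package vulnerabilities` is ambiguous (vulnerabilities in patched packages, or package vulnerabilities that were patched?); `why does the scanner still report OS package vulnerabilities that Copa already patched?` says what is meant. The closing sentence would also be more actionable if it told the reader what to give the vendor: that the fixed package version is present in the image's top layer and the finding is attributed to a lower layer.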
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v0.8.x/faq.md
@@ -31,6 +31,10 @@ RPM: All RPM-based images will use `mcr.microsoft.com/cbl-mariner/base/core:2.0`

APK: APK-based images never use a tooling image, as Copa does not patch distroless alpine images.

## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?

After scanning the patched image, if you’re still seeing vulnerabilities that have already been addressed in the patch layer, it could be due to the scanner reporting issues on each individual layer. Please reach out to your scanner vendor for assistance in resolving this.

## Can I replace the package repositories in the image with my own?

:::caution
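Review bot: with this last copy the identical paragraph now lives in nine files (`website/docs/faq.md` plus eight versioned snapshots). If the backport is intentional, it would be safer to land the wording in `website/docs/faq.md` first, settle it in review, and only then copy it to the versioned docs that are still maintained, so that the unversioned page stays the single source of truth for this answer.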