rhel: deprecate updater in favor of VEX updater

We can extract vulnerability information about containers from the VEX data. This negates the need to look for it in the cvemap.xml file. This change modifies the VEX updater to allow for ingesting vulnerabilities in a way that can be matched my the RHCC matcher. Signed-off-by: crozzy <[email protected]>
quay · Oct 14, 2024 · 2d919d7 · 2d919d7
1 parent b037b25
commit 2d919d7
Show file tree

Hide file tree

Showing 22 changed files with 3,857 additions and 913 deletions.
diff --git a/datastore/postgres/migrations/matcher/14-delete-rhcc-vulns.sql b/datastore/postgres/migrations/matcher/14-delete-rhcc-vulns.sql
@@ -0,0 +1,4 @@
+-- The rhel-vex updater will now be responsible for RHCC advisories so we have
+-- to delete the existing RHCC vulnerabilities.
+DELETE FROM update_operation WHERE updater = 'rhel-container-updater';
+DELETE FROM vuln where updater = 'rhel-container-updater';
diff --git a/datastore/postgres/migrations/migrations.go b/datastore/postgres/migrations/migrations.go
@@ -112,4 +112,8 @@ var MatcherMigrations = []migrate.Migration{
 		ID: 13,
 		Up: runFile("matcher/13-delete-rhel-oval.sql"),
 	},
+	{
+		ID: 14,
+		Up: runFile("matcher/14-delete-rhcc-vulns.sql"),
+	},
 }
diff --git a/pkg/rhctag/version_test.go b/pkg/rhctag/version_test.go
@@ -172,3 +172,54 @@ func TestOrdering(t *testing.T) {
 		t.Run(tc.Name, tc.Run)
 	}
 }
+
+type renderTestcase struct {
+	name                  string
+	versionIn             string
+	min                   bool
+	expectedVersionString string
+}
+
+func (tc renderTestcase) Run(t *testing.T) {
+	v, err := Parse(tc.versionIn)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ccVer := v.Version(tc.min)
+	rv := &ccVer
+	if rv.String() != tc.expectedVersionString {
+		t.Errorf("unexpected version %s but expected %s", rv.String(), tc.expectedVersionString)
+	}
+}
+
+func TestRendering(t *testing.T) {
+	testcases := []renderTestcase{
+		{
+			name:                  "no_min",
+			min:                   false,
+			versionIn:             "1.9.0-9",
+			expectedVersionString: "1!9.2147483647",
+		},
+		{
+			name:                  "with_min",
+			min:                   true,
+			versionIn:             "1.9.0-9",
+			expectedVersionString: "1!9",
+		},
+		{
+			name:                  "with_v",
+			min:                   true,
+			versionIn:             "v3.4.0-2",
+			expectedVersionString: "3!4",
+		},
+		{
+			name:                  "check_minor",
+			min:                   true,
+			versionIn:             "v3.5.7-8",
+			expectedVersionString: "3!5",
+		},
+	}
+	for _, tc := range testcases {
+		t.Run(tc.name, tc.Run)
+	}
+}
diff --git a/rhel/rhcc/coalescer_test.go b/rhel/rhcc/coalescer_test.go
@@ -21,7 +21,7 @@ func TestCoalescer(t *testing.T) {
 		// Mark them as if they came from this package's package scanner
 		p.RepositoryHint = `rhcc`
 	}
-	repo := []*claircore.Repository{&goldRepo}
+	repo := []*claircore.Repository{&GoldRepo}
 	layerArtifacts := []*indexer.LayerArtifacts{
 		{
 			Hash: test.RandomSHA256Digest(t),
@@ -67,7 +67,7 @@ func TestCoalescer(t *testing.T) {
 		}
 		for _, id := range e.RepositoryIDs {
 			r := ir.Repositories[id]
-			if got, want := r.Name, goldRepo.Name; got != want {
+			if got, want := r.Name, GoldRepo.Name; got != want {
 				t.Errorf("got: %q, want: %q", got, want)
 			}
 		}

diff --git a/rhel/rhcc/fetcher_test.go b/rhel/rhcc/fetcher_test.go
diff --git a/rhel/rhcc/matcher.go b/rhel/rhcc/matcher.go
@@ -26,7 +26,7 @@ func (*matcher) Name() string { return "rhel-container-matcher" }
 // Filter implements [driver.Matcher].
 func (*matcher) Filter(r *claircore.IndexRecord) bool {
 	return r.Repository != nil &&
-		r.Repository.Name == goldRepo.Name
+		r.Repository.Name == GoldRepo.Name
 }
 
 // Query implements [driver.Matcher].