
ROX-13435: fix RHELv2 updates #1012


Merged
merged 1 commit into from
Nov 10, 2022

Conversation

RTann
Collaborator

@RTann RTann commented Nov 10, 2022

The changes relating to the diff step in #928 caused RHELv2 updates to not work properly with older Scanner versions.

Older Scanner versions rely on PackageInfos to be populated. Genesis dumps no longer populate this field, and the diff converted each base dump's PackageInfos to Packages. Instead, we should have converted the new Packages to the old PackageInfos so older scanners would understand them properly.

Local Testing Steps:

  1. Run make build-updater
  2. Run ./bin/updater generate-dump --out-file test.zip. This will generate the latest genesis dump with the latest vulnerabilities.
  3. Run ./test.sh, where test.sh is defined below.
  4. Confirm PackageInfos are populated with the correct data. For example, you can unzip /tmp/diff-dumps/dump0/diff.zip and look at rhelv2/vulns/RHEL9-rhel-9-including-unpatched.json and verify "RHSA-2022:7288" has all the fields populated as expected.

test.sh:

```bash
#!/usr/bin/env bash
# Abort on any failed command; this is what turns the [[ ]] check below into a real assertion
# instead of a no-op whose exit status is discarded.
set -euo pipefail

mkdir -p /tmp/diff-dumps
idx=-1
# Each line from test.json is: <GCS dump location> <tab> <timestamp> <tab> <config JSON or empty>
while IFS=$'\t' read -r dumploc timestamp config; do
    idx=$((idx+1))
    dump_file_name="${dumploc##*/}"
    echo "Pulling genesis dump from ${dumploc}"
    gsutil cp "${dumploc}" .
    timestamp_in_zip="$(unzip -p "${dump_file_name}" manifest.json | jq -r '.until')"
    echo "Got timestamps -- from zip: ${timestamp_in_zip}; from manifest: ${timestamp}"
    [[ "${timestamp_in_zip}" == "${timestamp}" ]] # Assertion on the manifest contents
    # Make sure the per-dump output directory exists before the updater writes into it.
    mkdir -p "/tmp/diff-dumps/dump${idx}"
    # $ROOT/bin/updater is from the generate-genesis image in OpenShift CI.
    ./bin/updater diff-dumps --base-dump "${dump_file_name}" --head-dump test.zip --config "${config}" --out-file "/tmp/diff-dumps/dump${idx}/diff.zip"
done < <(jq -r '.knownGenesisDumps | .[]| [.dumpLocationInGS, .timestamp, (.config // empty | tostring)] | @tsv' < test.json)
du -d 2 -kh "/tmp/diff-dumps"
```

test.json:

```json
{
  "knownGenesisDumps": [
    {
      "dumpLocationInGS": "gs://stackrox-scanner-ci-vuln-dump/genesis-20220908183429.zip",
      "timestamp": "2022-09-08T18:34:29.343211144Z",
      "uuid": "f81dbc6b-5899-433b-bc86-9127219a9d89",
      "config": {
        "useLegacyRHELv2PackageInfos": true,
        "ignoreIstioVulns": true
      }
    }
  ]
}
```
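Step 4 above is a manual check; the script below automates it as an added example (not part of the PR or the project's own code). It reads the vulns JSON out of a diff.zip and flags entries that carry the new Packages field but no usable legacy PackageInfos, which is exactly what an older Scanner would fail on. The field names Name, Packages and PackageInfos are an assumption about the dump schema, and the sample data is constructed.

```python
"""Automate step 4 of the PR's local test: confirm RHELv2 vuln entries in a
diff dump still carry PackageInfos, which older Scanner versions depend on.
ASSUMPTION: the vulns file is a JSON array of objects with "Name",
"Packages" (new field) and "PackageInfos" (legacy field, each entry listing
its own "Packages"). Adjust the keys if the real schema differs.
"""
import json
import zipfile
from typing import Dict, Iterable, List, Optional

# Member path inside diff.zip, as named in the PR's test steps.
VULNS_MEMBER = "rhelv2/vulns/RHEL9-rhel-9-including-unpatched.json"


def load_vulns(diff_zip: str, member: str = VULNS_MEMBER) -> List[Dict]:
    """Read the vulns JSON straight out of diff.zip without unpacking to disk."""
    with zipfile.ZipFile(diff_zip) as zf:
        return json.loads(zf.read(member))


def find_legacy_regressions(vulns: Iterable[Dict], advisory: Optional[str] = None) -> List[str]:
    """Return names of entries an old scanner would silently miss: they have
    Packages but no usable PackageInfos (the breakage this PR fixes).
    When `advisory` is given, only that advisory name is checked."""
    bad = []
    for v in vulns:
        name = v.get("Name", "")
        if advisory and name != advisory:
            continue
        infos = v.get("PackageInfos") or []
        # A PackageInfo is only useful to an old scanner if it lists packages.
        usable = bool(infos) and all(pi.get("Packages") for pi in infos)
        if v.get("Packages") and not usable:
            bad.append(name)
    return bad


# Constructed sample (not real dump data): the first entry is converted the
# way older scanners expect, the second is what the broken diff step wrote.
SAMPLE_VULNS = [
    {"Name": "RHSA-2022:7288",
     "Packages": [{"Name": "pkg-a", "FixedInVersion": "0:1.0-1.constructed"}],
     "PackageInfos": [{"FixedInVersion": "0:1.0-1.constructed",
                       "Packages": [{"Name": "pkg-a", "Arch": "x86_64"}]}]},
    {"Name": "RHSA-0000:0000-constructed",
     "Packages": [{"Name": "pkg-b", "FixedInVersion": "0:2.0-1.constructed"}],
     "PackageInfos": []},
]

if __name__ == "__main__":
    print("entries missing PackageInfos:", find_legacy_regressions(SAMPLE_VULNS))
```

To run it against a real diff, replace SAMPLE_VULNS with load_vulns("/tmp/diff-dumps/dump0/diff.zip") and pass "RHSA-2022:7288" as the advisory.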

@RTann RTann added the generate-dumps-on-pr Generates the image based on dumps from the PR label Nov 10, 2022
@RTann RTann requested review from daynewlee and c-du November 10, 2022 22:24
@ghost

ghost commented Nov 10, 2022

Images are ready for the commit at c19904a.

To use the images, use the tag 2.26.x-24-gc19904ac62.

@RTann RTann merged commit 99a32a0 into master Nov 10, 2022
@RTann RTann deleted the ROX-13435 branch November 10, 2022 23:32