ROX-12238: Add node analysis package

[jvdm]

This PR is built on top of #904 (please filter commits in the diff for a narrowed view of the changes).

Add Analyze() to pkg/analyzer/nodes, including related changes to allow external packages (in particular, Compliance) to consume it. node.Analyze is built on the recently introduced interfaces added to pkg/analyzer, and re-uses clair.DetectContentFromFile().

Other marginal changes:

• Move file size limits to the analyzer package.
• Add metrics for node scanning.

Tests

UTs.

Local validation, here's the code (omitting imports):

func main() {
	components, err := nodes.Analyze("localhost", "/", true)
	if err != nil {
		panic(err)
	}

	s, err := json.MarshalIndent(components, "", "    ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(s))
}

Next steps: E2E.

[ghost]

Images are ready for the commit at 0ab82fb.

To use the images, use the tag 2.25.0-87-g0ab82fb88b.

[c-du]

This PR is built on top of https://github.com/stackrox/scanner/pull/904 (please filter commits in the diff for a narrowed view of the changes).

You can generate the diff by changing the merge into branch from master to 'jvdm/ROX-12238/1/pull' in this case.

[c-du]

I am curious in case of error, why not returning (nil, err)?

[jvdm]

No reason. Happy to change if there is an exact concern on returning an empty struct.

[c-du]

In that case, it is recommended to use nil.

[jvdm]

Could you please share a reference of why this is the recommendation?

I've found https://github.com/golang/go/wiki/CodeReviewComments#declaring-empty-slices but that is for slices, which are treated as empty when nil. Could not find something specific for structs in general.

[c-du]

nit: ... during failed analysis...

[jvdm]

👍

[c-du]

Is 50 too small as error count histogram?

[jvdm]

Same as above.

[c-du]

The errorcount is only for filesIsNotAccessible error? If so, is it good to specify it in the context of the error for the reader of the metrics?

[jvdm]

Not sure if I follow. Are you suggesting we should modify the metric to make it more clear that it is tracking only inaccessible files, or something entirely different?

Notice that on every other error we fail the scan entirely.

[c-du]

The metrics by themselves suggest that it is the error count. Even if we fail the scan, the metrics readers are not in the context of the scan. You could either count all the errors or make it clear with either name or help of the metrics.

[jvdm]

👍 Thanks for clarifying.

[c-du]

Can you explain more the function of Get function?

[jvdm]

The details are explained in the documentation of analyzer.Files. If you have a better way of linking them together let me know.

[jvdm]

This PR is built on top of #904 (please filter commits in the diff for a narrowed view of the changes).

You can generate the diff by changing the merge into branch from master to 'jvdm/ROX-12238/1/pull' in this case.

If I target the PR into jvdm/ROX-12238/1/pull I won't trigger CI checks. Also, once 1/pull is merged, its commit will change (squash or rebased), and the target of this PR becomes obsolete.

[jvdm]

/retest

[openshift-ci]

@jvdm: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-tests	0ab82fb	link	false	/test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[RTann]

if provided they are annotated with certified RHEL dependencies

Not sure I follow

[jvdm]

Language components are not detected by this function, rather they are detected by the analyzers embedded in the matcher. But we pass components here so that the certified RHEL path will annotate the components with package info.

Personally, I would leave that piece out of the detector, arguing that it should be its responsibility to annotate language components. But OK the way it is.

[RTann]

if m == nil, then this will segfault

[jvdm]

+1

[RTann]

Is this also a regular file?

[jvdm]

Yes.

[RTann]

can we add a line

var _ analyzer.Files = (*filesMap)(nil)

See https://github.com/uber-go/guide/blob/master/style.md#verify-interface-compliance

[jvdm]

+1

[RTann]

who calls this?

[jvdm]

Just after clair.DetectFromFiles() (now clair.DetectComponents()), to verify if there was any error when reading files during detection.

[RTann]

nit: than instead of then

[RTann]

how does this happen?

[jvdm]

Between extraction and reading the file might have moved, was deleted, changed permission or something else happened to the underlying filesystem (e.g. failures).

[RTann]

nit: DetectFromFiles

[jvdm]

+1