
Squashed all layers #3138

Open · wants to merge 2 commits into base: main

Conversation

@tomersein (Contributor) commented Aug 20, 2024

This PR tries to solve the squash-with-all-layers resolver issue, aligned to the newest version of syft.
Please let me know how to proceed further; I guess the solution here is not perfect, but it does know how to handle deleted packages.

Part of #15

@dbrugman commented

@tomersein - I know very little about the Syft internals, and I'm trying to understand this PR. From the code and comments I understand that the new option will catalog packages from all layers, but then only include packages that are visible in the squashed file-system. How is that different from the regular squashed scope (or, I could probably rephrase this to: what is the difference between 'cataloging' and 'including')?

My main concern is whether this would (eventually) help to fix issue #1818

Many thanks!

@tomersein (Contributor, Author) commented

Hi @dbrugman,
In this PR I am trying to display only packages which exist in the squashed layer and, if they do, to include all of the layers they exist in, so we can track down in which layer they were added.
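A stand-in for the resolver semantics described in this comment (catalog every layer, keep only packages whose files survive in the squashed filesystem, annotate each with the layers it was cataloged in). This is an added example, not the PR's or syft's code; the Package/Layer types, the path-plus-content-digest evidence model and the sample layers are assumptions made here.

```go
package main

import "fmt"

// Package is a cataloged package plus the file it was found in (Path, Digest).
type Package struct {
	Name, Version, Path, Digest string
	Layers                      []string // every layer it was cataloged in (set by the resolver)
}

// Layer is one image layer with the packages cataloged from it in isolation.
type Layer struct{ Digest string; Packages []Package }

// ResolveSquashedAllLayers records every layer each package was cataloged in, then
// keeps only packages whose evidence file survives with the same content in the
// squashed filesystem (path -> digest); deleted (whiteout) or overwritten files drop out.
func ResolveSquashedAllLayers(layers []Layer, squashed map[string]string) []Package {
	type key struct{ Name, Version string }
	byKey, order, visible := map[key]*Package{}, []key{}, map[key]bool{}
	for _, l := range layers {
		for _, p := range l.Packages {
			k := key{p.Name, p.Version}
			if byKey[k] == nil {
				byKey[k], order = &Package{Name: p.Name, Version: p.Version, Path: p.Path, Digest: p.Digest}, append(order, k)
			}
			byKey[k].Layers = append(byKey[k].Layers, l.Digest)
			if d, ok := squashed[p.Path]; ok && d == p.Digest {
				visible[k] = true // the final image really contains this file
			}
		}
	}
	var out []Package
	for _, k := range order {
		if visible[k] {
			out = append(out, *byKey[k])
		}
	}
	return out
}

// sampleLayers is a constructed three-layer image: openssl is upgraded in layer b
// (rewriting the apk db), curl is removed in layer c; the map is the squashed db.
func sampleLayers() ([]Layer, map[string]string) {
	db := "/lib/apk/db/installed"
	return []Layer{
		{"sha256:a", []Package{{Name: "openssl", Version: "1.1.1", Path: db, Digest: "h1"}, {Name: "curl", Version: "7.80", Path: db, Digest: "h1"}}},
		{"sha256:b", []Package{{Name: "openssl", Version: "3.0.0", Path: db, Digest: "h2"}, {Name: "curl", Version: "7.80", Path: db, Digest: "h2"}}},
		{"sha256:c", []Package{{Name: "openssl", Version: "3.0.0", Path: db, Digest: "h3"}}},
	}, map[string]string{db: "h3"}
}

func main() {
	fmt.Println(ResolveSquashedAllLayers(sampleLayers())) // only openssl 3.0.0, layers [sha256:b sha256:c]
}
```

The superseded openssl 1.1.1 and the removed curl are dropped even though they were cataloged, while the surviving openssl 3.0.0 still reports both layers that contained it.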

@dbrugman commented

Got it, thanks @tomersein

@kzantow (Contributor) commented Aug 29, 2024

Hi @tomersein -- thanks for the contribution. I don't think we would want to merge this as-is, though. I wonder if there are any other things we may be able to do in order for you to accomplish what you're hoping to achieve.

So I understand correctly: the use case is to be able to find the layer which introduced a package, right?

@tomersein (Contributor, Author) commented Aug 29, 2024

Yes, correct @kzantow. Let me know what the gaps are so I can push some fixes / improvements.
I want to add some more information following your meeting yesterday:

  • The advantage of this solution is that you need to scan only once. When an end user wants to see vulnerabilities in his container, all-layers can confuse him since some of them don't exist anymore.
  • This solution can help users fix their vulnerabilities by updating the relevant layer the vulnerability started from.

@kzantow - please see my notes after the meeting yesterday
@wagoodman I am available to do some fixes in case needed, just let me know :)

@TimBrown1611 commented

Any update? :) @wagoodman

Labels: none yet · Project status: In Review
5 participants