rhcc: account for labels.json file

TODO(crozzy): Proper commit message.

Signed-off-by: crozzy <[email protected]>

Author: crozzy

pkg/rhctag/version_test.go

@@ -118,6 +118,16 @@ func TestSimple(t *testing.T) {
 				Original: "4-22",
 			},
 		},
+		{
+			Name: "tester",
+			In:   "1742843776",
+			Err:  false,
+			Want: Version{
+				Major:    1742843776,
+				Minor:    0,
+				Original: "1742843776",
+			},
+		},
 	}
 
 	for _, tc := range tt {

rhel/matcher.go

@@ -48,7 +48,7 @@ func (m *Matcher) Query() []driver.MatchConstraint {
 // added "ANY" attributes from the pattern.
 //
 // TODO(crozzy) Remove once RH VEX data updates CPEs with standard matching expressions.
-func isCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
+func IsCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
 	return strings.HasPrefix(recordCPE.String(), strings.TrimRight(vulnCPE.String(), ":*"))
 }
 
@@ -75,7 +75,7 @@ func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord,
 			Msg("unable to unbind repo CPE")
 		return false, nil
 	}
-	if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !isCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+	if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
 		return false, nil
 	}
 

rhel/matcher_test.go

@@ -288,7 +288,7 @@ func TestIsCPEStringSubsetMatch(t *testing.T) {
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
 			tt := tc
-			matched := isCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
+			matched := IsCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
 			if matched != tt.match {
 				t.Errorf("unexpected matching %s and %s", tt.recordCPE, tt.vulnCPE)
 			}

rhel/rhcc/coalescer.go

@@ -15,13 +15,16 @@ func (c *coalescer) Coalesce(ctx context.Context, ls []*indexer.LayerArtifacts)
 	if ctx.Err() != nil {
 		return nil, ctx.Err()
 	}
+
 	ir := &claircore.IndexReport{
 		Environments: map[string][]*claircore.Environment{},
 		Packages:     map[string]*claircore.Package{},
 		Repositories: map[string]*claircore.Repository{},
 	}
 
-	for _, l := range ls {
+	// We need to find the last layer that has rhcc content.
+	for i := len(ls) - 1; i >= 0; i-- {
+		l := ls[i]
 		if len(l.Repos) == 0 {
 			continue
 		}
@@ -43,6 +46,7 @@ func (c *coalescer) Coalesce(ctx context.Context, ls []*indexer.LayerArtifacts)
 				},
 			}
 		}
+		break
 	}
 	return ir, nil
 }

rhel/rhcc/coalescer_test.go

@@ -2,7 +2,6 @@ package rhcc
 
 import (
 	"context"
-	"strconv"
 	"testing"
 
 	"github.com/quay/zlog"
@@ -16,60 +15,84 @@ func TestCoalescer(t *testing.T) {
 	t.Parallel()
 	ctx := zlog.Test(context.Background(), t)
 	coalescer := &coalescer{}
-	pkgs := test.GenUniquePackages(6)
-	for _, p := range pkgs {
-		// Mark them as if they came from this package's package scanner
-		p.RepositoryHint = `rhcc`
-	}
 	repo := []*claircore.Repository{&GoldRepo}
+	repo[0].ID = "1" // Assign it an ID and check it later.
 	layerArtifacts := []*indexer.LayerArtifacts{
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs[:1],
 		},
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs[:2],
 		},
 		{
-			Hash:  test.RandomSHA256Digest(t),
-			Pkgs:  pkgs[:3],
+			Hash: test.RandomSHA256Digest(t),
+			Pkgs: []*claircore.Package{
+				{
+					ID:             "1",
+					Name:           "ubi8",
+					Version:        "8.4",
+					RepositoryHint: "rhcc",
+					Kind:           claircore.BINARY,
+					Arch:           "x86_64",
+					PackageDB:      "Dockerfile-rhacm",
+					Source: &claircore.Package{
+						ID:        "3",
+						Name:      "ubi8-container",
+						Version:   "8.10-1088",
+						Kind:      claircore.SOURCE,
+						Arch:      "x86_64",
+						PackageDB: "Dockerfile-rhacm",
+					},
+				},
+			},
 			Repos: repo,
 		},
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs[:4],
 		},
 		{
-			Hash:  test.RandomSHA256Digest(t),
-			Pkgs:  pkgs[:5],
+			Hash: test.RandomSHA256Digest(t),
+			Pkgs: []*claircore.Package{
+				{
+					ID:             "2",
+					Name:           "rhacm2/acm-grafana-rhel8",
+					Version:        "v2.9.5-8",
+					RepositoryHint: "rhcc",
+					Kind:           claircore.BINARY,
+					Arch:           "x86_64",
+					PackageDB:      "Dockerfile-rhacm",
+					Source: &claircore.Package{
+						ID:        "4",
+						Name:      "acm-grafana-container",
+						Version:   "v2.9.5-8",
+						Kind:      claircore.SOURCE,
+						Arch:      "x86_64",
+						PackageDB: "Dockerfile-rhacm",
+					},
+				},
+			},
 			Repos: repo,
 		},
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs,
 		},
 	}
 	ir, err := coalescer.Coalesce(ctx, layerArtifacts)
 	if err != nil {
 		t.Fatalf("received error from coalesce method: %v", err)
 	}
-	// Expect 0-5 to have gotten associated with the repository.
-	for i := range pkgs {
-		es, ok := ir.Environments[strconv.Itoa(i)]
-		if !ok && i == 5 {
-			// Left out the last package.
-			continue
-		}
-		e := es[0]
-		if len(e.RepositoryIDs) == 0 {
-			t.Error("expected some repositories")
-		}
-		for _, id := range e.RepositoryIDs {
-			r := ir.Repositories[id]
-			if got, want := r.Name, GoldRepo.Name; got != want {
-				t.Errorf("got: %q, want: %q", got, want)
-			}
-		}
+	// Check that index report only has the package found in the last layer
+	// that has rhcc content.
+	if len(ir.Packages) != 1 {
+		t.Errorf("expected 1 package, got %d", len(ir.Packages))
+	}
+	if len(ir.Environments["2"]) != 1 {
+		t.Errorf("expected 1 environment, got %d", len(ir.Environments["2"]))
+	}
+	if len(ir.Environments["2"][0].RepositoryIDs) != 1 {
+		t.Errorf("expected 1 repository, got %d", len(ir.Environments["2"][0].RepositoryIDs))
+	}
+	if ir.Environments["2"][0].RepositoryIDs[0] != "1" {
+		t.Errorf("expected repository ID 1, got %s", ir.Environments["2"][0].RepositoryIDs[0])
 	}
 }

rhel/rhcc/matcher.go

@@ -8,6 +8,8 @@ import (
 
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/rhel"
+	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
 // Matcher is an instance of the rhcc matcher. It's exported so it can be used
@@ -26,16 +28,31 @@ func (*matcher) Name() string { return "rhel-container-matcher" }
 // Filter implements [driver.Matcher].
 func (*matcher) Filter(r *claircore.IndexRecord) bool {
 	return r.Repository != nil &&
-		r.Repository.Name == GoldRepo.Name
+		r.Repository.Key == RepositoryKey
 }
 
 // Query implements [driver.Matcher].
 func (*matcher) Query() []driver.MatchConstraint {
-	return []driver.MatchConstraint{driver.RepositoryName}
+	return []driver.MatchConstraint{driver.RepositoryKey}
 }
 
 // Vulnerable implements [driver.Matcher].
 func (*matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+	var err error
+	if record.Repository.Name != GoldRepo.Name {
+		// This is not a gold repo record, so we need to check if the CPE matches.
+		vuln.Repo.CPE, err = cpe.Unbind(vuln.Repo.Name)
+		if err != nil {
+			zlog.Warn(ctx).
+				Str("vulnerability name", vuln.Name).
+				Err(err).
+				Msg("unable to unbind repo CPE")
+			return false, nil
+		}
+		if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !rhel.IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+			return false, nil
+		}
+	}
 	pkgVer, fixedInVer := rpmVersion.NewVersion(record.Package.Version), rpmVersion.NewVersion(vuln.FixedInVersion)
 	zlog.Debug(ctx).
 		Str("record", record.Package.Version).

rhel/rhcc/rhcc.go

@@ -8,9 +8,12 @@ import (
 	"github.com/quay/claircore"
 )
 
+const RepositoryKey = "rhcc-container-repository"
+
 // GoldRepo is the claircore.Repository that every RHCC index record is associated with.
 // It is also the claircore.Repository that is associated with OCI VEX vulnerabilities.
 var GoldRepo = claircore.Repository{
 	Name: "Red Hat Container Catalog",
 	URI:  `https://catalog.redhat.com/software/containers/explore`,
+	Key:  RepositoryKey,
 }

rhel/rhcc/scanner.go

@@ -19,6 +19,7 @@ import (
 	"github.com/quay/claircore/pkg/rhctag"
 	"github.com/quay/claircore/rhel/dockerfile"
 	"github.com/quay/claircore/rhel/internal/common"
+	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
 var (
@@ -105,7 +106,7 @@ func (s *scanner) Configure(ctx context.Context, f indexer.ConfigDeserializer, c
 func (s *scanner) Name() string { return "rhel_containerscanner" }
 
 // Version implements [indexer.VersionedScanner].
-func (s *scanner) Version() string { return "1" }
+func (s *scanner) Version() string { return "2" }
 
 // Kind implements [indexer.VersionedScanner].
 func (s *scanner) Kind() string { return "package" }
@@ -130,11 +131,19 @@ func (s *scanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircore.Pa
 	}
 
 	// add source package from component label
-	labels, p, err := findLabels(ctx, sys)
+	labels, p, err := findDockerfileLabels(ctx, sys)
 	switch {
 	case errors.Is(err, nil):
 	case errors.Is(err, errNotFound):
-		return nil, nil
+		// try and find the labels from labels.json
+		labels, p, err = findJSONLabels(ctx, sys)
+		switch {
+		case errors.Is(err, nil):
+		case errors.Is(err, errNotFound):
+			return nil, nil
+		default:
+			return nil, err
+		}
 	default:
 		return nil, err
 	}
@@ -219,7 +228,26 @@ type mappingFile struct {
 	Data map[string][]string `json:"data"`
 }
 
-func findLabels(ctx context.Context, sys fs.FS) (map[string]string, string, error) {
+func findJSONLabels(ctx context.Context, sys fs.FS) (map[string]string, string, error) {
+	labels := make(map[string]string)
+	l, err := fs.ReadFile(sys, "root/buildinfo/labels.json")
+	switch {
+	case errors.Is(err, nil):
+	case errors.Is(err, fs.ErrNotExist):
+		zlog.Debug(ctx).
+			Msg("labels.json file doesn't exist")
+		return nil, "", errNotFound
+	default:
+		return nil, "", err
+	}
+	err = json.Unmarshal(l, &labels)
+	if err != nil {
+		return nil, "", err
+	}
+	return labels, "", nil
+}
+
+func findDockerfileLabels(ctx context.Context, sys fs.FS) (map[string]string, string, error) {
 	ms, err := fs.Glob(sys, "root/buildinfo/Dockerfile-*")
 	if err != nil { // Can only return ErrBadPattern.
 		panic("progammer error: " + err.Error())
@@ -278,7 +306,7 @@ var _ indexer.RepositoryScanner = (*reposcanner)(nil)
 func (s *reposcanner) Name() string { return "rhel_containerscanner" }
 
 // Version implements [indexer.VersionedScanner].
-func (s *reposcanner) Version() string { return "1" }
+func (s *reposcanner) Version() string { return "2" }
 
 // Kind implements [indexer.VersionedScanner].
 func (s *reposcanner) Kind() string { return "repository" }
@@ -294,10 +322,33 @@ func (s *reposcanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircor
 	if err != nil { // Can only return ErrBadPattern.
 		panic("progammer error")
 	}
-	if len(ms) == 0 {
+	if len(ms) > 0 {
+		zlog.Debug(ctx).
+			Msg("found buildinfo Dockerfile")
+		return []*claircore.Repository{&GoldRepo}, nil
+	}
+
+	// We didn't get a Dockerfile, so check for labels.json.
+	labels, _, err := findJSONLabels(ctx, sys)
+	switch {
+	case errors.Is(err, nil):
+	case errors.Is(err, errNotFound):
 		return nil, nil
+	default:
+		return nil, err
 	}
-	zlog.Debug(ctx).
-		Msg("found buildinfo Dockerfile")
-	return []*claircore.Repository{&GoldRepo}, nil
+	if c, ok := labels["cpe"]; ok {
+		wfn, err := cpe.Unbind(c)
+		if err != nil {
+			return nil, err
+		}
+		return []*claircore.Repository{
+			{
+				CPE:  wfn,
+				Name: wfn.String(),
+				Key:  RepositoryKey,
+			},
+		}, nil
+	}
+	return []*claircore.Repository{}, nil
 }