feat(output): display base image info on HTML output #1499
hogo6002 wants to merge 22 commits into google:base-image-queries from
| packageFixedVersion := calculatePackageFixedVersion(vulnPkg.Package.Ecosystem, regularVulnList) | ||
| binaryNames := []string{vulnPkg.Package.OSPackageName} |
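Review bot: `binaryNames := []string{vulnPkg.Package.OSPackageName}` on the last line builds a one-element slice from a field that, going by its name, is only populated for OS packages; if OSPackageName can be empty for other ecosystems this yields a slice holding a single empty string that then shows up in the output. Guard on an empty OSPackageName, or pass the literal inline where it is consumed as the comment above suggests, so the empty case is handled at the one place it matters.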
This can probably just be placed inline
| var sourceResult SourceResult | ||
| packages := make([]PackageResult, 0) | ||
| packageSet := make(map[string]struct{}) | ||
| packageMap := make(map[string]PackageResult) |
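Review bot: packageSet and packageMap are both keyed by string, and the map already answers the membership question via `_, ok := packageMap[key]`, so the set looks redundant; dropping it also removes one place where the two can drift apart. `var sourceResult SourceResult` is declared here but not used in the visible lines; declaring it at first use would make the function's flow easier to follow.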
Can you add some descriptions/comments to this function to explain what this is doing? It's not clear to me why we need a packageMap.
yep, added. This map is used to deduplicate same packages with the same source name but different OSPackageName
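The grouping the reply describes, as an added example that is not part of the pull request or the osv-scanner code base: rows from several advisories that share a source package are collapsed into one output row, with the distinct binary (OS package) names collected under it. The `vulnPackage` and `PackageResult` types, the `groupBySource` helper and the sample input are all constructed here for illustration; the real types in the PR have more fields. A single map keyed by source name serves both as the "seen" check and as the accumulator, and a separate order slice keeps the output deterministic.

```go
package main

import (
	"fmt"
	"sort"
)

// vulnPackage is a hypothetical stand-in (not the project's type) for one
// (vulnerability, installed package) pair as the scanner reports it.
type vulnPackage struct {
	SourceName    string // source package the binary was built from ("" if unknown)
	OSPackageName string // binary package that is actually installed
	VulnID        string
}

// PackageResult is a hypothetical, reduced version of an output row: one row
// per source package, listing every distinct binary name that maps to it.
type PackageResult struct {
	Name        string
	BinaryNames []string
	VulnIDs     []string
}

// groupBySource collapses entries that share a source name into a single
// PackageResult. One map keyed by source name does both jobs: the presence
// check (so no separate set is needed) and the accumulation. Rows come out
// in first-seen order so the output is deterministic.
func groupBySource(pkgs []vulnPackage) []PackageResult {
	order := make([]string, 0, len(pkgs))
	bySource := make(map[string]*PackageResult)

	for _, p := range pkgs {
		key := p.SourceName
		if key == "" {
			// No source information: the binary stands for itself.
			key = p.OSPackageName
		}
		r, ok := bySource[key]
		if !ok {
			r = &PackageResult{Name: key}
			bySource[key] = r
			order = append(order, key)
		}
		r.BinaryNames = appendUnique(r.BinaryNames, p.OSPackageName)
		r.VulnIDs = appendUnique(r.VulnIDs, p.VulnID)
	}

	out := make([]PackageResult, 0, len(order))
	for _, k := range order {
		r := bySource[k]
		sort.Strings(r.BinaryNames)
		sort.Strings(r.VulnIDs)
		out = append(out, *r)
	}
	return out
}

// appendUnique appends s to list unless it is already present.
func appendUnique(list []string, s string) []string {
	for _, have := range list {
		if have == s {
			return list
		}
	}
	return append(list, s)
}

// sampleVulnPackages is constructed input with placeholder advisory IDs:
// two openssl binaries hit by the same advisory, the libssl3 row repeated
// for a second advisory, and one package without source metadata.
func sampleVulnPackages() []vulnPackage {
	return []vulnPackage{
		{SourceName: "openssl", OSPackageName: "libssl3", VulnID: "EXAMPLE-2024-0001"},
		{SourceName: "openssl", OSPackageName: "openssl", VulnID: "EXAMPLE-2024-0001"},
		{SourceName: "openssl", OSPackageName: "libssl3", VulnID: "EXAMPLE-2024-0002"},
		{SourceName: "", OSPackageName: "busybox", VulnID: "EXAMPLE-2024-0003"},
	}
}

func main() {
	for _, r := range groupBySource(sampleVulnPackages()) {
		fmt.Printf("%-8s binaries=%v vulns=%v\n", r.Name, r.BinaryNames, r.VulnIDs)
	}
}
```

Running it prints one row for openssl (binaries libssl3 and openssl, two advisories) and one for busybox; the repeated libssl3 entry is absorbed rather than producing a duplicate binary name, which is the deduplication the reply refers to.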
| // Build the final result | ||
| return buildResult(ecosystemMap, resultCount) | ||
| outputResult := populateResult(ecosystemMap, resultCount, vulnResult.ImageMetadata) |
nit: can just be one line.
| // This filtering should be handled by the container scanning process. | ||
| // TODO(gongh@): Revisit this once container scanning can distinguish these cases. | ||
| if strings.HasPrefix(packageSource.Source.Path, "usr/lib/") { | ||
| if strings.HasPrefix(packageSource.Source.Path, "usr/") { |
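Review bot: widening the prefix from `usr/lib/` to `usr/` makes this filter drop every package whose source path is anywhere under usr/ (usr/bin, usr/share, usr/local included), and nothing in the hunk records what was discarded. Since the TODO says the filter is only a stopgap for the container scanner, a package removed here simply vanishes from the report; at minimum count or log the filtered entries so a silent gap in findings is visible, and prefer the annotation check suggested above over a path prefix. The comparison also assumes paths with no leading slash, so it depends on the extractor's normalisation staying as it is.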
We can update this to check the annotation instead now.
| // buildResult builds the final Result object from the ecosystem map and total vulnerability count. | ||
| func buildResult(ecosystemMap map[string][]SourceResult, resultCount VulnCount) Result { | ||
| // populateResult builds the final Result object from the ecosystem map and total vulnerability count. | ||
| func populateResult(ecosystemMap map[string][]SourceResult, resultCount VulnCount, imageMetadata *models.ImageMetadata) Result { |
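Review bot: the new parameter is `*models.ImageMetadata`, while populateImageMetadata in the same PR takes `models.ImageMetadata` by value, so the pointer is dereferenced somewhere between the two; for a scan that is not a container scan this field will presumably be nil, and the hunk shows no nil guard. Either check for nil before dereferencing or give both functions the same parameter type so the call site cannot panic on a non-image scan.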
nit: why is this renamed to populateResult? It looks like the result is what is being returned, so I think buildResult is still more appropriate.
| // populateImageMetadata modifies the result by adding image metadata to it. | ||
| // It uses a pointer receiver (*Result) to modify the original result in place. | ||
| func populateImageMetadata(result *Result, imageMetadata models.ImageMetadata) { |
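Review bot: the doc comment says the function "uses a pointer receiver (*Result)", but this is a plain function with a pointer parameter, not a method on Result; either reword to "takes a pointer to Result and modifies it in place" or make it a method (`func (r *Result) populateImageMetadata(...)`) so the comment is accurate. The `imageMetadata models.ImageMetadata` value parameter also differs from the `*models.ImageMetadata` that populateResult takes; aligning the two avoids the copy and the implicit dereference at the call site.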
nit: populateResultWithImageMetadata.
| } | ||
| func getAllBaseImages(baseImages [][]models.BaseImageDetails) []BaseImageGroupInfo { |
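Review bot: getAllBaseImages has no doc comment, unlike populateImageMetadata above, and its `[][]models.BaseImageDetails` parameter needs one: state what the outer and inner index stand for and whether an empty inner slice is expected, since callers will index the returned []BaseImageGroupInfo by position.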
nit: can these functions be named something like build?
| allLayers := getAllLayers(imageMetadata.LayerMetadata) | ||
| allBaseImages := getAllBaseImages(imageMetadata.BaseImages) | ||
| layerCount := make(map[int]VulnCount) |
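Review bot: if layerCount becomes a slice rather than a map, size it from len(allLayers) computed on the first line of the hunk and bound-check the layer index before writing; the map accepted any key, but a slice write with an index the image metadata never declared panics, and a malformed or unusual image is exactly the input that would produce one.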
Two suggestions here:
- Use an array instead of a map, as there should be no gaps between the layers.
- Set the VulnCount type to *VulnCount.
This way you don't need to do the whole save to a variable, call .Add, then reassign on lines 255+, you can just call Add directly.
Actually I'm not sure 2 is even necessary, you might be able to do that directly, needs some testing.
changed to use array. I can just modify the array element.
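The map-versus-slice point from this exchange, as an added example that is not code from the pull request or from osv-scanner: the `VulnCount` type, its `Add` method, the `layerFinding` record and the sample findings are all constructed here to show why the reviewer's suggestion works. Go map values are not addressable, so `counts[i].Add(c)` does not compile on a `map[int]VulnCount` and every update has to copy the struct out and back in; slice elements are addressable, so the same call works in place. The slice version also sizes itself from the layer count and reports an out-of-range layer index as an error instead of panicking.

```go
package main

import "fmt"

// VulnCount is a hypothetical stand-in (not the project's type) for the
// per-severity tally that the output code accumulates.
type VulnCount struct {
	Critical, High, Medium, Low int
}

// Add accumulates other into v. It needs a pointer receiver, which is the
// crux of the map-versus-slice question.
func (v *VulnCount) Add(other VulnCount) {
	v.Critical += other.Critical
	v.High += other.High
	v.Medium += other.Medium
	v.Low += other.Low
}

// Total returns the number of findings across all severities.
func (v VulnCount) Total() int {
	return v.Critical + v.High + v.Medium + v.Low
}

// layerFinding is a constructed (layer index, count) pair; in the real
// scanner the index would come from the package's layer metadata.
type layerFinding struct {
	LayerIndex int
	Count      VulnCount
}

// countByLayerMap is the read-modify-write shape the review comment wants to
// avoid: map values are not addressable, so `counts[i].Add(c)` does not
// compile and each update copies the struct out and back in.
func countByLayerMap(findings []layerFinding) map[int]VulnCount {
	counts := make(map[int]VulnCount)
	for _, f := range findings {
		c := counts[f.LayerIndex]
		c.Add(f.Count)
		counts[f.LayerIndex] = c
	}
	return counts
}

// countByLayerSlice uses a slice sized from the layer count. Slice elements
// are addressable, so Add works on them in place. The map silently accepted
// any index; a slice panics on an index it was not sized for, so the bound
// is checked and reported as a data error instead.
func countByLayerSlice(numLayers int, findings []layerFinding) ([]VulnCount, error) {
	counts := make([]VulnCount, numLayers)
	for _, f := range findings {
		if f.LayerIndex < 0 || f.LayerIndex >= numLayers {
			return nil, fmt.Errorf("finding references layer %d, image has %d layers", f.LayerIndex, numLayers)
		}
		counts[f.LayerIndex].Add(f.Count)
	}
	return counts, nil
}

// sampleFindings is constructed input: two findings in layer 0, one in
// layer 2, nothing in layer 1.
func sampleFindings() []layerFinding {
	return []layerFinding{
		{LayerIndex: 0, Count: VulnCount{Critical: 1}},
		{LayerIndex: 2, Count: VulnCount{High: 2}},
		{LayerIndex: 0, Count: VulnCount{Low: 3}},
	}
}

func main() {
	counts, err := countByLayerSlice(3, sampleFindings())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, c := range counts {
		fmt.Printf("layer %d: %d findings (%+v)\n", i, c.Total(), c)
	}
	// An index the metadata never declared is surfaced, not swallowed.
	if _, err := countByLayerSlice(2, sampleFindings()); err != nil {
		fmt.Println("error:", err)
	}
}
```

Both functions produce the same totals for well-formed input (layer 0 has four findings, layer 1 none, layer 2 two); the difference is that the slice version makes the "no gaps between layers" assumption explicit and fails loudly when a finding points at a layer the image does not have.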
| } | ||
| } | ||
| baseImageMap := make(map[int][]LayerInfo) |
Same here, use an array instead of a map.
This PR fully removes the image package in osv-scanner, and switches to use osv-scalibr to perform image scanning. Also includes:
- Implementing base image identification, along with the baseimagematcher interface and implementation
- Some temporary placeholder values in output_result.go to allow it to compile. This is resolved in #1499
- Adds image metadata types to show image metadata in the output.
- Minor refactors in osvscanner.go
- determineReturnErr is an extracted function for the very end of DoScan
- Move container scanning support out of DoScan, and into its own DoContainerScan function
- Move the helper methods that help pull docker images into its own package
- Support checking if docker image exists locally.
- Support local paths with the docker flag.
---------
Co-authored-by: Holly Gong <39108850+hogo6002@users.noreply.github.com>
Co-authored-by: Holly Gong <gongh@google.com>

comments will be resolved in #1513
Resolves #1410
Adding detailed base image and layer data for HTML output: https://hogo6002.github.io/mvp/
TODO:
Follow-up PR: