
use "github.com/knqyf263/go-apk-version" to sort the versions for advisory validate #696

Merged
merged 1 commit into main from update-validate on Mar 13, 2024

Conversation

cpanato
Member

@cpanato cpanato commented Mar 13, 2024

This changes the version sorting to use the "github.com/knqyf263/go-apk-version" lib.

We have an issue in the advisory validation when a package's revisions are missing r0, r1, for example, and it has only r8, r9, r10 for instance: those were getting sorted wrong, with r10 first.

So we expected 1.0.0-r8, 1.0.0-r9, 1.0.0-r10, for example, and we were getting 1.0.0-r10, 1.0.0-r8, 1.0.0-r9.

Real use case:

Before the fix:

$ wolfictl adv validate -v --skip-alias
time=2024-03-13T14:51:33.590+01:00 level=INFO msg="detected distro" name=Chainguard
time=2024-03-13T14:51:36.924+01:00 level=INFO msg="validating index diff" diffIsZero=true
time=2024-03-13T14:51:36.924+01:00 level=INFO msg="validating fixed versions"
time=2024-03-13T14:51:36.942+01:00 level=INFO msg="skipping validation of alias set completeness, no alias finder provided"
❌ advisory data is not valid.

fixed version validation failure(s):
    kubernetes-csi-external-attacher-fips-4.3:
        CVE-2023-45289:
            event 2 (type: fixed):
                "4.3.0-r10" is the first version of the package listed in the APKINDEX, so it cannot be used as a fixed-version (consider switching type to "false-positive-determination")
        CVE-2023-45290:
            event 2 (type: fixed):
                "4.3.0-r10" is the first version of the package listed in the APKINDEX, so it cannot be used as a fixed-version (consider switching type to "false-positive-determination")
        CVE-2024-24783:
            event 2 (type: fixed):
                "4.3.0-r10" is the first version of the package listed in the APKINDEX, so it cannot be used as a fixed-version (consider switching type to "false-positive-determination")
        CVE-2024-24784:
            event 2 (type: fixed):
                "4.3.0-r10" is the first version of the package listed in the APKINDEX, so it cannot be used as a fixed-version (consider switching type to "false-positive-determination")
        CVE-2024-24785:
            event 2 (type: fixed):
                "4.3.0-r10" is the first version of the package listed in the APKINDEX, so it cannot be used as a fixed-version (consider switching type to "false-positive-determination")

After the fix:

$ wolfictl adv validate -v --skip-alias
time=2024-03-13T14:50:32.346+01:00 level=INFO msg="detected distro" name=Chainguard
time=2024-03-13T14:50:35.546+01:00 level=INFO msg="validating index diff" diffIsZero=true
time=2024-03-13T14:50:35.546+01:00 level=INFO msg="validating fixed versions"
time=2024-03-13T14:50:35.565+01:00 level=INFO msg="skipping validation of alias set completeness, no alias finder provided"
✅ advisory data is valid.
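The mis-ordering described in this PR is what a character-by-character string sort produces: "r10" lands before "r8" because '1' sorts before '8'. The Go snippet below is an added illustration, not wolfictl's code and not the go-apk-version library the PR switches to; it assumes only the plain `X.Y.Z` / `X.Y.Z-rN` shape seen in the validation output (no `_rc`, `_p` or similar suffixes) and rejects anything else, so the comparison stays small enough to read in full.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// parseAPKVersion is a deliberately simplified parser written for this page
// (not the go-apk-version library): it accepts "X.Y.Z" or "X.Y.Z-rN" and
// returns every component, the "-rN" package revision included, as an
// integer, e.g. "1.0.0-r10" -> [1 0 0 10]. Anything else is an error.
func parseAPKVersion(s string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(strings.Replace(s, "-r", ".", 1), ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		out = append(out, n)
	}
	return out, nil
}

// lessAPK compares component by component as numbers, so r10 sorts after r9;
// a plain string sort puts "1.0.0-r10" before "1.0.0-r8" because '1' < '8'.
func lessAPK(a, b []int) bool {
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return len(a) < len(b) // "1.0.0" (no -rN) sorts before "1.0.0-r1"
}

// sortVersions returns the versions oldest-first, the order the fixed-version
// check needs to decide which version is the first one in the APKINDEX.
func sortVersions(in []string) ([]string, error) {
	parsed := make(map[string][]int, len(in))
	for _, s := range in {
		v, err := parseAPKVersion(s)
		if err != nil {
			return nil, err
		}
		parsed[s] = v
	}
	out := append([]string(nil), in...)
	sort.SliceStable(out, func(i, j int) bool { return lessAPK(parsed[out[i]], parsed[out[j]]) })
	return out, nil
}
```

Feeding the constructed list `1.0.0-r10, 1.0.0-r8, 1.0.0-r9` through `sortVersions` yields `1.0.0-r8, 1.0.0-r9, 1.0.0-r10`, while `sort.Strings` on the same input reproduces the wrong order quoted above.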

@cpanato cpanato requested a review from rawlingsj March 13, 2024 13:50
@cpanato cpanato merged commit a9341ec into main Mar 13, 2024
3 checks passed
@cpanato cpanato deleted the update-validate branch March 13, 2024 13:56