fix empty licenses for dpkg if package dir is symlink (filesystem sca… #8424

Open
wants to merge 1 commit into
base: main
Conversation

@albe19029 (Author)

Currently trivy doesn't support symlinks, as they can create loops, and that is why filepath.WalkDir skips them.

When we skip symlinked directories in /usr/share/doc, packages with the same directory name don't have licenses.

It is hard to sync symlinks if they are located on different layers, but for a local filesystem we have only one layer, so we don't need to sync anything. In case we know the exact path of the license file (and for dpkg packages we do) and we have access to the filesystem, we can resolve these symlinks by just reading the file. As we read it by full path, and there is no iteration over directories, it is safe.

So in this fix we produce a dpkg analyzer with access to the local filesystem to read files from there. The same file-read approach can be used with other analyzers.

After this change, if we run a trivy filesystem scan, all dpkg packages which have a symlinked directory will be resolved.

Image scan will work as before, as it is impossible to fix it for now:

  • a symlink can be on layer1 and the real dir on layer0, so layer1 has no access to data on layer0.
  • if the original file in the symlinked directory is changed, this also must be synced with the symlink content.

All this requires a lot of changes in the cache.
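The mechanism the description relies on, as an added example that is not the PR's own code and not trivy's analyzer: filepath.WalkDir never descends into a symlinked directory, but os.ReadFile on the full dpkg path /usr/share/doc/<pkg>/copyright follows the link without any directory iteration. The fixture tree (libfoo1, libfoo-dev, loop, escape), the package names and the two guards in ReadCopyright are constructed for this example, not taken from the PR: the root-containment check is added because an absolute symlink inside a scanned rootfs would otherwise read a file from the host, and symlink loops are surfaced as the error that filepath.EvalSymlinks returns.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// CopyrightPath follows the dpkg convention that a package's license text lives at
// /usr/share/doc/<pkg>/copyright, so it can be read by full path without a walk.
func CopyrightPath(root, pkg string) string {
	return filepath.Join(root, "usr", "share", "doc", pkg, "copyright")
}

// ReadCopyright reads the copyright file directly by path. Reading by path follows a
// symlinked doc directory that WalkDir would skip. Two guards are assumptions added
// here (not from the PR): the resolved file must stay under root, and symlink loops
// (EvalSymlinks fails on them) are reported instead of retried.
func ReadCopyright(root, pkg string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(CopyrightPath(root, pkg))
	if err != nil {
		return "", fmt.Errorf("resolve copyright for %s: %w", pkg, err)
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("copyright for %s resolves outside scan root: %s", pkg, resolved)
	}
	data, err := os.ReadFile(resolved)
	if err != nil {
		return "", err
	}
	return string(data), nil
}

// WalkedCopyrights mirrors the walk-based behaviour: WalkDir reports a symlinked doc
// directory as a symlink entry and does not descend, so only packages whose doc dir is
// a real directory end up in the returned set.
func WalkedCopyrights(root string) (map[string]bool, error) {
	found := map[string]bool{}
	docRoot := filepath.Join(root, "usr", "share", "doc")
	err := filepath.WalkDir(docRoot, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type().IsRegular() && d.Name() == "copyright" {
			found[filepath.Base(filepath.Dir(p))] = true
		}
		return nil
	})
	return found, err
}

// BuildFixture creates constructed test data under dir and returns the scan root:
//   usr/share/doc/libfoo1/copyright       real directory with a license
//   usr/share/doc/libfoo-dev -> libfoo1   symlinked doc dir (the case the PR fixes)
//   usr/share/doc/loop -> loop            symlink loop
//   usr/share/doc/escape -> <abs outside> absolute symlink leaving the root
func BuildFixture(dir string) (string, error) {
	root := filepath.Join(dir, "root")
	doc := filepath.Join(root, "usr", "share", "doc")
	outside := filepath.Join(dir, "outside")
	for _, d := range []string{filepath.Join(doc, "libfoo1"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	files := map[string]string{
		filepath.Join(doc, "libfoo1", "copyright"): "License: MIT\n",
		filepath.Join(outside, "copyright"):        "not part of the scanned tree\n",
	}
	for p, body := range files {
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	links := map[string]string{
		filepath.Join(doc, "libfoo-dev"): "libfoo1",
		filepath.Join(doc, "loop"):       "loop",
		filepath.Join(doc, "escape"):     outside,
	}
	for link, target := range links {
		if err := os.Symlink(target, link); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	dir, err := os.MkdirTemp("", "dpkg-doc")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	root, err := BuildFixture(dir)
	if err != nil {
		panic(err)
	}
	walked, _ := WalkedCopyrights(root)
	fmt.Println("walk found:", walked) // libfoo1 only; libfoo-dev is skipped
	for _, pkg := range []string{"libfoo1", "libfoo-dev", "loop", "escape"} {
		txt, err := ReadCopyright(root, pkg)
		fmt.Printf("%-10s %q err=%v\n", pkg, strings.TrimSpace(txt), err)
	}
}
```

Running it shows the walk finding only libfoo1 while ReadCopyright returns the same MIT text for libfoo-dev, an error for the loop, and a rejection for the absolute link that points outside the root. In a container-image scan the same direct read cannot work across layers, for the reasons the description gives: the link and its target may live in different layer tarballs, and a later change to the target would not be reflected in a cached result.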

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


aliaksei.belavus seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@DmitriyLewen (Contributor) left a comment

Hello @albe19029
I'm focused on other tasks right now. I'll take a look later.

Can you add tests in the meantime to see if your logic works?

@albe19029 (Author)

Well, for now I have one idea how to fix both filesystem and image scan for copyright.
After prototyping I will create one more PR and we will decide which is better.
Is it ok?
