Tag advisory URLs for v6 references (#491)

* tag advisory URLs Signed-off-by: Alex Goodman <[email protected]> * bust cache Signed-off-by: Alex Goodman <[email protected]> * use go cache from install action Signed-off-by: Alex Goodman <[email protected]> * rework poetry install Signed-off-by: Alex Goodman <[email protected]> * ensure no side effects on cli env vars Signed-off-by: Alex Goodman <[email protected]> --------- Signed-off-by: Alex Goodman <[email protected]>
anchore · Feb 11, 2025 · d0fd9f7 · d0fd9f7
1 parent 4afd519
commit d0fd9f7
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 64 deletions.
diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
@@ -32,11 +32,11 @@ inputs:
   cache-key-prefix:
     description: "Prefix all cache keys with this value"
     required: true
-    default: "831180ac26"
+    default: "311808ac26"
   build-cache-key-prefix:
     description: "Prefix build cache key with this value"
     required: true
-    default: "f8b6d31deb"
+    default: "6d31debf8b"
   tools:
     description: "whether to install tools"
     default: "true"
@@ -57,28 +57,25 @@ runs:
       with:
         python-version: ${{ inputs.python-version }}
 
-    - name: Install poetry
+    - name: Install Poetry
       if: inputs.python == 'true'
-      uses: abatilo/actions-poetry@3765cf608f2d4a72178a9fc5b918668e542b89b1 # v4.0.0
-      with:
-        poetry-version: ${{ inputs.poetry-version }}
+      shell: bash
+      run: |
+        pipx install poetry==${{ inputs.poetry-version }}
 
-    - name: Cache Poetry virtualenv
-      uses: actions/[email protected]
-      if: inputs.python == 'true' && inputs.use-poetry-cache == 'true'
-      id: cache
+    - name: Cache Poetry cache
+      uses: actions/cache@v4
+      if: inputs.python == 'true'
       with:
-        path: ~/.virtualenvs
-        key: ${{ inputs.cache-key-prefix }}-${{ hashFiles('poetry.lock') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-
+        path: ~/.cache/pypoetry
+        key: poetry-cache-${{ runner.os }}-${{ inputs.python-version }}-${{ inputs.poetry-version }}
 
-    - name: Setup Poetry config
+    - name: Cache Packages
+      uses: actions/cache@v4
       if: inputs.python == 'true'
-      shell: bash
-      run: |
-        poetry config virtualenvs.in-project false
-        poetry config virtualenvs.path ~/.virtualenvs
+      with:
+        path: ~/.local
+        key: poetry-local-${{ runner.os }}-${{ inputs.python-version }}-${{ hashFiles('**/poetry.lock') }}-${{ hashFiles('.github/workflows/*.yml') }}
 
     - name: Bootstrap python dependencies
       if: inputs.python == 'true'
@@ -93,35 +90,11 @@ runs:
         path: ${{ github.workspace }}/.tool
         key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
 
-    # note: we need to keep restoring the go mod cache before bootstrapping tools since `go install` is used in
-    # some installations of project tools.
-    - name: Restore go module cache
-      id: go-mod-cache
-      if: inputs.go == 'true' && inputs.use-go-cache == 'true'
-      uses: actions/[email protected]
-      with:
-        path: |
-          ~/go/pkg/mod
-        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-go-module-${{ inputs.go-version }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-${{ runner.os }}-go-module-${{ inputs.go-version }}-
-
     - name: (cache-miss) Bootstrap project tools
       shell: bash
       if: steps.tool-cache.outputs.cache-hit != 'true' && inputs.tools == 'true'
       run: make bootstrap-tools
 
-    - name: Restore go build cache
-      id: go-cache
-      if: inputs.go == 'true' && inputs.use-go-cache == 'true'
-      uses: actions/[email protected]
-      with:
-        path: |
-          ~/.cache/go-build
-        key: ${{ inputs.cache-key-prefix }}-${{ inputs.build-cache-key-prefix }}-${{ runner.os }}-go-build-${{ inputs.go-version }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-${{ inputs.build-cache-key-prefix }}-${{ runner.os }}-go-build-${{ inputs.go-version }}-
-
     - name: (cache-miss) Bootstrap go dependencies
       shell: bash
       if: inputs.go == 'true' && steps.go-mod-cache.outputs.cache-hit != 'true' && inputs.use-go-cache == 'true'

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.5.3
 	github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
-	github.com/anchore/grype v0.87.1-0.20250123191514-78db49c789cb
+	github.com/anchore/grype v0.87.1-0.20250211002517-d34edf67c1db
 	github.com/anchore/syft v1.19.0
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/dave/jennifer v1.7.1
@@ -92,7 +92,7 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/lipgloss v1.0.0 // indirect
-	github.com/charmbracelet/x/ansi v0.4.5 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
 	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
@@ -247,7 +247,7 @@ require (
 	golang.org/x/oauth2 v0.25.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/term v0.28.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	golang.org/x/tools v0.29.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.215.0 // indirect

diff --git a/go.sum b/go.sum
@@ -698,8 +698,8 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.87.1-0.20250123191514-78db49c789cb h1:UPbQ5RwyFDbvCOjKjGYQy8PKB8kAZvnieH+qwSa8kvU=
-github.com/anchore/grype v0.87.1-0.20250123191514-78db49c789cb/go.mod h1:Od/OyAuPymfIn4zGzzkcxOvUumY9Ks27pMz5mlYdANM=
+github.com/anchore/grype v0.87.1-0.20250211002517-d34edf67c1db h1:uCOfKvxohajCSfS0dzlV3MkKRL6Gsg63KSauCXeUZbo=
+github.com/anchore/grype v0.87.1-0.20250211002517-d34edf67c1db/go.mod h1:yMGJFQbyqLXKsAW1MECUmce417HgwESVJ+2gVkQ8GTg=
 github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10 h1:zBedM9ZGYbs/61QC4ZOKxtChx5njXKHgHqDeHuUxrTw=
 github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
 github.com/anchore/stereoscope v0.0.13 h1:9Ivkh7k+vOeG3JHrt44jOg/8UdZrCvMsSjLQ7trHBig=
@@ -768,12 +768,12 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
 github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
-github.com/charmbracelet/bubbletea v1.2.4 h1:KN8aCViA0eps9SCOThb2/XPIlea3ANJLUkv3KnQRNCE=
-github.com/charmbracelet/bubbletea v1.2.4/go.mod h1:Qr6fVQw+wX7JkWWkVyXYk/ZUQ92a6XNekLXa3rR18MM=
+github.com/charmbracelet/bubbletea v1.3.0 h1:fPMyirm0u3Fou+flch7hlJN9krlnVURrkUVDwqXjoAc=
+github.com/charmbracelet/bubbletea v1.3.0/go.mod h1:eTaHfqbIwvBhFQM/nlT1NsGc4kp8jhF8LfUK67XiTDM=
 github.com/charmbracelet/lipgloss v1.0.0 h1:O7VkGDvqEdGi93X+DeqsQ7PKHDgtQfF8j8/O2qFMQNg=
 github.com/charmbracelet/lipgloss v1.0.0/go.mod h1:U5fy9Z+C38obMs+T+tJqst9VGzlOYGj4ri9reL3qUlo=
-github.com/charmbracelet/x/ansi v0.4.5 h1:LqK4vwBNaXw2AyGIICa5/29Sbdq58GbGdFngSexTdRM=
-github.com/charmbracelet/x/ansi v0.4.5/go.mod h1:dk73KoMTT5AX5BsX0KrqhsTqAnhZZoCBjs7dGWp4Ktw=
+github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
+github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
@@ -1930,8 +1930,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
+golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

diff --git a/manager/tests/cli/test_legacy_workflows.py b/manager/tests/cli/test_legacy_workflows.py
@@ -99,6 +99,8 @@ def test_workflow_3(cli_env, command, logger, tmp_path, grype):
     bin_dir = tmp_path / "bin"
     bin_dir.mkdir(parents=True, exist_ok=True)
 
+    # deep copy cli_env to avoid modifying the original
+    cli_env = cli_env.copy()
     cli_env.update(
         {
             "AWS_ACCESS_KEY_ID": "test",
@@ -162,6 +164,8 @@ def test_workflow_4(cli_env, command, logger, tmp_path, grype):
     bin_dir.mkdir(parents=True, exist_ok=True)
 
     schema_version = "5"
+    # deep copy cli_env to avoid modifying the original
+    cli_env = cli_env.copy()
     cli_env.update(
         {
             "AWS_ACCESS_KEY_ID": "test",

diff --git a/manager/tests/cli/test_workflows.py b/manager/tests/cli/test_workflows.py
@@ -15,6 +15,8 @@ def test_workflow_1(cli_env, command, logger, tmp_path, grype):
     bin_dir = tmp_path / "bin"
     bin_dir.mkdir(parents=True, exist_ok=True)
     schema_version = "6"
+    # deep copy cli_env to avoid modifying the original
+    cli_env = cli_env.copy()
     cli_env.update(
         {
             "AWS_ACCESS_KEY_ID": "test",
@@ -100,11 +102,12 @@ def test_workflow_2(cli_env, command, logger):
     cli_env["GOWORK"] = "off"
 
     # note: we add --force to ensure we're checking validations (even if it's disabled for the schema)
-    stdout, _ = command.run(
+    stdout, stderr = command.run(
         f"grype-db-manager -vv db validate {db_id} --skip-namespace-check --force --recapture",
         env=cli_env,
         expect_fail=True,
     )
+
     assert "current indeterminate matches % is greater than 10%" in stdout
 
     ## case 2: fail DB validation (missing providers) ###

diff --git a/pkg/process/v6/transformers/os/transform.go b/pkg/process/v6/transformers/os/transform.go
@@ -111,7 +111,8 @@ func getFix(fixedInEntry unmarshal.OSFixedIn) *grypeDB.Fix {
 	var refs []grypeDB.Reference
 	for _, l := range linkOrder {
 		refs = append(refs, grypeDB.Reference{
-			URL: l,
+			URL:  l,
+			Tags: []string{grypeDB.AdvisoryReferenceTag},
 		})
 	}
 

diff --git a/pkg/process/v6/transformers/os/transform_test.go b/pkg/process/v6/transformers/os/transform_test.go
@@ -925,7 +925,8 @@ func TestTransform(t *testing.T) {
 											Detail: &grypeDB.FixDetail{
 												References: []grypeDB.Reference{
 													{
-														URL: "https://access.redhat.com/errata/RHSA-2020:1341",
+														URL:  "https://access.redhat.com/errata/RHSA-2020:1341",
+														Tags: []string{grypeDB.AdvisoryReferenceTag},
 													},
 												},
 											},
@@ -950,7 +951,8 @@ func TestTransform(t *testing.T) {
 											Detail: &grypeDB.FixDetail{
 												References: []grypeDB.Reference{
 													{
-														URL: "https://access.redhat.com/errata/RHSA-2020:1495",
+														URL:  "https://access.redhat.com/errata/RHSA-2020:1495",
+														Tags: []string{grypeDB.AdvisoryReferenceTag},
 													},
 												},
 											},
@@ -1019,8 +1021,8 @@ func TestTransform(t *testing.T) {
 											Detail: &grypeDB.FixDetail{
 												References: []grypeDB.Reference{
 													{
-
-														URL: "https://access.redhat.com/errata/RHSA-2020:3669",
+														URL:  "https://access.redhat.com/errata/RHSA-2020:3669",
+														Tags: []string{grypeDB.AdvisoryReferenceTag},
 													},
 												},
 											},
@@ -1048,8 +1050,8 @@ func TestTransform(t *testing.T) {
 											Detail: &grypeDB.FixDetail{
 												References: []grypeDB.Reference{
 													{
-
-														URL: "https://access.redhat.com/errata/RHSA-2020:5620",
+														URL:  "https://access.redhat.com/errata/RHSA-2020:5620",
+														Tags: []string{grypeDB.AdvisoryReferenceTag},
 													},
 												},
 											},
@@ -1077,8 +1079,8 @@ func TestTransform(t *testing.T) {
 											Detail: &grypeDB.FixDetail{
 												References: []grypeDB.Reference{
 													{
-
-														URL: "https://access.redhat.com/errata/RHSA-2020:5619",
+														URL:  "https://access.redhat.com/errata/RHSA-2020:5619",
+														Tags: []string{grypeDB.AdvisoryReferenceTag},
 													},
 												},
 											},