
Conversation

dcaravel
Contributor

@dcaravel dcaravel commented Aug 20, 2025

Adds a copy of the repository-to-cpe.json file to the root of the diff and offline bundles to address an issue where newer Central instances are not returning repository-to-cpe.json from the bundle's rhelv2/ dir.

Testing

Verified via the PR's CI artifacts that the copy of the file exists in both locations:

$ cd offline-dump/scanner-vuln-updates/scanner-defs 
$ find . -iname "repository-to-cpe*" -exec ls -l {} \;
-rw-r--r--@ 1 dcaravel  staff  1429794 Aug 20 19:49 ./repository-to-cpe.json
-rw-r--r--@ 1 dcaravel  staff  1429794 Aug 20 19:49 ./rhelv2/repository-to-cpe.json

$ cd diff-dumps-inspect
$ find . -iname "repository-to-cpe*" -exec ls -l {} \;
-rw-r--r--@ 1 dcaravel  staff  1429794 Aug 21 01:47 ./repository-to-cpe.json
-rw-r--r--@ 1 dcaravel  staff  1429794 Aug 21 01:47 ./rhelv2/repository-to-cpe.json

Also deployed ACS in offline mode with a remote secured cluster. Uploaded the offline-dump from this PR's CI run (roxctl scanner upload-db ...) and then observed scanner successfully pulling the file.

Also sent requests directly to the Central API to verify the same:

$ curl -ksS -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_ENDPOINT/api/extensions/scannerdefinitions?uuid=5e26731f-a57e-454a-89af-12417096cd75&file=rhelv2/repository-to-cpe.json"

{"data":{"3scale-amp-2-for-rhel-8-ppc64le-debug-rpms":{"cpes"...

For sanity, also uploaded the live offline bundle from roxctl scanner download-db ... and observed errors in scanner logs and when hitting the API directly:

{"Event":"definition not found: https://sensor.stackrox.svc/scanner/definitions?file=rhelv2%2Frepository-to-cpe.json\u0026uuid=5e26731f-a57e-454a-89af-12417096cd75","Level":"warning","Location":"fetcher.go:45","Time":"2025-08-21 19:39:25.733634"}
$ curl -ksS -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_ENDPOINT/api/extensions/scannerdefinitions?uuid=5e26731f-a57e-454a-89af-12417096cd75&file=rhelv2/repository-to-cpe.json" -i

HTTP/2 404 
vary: Accept-Encoding
content-type: text/plain; charset=utf-8
content-length: 28
date: Thu, 21 Aug 2025 19:31:09 GMT

No scanner definitions found

Was unable to test online mode because the URL is hardcoded in Central.
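The manual check in the PR description (two `find` runs plus a visual comparison of file sizes) can be scripted. The following is an added example, not code from the PR or the stackrox project: it assumes only the bundle layout shown in the `find` output above (a `repository-to-cpe.json` at the extracted bundle root and a second one under `rhelv2/`), verifies both copies are present and non-empty, and confirms they are byte-identical rather than merely the same size. The sample bundle it builds is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the PR): check that an extracted scanner-defs
# bundle carries repository-to-cpe.json at the root and under rhelv2/, and
# that the two copies are the same bytes.
#
# Return codes: 0 = both present and identical, 1 = a copy is missing or
# empty, 2 = copies differ.
check_repo2cpe_copies() {
    bundle_dir="$1"
    root_copy="$bundle_dir/repository-to-cpe.json"
    rhelv2_copy="$bundle_dir/rhelv2/repository-to-cpe.json"

    for f in "$root_copy" "$rhelv2_copy"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done

    # Same size is not enough; compare content.
    if ! cmp -s "$root_copy" "$rhelv2_copy"; then
        echo "copies differ: $root_copy vs $rhelv2_copy" >&2
        return 2
    fi

    echo "ok: both copies present and identical ($(wc -c < "$root_copy") bytes)"
    return 0
}

# Constructed sample bundle (hypothetical content) so the check can be run
# without a real offline dump. Mirrors the layout from the PR's find output.
make_sample_bundle() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rhelv2"
    printf '{"data":{"sample-repo-rpms":{"cpes":["cpe:/a:example:sample"]}}}\n' \
        > "$dir/rhelv2/repository-to-cpe.json"
    cp "$dir/rhelv2/repository-to-cpe.json" "$dir/repository-to-cpe.json"
    echo "$dir"
}

# Usage: sh check_repo2cpe.sh /path/to/offline-dump/scanner-vuln-updates/scanner-defs
# With no argument, a constructed sample bundle is checked instead.
bundle="${1:-$(make_sample_bundle)}"
check_repo2cpe_copies "$bundle"
```

Point it at the extracted `scanner-defs` directory (or the `diff-dumps-inspect` tree) from a CI run; a non-zero exit is the signal that a bundle would reproduce the 404 seen in the "live" bundle test below.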

@dcaravel dcaravel added the generate-dumps-on-pr label (Generates the image based on dumps from the PR) and removed the do-not-merge/work-in-progress label Aug 20, 2025
@dcaravel dcaravel marked this pull request as ready for review August 21, 2025 19:51
@dcaravel dcaravel requested a review from a team as a code owner August 21, 2025 19:51
@stackrox stackrox deleted a comment from openshift-ci bot Aug 21, 2025
@dcaravel
Contributor Author

/retest scanner-db-slim-on-push-rd224


openshift-ci bot commented Aug 25, 2025

@dcaravel: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests
/test slim-e2e-tests

Use /test all to run all jobs.

In response to this:

/retest scanner-db-slim-on-push-rd224

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci bot commented Aug 25, 2025

@dcaravel: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name               Commit   Details  Required  Rerun command
ci/prow/slim-e2e-tests  4ee64fd  link     false     /test slim-e2e-tests
ci/prow/e2e-tests       4ee64fd  link     false     /test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@dcaravel
Contributor Author

/retest scanner-db-slim-on-push


openshift-ci bot commented Aug 26, 2025

@dcaravel: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests
/test slim-e2e-tests

Use /test all to run all jobs.

In response to this:

/retest scanner-db-slim-on-push

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Contributor

@jvdm jvdm left a comment


We will start publishing the updated bundles even though image builds are failing (example). We won't have E2E tests for now, but your manual changes as described in the PR covered the fix so I am OK merging this.

@dcaravel dcaravel merged commit b715f77 into master Aug 26, 2025
82 of 92 checks passed
@dcaravel dcaravel deleted the dc/repo2cpe-copy branch August 26, 2025 19:20