8000 TC-1609 Improve package's qualifiers management by mrizzi · Pull Request #86 · trustification/guac · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

TC-1609 Improve package's qualifiers management #86

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 1, 2024
Merged

TC-1609 Improve package's qualifiers management #86

merged 1 commit into from
Jul 1, 2024

Conversation

mrizzi
Copy link
Collaborator
@mrizzi mrizzi commented Jul 1, 2024
edited
Loading

Description of the PR

The issue happens when:

  1. package pkg:maven/io.github.crac/org-crac@0.1.1.redhat-00002?repository_url=https://maven.repository.redhat.com/ga/&type=jar is ingested from Quarkus SBOM
  2. package pkg:maven/io.github.crac/org-crac@0.1.1.redhat-00002?type=jar is ingested from SBOM "B": this ingestion fails with the error 
    ingestBulkHasMetadata failed with error: HasMetadataPkgs - specific version failed with error: input: ingestBulkHasMetadata IngestBulkHasMetadata failed with element #42 {Type:maven Namespace:0xc00120e2c0 Name:org-crac Version:0xc00120e2f0 Qualifiers:[0xc001315f80] Subpath:0xc00120e340} with err: failed to execute IngestHasMetadata :: failed to retrieve subject package version :: ent: package_version not singular

It's due to the fact that, when adding an HasMetadata node, there's a uniqueness check for the package specs to identify a single package. In the scenario described above, both packages pkg:maven/io.github.crac/org-crac@0.1.1.redhat-00002?repository_url=https://maven.repository.redhat.com/ga/&type=jar and pkg:maven/io.github.crac/org-crac@0.1.1.redhat-00002?type=jar have been already ingested and the QualifiersMatch method checks for the provided qualifiers into the DB, i.e. type=jar, hence finding both the packages that satisfy this condition and hence generating the error.

The fix adds a further check that, after having checked all of input package spec qualifiers are available, it also checks the size of the array of the qualifiers to ensure package with a superset of the input qualifiers, e.g. repository_url=https://maven.repository.redhat.com/ga/, aren't considered as a valid matching package.

I've added a further integration test that loads the SBOM "B" for reproducing this issue with a query to check the HasMetadata info is available.

Fixes https://issues.redhat.com/browse/TC-1609

"Bonus fix": the log entry IngestBulkHasMetadata failed with element was erroneously using i instead of index

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

@mrizzi
TC-1609 Improve package's qualifiers management
4c7135b 
Signed-off-by: mrizzi <mrizzi@redhat.com>
@mrizzi mrizzi requested a review from dejanb July 1, 2024 12:02
@dejanb dejanb merged commit f068819 into trustification:trustification-main Jul 1, 2024
1 check passed
@mrizzi mrizzi deleted the TC-1609 branch July 1, 2024 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dejanb dejanb dejanb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mrizzi @dejanb
0