
🐛 Retain tag when remediating unpinned docker images. #2595

Merged

Conversation

spencerschrock
Member

Signed-off-by: Spencer Schrock <sschrock@google.com>

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

Tagged and unpinned images are detected, but the remediation suggestion discards the tag, which is problematic for reasons pointed out in #2581.

What is the new behavior (if this is a feature change)?

The Docker remediation code now maintains the tag, based on whatever is in the PinnedAt field of the checker.Dependency struct.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #2581

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Suggested remediations for unpinned Docker images now maintain any tags that were present.

Signed-off-by: Spencer Schrock <sschrock@google.com>
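The behaviour the PR describes, as a stand-alone added example (not scorecard's own code): an unpinned `FROM` reference is rewritten to `name:tag@digest`, keeping the tag, instead of the earlier `name@digest` form that dropped it. Scorecard itself reads the tag from the `PinnedAt` field of `checker.Dependency`; the `ImageRef`, `ParseImageRef`, `PinnedRef`, `RemediateFrom` and `ConstructedDigest` names below are assumptions for this illustration, and the digest value is a constructed placeholder rather than a real image digest.

```go
package main

import (
	"fmt"
	"strings"
)

// ConstructedDigest is a made-up placeholder digest used only for the demo.
const ConstructedDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// ImageRef is a minimal parsed Docker image reference (an assumed type for
// this example, not scorecard's checker.Dependency).
type ImageRef struct {
	Name   string // e.g. "golang" or "registry.example:5000/team/app"
	Tag    string // e.g. "1.19"; empty when the image was untagged
	Digest string // e.g. "sha256:..."; empty when the image is unpinned
}

// ParseImageRef splits "name[:tag][@digest]" into its parts. A colon only
// introduces a tag when it comes after the last slash; a colon before that
// is a registry port and belongs to the name.
func ParseImageRef(ref string) ImageRef {
	var r ImageRef
	rest := ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest = rest[i+1:]
		rest = rest[:i]
	}
	slash := strings.LastIndex(rest, "/")
	if i := strings.LastIndex(rest, ":"); i > slash {
		r.Tag = rest[i+1:]
		rest = rest[:i]
	}
	r.Name = rest
	return r
}

// UnpinnedRemediation is the old, problematic suggestion: the digest replaces
// the tag, so the human-readable version is lost.
func UnpinnedRemediation(r ImageRef, digest string) string {
	return r.Name + "@" + digest
}

// PinnedRef is the corrected suggestion: the tag (when present) is retained
// and the digest is appended after it. A digest, not the tag, is what the
// runtime verifies, so the tag only documents which version the digest is.
func PinnedRef(r ImageRef, digest string) string {
	out := r.Name
	if r.Tag != "" {
		out += ":" + r.Tag
	}
	return out + "@" + digest
}

// RemediateFrom rewrites the image in a Dockerfile FROM line with a pinned
// reference. Build flags such as --platform are skipped, a trailing
// "AS stage" is kept, already-pinned images and "scratch" are left alone.
// The caller is responsible for supplying the digest that matches the tag.
func RemediateFrom(line, digest string) string {
	fields := strings.Fields(line)
	if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
		return line
	}
	for i := 1; i < len(fields); i++ {
		if strings.HasPrefix(fields[i], "--") {
			continue // flag, not the image reference
		}
		ref := ParseImageRef(fields[i])
		if ref.Digest != "" || ref.Name == "scratch" {
			return line // nothing to remediate
		}
		fields[i] = PinnedRef(ref, digest)
		break
	}
	return strings.Join(fields, " ")
}

func main() {
	// Constructed sample Dockerfile lines.
	for _, l := range []string{
		"FROM golang:1.19 AS build",
		"FROM --platform=linux/amd64 registry.example:5000/team/app",
		"FROM scratch",
	} {
		fmt.Printf("%-60s -> %s\n", l, RemediateFrom(l, ConstructedDigest))
	}
}
```

The `registry.example:5000/team/app` line is the edge case worth checking in any tag-retaining remediation: a naive split on the first colon would treat the port as a tag and emit a reference that no longer names the right registry.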

codecov bot commented Jan 11, 2023

Codecov Report

Merging #2595 (a91bbb7) into main (3e4dca5) will increase coverage by 0.19%.
The diff coverage is 82.35%.

@@            Coverage Diff             @@
##             main    #2595      +/-   ##
==========================================
+ Coverage   40.20%   40.40%   +0.19%     
==========================================
  Files         122      122              
  Lines        9896     9908      +12     
==========================================
+ Hits         3979     4003      +24     
+ Misses       5636     5624      -12     
  Partials      281      281              

naveensrinivasan (Member) left a comment

Thanks

github-actions bot commented

Integration tests success for a91bbb7 (https://github.com/ossf/scorecard/actions/runs/3896306653)

@spencerschrock spencerschrock merged commit 47be523 into ossf:main Jan 11, 2023
@spencerschrock spencerschrock deleted the feat/tagged-docker-remediation branch January 11, 2023 20:59
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
Signed-off-by: Spencer Schrock <sschrock@google.com>
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Apr 4, 2023
Signed-off-by: Spencer Schrock <sschrock@google.com>
Successfully merging this pull request may close these issues.

Remediation for pinning Docker image by hash should include version number too.