Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] (fix) scan compare between diff registry account #1851

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[WIP] (fix) scan compare between diff registry account #1851

wants to merge 2 commits into from

Conversation

ibreakthecloud
Copy link
Member

There was a problem comparing scan. Even if the scan results were same, the diff would show the result.
Problem was same image from different registry will result in different neo4j Secret, Malware, etc.

Change the way we match, for example instead of matching scan{basescan} -> secret and comparing with scan{compare_to_scan} -> secret, now we are taking secretrule (in case of secret) into account, i.e.

matching scan{basescan} -> secret -> secretrule and comparing with scan{compare_to_scan} -> secret -> secretrule
Since the rule is going to be same.

@noboruma
Copy link
Collaborator

Using the Rule is not the right solution, Rules are too generic and we cannot rely on them for comparison. For instance, a rule that matches all .passwd files, it makes no sense to say having a /etc/nginx/.passwd is the same as /etc/systemd/.passwd

If we want to support comparison between images across different registries, we need to change the secret node_id to account for that so the Secret/... nodes can be shared across scans.

This is something we changed recently actually - @ibreakthecloud is that a recent issue?

@ibreakthecloud
Copy link
Member Author

Using the Rule is not the right solution, Rules are too generic and we cannot rely on them for comparison. For instance, a rule that matches all .passwd files, it makes no sense to say having a /etc/nginx/.passwd is the same as /etc/systemd/.passwd

If we want to support comparison between images across different registries, we need to change the secret node_id to account for that so the Secret/... nodes can be shared across scans.

This is something we changed recently actually - @ibreakthecloud is that a recent issue?

Not sure if the issue is occurring now, but sure that's the problem. Since the node_id has registry appended in it, comparison fails for same image if scanned from two different sources.

@ibreakthecloud ibreakthecloud changed the title (fix) scan compare between diff registry account [WIP] (fix) scan compare between diff registry account Jan 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ramanan-ravi ramanan-ravi ramanan-ravi approved these changes

@noboruma noboruma Awaiting requested review from noboruma

@gnmahanth gnmahanth Awaiting requested review from gnmahanth

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ibreakthecloud @noboruma @ramanan-ravi