feat: langmgr and python (#1091)

Co-authored-by: Robbie Cronin <robert.owen.cronin@gmail.com>

Author: sozercan

.github/copilot-instructions.md

@@ -9,12 +9,13 @@ Copacetic (Copa) is a CLI tool that patches container image vulnerabilities usin
 ## Folder Structure
 - `pkg/patch/`: CLI commands and core patching logic
 - `pkg/buildkit/`: BuildKit integration and platform discovery
-- `pkg/pkgmgr/`: Package manager adapters (dpkg, rpm, apk)
+- `pkg/pkgmgr/`: OS package manager adapters (dpkg, rpm, apk)
+- `pkg/langmgr/`: Language (application/library) package managers (e.g. Python/pip)
 - `pkg/report/`: Vulnerability report parsing and scanner plugin interface
 - `pkg/imageloader/`: Container engine integration (Docker, Podman)
 - `pkg/types/`: Type definitions and configurations
 - `website/docs/`: Project documentation and user guides
-- `integration/`: Integration tests for multi-arch and single-arch scenarios
+- `integration/`: Integration tests for multi-arch and single-arch scenarios (OS + language flows)
 - `main.go`: Root CLI setup with Cobra framework
 
 ## Libraries and Frameworks
@@ -36,19 +37,63 @@ Copacetic (Copa) is a CLI tool that patches container image vulnerabilities usin
 ## Key Architecture Concepts
 - **Patching modes**: Targeted (with vulnerability reports) or comprehensive (all available updates)
 - **Multi-platform support**: Handles amd64, arm64, and other architectures with QEMU emulation
-- **Package managers**: Debian (apt/dpkg), RHEL (yum/rpm), Alpine (apk), Azure Linux (tdnf)
+- **OS package managers**: Debian (apt/dpkg), RHEL family (yum/rpm/dnf/microdnf/tdnf), Alpine (apk), Azure Linux / CBL-Mariner (tdnf)
+- **Language (application/library) patching**: Experimental support for upgrading vulnerable application dependencies (currently Python via pip) with semantic version / patch-level controls.
 - **BuildKit integration**: Uses LLB operations for image building and manipulation
 - **Scanner plugins**: Supports custom vulnerability scanners via `customParseScanReport` interface
+- **Selective package types**: User can choose to patch only OS, only library, or both via `--pkg-types`.
 
-## Supported Operating Systems & Package Managers
-- **Debian/Ubuntu**: Uses `dpkg` and `apt`
-- **RHEL/CentOS/Rocky/Alma/Oracle/Amazon**: Uses `rpm`, `yum`, and `dnf`
-- **Alpine**: Uses `apk`
-- **CBL-Mariner/Azure Linux**: Uses `rpm` and `tdnf`
+## Supported Targets
+### Operating Systems (OS package layer)
+- **Debian/Ubuntu**: `dpkg` + `apt`
+- **RHEL/CentOS/Rocky/Alma/Oracle/Amazon**: `rpm`, `yum`, `dnf`, `microdnf`, `tdnf` (as available)
+- **Alpine**: `apk`
+- **CBL-Mariner/Azure Linux**: `rpm` + `tdnf`
+
+### Language / Application Dependencies (Experimental)
+- **Python**: pip-based site-packages upgrades with version validation and patch-level selection.
+  - Controlled via `--pkg-types library` (or `os,library`) and `--library-patch-level`.
+  - Patch levels: `patch` (default), `minor`, `major`; influences chosen fixed version when multiple are available.
+  - Special per-package overrides supported (see `getSpecialPackagePatchLevels()` inside Python manager for curated exceptions).
 
 ## Key Functions
+
+### CLI / Orchestration
 - `Patch()`: Main entry point for patching operations
 - `patchSingleArchImage()` / `patchMultiPlatformImage()`: Core patching logic
 - `DiscoverPlatformsFromReference()` / `DiscoverPlatformsFromReport()`: Platform discovery
-- `InstallUpdates()`: Package manager interface for applying updates
 - `InitializeBuildkitConfig()`: Initializes BuildKit configuration for patching operations
+
+### OS Package Layer
+- `pkgmgr.GetPackageManager()` and concrete managers' `InstallUpdates()` methods
+- `GetUniqueLatestUpdates()` (OS) for deduplicating + selecting latest OS package versions
+
+### Language / Library Layer
+- `langmgr.GetLanguageManagers()` returns appropriate language managers based on manifest content
+- `pythonManager.InstallUpdates()` coordinates: selecting versions, performing pip upgrades, validating results
+- `langmgr.GetUniqueLatestUpdates()` (libraries) similar to OS but tolerant of empty sets & patch-level filtering
+- `FindOptimalFixedVersionWithPatchLevel()` (Trivy parsing path) chooses best fixed version under patch-level constraint
+
+### Report Parsing & Filtering
+- `report.TryParseScanReport()` / Trivy parser: builds unified UpdateManifest (OS + Lang)
+- Filtering by `--pkg-types` occurs early and again before build execution for safety.
+
+### Validation & VEX
+- `vex.TryOutputVexDocument()` generates optional VEX documents (only if report + updates applied)
+
+## Language Patching
+Language/library patching is gated behind `COPA_EXPERIMENTAL=1`.
+
+- `--pkg-types`: comma list of `os`, `library` (default `os`). Determines which sections of the UpdateManifest are acted upon.
+- `--library-patch-level`: one of `patch|minor|major` (default `patch`). Sets semantic version boundary for chosen upgrade version.
+- Behavior when report only has library vulns:
+  - If `--pkg-types` includes `library`, proceed (even if no OS updates). Empty OS set no longer triggers an error.
+  - If `--pkg-types os` only, library updates are ignored (manifest language section cleared early).
+
+## Library Patching Flow (Python)
+1. Trivy report parsed -> vulnerable Python packages aggregated with all candidate fixed versions.
+2. Patch level rule applied to select optimal fixed version per package (with per-package override map for exceptions).
+3. Upgrade executed in ephemeral tooling container (derives base Python image tag when possible; fallback tag `3-slim`).
+4. Post-upgrade validation via `pip freeze` subset matching: ensures requested versions actually installed.
+5. Failed installs or mismatches collected; errors either propagate or are logged based on `--ignore-errors`.
+6. Validated updates merged into final manifest fed to VEX generation.

.github/workflows/build.yml

@@ -33,7 +33,7 @@ permissions:
 jobs:
   unit-test:
     name: Unit Test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-16-cores
     timeout-minutes: 5
     steps:
       - name: Harden Runner
@@ -61,14 +61,11 @@ jobs:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   build:
     name: Build
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest-16-cores
     timeout-minutes: 5
     permissions:
       packages: write
       contents: read
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.3.1
@@ -104,7 +101,7 @@ jobs:
   test-patch-trivy:
     needs: build
     name: Test patch with trivy ${{ matrix.buildkit_mode }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-16-cores
     timeout-minutes: 30
     strategy:
       fail-fast: false
@@ -150,7 +147,7 @@ jobs:
   test-patch-no-report:
     needs: build
     name: Test patch no report ${{ matrix.buildkit_mode }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-16-cores
     timeout-minutes: 30
     strategy:
       fail-fast: false
@@ -202,11 +199,11 @@ jobs:
             if [[ -n "${COPA_BUILDKIT_ADDR}" && "${COPA_BUILDKIT_ADDR}" == docker://* ]]; then
                 export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}"
             fi
-      
+
             docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-rpm-patched /bin/sh
             tmp="$(mktemp)"
             docker cp test:/etc/pki/tls/openssl.cnf "${tmp}"
-            
+
             if ! grep -q foo "${tmp}"; then
                 echo "Error: openssl.cnf content replaced" >&2
                 rm "${tmp}"
@@ -256,11 +253,11 @@ jobs:
                 export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}"
                 trap '_cleanup' EXIT
             fi
-      
+
             docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-debian-patched /bin/sh
             tmp="$(mktemp)"
             docker cp test:/etc/ssl/openssl.cnf "${tmp}"
-            
+
             if ! grep -q foo "${tmp}"; then
                 echo "Error: openssl.cnf content replaced" >&2
                 rm "${tmp}"
@@ -274,7 +271,7 @@ jobs:
   test-plugin:
     needs: build
     name: Test plugin
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-16-cores
     timeout-minutes: 5
     steps:
       - name: Harden Runner
@@ -321,7 +318,7 @@ jobs:
   test-push:
     needs: build
     name: Test push
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-16-cores
     timeout-minutes: 5
     steps:
       - name: Check out code
@@ -364,12 +361,12 @@ jobs:
         with:
           paths: "test-results.xml"
 
-          
+
   test-patch-multiplatform:
     needs: build
     name: Test patch with multiplatform ${{ matrix.buildkit_mode }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
+    runs-on: ubuntu-latest-16-cores
+    timeout-minutes: 40
     strategy:
       fail-fast: false
       matrix:
@@ -434,15 +431,15 @@ jobs:
         shell: bash
         run: |
           set -eu -o pipefail
-          
+
           if [[ "${{ matrix.buildkit_mode }}" == "docker" ]]; then
             # For docker mode, use the default docker daemon
             export COPA_BUILDKIT_ADDR="docker://"
           else
             # For other modes, source the corresponding script in the same shell session
             . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode }}
           fi
-          
+
           gotestsum --format testname --junitfile test-results.xml -- ./integration/multiarch --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0
       - name: Test Summary
         uses: test-summary/action@v2
@@ -452,8 +449,8 @@ jobs:
   test-patch-multiplatform-plugin:
     needs: build
     name: Test multiplatform with plugin
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
+    runs-on: ubuntu-latest-16-cores
+    timeout-minutes: 50
     steps:
       - name: Change docker daemon config
         run: |

go.mod

@@ -3,6 +3,7 @@ module github.com/project-copacetic/copacetic
 go 1.24.4
 
 require (
+	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/aquasecurity/trivy v0.66.0
 	github.com/containerd/errdefs v1.0.0
 	github.com/containerd/platforms v1.0.0-rc.1
@@ -38,6 +39,7 @@ require (
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/aquasecurity/trivy-db v0.0.0-20250731052236-c7c831e2254d // indirect
 	github.com/aws/aws-sdk-go-v2 v1.38.3 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.31.6 // indirect

go.sum

@@ -12,6 +12,10 @@ github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
+github.com/aquasecurity/go-pep440-version v0.0.1 h1:8VKKQtH2aV61+0hovZS3T//rUF+6GDn18paFTVS0h0M=
+github.com/aquasecurity/go-pep440-version v0.0.1/go.mod h1:3naPe+Bp6wi3n4l5iBFCZgS0JG8vY6FT0H4NGhFJ+i4=
+github.com/aquasecurity/go-version v0.0.1 h1:4cNl516agK0TCn5F7mmYN+xVs1E3S45LkgZk3cbaW2E=
+github.com/aquasecurity/go-version v0.0.1/go.mod h1:s1UU6/v2hctXcOa3OLwfj5d9yoXHa3ahf+ipSwEvGT0=
 github.com/aquasecurity/trivy v0.66.0 h1:eU0M0PXQ6F0UxKYxMjI7b0ue07il3l1eqcBGTliE+tY=
 github.com/aquasecurity/trivy v0.66.0/go.mod h1:DFk2QdnR/ZXSfgy2xR7sPPWM/mJvmnVUzqtowsQJSVo=
 github.com/aquasecurity/trivy-db v0.0.0-20250731052236-c7c831e2254d h1:Lc+p2CLARivVF48o7uRoFPaahNCvNFyBfeby0JqAMXo=

integration/multiarch/fixtures/test-images.json

@@ -39,5 +39,59 @@
       "linux/arm/v7",
       "linux/arm64"
     ]
+  },
+  {
+    "originalImage": "quay.io/jupyter/base-notebook",
+    "localImage": "localhost:5000/jupyter-base-notebook",
+    "tag": "2025-01-27",
+    "distro": "ubuntu",
+    "description": "Multi-arch Jupyter base-notebook 2025-01-27, with push",
+    "ignoreErrors": false,
+    "push": true,
+    "skipAnnotations": true,
+    "platforms": [
+      "linux/amd64",
+      "linux/arm64"
+    ]
+  },
+  {
+    "originalImage": "quay.io/jupyter/base-notebook",
+    "localImage": "localhost:5000/jupyter-base-notebook",
+    "tag": "2025-01-27",
+    "distro": "ubuntu",
+    "description": "Multi-arch Jupyter base-notebook 2025-01-27, no push",
+    "ignoreErrors": false,
+    "push": false,
+    "platforms": [
+      "linux/amd64",
+      "linux/arm64"
+    ]
+  },
+  {
+    "originalImage": "mcr.microsoft.com/azure-cli",
+    "localImage": "localhost:5000/azure-cli",
+    "tag": "2.50.0",
+    "distro": "debian",
+    "description": "Multi-arch Azure CLI 2.50.0 for Python package testing, with push",
+    "ignoreErrors": false,
+    "push": true,
+    "skipAnnotations": true,
+    "platforms": [
+      "linux/amd64",
+      "linux/arm64"
+    ]
+  },
+  {
+    "originalImage": "mcr.microsoft.com/azure-cli",
+    "localImage": "localhost:5000/azure-cli",
+    "tag": "2.50.0",
+    "distro": "debian",
+    "description": "Multi-arch Azure CLI 2.50.0 for Python package testing, no push",
+    "ignoreErrors": false,
+    "push": false,
+    "platforms": [
+      "linux/amd64",
+      "linux/arm64"
+    ]
   }
 ]

pkg/buildkit/buildkit.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/project-copacetic/copacetic/pkg/report"
 	"github.com/project-copacetic/copacetic/pkg/types"
+	"github.com/project-copacetic/copacetic/pkg/utils"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -135,7 +136,7 @@ func DiscoverPlatformsFromReport(reportDir, scanner string) ([]types.PatchPlatfo
 		if file.IsDir() {
 			continue
 		}
-		report, err := report.TryParseScanReport(filePath, scanner)
+		report, err := report.TryParseScanReport(filePath, scanner, utils.PkgTypeOS, utils.PatchTypePatch)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing report %w", err)
 		}
@@ -168,7 +169,18 @@ func DiscoverPlatformsFromReport(reportDir, scanner string) ([]types.PatchPlatfo
 
 func isSupportedOsType(osType string) bool {
 	switch osType {
-	case "alpine", "debian", "ubuntu", "cbl-mariner", "azurelinux", "centos", "oracle", "redhat", "rocky", "amazon", "alma":
+	case utils.OSTypeAlpine,
+		utils.OSTypeDebian,
+		utils.OSTypeUbuntu,
+		utils.OSTypeCBLMariner,
+		utils.OSTypeAzureLinux,
+		utils.OSTypeCentOS,
+		utils.OSTypeOracle,
+		utils.OSTypeRedHat,
+		utils.OSTypeRocky,
+		utils.OSTypeAmazon,
+		utils.OSTypeAlma,
+		utils.OSTypeAlmaLinux:
 		return true
 	default:
 		return false

pkg/buildkit/buildkit_test.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/project-copacetic/copacetic/mocks"
 	"github.com/project-copacetic/copacetic/pkg/types"
+	"github.com/project-copacetic/copacetic/pkg/utils"
 
 	"github.com/stretchr/testify/mock"
 
@@ -96,7 +97,7 @@ func newMockBuildkitAPI(t *testing.T, caps ...apicaps.CapID) string {
 	var sockPath string
 	if runtime.GOOS == goosDarwin {
 		// On macOS, use /tmp directly for shorter paths to avoid socket path length limits
-		sockPath = filepath.Join("/tmp", fmt.Sprintf("bk-%d.sock", time.Now().UnixNano()))
+		sockPath = filepath.Join(utils.DefaultTempWorkingFolder, fmt.Sprintf("bk-%d.sock", time.Now().UnixNano()))
 	} else {
 		// On other platforms, use temp dir but with shorter name
 		tmp := t.TempDir()
@@ -445,7 +446,19 @@ func TestMapGoArch(t *testing.T) {
 }
 
 func TestIsSupportedOsType(t *testing.T) {
-	supported := []string{"alpine", "debian", "ubuntu", "cbl-mariner", "azurelinux", "centos", "oracle", "redhat", "rocky", "amazon", "alma"}
+	supported := []string{
+		utils.OSTypeAlpine,
+		utils.OSTypeDebian,
+		utils.OSTypeUbuntu,
+		utils.OSTypeCBLMariner,
+		utils.OSTypeAzureLinux,
+		utils.OSTypeCentOS,
+		utils.OSTypeOracle,
+		utils.OSTypeRedHat,
+		utils.OSTypeRocky,
+		utils.OSTypeAmazon,
+		utils.OSTypeAlma,
+	}
 	for _, os := range supported {
 		if !isSupportedOsType(os) {
 			t.Errorf("expected %s to be supported", os)