feat: support update all for multi platform patching (#1141)

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>

Author: ashnamehrotra

integration/singlearch/fixtures/test-images.json

@@ -5,7 +5,8 @@
         "digest": "sha256:42d3e6bc186572245aded5a0be381012adba6d89355fa9486dd81b0c634695b5",
         "distro": "Alpine",
         "description": "Valid apk/db, apk present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "docker.io/grafana/grafana",
@@ -14,15 +15,17 @@
         "digest": "sha256:42d3e6bc186572245aded5a0be381012adba6d89355fa9486dd81b0c634695b5",
         "distro": "Alpine",
         "description": "Valid apk/db, apk present, locally tagged with fully-qualified name",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "docker.io/library/nginx",
         "tag": "1.21.6",
         "digest": "sha256:2bcabc23b45489fb0885d69a06ba1d648aeda973fae7bb981bafbb884165e514",
         "distro": "Debian",
         "description": "Valid dpkg/status, apt present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "docker.io/library/nginx",
@@ -31,39 +34,44 @@
         "localName": "local/image:tag",
         "distro": "Debian",
         "description": "Valid dpkg/status, apt present, locally tagged with repo and image name",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "registry.k8s.io/kube-proxy",
         "tag": "v1.23.4",
         "digest": "sha256:30116c7218264d95623d3918a50da703675755cae866cd4c324586611fcd50ea",
         "distro": "Debian",
         "description": "Valid dpkg/status, apt present, custom network config",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "registry.k8s.io/kube-proxy",
         "tag": "v1.27.2",
         "digest": "sha256:1e4f13f5f5c215813fb9c9c6f56da1c0354363f2a69bd12732658f79d585864f",
         "distro": "Custom Google Distroless",
         "description": "Custom dpkg/status.d with text names, no apt, libssl1.1",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "registry.k8s.io/kube-proxy",
         "tag": "v1.26.1",
         "digest": "sha256:1e4f13f5f5c215813fb9c9c6f56da1c0354363f2a69bd12732658f79d585864f",
         "distro": "Custom Google Distroless",
         "description": "Custom dpkg/status.d with text names, with both libssl1.1 and libssl1",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "docker.io/fluent/fluent-bit",
         "tag": "1.8.4",
         "digest": "sha256:2d80c13c2e7e06aa6a2e54a1825c6adbb3829c8a133ff617a0a61790bd61c53d",
         "distro": "Google Distroless",
         "description": "Custom dpkg/status.d with base64 names",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "docker.io/fluent/fluent-bit",
@@ -72,133 +80,150 @@
         "localName": "localimage:tag",
         "distro": "Google Distroless",
         "description": "Custom dpkg/status.d with base64 names, locally tagged with image name only",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "docker.io/openpolicyagent/opa",
         "tag": "0.46.0",
         "digest": "sha256:c4b11c9b86eaba41276ae682bb6875332316242010b7523efe30f365ad0c3cb8",
         "distro": "Google Distroless",
         "description": "Custom dpkg/status.d with text names, no apt, libssl1",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "quay.io/calico/cni",
         "tag": "v3.15.1",
         "digest": "sha256:a925b445c2688fc9c149b20ea04faabd40610d3304a6efda68e5dada7a41b813",
         "distro": "Redhat",
         "description": "Valid rpm DB, microdnf & rpm present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "mcr.microsoft.com/cbl-mariner/base/core",
         "tag": "2.0.20240112",
         "digest": "sha256:60323975ec3aabe1840920a65237950a54c5fef6ffc811a5d26bb6bd130f1cc3",
         "distro": "Mariner",
         "description": "Valid rpm DB, tdnf, yum & rpm present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "mcr.microsoft.com/cbl-mariner/base/core",
         "tag": "2.0.20240112-arm64",
         "digest": "sha256:c85680df0ddccfd5bf0cd60ff7d0c07b0ea783bcee9ce5dc748b68c0d36e280a",
         "distro": "Mariner",
         "description": "Valid rpm DB, tdnf, yum & rpm present, arm64 cross-arch",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "mcr.microsoft.com/cbl-mariner/distroless/base",
         "tag": "2.0.20220527",
         "digest": "sha256:f550c5428df17b145851ad75983aca6d613ad4b51ca7983b2a83e67d0ac91a5d",
         "distro": "Mariner Distroless",
         "description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "mcr.microsoft.com/azurelinux/base/core",
         "tag": "3.0.20240727",
         "digest": "sha256:02004412d6133fba772fd88dd45ea99b61258722bfc796c156937df4a5d75c6c",
         "distro": "Azure Linux",
         "description": "Valid rpm DB, tdnf & rpm present, no dnf or yum",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "mcr.microsoft.com/azurelinux/base/core",
         "tag": "3.0.20240727-arm64",
         "digest": "sha256:5975d2ba45e7d256d4eb4e2b3df3aefbaddf25f14fa300fa126fb93b9f082d33",
         "distro": "Azure Linux",
         "description": "Valid rpm DB, tdnf & rpm present, no dnf or yum, arm64 cross-arch",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "mcr.microsoft.com/azurelinux/distroless/base",
         "tag": "3.0.20240727",
         "digest": "sha256:50c24841324cdb36a268bb1288dd6f8bd5bcf19055c24f6aaa750a740a8be62d",
         "distro": "Azure Linux Distroless",
         "description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "docker.io/library/amazonlinux",
         "tag": "2.0.20210326.0",
         "digest": "sha256:06380711d6a8ac0b6989f7e2a4419e560796791d9c7c843753a719c73552dc30",
         "distro": "Amazon Linux",
         "description": "Valid rpm DB, yum present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "docker.io/library/oraclelinux",
         "tag": "7.9",
         "digest": "sha256:ba39a0daabd2df95ed5f374d016e87513f8e579ecc5a1599d7cf94679a281a34",
         "distro": "Oracle Linux 7.9",
         "description": "Valid rpm DB, yum present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "docker.io/library/oraclelinux",
         "tag": "8.9",
         "digest": "sha256:67c889172b07b1f4067050abf4bcf7fce2febd280664df261fe17fa82501a498",
         "distro": "Oracle Linux 8.9",
         "description": "Valid rpm DB, yum present",
-        "ignoreErrors": true
+        "ignoreErrors": true,
+        "isManifestList": true
     },
     {
         "image": "docker.io/library/rockylinux",
         "tag": "8.9.20231119",
         "digest": "sha256:69cecc7163282ad83e27b739fe8473b7c56e280e83827dcda60e5d37102457f1",
         "distro": "Rocky Linux",
         "description": "Valid rpm DB, yum present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "docker.io/redhat/ubi9-minimal",
         "tag": "9.4-949",
         "digest": "sha256:9607229894026ebecade4623038fce35bb75bf9371aca7b08ca11b08d103d2ab",
         "distro": "Redhat",
-        "description": "Valid microdnf, no yum/dnf/rpm"
+        "description": "Valid microdnf, no yum/dnf/rpm",
+        "isManifestList": false
     },
     {
         "image": "docker.io/almalinux",
         "tag": "9.4-20240923",
         "digest": "sha256:1c718a4cd7bab3bdb069ddbbd1eb593a390e6932d51d0048a2f6556303bafba7",
         "distro": "AlmaLinux",
         "description": "Valid rpm DB, microdnf & rpm present",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": true
     },
     {
         "image": "ghcr.io/project-copacetic/copacetic/test/openssl",
         "tag": "test-rpm",
         "digest": "sha256:a3ce5460b21cefef782ffd5f8b751c18d6b15b96e81da26248bfab032b4db742",
         "distro": "Mariner Distroless",
         "description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm, custom openssl.cnf",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     },
     {
         "image": "ghcr.io/project-copacetic/copacetic/test/openssl",
         "tag": "test-debian",
         "digest": "sha256:453ce8b732afa551d2e8772d131d8b060b765a4532b33c1fc1e7a90569fb2fbb",
         "distro": "Google Distroless",
         "description": "Custom dpkg/status.d with text names, no apt, libssl1, custom openssl.cnf",
-        "ignoreErrors": false
+        "ignoreErrors": false,
+        "isManifestList": false
     }
 ]

integration/singlearch/patch_test.go

@@ -24,13 +24,14 @@ import (
 var testImages []byte
 
 type testImage struct {
-	Image        string        `json:"image"`
-	Tag          string        `json:"tag"`
-	LocalName    string        `json:"localName,omitempty"`
-	Distro       string        `json:"distro"`
-	Digest       digest.Digest `json:"digest"`
-	Description  string        `json:"description"`
-	IgnoreErrors bool          `json:"ignoreErrors"`
+	Image          string        `json:"image"`
+	Tag            string        `json:"tag"`
+	LocalName      string        `json:"localName,omitempty"`
+	Distro         string        `json:"distro"`
+	Digest         digest.Digest `json:"digest"`
+	Description    string        `json:"description"`
+	IgnoreErrors   bool          `json:"ignoreErrors"`
+	IsManifestList bool          `json:"isManifestList"`
 }
 
 func TestPatch(t *testing.T) {
@@ -93,7 +94,6 @@ func TestPatch(t *testing.T) {
 			require.NoError(t, err, err)
 
 			tagPatched := img.Tag + "-patched"
-			patchedRef := fmt.Sprintf("%s:%s", r.Name(), tagPatched)
 
 			patchedMediaType, err := utils.GetMediaType(imageRef, imageloader.Docker)
 			require.NoError(t, err)
@@ -107,6 +107,14 @@ func TestPatch(t *testing.T) {
 			t.Log("patching image")
 			patch(t, ref, tagPatched, dir, img.IgnoreErrors, reportFile)
 
+			// For no-report tests with manifest images, Copa creates platform-specific tags like "-patched-amd64"
+			// The scanning should look for the tag that Copa actually created
+			scanTag := tagPatched
+			if !reportFile && img.IsManifestList {
+				scanTag += "-amd64"
+			}
+			patchedRef := fmt.Sprintf("%s:%s", r.Name(), scanTag)
+
 			switch {
 			case strings.Contains(img.Image, "oracle"):
 				t.Log("Oracle image detected. Skipping Trivy scan.")
@@ -176,6 +184,11 @@ func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool, report
 		reportPath = "-r=" + path + "/scan.json"
 	}
 
+	var platformFlag string
+	if !reportFile {
+		platformFlag = "--platform=linux/amd64"
+	}
+
 	//#nosec G204
 	cmd := exec.Command(
 		copaPath,
@@ -186,6 +199,7 @@ func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool, report
 		"-s="+scannerPlugin,
 		"--timeout=30m",
 		addrFl,
+		platformFlag,
 		"--ignore-errors="+strconv.FormatBool(ignoreErrors),
 		"--output="+path+"/vex.json",
 		"--debug",

pkg/buildkit/buildkit.go

@@ -133,7 +133,8 @@ func DiscoverPlatformsFromReport(reportDir, scanner string) ([]types.PatchPlatfo
 				Architecture: report.Metadata.Config.Arch,
 				Variant:      report.Metadata.Config.Variant,
 			},
-			ReportFile: filePath,
+			ReportFile:     filePath,
+			ShouldPreserve: false, // This platform has a report, so it should be patched
 		}
 
 		if platform.Architecture == arm64 && platform.Variant == "v8" {
@@ -198,6 +199,8 @@ func DiscoverPlatformsFromReference(manifestRef string) ([]types.PatchPlatform,
 					OSVersion:    m.Platform.OSVersion,
 					OSFeatures:   m.Platform.OSFeatures,
 				},
+				ReportFile:     "",    // No report file for platforms discovered from reference
+				ShouldPreserve: false, // Default to false, will be set appropriately later
 			}
 			if m.Platform.Architecture == arm64 && m.Platform.Variant == "v8" {
 				// some scanners may not add v8 to arm64 reports, so we
@@ -256,11 +259,13 @@ func DiscoverPlatforms(manifestRef, reportDir, scanner string) ([]types.PatchPla
 			if rp, ok := reportSet[PlatformKey(pl.Platform)]; ok {
 				// Platform has a report - will be patched
 				pl.ReportFile = rp
+				pl.ShouldPreserve = false
 				platforms = append(platforms, pl)
 			} else {
 				// Platform has no report - preserve original without patching
 				log.Debugf("No report found for platform %s, preserving original", PlatformKey(pl.Platform))
 				pl.ReportFile = ""
+				pl.ShouldPreserve = true
 				platforms = append(platforms, pl)
 			}
 		}

pkg/patch/cmd.go

@@ -28,6 +28,7 @@ type patchArgs struct {
 	output        string
 	bkOpts        buildkit.Opts
 	push          bool
+	platform      []string
 	loader        string
 }
 
@@ -57,6 +58,7 @@ func NewPatchCmd() *cobra.Command {
 				ua.loader,
 				ua.ignoreError,
 				ua.push,
+				ua.platform,
 				bkopts)
 		},
 	}
@@ -76,6 +78,10 @@ func NewPatchCmd() *cobra.Command {
 	flags.StringVarP(&ua.format, "format", "f", "openvex", "Output format, defaults to 'openvex'")
 	flags.StringVarP(&ua.output, "output", "o", "", "Output file path")
 	flags.BoolVarP(&ua.push, "push", "p", false, "Push patched image to destination registry")
+	flags.StringSliceVar(&ua.platform, "platform", nil,
+		"Target platform(s) for multi-arch images when no report directory is provided (e.g., linux/amd64,linux/arm64). "+
+			"Valid platforms: linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6. "+
+			"If platform flag is used, only specified platforms are patched and the rest are preserved. If not specified, all platforms present in the image are patched.")
 	flags.StringVarP(&ua.loader, "loader", "l", "", "Loader to use for loading images. Options: 'docker', 'podman', or empty for auto-detection based on buildkit address")
 
 	if err := patchCmd.MarkFlagRequired("image"); err != nil {