fix: openvex report oci id bug (#928)

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>

Author: robert-cronin

pkg/patch/patch.go

@@ -189,7 +189,25 @@ func patchWithContext(ctx context.Context, ch chan error, image, reportFile, pat
 	buildChannel := make(chan *client.SolveStatus)
 	eg, ctx := errgroup.WithContext(ctx)
 	eg.Go(func() error {
-		_, err := bkClient.Build(ctx, solveOpt, copaProduct, func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+		var pkgType string
+		var validatedManifest *unversioned.UpdateManifest
+		if updates != nil {
+			// create a new manifest with the successfully patched packages
+			validatedManifest = &unversioned.UpdateManifest{
+				Metadata: unversioned.Metadata{
+					OS: unversioned.OS{
+						Type:    updates.Metadata.OS.Type,
+						Version: updates.Metadata.OS.Version,
+					},
+					Config: unversioned.Config{
+						Arch: updates.Metadata.Config.Arch,
+					},
+				},
+				Updates: []unversioned.UpdatePackage{},
+			}
+		}
+
+		solveResponse, err := bkClient.Build(ctx, solveOpt, copaProduct, func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 			// Configure buildctl/client for use by package manager
 			config, err := buildkit.InitializeBuildkitConfig(ctx, c, imageName.String())
 			if err != nil {
@@ -263,38 +281,32 @@ func patchWithContext(ctx context.Context, ch chan error, image, reportFile, pat
 
 			res.AddMeta(exptypes.ExporterImageConfigKey, config.ConfigData)
 
-			// Currently can only validate updates if updating via scanner
-			if reportFile != "" {
-				// create a new manifest with the successfully patched packages
-				validatedManifest := &unversioned.UpdateManifest{
-					Metadata: unversioned.Metadata{
-						OS: unversioned.OS{
-							Type:    updates.Metadata.OS.Type,
-							Version: updates.Metadata.OS.Version,
-						},
-						Config: unversioned.Config{
-							Arch: updates.Metadata.Config.Arch,
-						},
-					},
-					Updates: []unversioned.UpdatePackage{},
-				}
+			// for the vex document, only include updates that were successfully applied
+			pkgType = manager.GetPackageType()
+			if validatedManifest != nil {
 				for _, update := range updates.Updates {
 					if !slices.Contains(errPkgs, update.Name) {
 						validatedManifest.Updates = append(validatedManifest.Updates, update)
 					}
 				}
-				// vex document must contain at least one statement
-				if output != "" && len(validatedManifest.Updates) > 0 {
-					if err := vex.TryOutputVexDocument(validatedManifest, manager, patchedImageName, format, output); err != nil {
-						ch <- err
-						return nil, err
-					}
-				}
 			}
 
 			return res, nil
 		}, buildChannel)
 
+		// Currently can only validate updates if updating via scanner
+		if reportFile != "" && validatedManifest != nil {
+			digest := solveResponse.ExporterResponse[exptypes.ExporterImageDigestKey]
+			nameDigestOrTag := getRepoNameWithDigest(patchedImageName, digest)
+			// vex document must contain at least one statement
+			if output != "" && len(validatedManifest.Updates) > 0 {
+				if err := vex.TryOutputVexDocument(validatedManifest, pkgType, nameDigestOrTag, format, output); err != nil {
+					ch <- err
+					return err
+				}
+			}
+		}
+
 		return err
 	})
 
@@ -320,7 +332,9 @@ func patchWithContext(ctx context.Context, ch chan error, image, reportFile, pat
 		return pipeR.Close()
 	})
 
-	return eg.Wait()
+	err = eg.Wait()
+
+	return err
 }
 
 func getOSType(ctx context.Context, osreleaseBytes []byte) (string, error) {
@@ -390,3 +404,14 @@ func dockerLoad(ctx context.Context, pipeR io.Reader) error {
 
 	return cmd.Run()
 }
+
+// e.g. "docker.io/library/nginx:1.21.6-patched".
+func getRepoNameWithDigest(patchedImageName, imageDigest string) string {
+	parts := strings.Split(patchedImageName, "/")
+	last := parts[len(parts)-1]
+	if idx := strings.IndexRune(last, ':'); idx >= 0 {
+		last = last[:idx]
+	}
+	nameWithDigest := fmt.Sprintf("%s@%s", last, imageDigest)
+	return nameWithDigest
+}

pkg/patch/patch_test.go

@@ -326,3 +326,10 @@ func TestGetOSVersion(t *testing.T) {
 		})
 	}
 }
+
+func TestGetRepoNameWithDigest(t *testing.T) {
+	result := getRepoNameWithDigest("docker.io/library/nginx:1.21.6-patched", "sha256:mocked-digest")
+	if result != "nginx@sha256:mocked-digest" {
+		t.Fatalf("unexpected result: %s", result)
+	}
+}

pkg/vex/openvex.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/openvex/go-vex/pkg/vex"
-	"github.com/project-copacetic/copacetic/pkg/pkgmgr"
 	"github.com/project-copacetic/copacetic/pkg/types/unversioned"
 )
 
@@ -29,7 +28,7 @@ type OpenVex struct{}
 func (o *OpenVex) CreateVEXDocument(
 	updates *unversioned.UpdateManifest,
 	patchedImageName string,
-	pkgmgr pkgmgr.PackageManager,
+	pkgType string,
 ) (string, error) {
 	t := now()
 	doc := v
@@ -53,7 +52,6 @@ func (o *OpenVex) CreateVEXDocument(
 		},
 	}
 
-	pkgType := pkgmgr.GetPackageType()
 	for _, u := range updates.Updates {
 		subComponent := vex.Subcomponent{
 			Component: vex.Component{

pkg/vex/openvex_test.go

@@ -173,7 +173,8 @@ func TestOpenVex_CreateVEXDocument(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			o := &OpenVex{}
-			got, err := o.CreateVEXDocument(tt.args.updates, tt.args.patchedImageName, tt.args.pkgmgr)
+			pkgType := tt.args.pkgmgr.GetPackageType()
+			got, err := o.CreateVEXDocument(tt.args.updates, tt.args.patchedImageName, pkgType)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("OpenVex.CreateVEXDocument() error = %v, wantErr %v", err, tt.wantErr)
 				return

pkg/vex/vex.go

@@ -12,14 +12,14 @@ type Vex interface {
 	CreateVEXDocument(updates *unversioned.UpdateManifest, patchedImageName string, pkgmgr pkgmgr.PackageManager) (string, error)
 }
 
-func TryOutputVexDocument(updates *unversioned.UpdateManifest, pkgmgr pkgmgr.PackageManager, patchedImageName, format, file string) error {
+func TryOutputVexDocument(updates *unversioned.UpdateManifest, pkgType, patchedImageName, format, file string) error {
 	var doc string
 	var err error
 
 	switch format {
 	case "openvex":
 		ov := &OpenVex{}
-		doc, err = ov.CreateVEXDocument(updates, patchedImageName, pkgmgr)
+		doc, err = ov.CreateVEXDocument(updates, patchedImageName, pkgType)
 		if err != nil {
 			return err
 		}

pkg/vex/vex_test.go

@@ -51,7 +51,11 @@ func TestTryOutputVexDocument(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := TryOutputVexDocument(tt.args.updates, tt.args.pkgmgr, tt.args.patchedImageName, tt.args.format, tt.args.file); (err != nil) != tt.wantErr {
+			var pkgType string
+			if tt.args.pkgmgr != nil {
+				pkgType = tt.args.pkgmgr.GetPackageType()
+			}
+			if err := TryOutputVexDocument(tt.args.updates, pkgType, tt.args.patchedImageName, tt.args.format, tt.args.file); (err != nil) != tt.wantErr {
 				t.Errorf("TryOutputVexDocument() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})