chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0
445 stars, 31 forks

Replace live OCI image pull with crane export #438

Closed egibs closed 2 months ago

egibs commented 2 months ago

Closes: #428

This PR replaces our dependency on a non-deterministic image source with a static tarball created via crane export.

While this won't engage the if c.OCI logic, this is what that functionality does anyway: https://github.com/chainguard-dev/bincapz/blob/d3d7a6bb7fc13a4dfeeb26711c5617e4c4496a8d/pkg/action/oci.go#L15-L40

The scan results are the same (sans the base path which has been updated).

For future reference, the command I ran to create the tarball was:

cd pkg/action/testdata; crane export cgr.dev/chainguard/static:latest static.tar

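The reason a `crane export` tarball makes a better fixture than a live `:latest` pull is that the scan walks a flattened root filesystem whose contents never change under the test. The following Go program is an added illustration, not code from malcontent/bincapz and not the `c.OCI` path linked above: it constructs a small stand-in for an exported image in memory (the files and their contents are made up for the example, not the real contents of cgr.dev/chainguard/static), walks it the way a scanner would, and derives a content digest over the sorted (path, sha256) pairs so a test can pin the fixture independently of tar header metadata or entry order. It also refuses entry names that would escape the archive root, a check any code that later extracts an image tarball to disk should keep.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"path"
	"sort"
	"strings"
)

// SampleFile describes one regular file to place in a constructed test tarball.
type SampleFile struct {
	Name    string
	Mode    int64
	Content string
}

// SampleFixture is a constructed stand-in for what `crane export` produces for a
// minimal image: a flattened root filesystem. The paths and contents are invented
// for this example and are not the real cgr.dev/chainguard/static contents.
var SampleFixture = []SampleFile{
	{Name: "etc/os-release", Mode: 0o644, Content: "ID=wolfi\nNAME=\"Wolfi\"\n"},
	{Name: "usr/bin/example", Mode: 0o755, Content: "#!/bin/sh\necho hello\n"},
}

// BuildTar writes files into an in-memory tar stream in the order given.
func BuildTar(files []SampleFile) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range files {
		hdr := &tar.Header{
			Typeflag: tar.TypeReg,
			Name:     f.Name,
			Mode:     f.Mode,
			Size:     int64(len(f.Content)),
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, f.Content); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// Entry summarizes one regular file found in an exported image tarball.
type Entry struct {
	Path   string
	Size   int64
	SHA256 string
}

// WalkImageTar reads a flattened filesystem tarball and returns one Entry per
// regular file, sorted by path. Entry names that would escape the archive root
// (absolute paths or ".." traversal) are rejected: an image export should never
// contain them, and code that extracts to disk must not trust the name blindly.
func WalkImageTar(r io.Reader) ([]Entry, error) {
	tr := tar.NewReader(r)
	var out []Entry
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		name := path.Clean(strings.TrimPrefix(hdr.Name, "./"))
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("unsafe entry name %q", hdr.Name)
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, symlinks and device nodes carry no scannable bytes
		}
		h := sha256.New()
		n, err := io.Copy(h, tr)
		if err != nil {
			return nil, err
		}
		out = append(out, Entry{Path: name, Size: n, SHA256: hex.EncodeToString(h.Sum(nil))})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// FixtureDigest derives one identifier for the fixture from the sorted
// (path, content hash) pairs. It is stable across entry order and tar header
// metadata such as mtime, so a test can pin it and fail loudly if the fixture
// is ever regenerated from a different image.
func FixtureDigest(entries []Entry) string {
	h := sha256.New()
	for _, e := range entries {
		fmt.Fprintf(h, "%s\x00%s\n", e.Path, e.SHA256)
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	entries, err := WalkImageTar(bytes.NewReader(BuildTar(SampleFixture)))
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%-20s %6d  %s\n", e.Path, e.Size, e.SHA256)
	}
	fmt.Println("fixture digest:", FixtureDigest(entries))
}
```

To run this against an on-disk fixture such as the one created by the command above, pass an `*os.File` to `WalkImageTar`; for a `.tar.xz` fixture the file reader would first be wrapped in an xz decompressor, which the Go standard library does not provide (a third-party package such as github.com/ulikunitz/xz is one option; that choice is an assumption here, not something the PR specifies).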
tstromberg commented 2 months ago

Would this test still work if the sample was compressed to a .tar.xz? If so, let's do that.

egibs commented 2 months ago

Would this test still work if the sample was compressed to a .tar.xz? If so, let's do that.

It does -- updated in 7bf82eb (#438).