
Draft: Implement versioned provides/depends for shared libraries #1871

Draft
wants to merge 8 commits into
base: main

Conversation

sergiodj
Contributor

This PR implements versioned provides/depends for shared libraries.

I've had to plumb some things around to make everything work, so I'd love to have another pair of eyes go through the changes to double check I didn't mess anything up.

The implementation for versioned provides is somewhat simple: we already have the package version being analyzed during SCA, and we just need to use it when generating the provides = so:... line.

Versioned depends is more involved. The general idea (kudos to @jonjohnsonjr for the invaluable input!) is the following:

  • First, we have to acquire a PkgResolver from apko. We do that during buildGuest, where we can access the current APK being built. This PkgResolver becomes an attribute of the Build struct.
  • After that, we have to plumb this PkgResolver into SCAHandle so that we can access it during SCA.
  • During SCA, while analyzing the program(s) to determine which shared libraries it depends on, we need to:
    • Ask PkgResolver to return the list of packages that satisfy the query so:<ShlibName>.
    • Verify whether any of the packages returned is listed as being installed in the build environment. The package and its version need to match.
    • If there's a match, verify whether the package has a versioned provides for the shared library. If it doesn't, then we can't (yet) use versioned depends.

The idea is that the algorithm works with and without versioned provides for shared libraries, so that we won't need to rebuild the whole archive after deploying it.

This code requires the changes implemented in chainguard-dev/apko@620f808.

Functional Changes

  • This change can build all of Wolfi without errors (describe results in notes)

Notes:

SCA Changes

  • Examining several representative APKs shows no regression / the desired effect (details in notes)

Notes:
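As an added example (not code from this PR, melange, or apko), here is the three-step lookup sketched above written out in Go: resolve the providers of so:<ShlibName>, keep only the candidate whose name and version are installed in the build environment, and pin the depend to the provider's versioned provides when it has one, otherwise fall back to the unversioned depend. The pkg and resolver types, the ResolveProvides method, and the installed map are hypothetical stand-ins for apko's PkgResolver and for the build-environment state; the package names and versions are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// pkg is a constructed stand-in for an APK package record (name, version and
// its "provides" entries).  It is an assumption of this example, not apko's
// or melange's real data model.
type pkg struct {
	name     string
	version  string
	provides []string // e.g. "so:libz.so.1=1.3.1-r6" or, unversioned, "so:libz.so.1"
}

// resolver is a constructed stand-in for apko's PkgResolver.  Its only job
// here is to answer "which packages in the index satisfy so:<shlib>?".
type resolver struct {
	index []pkg
}

// ResolveProvides returns every indexed package carrying a provides entry
// whose name (the part before "=") equals the query.  Hypothetical method.
func (r *resolver) ResolveProvides(query string) []pkg {
	var out []pkg
	for _, p := range r.index {
		for _, prov := range p.provides {
			name, _, _ := strings.Cut(prov, "=")
			if name == query {
				out = append(out, p)
				break
			}
		}
	}
	return out
}

// installedKey identifies an installed package by name AND version, because a
// candidate only counts if both match what is in the build environment.
type installedKey struct {
	name, version string
}

// ShlibDepend computes the "depend = ..." value for one shared library:
//  1. ask the resolver which packages satisfy so:<shlib>;
//  2. keep a candidate only if its name and version are installed;
//  3. if that candidate has a versioned provides for the library, pin to that
//     version; otherwise (not yet rebuilt with versioned provides) fall back
//     to the plain unversioned depend.
func ShlibDepend(r *resolver, installed map[installedKey]bool, shlib string) string {
	query := "so:" + shlib
	for _, cand := range r.ResolveProvides(query) {
		if !installed[installedKey{name: cand.name, version: cand.version}] {
			continue // in the index, but not the build we actually linked against
		}
		for _, prov := range cand.provides {
			name, ver, ok := strings.Cut(prov, "=")
			if ok && name == query && ver != "" {
				return query + "=" + ver
			}
		}
		return query // installed provider, but its provides is still unversioned
	}
	return query // no installed provider found; keep the classic unversioned depend
}

// BuildEnv returns a constructed index and installed set that exercise all
// three outcomes.  Every version here is made up for illustration.
func BuildEnv() (*resolver, map[installedKey]bool) {
	r := &resolver{index: []pkg{
		// an older zlib build still in the index; not installed
		{name: "zlib", version: "1.3.1-r5", provides: []string{"so:libz.so.1"}},
		// the zlib actually installed, rebuilt with a versioned provides
		{name: "zlib", version: "1.3.1-r6", provides: []string{"so:libz.so.1=1.3.1-r6"}},
		// installed, but not yet rebuilt, so only unversioned provides
		{name: "openssl", version: "3.4.1-r0", provides: []string{"so:libssl.so.3", "so:libcrypto.so.3"}},
	}}
	installed := map[installedKey]bool{
		{name: "zlib", version: "1.3.1-r6"}:    true,
		{name: "openssl", version: "3.4.1-r0"}: true,
	}
	return r, installed
}

func main() {
	r, installed := BuildEnv()
	for _, lib := range []string{"libz.so.1", "libssl.so.3", "libfoo.so.0"} {
		fmt.Printf("depend = %s\n", ShlibDepend(r, installed, lib))
	}
}
```

The name-plus-version check in step 2 is what keeps this safe when the index holds several builds of the same package (zlib 1.3.1-r5 above is a provider of so:libz.so.1 but is skipped because it is not what was installed), and the fallback to the unversioned depend is what lets the same code run against an archive that has not yet been rebuilt with versioned provides.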

@sergiodj sergiodj requested a review from jonjohnsonjr March 26, 2025 03:02
@sergiodj sergiodj marked this pull request as draft March 26, 2025 03:03
@sergiodj sergiodj force-pushed the versioned-shlib-depends-provides branch from facb128 to 89fa5a5 on March 26, 2025 03:07
@dannf
Contributor

dannf commented Mar 27, 2025

I went through each commit and they all are clearly described and make sense to me. I've been learning golang this week, and I feel like I even understood all of the code!

"provides" statements should be pinned to the full (sub)package
version, so that we can later generate versioned "depends" for shared
libraries.

Fixes: chainguard-dev#1621

Signed-off-by: Sergio Durigan Junior <[email protected]>
This field stores a pointer to the current PkgResolver related to the
build being analyzed.  It's useful later during SCA when we will need
to determine which package provides a specific shared library.

PkgResolver is only applicable when there's a build context involved.
This means that "melange scan" won't be able to access it.

Signed-off-by: Sergio Durigan Junior <[email protected]>
InstalledPackages returns a list of all installed packages in the
current build environment.  This includes the package and all the
subpackages being analyzed.

PkgResolver returns the pointer to the PkgResolver associated with the
build.

Signed-off-by: Sergio Durigan Junior <[email protected]>
This function tries to determine the exact version of the package that
provides a specific shared library.  It does that by using PkgResolver
to generate a list of packages providing said library, and then
verifying which package version is installed in the build environment.

Signed-off-by: Sergio Durigan Junior <[email protected]>
Whenever possible, SCA will generate versioned "depends" lines for
shared libraries.

Instead of:

  depend = so:libz.so.1

we shall see:

  depend = so:libz.so.1=1.3.1-r6

Signed-off-by: Sergio Durigan Junior <[email protected]>
For now these don't do anything.

Signed-off-by: Sergio Durigan Junior <[email protected]>
@sergiodj sergiodj force-pushed the versioned-shlib-depends-provides branch 2 times, most recently from 7ab97e3 to d596bfe on March 28, 2025 22:01
We need the latest APKO to build melange.

Signed-off-by: Sergio Durigan Junior <[email protected]>
@sergiodj sergiodj force-pushed the versioned-shlib-depends-provides branch from d596bfe to 9627d68 on March 28, 2025 22:20