all: account for language package overwrites#1275
github-actions[bot] merged 1 commit into quay:main from RTann:language-pkg-overwrite
Conversation
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##             main    #1275      +/-   ##
==========================================
+ Coverage   55.41%   55.73%   +0.32%
==========================================
  Files         282      278       -4
  Lines       17890    17806      -84
==========================================
+ Hits         9914     9925      +11
+ Misses       6934     6839      -95
  Partials     1042     1042
Though this does not explicitly touch package scanners, this still may merit a reindex. Thoughts?
gobin/coalescer.go
This seems to be copy-pasted; why?
The rest were definite copy/pastes of each other. This one is slightly unique, so I copied over the related change, but kept the fact this is still mildly different from the rest. Do you think this coalescer should just match the rest?
I updated it to also move this into the language-agnostic coalescer. The parts of this which were unique were not very necessary (I think)
language/coalescer.go
// For language packages, it is possible the
// packageDB is overwritten.
Yeah this package needs to document this assumption, and we need to check that the uses actually work that way.
- gobin
- java
- nodejs
- python
- ruby
just curious why gobin is already checked
I read through it to see what it did.
I think I'd need more clarity on the exact ask. Depending on the image builder, the file may either be updated or deleted and recreated. The changes I made attempt to account for both. Not sure if that's what the question is asking about or something else.
Yeah, needs the version changed in every indexer that's moving to it.
crozzy
left a comment
Looks like it's in good shape, a few comments.
BradLugo
left a comment
LGTM. I think there are improvements we can make to the code we're moving over (clarify comments, add obvious error in test), but we can save it for a future cleanup. lmk if you want to post those reviews (I ended up deleting them after realizing I was commenting on code that was being moved)
@BradLugo please leave any comments you have!
Signed-off-by: RTann <rtannenb@redhat.com>
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
/fast-forward
This was originally discovered in StackRox Scanner V2: stackrox/stackrox#7033

StackRox now offers a Scanner based on ClairCore, which also has this same problem. The issue is that ClairCore does not consider the fact that the image build system may decide to overwrite the language package instead of deleting and recreating it.

This was demonstrated in the OCI image namloc2001/nodesem:a.

Each language's package scanner implements DefaultRepoScanner, which means there is only a single (related) repository per layer, and it only exists if the layer has (related) packages. Each language's coalescer is also more-or-less the same (Go's was unique, but the unique parts of it are unnecessary, as those checks will definitely hold true based on how the Ecosystem is set up), so I decided to make a single, shared coalescer for the languages.
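To make the overwrite case concrete, here is an added, self-contained Go example that is not claircore's code and does not use its types or API. It models a coalescer over image layers with simplified, constructed `Package` and `Layer` types: `naiveCoalesce` only honours whiteouts (the behaviour the description and the "updated or deleted and recreated" comment above say was missing), so a packageDB rewritten in place in a later layer leaves stale records behind; `coalesce` treats any packageDB reported by a later layer as the authoritative view of that file, which covers both the rewrite and the delete-and-recreate cases. The sample layers (a `semver` upgrade in `/app/node_modules/semver/package.json`) are constructed for the example and are not the contents of the `namloc2001/nodesem:a` image.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is a simplified language package record (constructed for this
// example; not claircore's Package type). PackageDB is the path of the file
// the package was found in, e.g. a package.json.
type Package struct {
	Name      string
	Version   string
	PackageDB string
}

// Layer is one image layer: the packages its language scanners reported for
// files present in that layer, plus any paths the layer removes via whiteout.
type Layer struct {
	Digest   string
	Packages []Package
	Whiteout []string
}

// key identifies a package record within one packageDB.
func key(p Package) string { return p.PackageDB + "\x00" + p.Name + "\x00" + p.Version }

// naiveCoalesce only honours whiteouts. A packageDB rewritten in a later layer
// (same path, new contents, no whiteout) keeps the stale records from the
// earlier layer, so both versions are reported.
func naiveCoalesce(layers []Layer) []Package {
	found := map[string]Package{}
	for _, l := range layers {
		for _, path := range l.Whiteout {
			for k, p := range found {
				if p.PackageDB == path {
					delete(found, k)
				}
			}
		}
		for _, p := range l.Packages {
			found[key(p)] = p
		}
	}
	return sorted(found)
}

// coalesce treats a packageDB that appears in a later layer as overwritten:
// that layer's records for the path replace every earlier record for it,
// whether the builder rewrote the file in place or deleted and recreated it.
// Whiteouts are still honoured. This models the fix; it is not claircore's code.
func coalesce(layers []Layer) []Package {
	byDB := map[string]map[string]Package{} // packageDB -> key -> Package
	for _, l := range layers {
		for _, path := range l.Whiteout {
			delete(byDB, path)
		}
		seen := map[string]bool{}
		for _, p := range l.Packages {
			if !seen[p.PackageDB] {
				byDB[p.PackageDB] = map[string]Package{} // drop stale records
				seen[p.PackageDB] = true
			}
			byDB[p.PackageDB][key(p)] = p
		}
	}
	found := map[string]Package{}
	for _, pkgs := range byDB {
		for k, p := range pkgs {
			found[k] = p
		}
	}
	return sorted(found)
}

func sorted(m map[string]Package) []Package {
	out := make([]Package, 0, len(m))
	for _, p := range m {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return key(out[i]) < key(out[j]) })
	return out
}

// Versions renders a result as "name@version,..." for easy comparison.
func Versions(pkgs []Package) string {
	parts := make([]string, 0, len(pkgs))
	for _, p := range pkgs {
		parts = append(parts, p.Name+"@"+p.Version)
	}
	return strings.Join(parts, ",")
}

// SampleLayers is a constructed two-layer image: layer 1 installs semver 5.7.0
// and layer 2 rewrites the same package.json with 7.5.4 (upgrade in place).
var SampleLayers = []Layer{
	{Digest: "sha256:layer1", Packages: []Package{{Name: "semver", Version: "5.7.0", PackageDB: "/app/node_modules/semver/package.json"}}},
	{Digest: "sha256:layer2", Packages: []Package{{Name: "semver", Version: "7.5.4", PackageDB: "/app/node_modules/semver/package.json"}}},
}

func main() {
	fmt.Println("naive:", Versions(naiveCoalesce(SampleLayers))) // semver@5.7.0,semver@7.5.4
	fmt.Println("fixed:", Versions(coalesce(SampleLayers)))      // semver@7.5.4
}
```

The design choice that matters is the unit of replacement: because each layer's scanner only reports packages for files present in that layer's tar, the presence of a packageDB path in a later layer is itself the signal that the earlier view of that file is stale. The naive version can only learn that from a whiteout, which is why an in-place rewrite leaves the older version (and any vulnerabilities matched against it) in the report.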