jagonalez
Contributor

Overview

  • change to scan all layers (the "squashed" layers first, then the base layer) for os information. This change could technically cause os information to differ from previous scans, since we previously only checked the base layer. A layer further down the chain could update the os information. If someone feels strongly that we should only check for os info after none is found in the base layer, I'm happy to make the change; this feels more accurate though.

Acceptance criteria

  • os info is retrieved even if it exists in another layer

Testing plan

  • download the tarballs from the ANE on-call ticket, specifically 1.52.0, then run an analysis on it and check that dependencies are reported.
  • try it on cgr.dev/chainguard/glibc-dynamic:latest-dev and check that dependencies are also reported

Risks

  • I highlighted it in my overview but this change could cause os-information to change between the previous container scans.

Metrics

n/a

References

https://fossa.atlassian.net/browse/ANE-2575

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

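The layer-ordering change described in the PR, as an added illustration that is not fossa-cli code: a constructed layer model in which the new scan consults the newest layer first and falls back toward the base, compared with the previous base-only behaviour. The two sample images, the `Layer` type, and the helper names are assumptions for this example.

```python
import shlex
from typing import Dict, List, Optional

# A layer is modelled as path -> file content; layers are listed base first,
# in the order they were applied to the image. (Constructed model, not fossa-cli's.)
Layer = Dict[str, str]
OS_RELEASE_PATHS = ("/etc/os-release", "/usr/lib/os-release")


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse os-release KEY=VALUE lines; values may be shell-quoted."""
    info: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value, comments=True)  # strip quotes and trailing comments
        info[key] = parts[0] if parts else ""
    return info


def os_info_base_only(layers: List[Layer]) -> Optional[Dict[str, str]]:
    """Previous behaviour: only the base layer is consulted."""
    for path in OS_RELEASE_PATHS:
        if path in layers[0]:
            return parse_os_release(layers[0][path])
    return None


def os_info_all_layers(layers: List[Layer]) -> Optional[Dict[str, str]]:
    """New behaviour: newest layer first, falling back toward the base layer."""
    for layer in reversed(layers):
        for path in OS_RELEASE_PATHS:
            if path in layer:
                return parse_os_release(layer[path])
    return None


# Constructed image 1: the base has no os-release, a later layer adds one.
LATER_LAYER_IMAGE: List[Layer] = [
    {"/usr/lib/ld-linux-x86-64.so.2": "<binary>"},
    {"/etc/os-release": "ID=wolfi\nVERSION_ID=20230201\n"},
]
# Constructed image 2: a later layer rewrites the base's os-release, so the
# result differs from a base-only scan (the risk noted in the PR).
OVERRIDE_IMAGE: List[Layer] = [
    {"/etc/os-release": 'ID=debian\nVERSION_ID="12"\nPRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\n'},
    {"/usr/bin/app": "<binary>"},
    {"/etc/os-release": "ID=alpine\nVERSION_ID=3.20.1\n"},
]
```

Running `os_info_base_only` and `os_info_all_layers` over `OVERRIDE_IMAGE` shows the scan result changing from Debian to Alpine, which is the behavioural difference the Risks section warns about.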
@jagonalez jagonalez requested a review from csasarak July 23, 2025 19:50
@jagonalez jagonalez marked this pull request as ready for review July 23, 2025 19:50
@jagonalez jagonalez requested a review from a team as a code owner July 23, 2025 19:50
@csasarak csasarak left a comment

Looks good, thanks!

@jagonalez jagonalez merged commit db46e95 into master Jul 23, 2025
19 of 20 checks passed
@jagonalez jagonalez deleted the jg/ane-2575 branch July 23, 2025 22:12
james-fossa added a commit that referenced this pull request Aug 7, 2025
… flag. (#1573)

* gradle: exclude constraints when retrieving dependencies (#1563)

* [ane-2575] scan all layers for os info (#1566)

* scan all layers for os info

* add test

* lint

* accidentally on purpose

* whitespace

* typo

* update changelog

* no need to log

* prepare for release

* WIP

* WIP

* Get ficus wired in and at least vaguely tested. More to do to get tests to be coherent.

Now we're cooking with gas:
```
Running Ficus analysis on /Users/jclemer/wam/
[DEBUG] Executing ficus
[DEBUG] Ficus returned 4 errors, 0 debug messages, 1 findings
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/index",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.idx",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.pack",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.rev",
      },
  )
FINDING fingerprint: {"analysis_id":15}
Ficus analysis completed successfully with analysis ID: 15
```

* Fixing up formatting

* [ANE-2484] Add ficus to extra-source files

* Fix FICUS_ASSET_POSTFIX to match changed release

* Fix Windows postfix for changed release

* Change themis arch in suffix

---------

Co-authored-by: Jeremy Gonzalez <jeremy@fossa.com>
james-fossa added a commit that referenced this pull request Aug 11, 2025
* [ANE-2484] Download ficus in vendor_download.sh

* [ANE-2484] Listen to shellcheck's wisdom

* [ANE-2484][ANE-2503] Actually call Ficus, use `--x-snippet-scan` as a flag. (#1573)

* Caveperson debug vendor_download

---------

Co-authored-by: Jeremy Gonzalez <jeremy@fossa.com>