feat: langmgr and python #1091
base: main
Conversation
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Codecov Report

❌ Patch coverage is

Coverage Diff | main | #1091 | +/- |
---|---|---|---|
Coverage | 48.80% | 49.45% | +0.64% |
Files | 35 | 38 | +3 |
Lines | 4143 | 5136 | +993 |
Hits | 2022 | 2540 | +518 |
Misses | 1985 | 2433 | +448 |
Partials | 136 | 163 | +27 |
Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
…trieval functionality Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
…und for buildx v0.25.0 bug Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
…nutes Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
Pull Request Overview
This PR introduces experimental app-level patching support for Python packages, extending Copa's patching capabilities beyond OS packages to include application-level dependencies. The feature is gated behind the `COPA_EXPERIMENTAL=1` environment variable and introduces new flags for package type filtering and library patch level control.
- Adds scaffolding for experimental app-level patching with initial Python support
- Introduces package type filtering (`--pkg-types`) to separate OS and library patching
- Implements patch level control (`--library-patch-level`) for conservative version upgrades
Reviewed Changes
Copilot reviewed 38 out of 39 changed files in this pull request and generated 6 comments.
File | Description |
---|---|
website/sidebars.js | Adds navigation entry for app-level patching documentation |
website/docs/app-level-patching.md | Comprehensive documentation for the new app-level patching feature |
pkg/types/unversioned/types.go | Updates manifest structure to separate OS and language updates |
pkg/report/trivy.go | Implements version selection logic and Python package parsing |
pkg/langmgr/python.go | Core Python package manager implementation |
pkg/patch/cmd.go | Adds experimental CLI flags for package types and patch levels |
pkg/patch/core.go | Integrates language managers into the core patching workflow |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
@@ -0,0 +1,176 @@ | |||
--- |
should we also update website/docs/scanner-plugins.md since the interface UpdatedManifest will change?
i missed this, good point! introduced v1alpha2 to support app patching flow, kept v1alpha1 for now
version := strings.TrimSpace(parts[1]) | ||
installedPkgs[pkgName] = version | ||
} else { | ||
// Handle other formats that might be encountered in pip freeze output |
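Review bot: the else branch that closes this region carries only the comment about other pip freeze formats and no handling, so any line that is not of the `name==version` form is dropped from installedPkgs without a trace, which under-reports what is installed and therefore what gets patched; at minimum log the unmatched line so the gap is diagnosable, and state the limitation in the app-level-patching docs until a follow-up handles the other forms.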
is this a TODO or will this be a limitation of the python library patching?
@robert-cronin let's do a follow up on this when/if we encounter any that's not ==
type UpdateMap map[string]*UpdatePackageInfo | ||
|
||
func GetValidatedUpdatesMap( | ||
updates unversioned.LangUpdatePackages, |
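Review bot: the exported type UpdateMap and function GetValidatedUpdatesMap in this region have no doc comments, which golint/revive will flag; a one-line comment on each saying what "validated" means here (which entries of the LangUpdatePackages input are rejected, e.g. a fixed version not greater than the installed one) lets the caller in pkg/patch/core.go rely on the contract without reading the body.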
since the functionality for validating updates and version comparing is similar to what we do for pkgmgr, maybe we could combine this into a helper folder to share the code?
can we do a follow up for this one
Force-pushed from b4706cd to b5bceba
OSUpdates UpdatePackages `json:"osupdates"` | ||
LangUpdates LangUpdatePackages `json:"langupdates"` |
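Review bot: the new LangUpdates field changes the manifest that scanner plugins emit and Copa parses; since OS-only plugins will not populate it, consider `json:"langupdates,omitempty"` so their output stays unchanged, and make the consumer treat a missing or nil LangUpdates as "no language updates" explicitly rather than as a parse error. The new field names also belong in website/docs/scanner-plugins.md.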
can both OSUpdates and LangUpdates be of type UpdatePackages?
I wanted to keep these separately so we can define a boundary between OS and Lang updates
idxBytes, desc, err := resolver.Combine(ctx, srcRefs, annotations, false) | ||
if err != nil { | ||
return fmt.Errorf("failed to combine sources into manifest list: %w", err) | ||
} | ||
|
||
// Workaround for buildx v0.25.0 bug: manually inject index-level annotations into manifest bytes | ||
// TODO: fixed in buildx v0.26.0+ so remove after upgrading |
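Review bot: the TODO that ends this region records the buildx version that makes the workaround unnecessary only in a comment, so nothing fails when buildx is upgraded and the manual injection into the manifest bytes silently keeps running; guard it with a test that asserts the index-level annotations are present from resolver.Combine alone (or with an explicit buildx version check) so the removal is forced rather than remembered.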
I think we're close to solving this TODO, just flagging it here
can we open a new pr for this
Force-pushed from fd420f3 to ca7aedf
Signed-off-by: Sertac Ozercan sozercan@gmail.com
Part of #147
Hold merge after current release
Adds experimental app-level patching support with Python language manager
This PR introduces scaffolding for experimental support for patching application-level dependencies (libraries/packages) in addition to OS packages, with initial Python support.
Key Features

- 🔬 Experimental Feature: gated behind the `COPA_EXPERIMENTAL=1` environment variable
- 📦 Package Type Filtering: `--pkg-types` flag with values `os`, `library`, `os,library`. Default: `os` (maintains backward compatibility)
- 🎯 Patch Level Control: `--library-patch-level` flag with values `patch`, `minor`, `major`. Default: `patch` for conservative updates
- 🐍 Python Support: `pip`-managed Python packages. Other package managers are not considered for this initial PR. `certifi` (always latest version)

Example Usage
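The `--library-patch-level` selection described in the feature list above, written out as an added Go example that is not Copa's own code (the logic in pkg/report/trivy.go is not reproduced here); it assumes plain numeric versions and that the smallest fixed version satisfying the level is the one chosen, and it fails closed on an unknown level or an unparseable installed version:

```go
package main

import "strconv"
import "strings"

// levelRank maps --library-patch-level to the leftmost version component an upgrade may change.
var levelRank = map[string]int{"major": 0, "minor": 1, "patch": 2}

// parseVersion turns "1", "1.2" or "1.2.3" into a numeric triple (assumption: no PEP 440 suffixes).
func parseVersion(s string) (v [3]int, ok bool) {
	for i, p := range strings.Split(strings.TrimSpace(s), ".") {
		n, err := strconv.Atoi(p)
		if err != nil || i > 2 {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

// newer reports whether b is newer than a and where they first differ (3 if equal); 1.10.0 > 1.9.0 numerically.
func newer(a, b [3]int) (bool, int) {
	d := 0
	for d < 3 && a[d] == b[d] {
		d++
	}
	return d < 3 && a[d] < b[d], d
}

// SelectFix returns the lowest fixed version above installed that the level permits
// (assumption: smallest qualifying jump); ok=false means every fix exceeds the level.
func SelectFix(installed string, fixed []string, level string) (best string, ok bool) {
	rank, known := levelRank[level]
	cur, valid := parseVersion(installed)
	if !known || !valid {
		return "", false
	}
	var bestV [3]int
	for _, f := range fixed {
		v, valid := parseVersion(f)
		// Skip malformed or not-newer fixes, and any whose first change is left of the allowed component.
		if up, d := newer(cur, v); !valid || !up || d < rank {
			continue
		}
		if lower, _ := newer(v, bestV); !ok || lower {
			bestV, best, ok = v, f, true
		}
	}
	return best, ok
}
```

A package whose only fixes exceed the level gets ok=false, which is the case a report should surface rather than silently upgrade past what the operator allowed.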