fix(scanner): parsing apt cache policy for nvidia-container-toolkit #1786

Merged
merged 2 commits into from
Nov 13, 2023

@kl-sinclair kl-sinclair commented Nov 7, 2023

What did you implement:

The repository for NVIDIA Container Toolkit has a different format for apt-cache policy.

$ LANGUAGE=en_US.UTF-8 apt-cache policy wget
wget:
  Installed: 1.20.3-1ubuntu1
  Candidate: 1.20.3-1ubuntu2
  Version table:
     1.20.3-1ubuntu2 500
        500 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
 *** 1.20.3-1ubuntu1 500
        500 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

All other packages have 5 fields separated by whitespace.

$ LANGUAGE=en_US.UTF-8 apt-cache policy nvidia-container-toolkit
nvidia-container-toolkit:
  Installed: 1.14.3-1
  Candidate: 1.14.3-1
  Version table:
 *** 1.14.3-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
        100 /var/lib/dpkg/status
     1.14.2-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.1-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.0-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages

But the nvidia-container-toolkit has 4 fields, including a blank repo (maybe)

If the nvidia-container-toolkit is installed and updatable for a new version, when you scan with fast-root mode, the following will happen:

# vuls scan

...

ERROR [localhost] Failed to scan installed packages: Failed to fill candidate versions. err: Failed to parse Unknown Format: nvidia-container-toolkit:
  Installed: 1.13.4-1
  Candidate: 1.14.3-1
  Version table:
     1.14.3-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.2-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.1-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.0-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.13.5-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
 *** 1.13.4-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
        100 /var/lib/dpkg/status

...

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  • Install nvidia-container-toolkit with an older version
$ distribution=$(. /etc/os-release;echo $ID$VERSION_ID) \
      && curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
      && curl -s -L https://nvidia.github.io/libnvidia-container/$distribution/libnvidia-container.list | \
            sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
            sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list \
      && sudo apt-get update

$ sudo apt-get install -y nvidia-container-toolkit=1.13.4-1
  • Check nvidia-container-toolkit is updatable
$ LANGUAGE=en_US.UTF-8 apt-cache policy nvidia-container-toolkit
nvidia-container-toolkit:
  Installed: 1.13.4-1
  Candidate: 1.14.3-1
  Version table:
     1.14.3-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.2-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.1-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.14.0-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
     1.13.5-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
 *** 1.13.4-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
        100 /var/lib/dpkg/status
     1.13.3-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
     1.13.2-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
     1.13.1-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
     1.13.0-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages

...
  • Scan localhost with fast-root mode
# vuls scan

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

@kl-sinclair kl-sinclair self-assigned this Nov 7, 2023
@kl-sinclair kl-sinclair marked this pull request as ready for review November 10, 2023 15:09
@kotakanbe kotakanbe merged commit bced16f into future-architect:master Nov 13, 2023
4 checks passed
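
The format difference described in this PR, as an added example that is not the project's code or the merged fix: a small parser that accepts both the 5-field source line and the 4-field NVIDIA line with its blank repo field, so one third-party repository does not abort candidate-version collection. `Policy`, `ParsePolicy` and `nvidiaSample` are hypothetical names, and the sample is constructed from the output quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a hypothetical result type for this example.
type Policy struct{ Installed, Candidate, Repo string }

// nvidiaSample is constructed from the failing output quoted in the PR (trimmed).
const nvidiaSample = `nvidia-container-toolkit:
  Installed: 1.13.4-1
  Candidate: 1.14.3-1
  Version table:
     1.14.3-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages
 *** 1.13.4-1 500
        500 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64  Packages
        100 /var/lib/dpkg/status
`

// ParsePolicy returns installed/candidate versions and the candidate's repo.
// Source rows split on single spaces give 5 fields for Ubuntu archives and
// 4 (with an empty repo field) for the NVIDIA repository; both are accepted.
func ParsePolicy(out string) (Policy, error) {
	var p Policy
	underCandidate := false
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "Installed:":
			p.Installed = f[1]
		case len(f) == 2 && f[0] == "Candidate:":
			p.Candidate = f[1]
		case !strings.HasPrefix(line, "        "): // version row: "[***] <ver> <prio>"
			underCandidate = len(f) >= 2 && f[len(f)-2] == p.Candidate
		case underCandidate: // source row belonging to the candidate version
			ss := strings.Split(strings.TrimSpace(line), " ")
			if len(ss) == 5 || (len(ss) == 4 && ss[2] == "") {
				p.Repo = ss[2]
				return p, nil
			}
		}
	}
	return p, fmt.Errorf("unknown apt-cache policy format")
}

func main() { fmt.Println(ParsePolicy(nvidiaSample)) }
```

Input that matches neither shape still returns an error, so a caller can log and skip that one package rather than treat an empty repo as a parse failure.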