[
{
"path": ".chglog/CHANGELOG.tpl.md",
"content": "{{ if .Versions -}}\n: \n\n\n\n\n```\n\nThe first line is the subject and should be no longer than 70 characters, the second line is always blank, and other lines should be wrapped at 80 characters.\nThis allows the message to be easier to read on GitHub as well as in various git tools.\n"
},
{
"path": ".github/ISSUE_TEMPLATE.md",
"content": "\n\n### Description of Problem / Feature Request\n\n\n\n### Expected Outcome\n\n\n\n### Actual Outcome\n\n\n\n\n### Environment\n\n\n\n- Clair version/image: \n- Clair client name/version: \n- Host OS: \n- Kernel (e.g. `uname -a`): \n- Kubernetes version (use `kubectl version`): \n- Network/Firewall setup: \n"
},
{
"path": ".github/actions/documentation/action.yml",
"content": "name: 'Documentation'\ndescription: 'build with mdBook and optionally push'\ninputs:\n publish:\n description: 'push resulting files to gh-pages'\n default: 'true'\n token:\n description: 'github token'\n default: ${{ github.token }}\nruns:\n using: 'composite'\n steps:\n - uses: peaceiris/actions-mdbook@v1\n with:\n mdbook-version: 'latest'\n - shell: sh\n run: |\n d=\"$(echo \"${GITHUB_REF#refs/tags/}\" | sed '/^refs\\/heads\\//d')\"\n if test -z \"$d\"; then\n exec mdbook build\n else\n exec mdbook build --dest-dir \"./book/${d}\"\n fi\n - if: ${{ inputs.publish == 'true' }}\n uses: peaceiris/actions-gh-pages@v3\n with:\n github_token: ${{ inputs.token }}\n publish_dir: ./book\n keep_files: true\n"
},
{
"path": ".github/actions/go-cache/action.yml",
"content": "name: 'Go cache'\ndescription: 'cache go modules, and build artifacts'\ninputs:\n go:\n description: 'Go version to use'\nruns:\n using: 'composite'\n steps:\n - uses: actions/cache@v4\n with:\n path: |\n ~/.cache/go-build\n ~/go/pkg/mod\n key: ${{ runner.os }}-go${{ inputs.go }}-${{ hashFiles('**/go.sum') }}\n restore-keys: |\n ${{ runner.os }}-go${{ inputs.go }}\n - shell: bash\n run: |\n find . -name go.mod -type f -printf '%h\\n' | while read dir; do\n cd \"$dir\"\n go mod download\n done\n"
},
{
"path": ".github/actions/go-tidy/action.yml",
"content": "name: 'Go tidy'\ndescription: 'check that all modules are tidy-clean'\ninputs:\n go:\n description: 'Go version to use'\n dir:\n description: 'module root directory'\n default: '.'\nruns:\n using: 'composite'\n steps:\n - uses: ./.github/actions/go-cache\n with:\n go: ${{ inputs.go }}\n - run: |\n cd \"${{ inputs.dir }}\"\n go mod tidy\n git diff --exit-code\n shell: bash\n"
},
{
"path": ".github/actions/set-image-expiration/action.yml",
"content": "name: 'Set Image Expiration'\ndescription: 'Use the Quay API to set an expiration time on an image'\ninputs:\n quay:\n description: 'Quay instance to issue calls to.'\n required: false\n default: 'quay.io'\n duration:\n description: 'Duration (in seconds) into the future to expire the image.'\n required: false\n default: '1209600'\n repo:\n description: 'Namespace & repository'\n required: true\n tag:\n description: 'image tag'\n required: true\n token:\n description: 'API token'\n required: true\nruns:\n using: 'composite'\n steps:\n - id: add-mask\n name: Add Mask\n shell: sh\n run: |\n printf '::add-mask::%s\\n' \"${{ inputs.token }}\"\n - id: write-script\n name: Prepare Request\n shell: sh\n run: |\n jq -n -c --argjson e \"$(($(date -u +%s) + ${{ inputs.duration }}))\" '{expiration: $e}' > \"${RUNNER_TEMP}/expiration.json\"\n cat <<. >\"${RUNNER_TEMP}/run\"\n #!/usr/bin/env -S curl -K\n silent\n show-error\n fail-with-body\n data-binary=\"@${RUNNER_TEMP}/expiration.json\"\n header=\"Authorization: Bearer ${{ inputs.token }}\"\n header=\"Content-Type: application/json\"\n header=\"Accept: application/json\"\n request=PUT\n url=\"https://${{ inputs.quay }}/api/v1/repository/${{ inputs.repo }}/tag/${{ inputs.tag }}\"\n .\n chmod +x \"${RUNNER_TEMP}/run\"\n - id: call\n name: Execute Request\n shell: sh\n run: '${RUNNER_TEMP}/run'\n"
},
{
"path": ".github/dependabot.yml",
"content": "version: 2\nupdates:\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n interval: \"weekly\"\n - package-ecosystem: \"gomod\"\n directory: \"/\"\n allow:\n - dependency-type: \"direct\"\n schedule:\n interval: \"weekly\"\n commit-message:\n prefix: \"chore\"\n include: \"scope\"\n groups:\n otel:\n patterns:\n - \"go.opentelemetry.io/otel/*\"\n golang-x:\n patterns:\n - \"golang.org/x/*\"\n - package-ecosystem: \"gomod\"\n directory: \"/config\"\n allow:\n - dependency-type: \"direct\"\n schedule:\n interval: \"weekly\"\n commit-message:\n prefix: \"chore\"\n include: \"scope\"\n groups:\n otel:\n patterns:\n - \"go.opentelemetry.io/otel/*\"\n golang-x:\n patterns:\n - \"golang.org/x/*\"\n"
},
{
"path": ".github/issue-close-app.yml",
"content": "comment: \"This issue is closed because it does not meet our issue template. Please read it.\"\nissueConfigs:\n- content:\n - \"### Environment\"\n"
},
{
"path": ".github/script/nightly-module.sh",
"content": "#!/bin/sh\nset -e\n: \"${CLAIRCORE_BRANCH:=main}\"\ncd \"$(git rev-parse --show-toplevel)\"\ntest -d vendor && rm -rf vendor\n\necho \"::group::Edits\"\ngo mod edit \\\n\t\"-replace=github.com/quay/claircore=github.com/quay/claircore@${CLAIRCORE_BRANCH}\"\ngo mod tidy\ngo mod download # Shouldn't be needed, but just to be safe...\necho \"::endgroup::\"\n\nclair_version=\"$(git describe --tags --always --dirty --match 'v4.*')\"\necho \"clair_version=${clair_version}\" >> \"$GITHUB_OUTPUT\"\n\ncat <<. >>\"$GITHUB_STEP_SUMMARY\"\n### Changes\n\n- **Go version:** $(go version)\n- **Clair version:** ${clair_version}\n.\n{\n\techo '```patch'\n\tgit diff\n\techo '```' \n} >>\"$GITHUB_STEP_SUMMARY\"\n"
},
{
"path": ".github/workflows/.gitignore",
"content": "yq\nyajsv\n*.json-schema\n"
},
{
"path": ".github/workflows/.yamllint",
"content": "---\nextends: default\nrules:\n line-length: false\n truthy:\n check-keys: false\n"
},
{
"path": ".github/workflows/Makefile",
"content": "check: github-workflow.json-schema yajsv yq\n\tfor f in *.yml; do ./yq -o json \"$$f\" > \"$${f%yml}json\"; done\n\t./yajsv -s $< *.json\n\trm *.json\n\tcommand -v yamllint >/dev/null 2>&1 && yamllint .\n\nclean:\n\trm -rf yq yajsv github-workflow.json-schema\n\n.PHONY: check clean\n\nyq:\n\tcd /tmp && GOBIN=$(PWD) go install github.com/mikefarah/yq/v4@latest\n\nyajsv:\n\tcd /tmp && GOBIN=$(PWD) go install github.com/neilpa/yajsv@latest\n\ngithub-workflow.json-schema:\n\tcurl -sSLf https://github.com/SchemaStore/schemastore/raw/master/src/schemas/json/github-workflow.json > $@\n"
},
{
"path": ".github/workflows/check-fast-forward.yml",
"content": "---\nname: Check Fast Forward\non:\n pull_request:\n types: [opened, reopened, synchronize]\njobs:\n check-fast-forward:\n runs-on: ubuntu-latest\n\n permissions:\n contents: read\n # We appear to need write permission for both pull-requests and\n # issues in order to post a comment to a pull request.\n pull-requests: write\n issues: write\n\n steps:\n - name: Checking if fast forwarding is possible\n uses: sequoia-pgp/fast-forward@v1\n with:\n merge: false\n comment: on-error\n"
},
{
"path": ".github/workflows/config-ci.yml",
"content": "---\nname: Config module CI\n\non:\n push:\n paths:\n - config/**\n branches:\n - main\n - release-4.*\n pull_request:\n paths:\n - config/**\n branches:\n - main\n - release-4.*\n\njobs:\n commit-check:\n name: Commit Check\n runs-on: ubuntu-latest\n steps:\n - name: Commit Check\n uses: gsactions/commit-message-checker@v2\n with:\n pattern: |\n ^[^:!]+: .+\\n\\n.*$\n error: 'Commit must begin with : '\n flags: 'gm'\n excludeTitle: true\n excludeDescription: true\n checkAllCommitMessages: true\n accessToken: ${{ secrets.GITHUB_TOKEN }}\n\n tidy:\n name: Tidy\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n id: checkout\n if: ${{ !cancelled() }}\n uses: actions/checkout@v6\n - name: Setup Go\n id: setupgo\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}\n uses: actions/setup-go@v6\n with:\n cache: false\n go-version-file: ./config/go.mod\n - name: Go Tidy\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' && steps.setupgo.conclusion == 'success' }}\n working-directory: ./config\n run: |\n trap 'echo \"::error file=go.mod,title=Tidy Check::Commit would leave go.mod untidy\"' ERR\n go mod tidy\n git diff --exit-code\n\n tests:\n name: Tests\n if: ${{ !cancelled() }}\n uses: ./.github/workflows/tests.yml\n with:\n cd: config\n package_expr: ./...\n qemu: false\n"
},
{
"path": ".github/workflows/cut-release.yml",
"content": "---\nname: Release\n\non:\n push:\n tags:\n - v4.*\n workflow_dispatch: {}\n\njobs:\n config:\n name: Config\n runs-on: 'ubuntu-latest'\n strategy:\n matrix:\n image: ['quay.io/projectquay/golang:1.25']\n container:\n image: ${{ matrix.image }}\n outputs:\n version: ${{ steps.setup.outputs.version }}\n tar_prefix: ${{ steps.setup.outputs.tar_prefix }}\n is_prerelease: ${{ startsWith(github.ref, 'refs/tags/') && (contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc')) }}\n image_tag: ${{ steps.setup.outputs.image_tag }}\n image_repo: ${{ steps.setup.outputs.image_repo }}\n build_image: ${{ steps.setup.outputs.build_image }}\n build_go_version: ${{ steps.setup.outputs.build_go_version }}\n build_cache_key: ${{ steps.setup.outputs.cache_key }}\n chglog_version: ${{ '0.15.1' }}\n steps:\n - name: Setup\n id: setup\n run: |\n : \"${tag:=\"$(basename \"${GITHUB_REF}\")\"}\"\n : \"${repo:=$GITHUB_REPOSITORY}\"\n test \"${GITHUB_REPOSITORY_OWNER}\" = quay && repo=\"projectquay/${GITHUB_REPOSITORY##*/}\" ||:\n cat <<. >>\"$GITHUB_OUTPUT\"\n version=$tag\n tar_prefix=clair-${tag}/\n image_tag=${tag#v}\n image_repo=${repo}\n build_image=${{ matrix.image }}\n build_go_version=$(go version | cut -f 3 -d ' ' | sed 's/^go//;s/\\.[0-9]\\+$//')\n cache_key=$(go version | md5sum - | cut -f 1 -d ' ')\n .\n\n release-archive:\n name: Create Release Archive\n runs-on: 'ubuntu-latest'\n needs: [config]\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n - uses: ./.github/actions/go-cache\n with:\n go: ${{ needs.config.outputs.build_go_version }}\n - name: Create Release Archive\n run: |\n # Fix the checkout action overwriting the tag: (see https://github.com/actions/checkout/issues/882)\n git fetch origin \"+${GITHUB_REF}:${GITHUB_REF}\"\n git archive --prefix '${{ needs.config.outputs.tar_prefix }}' -o clair.tar \"${GITHUB_REF}\"\n go mod vendor\n tar -rf clair.tar --transform 's,^,${{ needs.config.outputs.tar_prefix }},' vendor\n gzip clair.tar\n mv clair.tar.gz clair-${{ needs.config.outputs.version }}.tar.gz\n - name: Cache Changelog\n uses: actions/cache@v5\n id: chglog-cache\n if: github.event_name != 'workflow_dispatch'\n with:\n path: /usr/local/bin/git-chglog\n key: changelog-${{ needs.config.outputs.chglog_version }}\n - name: Fetch Changelog\n if: steps.chglog-cache.outputs.cache-hit != 'true' && github.event_name != 'workflow_dispatch'\n run: |\n cd \"$RUNNER_TEMP\"\n v=\"${{ needs.config.outputs.chglog_version }}\"\n f=\"git-chglog_${v}_linux_amd64.tar.gz\"\n curl -fsOSL \"https://github.com/git-chglog/git-chglog/releases/download/v${v}/${f}\"\n tar xvf \"${f}\"\n install git-chglog /usr/local/bin\n - name: Generate changelog\n shell: bash\n if: github.event_name != 'workflow_dispatch'\n run: |\n v=\"${{ needs.config.outputs.version }}\"\n echo \"creating change log for tag: ${v}\"\n git-chglog \"${v}\" > changelog\n - name: Fake changelog\n if: github.event_name == 'workflow_dispatch'\n run: touch changelog\n - name: Upload Release Archive\n uses: actions/upload-artifact@v7\n with:\n name: clair-release\n path: |\n clair-${{ needs.config.outputs.version }}.tar.gz\n changelog\n if-no-files-found: error\n\n release-binaries:\n name: Create Release Binaries\n runs-on: 'ubuntu-latest'\n container: ${{ needs.config.outputs.build_image }}\n needs: [config, release-archive]\n strategy:\n matrix:\n goarch: ['arm64', 'amd64', '386', 'ppc64le', 's390x']\n goos: ['linux', 'windows', 'darwin']\n exclude:\n - goos: darwin\n goarch: '386'\n - goos: windows\n goarch: '386'\n - goos: windows\n goarch: 'ppc64le'\n - goos: darwin\n goarch: 'ppc64le'\n - goos: windows\n goarch: 's390x'\n - goos: darwin\n goarch: 's390x'\n env:\n GOOS: ${{matrix.goos}}\n GOARCH: ${{matrix.goarch}}\n steps:\n - name: Fetch Artifacts\n uses: actions/download-artifact@v7\n id: download\n with:\n name: clair-release\n - name: Unpack\n run: |\n tar -xz -f ${{steps.download.outputs.download-path}}/clair-${{ needs.config.outputs.version }}.tar.gz --strip-components=1\n - uses: actions/setup-go@v6\n with:\n go-version: ${{ needs.config.outputs.build_go_version }}\n - name: Build\n # Build with path trimming, ELF debug stripping, and no VCS injection (should be done by the `git archive` process).\n run: |\n go build\\\n -trimpath -ldflags=\"-s -w\" -buildvcs=false\\\n -o \"clairctl-${{matrix.goos}}-${{matrix.goarch}}\"\\\n ./cmd/clairctl\n - name: Upload\n uses: actions/upload-artifact@v7\n with:\n name: clairctl-${{matrix.goos}}-${{matrix.goarch}}\n path: clairctl-${{matrix.goos}}-${{matrix.goarch}}\n if-no-files-found: error\n\n release:\n name: Release\n runs-on: 'ubuntu-latest'\n if: github.event_name == 'push'\n needs: [config, release-archive, release-binaries]\n outputs:\n upload_url: ${{ steps.create_release.outputs.upload_url }}\n steps:\n - name: Fetch Artifacts\n uses: actions/download-artifact@v7\n id: download\n with:\n name: clair-release\n - name: Create Release\n uses: ncipollo/release-action@v1\n id: create_release\n with:\n name: ${{ needs.config.outputs.version }} Release\n bodyFile: ${{steps.download.outputs.download-path}}/changelog\n prerelease: ${{ needs.config.outputs.is_prerelease }}\n artifacts: '${{steps.download.outputs.download-path}}/clair-*'\n\n publish-container:\n name: Publish Container\n runs-on: 'ubuntu-latest'\n needs: [config, release-archive, release]\n steps:\n - name: Fetch Artifacts\n uses: actions/download-artifact@v7\n id: download\n with:\n name: clair-release\n - name: Set up QEMU\n uses: docker/setup-qemu-action@v3\n with:\n platforms: all\n - name: Set up Docker Buildx\n uses: docker/setup-buildx-action@v3\n - name: Login\n uses: docker/login-action@v3\n with:\n registry: quay.io\n username: ${{ secrets.QUAY_USER }}\n password: ${{ secrets.QUAY_TOKEN }}\n - name: Extract Release\n run: |\n mkdir \"${{ runner.temp }}/build\"\n tar -xz -f ${{steps.download.outputs.download-path}}/clair-${{ needs.config.outputs.version }}.tar.gz --strip-components=1 -C \"${{ runner.temp }}/build\"\n - name: Build Container\n uses: docker/build-push-action@v6\n with:\n cache-from: type=gha\n cache-to: type=gha,mode=max\n context: ${{ runner.temp }}/build\n platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x\n push: true\n tags: |\n quay.io/${{ needs.config.outputs.image_repo }}:${{ needs.config.outputs.image_tag }}\n - name: Checkout\n if: needs.config.outputs.is_prerelease == 'true'\n uses: actions/checkout@v6\n - name: Set Expiration\n if: needs.config.outputs.is_prerelease == 'true'\n uses: ./.github/actions/set-image-expiration\n with:\n repo: ${{ needs.config.outputs.image_repo }}\n tag: ${{ needs.config.outputs.image_tag }}\n token: ${{ secrets.QUAY_API_TOKEN }}\n\n publish-binaries:\n name: Publish Binaries\n runs-on: 'ubuntu-latest'\n needs: [release-archive, release]\n strategy:\n matrix:\n goarch: ['arm64', 'amd64', '386', 'ppc64le', 's390x']\n goos: ['linux', 'windows', 'darwin']\n exclude:\n - goos: darwin\n goarch: '386'\n - goos: windows\n goarch: '386'\n - goos: darwin\n goarch: ppc64le\n - goos: windows\n goarch: ppc64le\n - goos: windows\n goarch: 's390x'\n - goos: darwin\n goarch: 's390x'\n steps:\n - name: Fetch Artifacts\n uses: actions/download-artifact@v7\n id: download\n with:\n pattern: clairctl-*\n merge-multiple: true\n - name: Publish clairctl-${{matrix.goos}}-${{matrix.goarch}}\n uses: actions/upload-release-asset@v1\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n with:\n upload_url: ${{ needs.release.outputs.upload_url }}\n asset_path: ${{steps.download.outputs.download-path}}/clairctl-${{matrix.goos}}-${{matrix.goarch}}\n asset_name: clairctl-${{matrix.goos}}-${{matrix.goarch}}\n asset_content_type: application/octet-stream\n\n deploy-documentation:\n name: Deploy Documentation\n runs-on: ubuntu-latest\n needs: [release]\n steps:\n - uses: actions/checkout@v6\n - uses: ./.github/actions/documentation\n"
},
{
"path": ".github/workflows/documentation.yml",
"content": "---\nname: Deploy Main Documentation\n\non:\n push:\n branches:\n - main\n paths:\n - 'Documentation/**'\n\njobs:\n deploy-documentation:\n name: Deploy Documentation\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v6\n - uses: ./.github/actions/documentation\n"
},
{
"path": ".github/workflows/fast-forward.yml",
"content": "---\nname: Fast Forward\non:\n issue_comment:\n types: [created, edited]\n pull_request_review:\n types: [submitted]\njobs:\n fast-forward:\n # Only run if the comment or approval contains the /fast-forward command,\n # or if it was a dependabot PR.\n if: >-\n ${{\n ( github.event.issue.pull_request && contains(github.event.comment.body, '/fast-forward')) ||\n (\n github.event.review && github.event.review.state == 'approved' && (\n github.event.pull_request.user.url == 'https://api.github.com/users/dependabot%5Bbot%5D' ||\n contains(github.event.review.body, '/fast-forward')\n ))\n }}\n runs-on: ubuntu-latest\n\n permissions:\n contents: write\n pull-requests: write\n issues: write\n\n steps:\n - name: Fast forwarding\n uses: sequoia-pgp/fast-forward@v1\n with:\n merge: true\n comment: on-error\n"
},
{
"path": ".github/workflows/main.yml",
"content": "---\nname: CI\n\non:\n push:\n branches:\n - main\n - release-4.*\n pull_request:\n branches:\n - main\n - release-4.*\n\njobs:\n lints:\n name: Lints\n runs-on: ubuntu-latest\n steps:\n - name: Commit Check\n uses: gsactions/commit-message-checker@v2\n with:\n pattern: |\n ^[^:!]+: .+\\n\\n.*$\n error: 'Commit must begin with : '\n flags: 'gm'\n excludeTitle: true\n excludeDescription: true\n checkAllCommitMessages: true\n accessToken: ${{ secrets.GITHUB_TOKEN }}\n - name: Checkout\n id: checkout\n if: ${{ !cancelled() }}\n uses: actions/checkout@v6\n - name: Check Filenames\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}\n run: | # Check for all the characters Windows hates.\n git ls-files -- ':/:*[<>:\"|?*]*' | while read -r file; do\n printf '::error file=%s,title=Bad Filename::Disallowed character in file name\\n' \"$file\"\n done\n exit $(git ls-files -- ':/:*[<>:\"|?*]*' | wc -l)\n - name: Check Container Versions\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}\n run: |\n # awk ...\n version=$(sed -n '/^go /{s/go \\(1\\.[0-9]\\+\\)\\.[0-9]\\+/\\1/;p;q}' go.mod)\n {\n find . -name Dockerfile |\n xargs awk -v \"want=$version\" '/^ARG GO_VERSION/{split($2,ver,/=/);if(ver[2]!=want) printf \"%s\\t%d\\n\", FILENAME, FNR}'\n awk -v \"want=$version\" '/&go-image/{split($3,ref,/:/);if(ref[2]!=want) printf \"%s\\t%d\\n\", FILENAME, FNR}' docker-compose.yaml\n } |\n awk -v \"want=$version\" '{printf \"::error file=%s,line=%d,title=Go Version Skew::Go version does not match `go.mod`: want %s\\n\", $1, $2, want}'\n - name: Setup Go\n id: 'setupgo'\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}\n uses: actions/setup-go@v6\n with:\n cache: false\n go-version-file: ./go.mod\n - name: Go Tidy\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' && steps.setupgo.conclusion == 'success' }}\n run: |\n # go mod tidy\n trap 'echo \"::error file=go.mod,title=Tidy Check::Commit would leave go.mod untidy\"' ERR\n go mod tidy\n git diff --exit-code\n\n documentation:\n name: Documentation\n needs: ['lints']\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v6\n - uses: ./.github/actions/documentation\n with:\n publish: false\n\n tests:\n name: Tests\n needs: ['lints']\n uses: ./.github/workflows/tests.yml\n with:\n package_expr: ./...\n qemu: false\n"
},
{
"path": ".github/workflows/nightly-ci.yml",
"content": "---\nname: Nightly CI\n\non:\n schedule:\n - cron: '30 4 * * *'\n workflow_dispatch:\n inputs:\n package_expr:\n required: false\n type: string\n description: 'Package expression(s) passed to `go test`'\n\njobs:\n defaults:\n name: Check Input\n runs-on: ubuntu-latest\n outputs:\n package_expr: ${{ steps.config.outputs.package_expr }}\n steps:\n - name: Checkout\n id: checkout\n uses: actions/checkout@v6\n - name: Make package expressions\n id: config\n if: ${{ !cancelled() && steps.checkout.conclusion == 'success' }}\n run: |\n if test -n \"${{ inputs.package_expr }}\"; then\n printf 'package_expr=%s\\n' '${{ inputs.package_expr }}' >> \"$GITHUB_OUTPUT\"\n else\n printf 'package_expr=%s\\n' \"$(go list -m github.com/quay/clair{core,}/... | awk '{printf(\"%s/... \",$1)}')\" >> \"$GITHUB_OUTPUT\"\n fi\n\n tests:\n name: Tests\n needs: ['defaults']\n uses: ./.github/workflows/tests.yml\n with:\n package_expr: ${{ needs.defaults.outputs.package_expr }}\n qemu: true\n"
},
{
"path": ".github/workflows/nightly.yml",
"content": "---\nname: Nightly\n\non:\n workflow_dispatch:\n inputs:\n branch:\n description: 'Claircore branch to reference'\n required: false\n tag:\n description: 'Tag to push resulting image to'\n required: false\n schedule:\n - cron: '30 5 * * *'\n\njobs:\n build:\n name: Build and Push container\n runs-on: 'ubuntu-latest'\n steps:\n - name: Setup\n id: setup\n env:\n QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}\n QUAY_API_TOKEN: ${{ secrets.QUAY_API_TOKEN }}\n # This step uses defaults written in the shell script instead of the\n # nicer workflow inputs so that the cron trigger works.\n run: |\n br=$(test -n \"${{github.event.inputs.branch}}\" && echo \"${{github.event.inputs.branch}}\" || echo main)\n : \"${repo:=$GITHUB_REPOSITORY}\"\n test \"${repo%%/*}\" = quay && repo=\"projectquay/${repo##*/}\" ||:\n cat <<. >>$GITHUB_OUTPUT\n push=${{ env.QUAY_TOKEN != '' }}\n api=${{ env.QUAY_API_TOKEN != '' }}\n date=$(date -u '+%Y-%m-%d')\n tag=$(test -n \"${{github.event.inputs.tag}}\" && echo \"${{github.event.inputs.tag}}\" || echo nightly)\n claircore_branch=${br}\n repo=${repo}\n .\n # Environment variables\n printf 'CLAIRCORE_BRANCH=%s\\n' \"${br}\" >> $GITHUB_ENV\n - uses: docker/setup-qemu-action@v3\n with:\n platforms: all\n - uses: docker/setup-buildx-action@v3\n - uses: actions/checkout@v6\n with:\n fetch-depth: 0\n - id: setup-go\n uses: actions/setup-go@v6\n with:\n go-version-file: go.mod\n check-latest: true\n - name: Warm cache\n if: steps.setup-go.outputs.cache-hit != 'true'\n run: |\n # go mod download\n find . -name go.mod -type f -execdir go mod download \\;\n - id: mod\n run: ./.github/script/nightly-module.sh\n - id: novelty\n uses: actions/cache@v5\n with:\n path: go.sum\n key: novelty-${{ github.sha }}-${{ hashFiles('./go.*') }}\n - uses: docker/login-action@v3\n if: steps.setup.outputs.push && steps.novelty.outputs.cache-hit != 'true'\n with:\n registry: quay.io\n username: ${{ secrets.QUAY_USER }}\n password: ${{ secrets.QUAY_TOKEN }}\n - name: Export\n if: steps.novelty.outputs.cache-hit != 'true'\n # This exports the current state of the main branch, and appends our modified go module files.\n run: |\n mkdir \"${{ runner.temp }}/build\"\n git archive --add-file=go.mod --add-file=go.sum origin/main |\n tar -x -C \"${{ runner.temp }}/build\"\n (\n cd \"${{ runner.temp }}/build\"\n go mod vendor\n )\n - uses: docker/build-push-action@v6\n if: steps.novelty.outputs.cache-hit != 'true'\n with:\n cache-from: type=gha\n cache-to: type=gha,mode=max\n context: ${{ runner.temp }}/build\n platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le\n push: ${{ steps.setup.outputs.push && steps.novelty.outputs.cache-hit != 'true' }}\n tags: |\n quay.io/${{ steps.setup.outputs.repo }}:${{ steps.setup.outputs.tag }}\n quay.io/${{ steps.setup.outputs.repo }}:${{ steps.setup.outputs.tag }}-${{ steps.setup.outputs.date }}\n - uses: ./.github/actions/set-image-expiration\n if: steps.setup.outputs.push && steps.setup.outputs.api && steps.novelty.outputs.cache-hit != 'true'\n with:\n repo: ${{ steps.setup.outputs.repo }}\n tag: ${{ steps.setup.outputs.tag }}-${{ steps.setup.outputs.date }}\n token: ${{ secrets.QUAY_API_TOKEN }}\n"
},
{
"path": ".github/workflows/prepare-release.yml",
"content": "---\nname: Prepare Release\n\non:\n workflow_dispatch:\n inputs:\n branch:\n description: 'the branch to prepare the release against'\n required: true\n default: 'main'\n tag:\n description: 'the tag to be released'\n required: true\n\njobs:\n prepare:\n name: Prepare Release\n runs-on: 'ubuntu-latest'\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n ref: ${{ github.event.inputs.branch }}\n - name: Changelog\n shell: bash\n run: |\n curl -o /tmp/git-chglog.tar.gz -fsSL\\\n https://github.com/git-chglog/git-chglog/releases/download/v0.14.0/git-chglog_0.14.0_linux_amd64.tar.gz\n tar xvf /tmp/git-chglog.tar.gz --directory /tmp\n chmod u+x /tmp/git-chglog\n echo \"creating change log for tag: ${{ github.event.inputs.tag }}\"\n\n # if this is a release branch filter our change\n # log to only include logs with the same minor\n # versions\n # otherwise just filter v4 for full v4 history\n # on main branch\n filter_tag=\"--tag-filter-pattern v4\"\n branch=${{ github.event.inputs.branch }}\n echo \"discovered branch $branch\"\n if [[ ${branch%-*} == \"release\" ]]; then\n filter_tag=\"--tag-filter-pattern v${branch#release-}\"\n fi\n\n /tmp/git-chglog $filter_tag --next-tag \"${{ github.event.inputs.tag }}\" -o CHANGELOG.md v4.0.0-alpha.2..\n - name: Create Pull Request\n uses: peter-evans/create-pull-request@v8\n with:\n title: \"${{ github.event.inputs.tag }} Changelog Bump\"\n body: \"This is an automated changelog commit.\"\n commit-message: \"chore: ${{ github.event.inputs.tag }} changelog bump\"\n branch: \"ready-${{ github.event.inputs.tag }}\"\n signoff: true\n delete-branch: true\n"
},
{
"path": ".github/workflows/tests.yml",
"content": "---\nname: Tests\n\non:\n workflow_call:\n inputs:\n package_expr:\n required: true\n type: string\n description: 'Package expression(s) passed to `go test`'\n qemu:\n required: false\n type: boolean\n default: false\n description: 'Run tests for additional architectures under qemu-static'\n cd:\n required: false\n type: string\n default: \"\"\n description: 'Change to this directory before running tests'\n\njobs:\n setup:\n name: Setup\n runs-on: ubuntu-latest\n strategy:\n matrix:\n go: ['oldstable', 'stable']\n outputs:\n go-cache: ${{ steps.check.outputs.cache-hit == 'true' || steps.setup-go.outputs.cache-hit == 'true' || steps.warm.conclusion == 'success' }}\n runner-arch: ${{ steps.arch.outputs.result }}\n steps:\n - name: Map Arch\n id: arch\n uses: actions/github-script@v8\n with:\n result-encoding: string\n script: |\n switch (process.env.RUNNER_ARCH) {\n case \"X64\":\n return \"amd64\";\n case \"ARM64\":\n return \"arm64\";\n default:\n core.setFailed(`unknown/unsupported architecture: ${process.env.RUNNER_ARCH}`);\n }\n return \"\"\n - name: Checkout\n if: ${{ inputs.cd == '' }}\n id: checkout\n uses: actions/checkout@v6\n - name: Check Go Version\n if: ${{ inputs.cd == '' && steps.checkout.conclusion == 'success' }}\n id: checkversion\n uses: actions/setup-go@v6\n with:\n go-version: ${{ matrix.go }}\n cache: false\n - name: Get ImageOS\n # There's no way around this, because \"ImageOS\" is only available to\n # processes, but the setup-go action uses it in its key.\n if: ${{ inputs.cd == '' && steps.checkout.conclusion == 'success' }}\n id: imageos\n uses: actions/github-script@v8\n with:\n result-encoding: string\n script: |\n return process.env.ImageOS\n - name: Check Cache\n if: ${{ inputs.cd == '' && steps.checkout.conclusion == 'success' }}\n id: check\n uses: actions/cache/restore@v5\n with:\n key: >-\n setup-go-${{ runner.os }}-${{ steps.imageos.outputs.result }}-go-${{ steps.checkversion.outputs.go-version }}-${{ hashFiles('go.sum') }}\n lookup-only: true\n path: |\n ~/go/pkg/mod\n ~/.cache/go-build\n - name: Setup Go\n if: ${{ inputs.cd == '' && steps.check.outputs.cache-hit != 'true' }}\n id: setup-go\n uses: actions/setup-go@v6\n with:\n go-version: ${{ matrix.go }}\n - name: Warm Cache on Miss\n id: warm\n if: ${{ inputs.cd == '' && steps.check.outputs.cache-hit != 'true' && steps.setup-go.outputs.cache-hit != 'true' }}\n run: |\n # Warm module+build cache\n for GOARCH in amd64 arm64 ppc64le s390x; do\n export GOARCH\n for mod in '' github.com/quay/clair/config github.com/quay/claircore github.com/quay/claircore/toolkit; do\n echo Downloading modules for \"${mod-main}/$GOARCH\"\n go mod download $mod\n done\n echo Building '\"std\"' for \"$GOARCH\"\n go build std\n done\n\n tests:\n name: Tests\n runs-on: ubuntu-latest\n needs: ['setup']\n strategy:\n matrix:\n go: ['oldstable', 'stable']\n platform: ${{ inputs.qemu && fromJSON('[\"amd64\",\"arm64\",\"ppc64le\",\"s390x\"]') || fromJSON('[\"amd64\"]')}}\n fail-fast: false\n services:\n postgres:\n image: docker.io/library/postgres:15\n env:\n POSTGRES_DB: \"clair\"\n POSTGRES_INITDB_ARGS: \"--no-sync\"\n POSTGRES_PASSWORD: password\n POSTGRES_USER: \"clair\"\n options: >-\n --health-cmd \"pg_isready -U clair\"\n --health-interval 10s\n --health-timeout 5s\n --health-retries 5\n ports:\n - 5432\n rabbitmq:\n image: docker.io/library/rabbitmq:3\n env:\n RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: '-rabbit vm_memory_high_watermark 0.85'\n ports:\n - 5672\n - 61613\n\n steps:\n - name: Configure RabbitMQ\n run: |\n docker exec ${{ job.services.rabbitmq.id }} rabbitmqctl await_startup\n docker exec ${{ job.services.rabbitmq.id }} rabbitmq-plugins enable rabbitmq_stomp\n docker exec ${{ job.services.rabbitmq.id }} rabbitmq-plugins disable rabbitmq_management_agent rabbitmq_prometheus rabbitmq_web_dispatch\n docker exec ${{ job.services.rabbitmq.id }} rabbitmqctl add_vhost localhost\n docker exec ${{ job.services.rabbitmq.id }} rabbitmqctl set_permissions -p localhost guest '.*' '.*' '.*'\n docker exec ${{ job.services.rabbitmq.id }} rabbitmqctl add_user clair password\n docker exec ${{ job.services.rabbitmq.id }} rabbitmqctl set_permissions -p '/' clair '.*' '.*' '.*'\n docker exec ${{ job.services.rabbitmq.id }} rabbitmqctl set_permissions -p localhost clair '.*' '.*' '.*'\n\n - name: Checkout\n uses: actions/checkout@v6\n - name: Setup Go\n id: setup-go\n uses: actions/setup-go@v6\n with:\n go-version: ${{ matrix.go }}\n cache: ${{ needs.setup.outputs.go-cache }}\n - name: Assets Cache\n id: assets\n uses: actions/cache/restore@v5\n with:\n key: integration-assets-${{ hashFiles('go.sum') }}\n restore-keys: |\n integration-assets-\n path: |\n ~/.cache/clair-testing\n - name: Set up QEMU\n uses: docker/setup-qemu-action@v3\n if: ${{ matrix.platform != needs.setup.outputs.runner-arch }}\n with:\n platforms: linux/${{ matrix.platform }}\n\n - name: Tests\n # NB If Clair gains any C dependencies, this will need additional setup:\n # - `-extldflags=-static`\n # - CGO_ENABLED=1\n # - relevant architecture's libc, linker, etc.\n env:\n POSTGRES_CONNECTION_STRING: >-\n host=localhost\n port=${{ job.services.postgres.ports[5432] }}\n user=clair\n dbname=clair\n password=password\n sslmode=disable\n RABBITMQ_CONNECTION_STRING: \"amqp://clair:password@localhost:${{ job.services.rabbitmq.ports[5672] }}/\"\n STOMP_CONNECTION_STRING: \"stomp://clair:password@localhost:${{ job.services.rabbitmq.ports[61613] }}/\"\n GOARCH: ${{ matrix.platform }}\n CGO_ENABLED: '0'\n GOFLAGS: '-mod=mod'\n working-directory: ./${{ inputs.cd }}\n run: |\n # Go Tests\n for expr in ${{ inputs.package_expr }}; do\n printf '::group::go test %s\\n' \"$expr\"\n go test -tags integration \"$expr\"\n printf '::endgroup::\\n'\n done\n"
},
{
"path": ".github/workflows/v2-issues.yml",
"content": "---\nname: 'Manage v2 Issues'\non:\n workflow_dispatch:\n inputs:\n debug:\n description: 'Run in debug mode (i.e. dry-run)'\n required: false\n default: false\n schedule:\n - cron: '30 1 * * *'\n\njobs:\n stale:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/stale@v10\n with:\n only-labels: 'V2'\n exempt-issue-labels: 'V2/active'\n days-before-stale: 14\n days-before-issue-stale: 0\n days-before-close: 14\n remove-stale-when-updated: false\n ignore-updates: true\n debug-only: ${{ github.event.inputs.debug || false }}\n enable-statistics: true\n operations-per-run: 1000\n"
},
{
"path": ".gitignore",
"content": "vendor/\nbook/\nclairctl\n!clairctl/\n"
},
{
"path": "CHANGELOG.md",
"content": "&2\nSetting reported version to \"${vstr}\".\n\nThis hook into the go build process is not needed if building using a prepared\nsource archive and will go away in the future.\n\nPlease open an issue if this would prevent a desired use-case.\nmsg\n\tvarg=\" -X 'github.com/quay/clair/v4/cmd.Version=${vstr}'\"\nfi\ninstall -d \"${GOBIN}\"\ngo build \\\n\t-ldflags=\"-s -w$varg\" -trimpath \\\n\t-o \"${GOBIN}\" \\\n\t./cmd/...\n.\n\nFROM scratch AS ctl\nCOPY --from=build /out/bin/clairctl* /\n\nFROM registry.access.redhat.com/ubi8/ubi-minimal AS final\nENTRYPOINT [\"/usr/bin/clair\"]\nVOLUME /config\nEXPOSE 6060\nENV CLAIR_CONF=/config/config.yaml\\\n\tCLAIR_MODE=combo\\\n\tSSL_CERT_DIR=\"/etc/ssl/certs:/etc/pki/tls/certs:/var/run/certs\"\nUSER nobody:nobody\n# The WORKDIR command creates an empty layer, there's nothing we can do.\nWORKDIR /run\nCOPY --from=build /out/bin/* /usr/bin/\n"
},
{
"path": "Documentation/SUMMARY.md",
"content": "# Summary\n\n- [What is ClairV4](./whatis.md)\n- [How Tos](./howto.md)\n - [Getting Started With ClairV4](./howto/getting_started.md)\n - [Deployment Models](./howto/deployment.md)\n - [API Definition](./howto/api.md)\n - [Testing ClairV4](./howto/testing.md)\n- [Concepts](./concepts.md)\n - [Indexing](./concepts/indexing.md)\n - [Matching](./concepts/matching.md)\n - [Internal API](./concepts/api_internal.md)\n - [Authentication](./concepts/authentication.md)\n - [Notifications](./concepts/notifications.md)\n - [Updaters and Airgap](./concepts/updatersandairgap.md)\n - [Operation](./concepts/operation.md)\n- [Contribution](./contribution.md)\n - [Building](./contribution/building.md)\n - [Commit Style](./contribution/commit_style.md)\n - [Releases](./contribution/releases.md)\n - [OpenAPI](./contribution/openapi.md)\n- [Reference](./reference.md)\n - [Api](./reference/api.md)\n - [Clairctl](./reference/clairctl.md)\n - [Config](./reference/config.md)\n - [Indexer](./reference/indexer.md)\n - [Matcher](./reference/matcher.md)\n - [Notifier](./reference/notifier.md)\n - [Metrics](./reference/metrics.md)\n"
},
{
"path": "Documentation/concepts/api_internal.md",
"content": "# Internal\n\nInternal endpoints are underneath `/api/v1/internal` and are meant for\ncommunication between Clair microservices. If Clair is operating in combo mode,\nthese endpoints may not exist. Any sort of API ingress should disallow clients\nto talk to these endpoints.\n\nWe do not formally expose these APIs in our OpenAPI spec. \nFurther information and usage is an effort left to the reader.\n\n## Updates Diffs\n\nThe `update_diff/` endpoint exposes the api for diffing two update operations. \nThis is used by the notifier to determine the added and removed vulnerabilities on security database update.\n\n## Update Operation\n\nThe `update_operation` endpoint exposes the api for viewing updaters' activity. \nThis is used by the notifier to determine if new updates have occurred and triggers an update diff to see what has changed.\n\n## AffectedManifest\n\nThe `affected_manifest` endpoint exposes the api for retreiving affected manifests given a list of Vulnerabilities.\nThis is used by the notifier to determine the manifests that need to have a notification generated.\n"
},
{
"path": "Documentation/concepts/authentication.md",
"content": "# Authentication\n\nPrevious versions of Clair used [jwtproxy] to gate authentication. For ease of\nbuilding and deployment, v4 handles authentication itself.\n\nAuthentication is configured by specifying configuration objects underneath the\n`auth` key of the configuration. Multiple authentication configurations may be\npresent, but they will be used preferentially in the order laid out below.\n\n[jwtproxy]: https://github.com/quay/jwtproxy\n\n### PSK\n\nClair implements JWT-based authentication using a pre-shared key.\n\n#### Configuration\n\nThe `auth` stanza of the configuration file requires two parameters: `iss`, which\nis the issuer to validate on all incoming requests; and `key`, which is a base64\nencoded symmetric key for validating the requests.\n\n```yaml\nauth:\n psk:\n key: >-\n MDQ4ODBlNDAtNDc0ZC00MWUxLThhMzAtOTk0MzEwMGQwYTMxCg==\n iss: 'issuer'\n```\n\n"
},
{
"path": "Documentation/concepts/indexing.md",
"content": "# Indexing\n\nThe [Indexer](../reference/indexer.md) service is responsble for \"indexing a manifest\".\n\nIndexing involves taking a manifest representing a container image and computing its constituent parts. The indexer is trying to discover what packages exist in the image, what distribution the image is derived from, and what package repositories are used within the image. Once this information is computed it is persisted in an IndexReport.\n\nThe IndexReport is an intermediate data structure describing the contents of a container image. This report can be fed to a [Matcher](../reference/matcher.md) node for vulnerability analysis.\n\n## Content Addressability\n\nClairV4 treats all manifests and layers as [content addressable](https://en.wikipedia.org/wiki/Content-addressable_storage). In the context of ClairV4 this means once we index a specific manifest we will not index it again unless it's required, and likewise with individual layers. This allows a large reduction in work. \n\nFor example, consider how many images in a registry may use \"ubuntu:artful\" as a base layer. It could be a large majority of images if the developers prefer basing their images off ubuntu. Treating the layers and manifests as content addressable means we will only fetch and scan the base layer once.\n\nThere are of course conditions where ClairV4 should re-index a manifest. \n\nWhen an internal component such as a package scanner is updated, Clair will know to perform the scan with the new package scanner. Clair has enough information to determine that a component has changed and the IndexReport may be different this time around. \n\nA client can track ClairV4's `index_state` endpoint to understand when an internal component has changed and subsequently issue re-indexes. See our [api](../howto/api.md) guide to learn how to view our api specification.\n\n## Summary\n\nIn summary, you should understand that Indexing is the process Clair uses to understand the contents of layers.\n\nFor a more indepth look at indexing check out the [ClairCore Documentation](https://quay.github.io/claircore/)\n"
},
{
"path": "Documentation/concepts/matching.md",
"content": "# Matching\n\nA [Matcher](../reference/matcher.md) node is responsible for matching vulnerabilities to a provided IndexReport. \n\nMatchers by default are also responsible for keeping the database of vulnerabilities up to date. Matchers will typically run a set of Updaters which periodically probe their data sources for new contents, storing new vulnerabilities in the database when discovered.\n\nThe matcher API is designed to be called often and will always provide the most up-to-date VulnerabilityReport when queried. This VulnerabilityReport summaries both a manifest's contents and any vulnerabilities affecting the contents.\n\nSee our [api](../howto/api.md) guide to learn how to view our api specification and work with the Matcher api.\n\n# Remote Matching\n\nA remote matcher behaves similarly to a matcher, except that it uses api calls to fetch vulnerability data for a provided IndexReport.\nRemote matchers are useful when it is not possible to persist data from a given source into the database.\n\nThe `crda` remote matcher is responsible for fetching vulnerabilities from Red Hat Code Ready Dependency Analytics (CRDA).\nBy default, this matcher serves 100 requests per minute.\nThe rate-limiting can be lifted by requesting a dedicated API key, which is done via [this form][CRDA-Request-Form].\n\n[CRDA-Request-Form]: https://developers.redhat.com/content-gateway/link/3872178\n\n## Summary\n\nIn summary you should understand that a Matcher node provides vulnerability reports given the output of an Indexing process. By default it will also run background Updaters keeping the vulnerability database up-to-date.\n\nFor a more indepth look at indexing check out the [ClairCore Documentation](https://quay.github.io/claircore/)\n"
},
{
"path": "Documentation/concepts/notifications.md",
"content": "# Notifications\n\nClairV4 implements a notification system.\n\nThe notifier service will keep track of new security database updates and inform an interested client if new or removed vulnerabilities affect an indexed manifest.\n\nThe interested client can subscribe to notifications via several mechanisms:\n* Webhook delivery\n* AMQP delivery\n* STOMP delivery\n\nConfiguring the notifier is done via the yaml configuration.\n\nSee the \"Notifier\" object in our [config reference](../reference/config.md)\n\n## A Notification\n\nWhen the notifier becomes aware of new vulnerabilities affecting a previously indexed manifest, it will use the configured method(s) to issue notifications about the new changes. Any given notification expresses the **most severe** vulnerability discovered because of the change. This avoids creating a flurry of notifications for the same security database update.\n\nOnce a client receives a notification, it should issue a new request against the [matcher](../reference/matcher.md) to receive an up-to-date vulnerability report.\n\nThe notification schema is the JSON marshaled form of the following types:\n\n```go\n// Reason indicates the catalyst for a notification\ntype Reason string\nconst (\n\tAdded Reason = \"added\"\n\tRemoved Reason = \"removed\"\n\tChanged Reason = \"changed\"\n)\ntype Notification struct {\n\tID uuid.UUID `json:\"id\"`\n\tManifest claircore.Digest `json:\"manifest\"`\n\tReason Reason `json:\"reason\"`\n\tVulnerability VulnSummary `json:\"vulnerability\"`\n}\ntype VulnSummary struct {\n\tName string `json:\"name\"`\n\tDescription string `json:\"description\"`\n\tPackage *claircore.Package `json:\"package,omitempty\"`\n\tDistribution *claircore.Distribution `json:\"distribution,omitempty\"`\n\tRepo *claircore.Repository `json:\"repo,omitempty\"`\n\tSeverity string `json:\"severity\"`\n\tFixedInVersion string `json:\"fixed_in_version\"`\n\tLinks string `json:\"links\"`\n}\n```\n\n## Webhook Delivery\n*See the \"Notifier.Webhook\" object in the [config reference](../reference/config.md) for complete configuration details.*\n\nWhen you configure notifier for webhook delivery you provide the service with the following pieces of information:\n* A target URL where the webhook will fire\n* The callback URL where the notifier may be reached including its API path\n * e.g. \"http://clair-notifier/notifier/api/v1/notification\"\n\nWhen the notifier has determined an updated security database has changed the affected status of an indexed manifest, it will deliver the following JSON body to the configured target:\n```json\n{\n \"notification_id\": {uuid_string},\n \"callback\": {url_to_notifications}\n}\n```\n\nOn receipt, the server can immediately browse to the URL provided in the callback field.\n\n### Pagination\n\nThe URL returned in the callback field brings the client to a paginated result.\n\nThe callback endpoint specification follows:\n\n```go\nGET /notifier/api/v1/notification/{id}?[page_size=N][next=N]\n{\n page: {\n size: int, // maximum number of notifications in the response\n next: string, // if present, the next id to fetch.\n }\n notifications: [ Notification… ] // array of notifications; max len == page.size\n}\n```\nThe GET callback request implements a simple bare-minimum paging mechanism.\n\nThe \"page_size\" url param controls how many notifications are returned in a single page.\nIf not provided a default of 500 is used.\n\nThe \"next\" url param informs Clair the next set of paged notifications to return. If not provided the 0th page is assumed.\n\nA page object accompanying the notification list specifies \"next\" and \"size\" fields.\n\nThe \"next\" field returned in the page must be provided as the subsequent request's \"next\" url parameter to retrieve the next set of notifications.\n\nThe \"size\" field will simply echo back the request page_size parameter.\n\nWhen the final page is served to the client the returned \"page\" data structure will not contain a \"next\" member.\n\nTherefore the following loop is valid for obtaining all notifications for a notification id in pages of a specified size.\n\n```\n{ page, notifications } = http.Get(\"http://clairv4/notifier/api/v1/notification/{id}?page_size=1000\")\n\nwhile (page.Next != None) {\n { page, notifications } = http.Get(\"http://clairv4/notifier/api/v1/notification/{id}?next={page.Next},page_size=1000\")\n}\n```\n\n*Note: If the client specifies a custom page_size it must specify this page_size on every request for accurate responses.*\n\n### Deleting Notifications\n\nWhile not mandatory, the client may issue a delete of the notification via a DELETE method. See [api](../howto/api.md) to view the delete api.\n\nDeleting a notification ID will clean up resources in the notifier quicker. Otherwise the notifier will wait a predetermined length of time before clearing delivered notifications from its database.\n\n## AMQP Delivery\n*See the \"Notifier.AMQP\" object in our [config reference](../reference/config.md) for complete configuration details.*\n\nThe notifier also supports delivering to an AMQP broker. With AMQP delivery you can control whether a callback is delivered to the broker or whether notifications are directly delivered to the queue.\n\nThis allows the developer of the AMQP consumer to determine the logic of notification processing.\n\nNote that AMQP delivery only supports AMQP 0.x protocol (e.g. RabbitMQ). If you need to publish notifications on AMQP 1.x message queue (e.g. ActiveMQ), you can use STOMP delivery.\n\n### Direct Delivery\n\nIf the notifier's configuration specifies `direct: true` for AMQP, notifications will be delivered directly to the configured exchange.\n\nWhen `direct` is set, the `rollup` property may be set to instruct the notifier to send a max number of notifications in a single AMQP message. This allows a balance between size of the message and number of messages delivered to the queue.\n\n## Testing and Development\n\nThe notifier has a testing mode enabled when it sees the \"NOTIFIER_TEST_MODE\" environment variable set. It can be set to any value as we only check to see if it exists.\n\nWhen this environment variable is set, the notifier will begin sending fake notifications to the configured delivery mechanism every \"poll_interval\" interval. This provides an easy way to implement and test new or existing deliverers.\n\nThe notifier will run in this mode until the environment variable is cleared and the service is restarted.\n"
},
{
"path": "Documentation/concepts/operation.md",
"content": "# Operation\n"
},
{
"path": "Documentation/concepts/updatersandairgap.md",
"content": "## Updaters\n\nClair utilizes go packages we call \"updaters\" that encapsulate the logic of\nfetching and parsing different vulnerability databases. Updaters are usually\npared with a matcher to interpret if and how any vulnerability is related to a\npackage.\n\nOperators may wish to update the vulnerability database less frequently or not\nimport vulnerabilities from databases that they know will not be used.\n\n### Configuration\n\nUpdaters can be configured by `updaters` key at the top of the configuration. If\nupdaters are being run automatically within the matcher processes, as is the\ndefault, the period for running updaters is configured under the matcher's\nconfiguration stanza.\n\n#### Choosing Sets\n\nSpecific sets of updaters can be selected by the `sets` list. If not present,\nthe defaults of all upstream updaters will be used.\n\n```yaml\nupdaters:\n sets:\n - rhel\n```\n\n#### Specific Updaters\n\nConfiguration for specific updaters can be passed by putting a key underneath\nthe `config` member of the `updaters` object. The name of an updater may be\nconstructed dynamically; users should examine logs to double-check names.\nThe specific object that an updater expects should be covered in the updater's\ndocumentation.\n\nFor example, to have the \"rhel\" updater fetch a manifest from a different\nlocation:\n\n```yaml\nupdaters:\n config:\n rhel:\n url: https://example.com/mirror/oval/PULP_MANIFEST\n```\n\n### Airgap\n\nFor additional flexibility, Clair supports running updaters in a different\nenvironment and importing the results. This is aimed at supporting installations\nthat disallow the Clair cluster from talking to the Internet directly. An update\nprocedure needs to arrange to call the relevant `clairctl` command in an\nenvironment with access to the Internet, move the resulting artifact across the\nairgap according to site policy, and then call the relevant `clairctl` command\nto import the updates.\n\nFor example:\n\n```sh\n# On a workstation, run:\nclairctl export-updaters updates.json.gz\n```\n\n```sh\n# Move the resulting file to a place reachable by the cluster:\nscp updates.json.gz internal-webserver:/var/www/\n```\n\n```sh\n# On a pod inside the cluster, import the file:\nclairctl import-updaters http://web.svc/updates.json.gz\n```\n\nNote that a configuration file is needed to run these commands.\n\n#### Configuration\n\nMatcher processes should have the `disable_updaters` key set to disable\nautomatic updaters running.\n\n```yaml\nmatcher:\n disable_updaters: true\n```\n\n## Indexers\n\n### Configuration\n\n#### Airgap\n\n```yaml\nindexer:\n airgap: true\n```\n\n#### Specific Scanners\n\n```yaml\nindexer:\n scanner:\n package:\n name:\n key: value\n repo:\n name:\n key: value\n dist:\n name:\n key: value\n```\n\n"
},
{
"path": "Documentation/concepts.md",
"content": "# Concepts\n\nThe following sections give a conceptual overview of how Clair works internally.\n\n- [Internal API](./concepts/api_internal.md)\n- [Authentication](./concepts/authentication.md)\n- [Notifications](./concepts/notifications.md)\n- [Updaters and Airgap](./concepts/updatersandairgap.md)\n"
},
{
"path": "Documentation/contribution/building.md",
"content": "# Building\n\nThis repo is intended to be built with familiar `go build` or `go install` invocations.\nAll binaries (excepting debugging tools) are underneath the `cmd` directory.\n\n### Cross-compiling\n\nCurrently Clair does not have any cgo dependencies, so there should not be any cross-compilation concerns.\n\n## Container\n\nA `Dockerfile` for the project is in the repo root.\n**The only upstream-supported means of using it is Buildkit via `buildctl`.**\nSee the `container`, `container-build`, `dist-container`, and `dist-clairctl` make targets for example invocations.\nThe `BUILDKIT_HOST` environment variable may need to be set, depending on how `buildkitd` is running in one's environment.\n"
},
{
"path": "Documentation/contribution/commit_style.md",
"content": "# Commit Style\n\nThe Clair project utilizes well structured commits to keep the history useful and help with release automation.\nWe suggest signing off on your commits as well.\n\nA typical commit will take on the following structure:\n\n```\n: \n\n\nFixes #1\nPull Request #2\n\nSigned-Off By: \n```\n\nThe header of the commit is regexp checked before commit and your commit will be kicked back if it does not conform.\n\n## Scope\n\nThis is the section of code this commit influences. \n\nYou will often see scopes such as \"notifier\", \"auth\", \"chore\", \"cicd\".\n\nWe use this field to group commits by scope in our automated changelog generation.\n\nIt would be wise to take a look at our changelog before contributing to get an idea of the common scopes we use.\n\n## Subject\n\nSubject is a short and concise summary of the change the commit is introducing. It should be a sentence fragment without starting capitalization and ending punctuation and limited to about 60 characters, to allow for the scope prefix and decoration in the git log.\n\n## Body\n\nBody should be full of detail.\n\nExplain what this commit is doing and why it is necessary.\n\nYou may include references to issues and pull requests as well. Our automated changelog process will discover references prefixed with \"Fixes\", \"Closed\" and \"Pull Request\"\n\n"
},
{
"path": "Documentation/contribution/openapi.md",
"content": "# OpenAPI\n\nThe [OpenAPI specification] has moved from `openapi.yaml` to the `openapi.json`\nand `openapi.yaml` files in `httptransport/api/v1`.\n\nThese files are autogenerated from files in `httptransport/api` and\n`httptransport/types` via the `httptransport/api/openapi.zsh` script. This\nscript requires `zsh` to run and `sha256sum`, `git`, `jq`, `yq`, and `npx`\ncommands in `PATH`.\n\n## Modifications\n\nTo modify the OpenAPI spec, edit the relevant `httptransport/api/*/openapi.jq`\nfile (a [`jq`] script) or the `httptransport/api/lib/oapi.jq` library as needed,\nthen run `go generate ./httptransport`.\n\nThe `go generate` command also needs to be run if files in `httptransport/types`\nare modified.\n\n## Script\n\nThe `openapi.zsh` script works by:\n- for each `v*` directory under `httptransport/api`:\n - for all [JSON Schema] files in the corresponding `httptransport/types/v*` directory:\n - lint the schema\n - slip-steam examples from the corresponding `examples` file\n - amalgamate all the files from the previous step\n - run the `openapi.jq` script with `null` input\n - merge the outputs of the previous two steps\n - ~~validate and lint the OpenAPI spec~~[^note]\n - generate a `yaml` representation\n - write out a `sha256` checksum in [Etag] format\n\n[^note]: The OpenAPI spec _should_ also be validated or linted, but there's not a known tool that handles JSON Schema [reference resolution] correctly.\n\n[OpenAPI specification]: https://spec.openapis.org/oas/v3.1.0.html\n[`jq`]: https://jqlang.org/manual/\n[JSON Schema]: https://json-schema.org/\n[Etag]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/ETag\n[reference resolution]: https://www.learnjsonschema.com/2020-12/core/ref/\n"
},
{
"path": "Documentation/contribution/releases.md",
"content": "# Releases\n\nClair releases are cut roughly every three months and actively maintained for\nsix.\n\nThis means that bugfixes should be landed on `master` (if applicable) and then\nmarked for backporting to a minor version's release branch. The process for\ndoing this is not yet formalized.\n\n## Process\n\n### Minor\n\nWhen cutting a new minor release, two things need to be done: creating a tag and\ncreating a release branch. This can be done like so:\n\n```sh\ngit tag -as v4.x.0 HEAD\ngit push upstream HEAD:release-4.x tag v4.x.0\n```\n\nThen, a \"release\" needs to be created in the Github UI using the created tag.\n\n### Patch\n\nA patch release is just like a minor release with the caveat that minor version\ntags should *only* appear on release branches and a new branch does not need to\nbe created.\n\n```sh\ngit checkout release-4.x\ngit tag -as v4.x.1 HEAD\ngit push upstream tag v4.x.1\n```\n\nThen, a \"release\" needs to be created in the Github UI using the created tag.\n\n### Creating Artifacts\n\nClair's artifact release process is automated and driven off the releases in\nGithub.\n\nPublishing a new release in the Github UI automatically triggers the creation of\na complete source archive and a container. The archive is attached to the\nrelease, and the container is pushed to the\n[`quay.io/projectquay/clair`](https://quay.io/repository/projectquay/clair)\nrepository.\n\nThis is all powered by a Github Action in `.github/workflows/cut-release.yml`.\n\nA complete source archive can be created with `make dist`.\nA corresponding container can be created with `make dist-container`.\nSee `etc/config.mk` for documentation on variables that control these targets.\n"
},
{
"path": "Documentation/contribution.md",
"content": "# Contribuion\nThe following sections provides information on how to contribute to Clair.\n\n- [Building](./contribution/building.md)\n- [Commit Style](./contribution/commit_style.md)\n- [Releases](./contribution/releases.md)\n- [OpenAPI](./contribution/openapi.md)\n"
},
{
"path": "Documentation/howto/api.md",
"content": "# API Definition\n\nClair provides its API definition via an OpenAPI specification. You can view our OpenAPI spec [here][openapi_v1].\n\nThe OpenAPI spec can be used in a variety of ways.\n* Generating http clients for your application\n* Validating data returned from Clair\n* Importing into a rest client such as [Postman](https://learning.postman.com/docs/integrations/available-integrations/working-with-openAPI/)\n* API documentation via [Swagger Editor](https://petstore.swagger.io/#/)\n\nSee [Testing Clair](./testing.md) to learn how the local dev tooling starts a local swagger editor. This is handy for making changes to the spec in real time.\n\nSee [API Reference](../reference/api.md) for a markdown rendered API reference.\n\n[openapi_v1]: https://github.com/quay/clair/tree/main/httptransport/api/v1\n"
},
{
"path": "Documentation/howto/deployment.md",
"content": "# Deploying Clair\n\nClair v4 was designed with flexible deployment architectures in mind.\nAn operator is free to choose a deployment model which scales to their use cases.\n\n## Configuration\n\nBefore jumping directly into the models, its important to note that Clair is designed to use a single configuration file across all node types.\nThis design decision makes it very easy to deploy on systems like Kubernetes and OpenShift.\n\nSee [Config Reference](../reference/config.md)\n\n## Combined Deployment\n\nIn a combined deployment, all the Clair processes run in a single OS process.\nThis is by far the easiest deployment model to configure as it involves the least moving parts. \n\nA load balancer is still recommended if you plan on performing TLS termination.\nTypically this will be a OpenShift route or a Kubernetes ingress.\n\n\n\nIn the above diagram, Clair is running in combo mode and talking to a single database.\nTo configure this mode, you will provide all node types the same database and start Clair in **combo** mode.\n\n```\n...\nindexer:\n connstring: \"host=clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\nmatcher:\n connstring: \"host=clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\n ...\nnotifier:\n connstring: \"host=clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\n ...\n```\nIn this mode, any configuration informing Clair how to talk to other nodes is ignored;\nit is not needed as all intra-process communication is done directly.\n\nFor added flexibility, it's also supported to split the databases while in combo mode.\n\n\n\nIn the above diagram, Clair is running in combo mode but database load is split between multiple databases.\nSince Clair is conceptually a set of micro-services, its processes do not share database tables even when combined into the same OS process.\n\nTo configure this mode, you would provide each process its own \"connstring\" in the configuration. \n```\n...\nindexer:\n connstring: \"host=indexer-clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\nmatcher:\n connstring: \"host=matcher-clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\n ...\nnotifier:\n connstring: \"host=notifier-clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\n ...\n```\n\n## Distributed Deployment\n\nIf your application needs to asymmetrically scale or you expect high load you may want to consider a distributed deployment.\n\nIn a distributed deployment, each Clair process runs in its own OS process.\nTypically this will be a Kubernetes or OpenShift Pod.\n\nA load balancer **must** be setup in this deployment model.\nThe load balancer will route traffic between Clair nodes along with routing API requests via [path based routing] to the correct services.\nIn a Kubernetes or OpenShift deployment this is usually handled with the `Service` and `Route` abstractions.\nIf deploying on bare metal, a load balancer will need to be configured appropriately. \n\n\n\n\nIn the above diagram, a load balancer is configured to route traffic coming from the client to the correct service.\nThis routing is path based and requires a layer 7 load balancer.\nTraefik, Nginx, and HAProxy are all capable of this.\nAs mentioned above, this functionality is native to OpenShift and Kubernetes.\n\nIn this configuration, you'd supply each process with database connection strings and addresses for their dependent services.\nEach OS process will need to have its \"mode\" CLI flag or environment variable set to the appropriate value. \nSee [Config Reference](../reference/config.md)\n\n```\n...\nindexer:\n connstring: \"host=indexer-clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\nmatcher:\n connstring: \"host=matcher-clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\n indexer_addr: \"indexer-service\"\n ...\nnotifier:\n connstring: \"host=notifier-clairdb user=pqgotest dbname=pqgotest sslmode=verify-full\"\n indexer_addr: \"indexer-service\"\n matcher_addr: \"matcher-service\"\n ...\n```\n\nKeep in mind a config file per process is not need.\nProcesses only use the values necessary for their configured mode.\n\n## TLS Termination\n\nIt's recommended to offload TLS termination to the load balancing infrastructure.\nThis design choice is due to the ubiquity of Kubernetes and OpenShift infrastructure already providing this facility.\n\nIf this is not possible for some reason, it is possible to have processes terminate TLS by using the `$.tls` configuration key.\nA load balancer is still required.\n\n## Disk Usage Considerations\n\nBy default, Clair will store container layers in `/var/tmp` while in use.\nThis can be changed by setting the `TMPDIR` environment variable.\nThere's currently no way to change this in the configuration file.\n\nThe disk space needed depends on the precise layers being indexed at any one time,\nbut a good approximation is twice as large as the largest (uncompressed size) layer in the corpus.\n\n## More On Path Routing\n\nIf you are considering a distributed deployment you will need more details on [path based routing]. \n\nLearn how to grab our OpenAPI spec [here](./api.md) and either start up a local dev instance of the swagger editor or load the spec file into the [online editor](https://petstore.swagger.io/#/).\n\nYou will notice particular API paths are grouped by the services which implement them.\nThis is your guide to configure your layer 7 load balancer correctly. \n\nWhen the load balancer encounters a particular path prefix it must send those request to the correct set of Clair nodes. \n\nFor example, this is how we configure Traefik in our local development environment:\n```\n- \"traefik.enable=true\"\n- \"traefik.http.routers.notifier.entrypoints=clair\"\n- \"traefik.http.routers.notifier.rule=PathPrefix(`/notifier`)\"\n- \"traefik.http.routers.notifier.service=notifier\"\n- \"traefik.http.services.notifier.loadbalancer.server.port=6000\"\n```\n\nThis configuration is saying \"take any paths prefixes of /notifier/ and send them to the notifier services on port 6000\".\n\nEvery load balancer will have their own way to perform path routing.\nCheck the documentation for your infrastructure of choice.\n\n[path based routing]: https://devcentral.f5.com/s/articles/the-three-http-routing-patterns-you-should-know-30764\n"
},
{
"path": "Documentation/howto/getting_started.md",
"content": "# Getting Started With Clair\n\n## Releases\n\nAll of the source code needed to build clair is packaged as an archive and\nattached to the release. Releases are tracked at the [github releases].\n\nThe release artifacts also include the clairctl command line tool.\n\n[github releases]: https://github.com/quay/clair/releases\n\n## Official Containers\n\nClair is officially packaged and released as a container at\n[quay.io/projectquay/clair]. The `latest` tag tracks the git development branch,\nand version tags are built from the corresponding release.\n\n[quay.io/projectquay/clair]: https://quay.io/repository/projectquay/clair\n\n## Running Clair\n\nThe easiest way to get Clair up and running for test purposes is to use our [local dev environment](./testing.md)\n\nIf you're the hands on type who wants to get into the details however, continue reading.\n\n## Modes\n\nClair can run in several modes. [Indexer](../reference/indexer.md), [matcher](../reference/matcher.md), [notifier](../reference/notifier.md) or combo mode. In combo mode, everything runs in a single OS process. \n\nIf you are just starting with Clair you will most likely want to start with combo mode and venture out to a distributed deployment once acquainted. \n\nThis how-to will demonstrate combo mode and introduce some further reading on a distributed deployment.\n\n## Postgres\n\nClair uses PostgreSQL for its data persistence. Migrations are supported so you should only need to point Clair to a fresh database and have it do the setup for you.\n\nWe will assume you have setup a postgres database and it's reachable with the following connection string:\n`host=clair-db port=5432 user=clair dbname=clair sslmode=disable`. Adjust for your environment accordingly. \n\n## Starting Clair In Combo Mode\n\nAt this point, you should either have built Clair from source or have pulled the container. In either case, we will assume that the `clair-db` hostname will resolve to your postgres database. \n\n*You may need to configure [docker](https://docs.docker.com/network/) or [podman](https://podman.io/getting-started/network.html) networking if you are utilizing containers. This is out of scope for this how-to.*\n\nA basic config for combo mode can be found [here](https://github.com/quay/clair/blob/main/config.yaml.sample). Make sure to edit this config with your database settings and set \"migrations\" to `true` for all mode stanzas. In this basic combo mode, all \"connstring\" fields should point to the same database and any *_addr fields are simply ignored. For more details see the [config reference](../reference/config.md) and [deployment models](./deployment.md)\n\nClair has 3 requirements to start:\n* The `mode` flag or `CLAIR_MODE` environment variable specifying what mode this instance will run in.\n* The `conf` flag or `CLAIR_CONF` environment variable specifying where Clair can find its configuration.\n* A yaml document providing Clair's configuration.\n\nIf you are running a container, you can [mount](https://docs.docker.com/storage/volumes/) a Clair config and set the `CLAIR_CONF` environment variable to the corresponding path.\n```\nCLAIR_MODE=combo\nCLAIR_CONF=/path/to/mounted/config.yaml\n```\n\nIf you are running a Clair binary directly, its likely easiest to use the command line.\n```\nclair -conf \"path/to/config.yaml\" -mode \"combo\"\n```\n\n## Submitting A Manifest\n\nThe simplest way to submit a manifest to your running Clair is utilizing [clairctl](../reference/clairctl.md). This is a CLI tool capable of grabbing image manifests from public repositories and submitting them for analysis. \nThe command will be in the Clair container, but can also be installed locally by running the following command:\n```\ngo install github.com/quay/clair/v4/cmd/clairctl@latest\n```\n\nYou can submit a manifest to ClairV4 via the following command.\n```shell\n$ clairctl report --host ${net_address_of_clair} ${image_tag}\n```\nYou will need to add the `config` flag if you are using a PSK authentication (as in the [local dev environment](./testing.md) setup, for example).\n```shell\n$ clairctl report --config local-dev/clair/config.yaml --host ${net_address_of_clair} ${image_tag}\n```\nBy default, `clairctl` will look for Clair at `localhost:6060` or the environment variable `CLAIR_API`, and for a configuration at `config.yaml` or the environment variable `CLAIR_CONF`.\n\nIf everything is configured correctly, you should see some output like the following informing you of vulnerabilities affecting the supplied image.\n\n```shell\n$ clairctl report ubuntu:focal\nubuntu:focal found bash 5.0-6ubuntu1.1 CVE-2019-18276\nubuntu:focal found libpcre3 2:8.39-12build1 CVE-2017-11164\nubuntu:focal found libpcre3 2:8.39-12build1 CVE-2019-20838\nubuntu:focal found libpcre3 2:8.39-12build1 CVE-2020-14155\nubuntu:focal found libsystemd0 245.4-4ubuntu3.2 CVE-2018-20839\nubuntu:focal found libsystemd0 245.4-4ubuntu3.2 CVE-2020-13776\nubuntu:focal found libtasn1-6 4.16.0-2 CVE-2018-1000654\nubuntu:focal found libudev1 245.4-4ubuntu3.2 CVE-2018-20839\nubuntu:focal found libudev1 245.4-4ubuntu3.2 CVE-2020-13776\nubuntu:focal found login 1:4.8.1-1ubuntu5.20.04 CVE-2013-4235\nubuntu:focal found login 1:4.8.1-1ubuntu5.20.04 CVE-2018-7169\nubuntu:focal found coreutils 8.30-3ubuntu2 CVE-2016-2781\nubuntu:focal found passwd 1:4.8.1-1ubuntu5.20.04 CVE-2013-4235\nubuntu:focal found passwd 1:4.8.1-1ubuntu5.20.04 CVE-2018-7169\nubuntu:focal found perl-base 5.30.0-9build1 CVE-2020-10543\nubuntu:focal found perl-base 5.30.0-9build1 CVE-2020-10878\nubuntu:focal found perl-base 5.30.0-9build1 CVE-2020-12723\nubuntu:focal found tar 1.30+dfsg-7 CVE-2019-9923\nubuntu:focal found dpkg 1.19.7ubuntu3 CVE-2017-8283\nubuntu:focal found gpgv 2.2.19-3ubuntu2 CVE-2019-13050\nubuntu:focal found libc-bin 2.31-0ubuntu9 CVE-2016-10228\nubuntu:focal found libc-bin 2.31-0ubuntu9 CVE-2020-6096\nubuntu:focal found libc6 2.31-0ubuntu9 CVE-2016-10228\nubuntu:focal found libc6 2.31-0ubuntu9 CVE-2020-6096\nubuntu:focal found libgcrypt20 1.8.5-5ubuntu1 CVE-2019-12904\n```\n\nTo test locally-built images, you'll need to push them to a registry that is accessible by the Clair service and the `clairctl` command.\nA local registry can be used for this, but the specifics of configuration vary by registry and container runtime.\nConsult the relevant documentation for more information.\n\n## What's Next\n\nNow that you see the basic usage of Clair, you can checkout our [deployment models](./deployment.md) to learn different ways of deploying.\n\nYou may also be curious about how `clairctl` did that work. Check out our [API definition](./api.md) to understand how an application interacts with Clair.\n"
},
{
"path": "Documentation/howto/testing.md",
"content": "# Testing Clair\n\nWe provide dev tooling in order to quickly get a fully configured Clair and Quay environment stood up locally.\nThis environment can be used to test and develop Clair's Quay integration.\n\n## Requirements\n\n### Make\n\nMake is used to stand up the local dev environment.\nMake is readily available in just about every package manager you can think of.\nIt's very likely your workstation already has make on it.\n\n### Podman/Docker and Docker Compose\n\nCurrently our local dev tooling is supported by docker and docker-compose.\nPodman should work fine since v3.0.\n\nDocker version 19.03.11 and docker-compose version 1.28.6 are confirmed working.\nOur assumption is most recent versions will not have an issue running the local dev tooling.\n\nSee [Get Started with Podman](https://podman.io/get-started).\n\n### Go Toolchain\n\nGo 1.20 or higher is required.\n\nSee [Install Golang](https://golang.org/doc/install).\n\n## Starting a cluster\n\n```\ngit clone git@github.com:quay/clair.git\ncd clair\ndocker-compose up -d\n# or: make local-dev\n# or: make local-dev-debug\n# or: make local-dev-quay\n```\n\nAfter the local development environment successfully starts, the following infrastructure is available to you:\n\n- `localhost:8080`\n\n Dashboards and debugging services -- See the traefik configs in `local-dev/traefik` for where the various services are served.\n\n- `localhost:6060`\n\n Clair services.\n\n- Quay (if started)\n\n Quay will be started in a single node, local storage configuration.\n A random port will be forwarded from localhost, see `podman port` for the mapping.\n\n- PostgreSQL\n\n PostgreSQL will have a random port forwarded from localhost to the database server.\n See `local-dev/clair/init.sql` for credentials and permissions and `podman port` for the mapping.\n\n### Debugging\n\nWith the `local-dev-debug` make target the operator has access to some more useful tools:\n\n| Tool | Description | URL | Credentials |\n| ---------- | ------------------------------- | ----------------------------------------------------------- | --------------------- |\n| pgAdmin | Postgres administration | [localhost:8080/pgadmin](http://localhost:8080/pgadmin) | clair@clair.com:clair |\n| jaeger | Distributed tracing | [localhost:8080/jaeger](http://localhost:8080/jaeger) | - |\n| prometheus | Metrics collection and querying | [localhost:8080/prom](http://localhost:8080/prom) | - |\n| pyroscope | Continuous profiling | [localhost:8080/pyroscope](http://localhost:8080/pyroscope) | - |\n| grafana | Metrics dashboards | [localhost:8080/grafana](http://localhost:8080/grafana) | admin:admin |\n\n## Pushing to the Local Quay\n\nAs mentioned above, Quay is forwarded to a random port on the host.\nYou can connect to the server on that port and create a account.\nCreating an account named `admin` will ensure you are a super user.\nAn email is required, but is not validated.\nYou'll also need to create a namespace.\n\nTo push to Quay, you'll need to exec into the skopeo container:\n\n```shell\ndocker-compose exec -it skopeo /usr/bin/skopeo copy --dest-creds ':' --dest-tls-verify=false docker://clair-quay:8080//:\n```\nNote that skopeo expects its image arguments in [`containers-transports(5)`] format.\n\n[`containers-transports(5)`]: https://github.com/containers/image/blob/main/docs/containers-transports.5.md\n\n## Viewing Results\n\nBy default, Quay displays security scanner results on the Tags page of the given repository.\n\n## Making changes to configuration\n\nYou may want to play with either Clair or Quay's configuration.\nIf so, the configuration files can be found inside the repository at `local-dev/quay/config.yaml` and `local-dev/clair/config.yaml`.\nAny changes to the configs will require a restart of the relevant service.\nThe quay-specific clair config is autogenerated, see the `Makefile`.\n\n## Tearing it down\n\n```\ndocker-compose down\n```\n\nwill rip the entire environment down.\n\n\n## Troubleshooting\n\nThe most common issue encountered when standing up the dev environment is port conflicts.\nMake sure that you do not have any other processes listening on any of the ports outlined above.\n\nThe second issue you may face is your Docker resource settings being too constrained to support the local dev stack.\nThis is typically seen on Docker4Mac since a VM is used with a specific set of resources configured.\nSee [Docker For Mac Manual](https://docs.docker.com/docker-for-mac/) for instructions on how to change these resources.\n\nIf `docker-compose` reports errors like `Unsupported config option for services.activemq: 'profiles'`, the `docker-compose` version is too old and you'll need to upgrade.\nConsult the relevant documentation for your environment for instructions.\n\nLastly, you can view traefik's ui at [`localhost:8080/dashboard/`](http://localhost:8080/dashboard/).\n"
},
{
"path": "Documentation/howto.md",
"content": "# How Tos\n\nThe following sections provide instructions on accomplish specific goals in Clair.\n\n- [API Definition](./howto/api.md)\n- [Deployment Models](./howto/deployment.md)\n- [Getting Started](./howto/getting_started.md)\n- [Testing ClairV4](./howto/testing.md)\n"
},
{
"path": "Documentation/listing_test.go",
"content": "package Documentation\n\nimport (\n\t\"bufio\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path\"\n\t\"regexp\"\n\t\"sort\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n)\n\n// TestListing fails if the SUMMARY.md falls out of sync with the markdown files\n// in this directory.\nfunc TestListing(t *testing.T) {\n\t// Check that this is the docs test.\n\t// These files are copied into the \"book\" directory, so when left around in\n\t// a work tree, test will run there as well.\n\tif _, err := os.Stat(\"index.html\"); err == nil {\n\t\tt.Skip(\"skip listing check in compiled docs\")\n\t}\n\n\tlinkline, err := regexp.Compile(`\\s*- \\[.+\\]\\((.+)\\)`)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tf, err := os.Open(\"SUMMARY.md\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer f.Close()\n\n\tlinked := []string{\"SUMMARY.md\"}\n\ts := bufio.NewScanner(f)\n\tfor s.Scan() {\n\t\tms := linkline.FindSubmatch(s.Bytes())\n\t\tswitch {\n\t\tcase ms == nil, len(ms) == 1:\n\t\t\tcontinue\n\t\tcase len(ms) == 2:\n\t\t\tlinked = append(linked, path.Clean(string(ms[1])))\n\t\t}\n\t}\n\tif err := s.Err(); err != nil {\n\t\tt.Error(err)\n\t}\n\tsort.Strings(linked)\n\n\tvar files []string\n\terr = fs.WalkDir(os.DirFS(\".\"), \".\", func(p string, d fs.DirEntry, err error) error {\n\t\tswitch {\n\t\tcase err != nil:\n\t\t\treturn err\n\t\tcase d.IsDir():\n\t\t\treturn nil\n\t\tcase path.Ext(d.Name()) != \".md\":\n\t\t\treturn nil\n\t\t}\n\t\tfiles = append(files, p)\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tsort.Strings(files)\n\n\tif !cmp.Equal(linked, files) {\n\t\tt.Error(cmp.Diff(linked, files))\n\t}\n}\n"
},
{
"path": "Documentation/reference/api.md",
"content": "---\ntitle: Clair Container Analyzer v1.2.0\nlanguage_tabs:\n - python: Python\n - go: Golang\n - javascript: Javascript\nlanguage_clients:\n - python: \"\"\n - go: \"\"\n - javascript: \"\"\ntoc_footers:\n - External documentation \nincludes: []\nsearch: false\nhighlight_theme: darkula\nheadingLevel: 2\n\n---\n\n\n\nClair Container Analyzer v1.2.0 \n\n> Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.\n\nClair is a set of cooperating microservices which can index and match a container image's content with known vulnerabilities.\n\n**Note:** Any endpoints tagged \"internal\" are documented for completeness but are considered exempt from versioning.\n\nEmail: Clair Team Web: Clair Team \nLicense: Apache License 2.0 \n\n# Authentication\n\n- HTTP Authentication, scheme: bearer Clair's authentication scheme.\n\nThis is a [JWT](https://datatracker.ietf.org/doc/html/rfc7519) signed with a configured pre-shared key containing an allowlisted `iss` claim.\n\nindexer \n\nIndexer service endpoints.\n\nThese are responsible for determining the contents of containers.\n\n## Index a Manifest\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|body|body|[manifest](#schemamanifest)|true|Manifest to index.|\n\n> Example responses\n\n> 201 Response\n\n```json\n{\n \"manifest_hash\": null,\n \"state\": \"string\",\n \"err\": \"string\",\n \"success\": true,\n \"packages\": {},\n \"distributions\": {},\n \"repository\": {},\n \"environments\": {\n \"property1\": [],\n \"property2\": []\n }\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|201|[Created](https://tools.ietf.org/html/rfc7231#section-6.3.2)|IndexReport created.\n\nClients may want to avoid reading the body if simply submitting the manifest for later vulnerability reporting.|[index_report](#schemaindex_report)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|412|[Precondition Failed](https://tools.ietf.org/html/rfc7232#section-4.2)|Precondition Failed|None|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|201|Location|string||HTTP [Location header](https://httpwg.org/specs/rfc9110.html#field.location)|\n|201|Link|string||Web Linking [Link header](https://httpwg.org/specs/rfc8288.html#header)|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Delete Indexed Manifests\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|body|body|[bulk_delete](#schemabulk_delete)|true|Array of manifest digests to delete.|\n\n> Example responses\n\n> 200 Response\n\n```json\n[\n \"sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\"\n]\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Successfully deleted manifests.|[bulk_delete](#schemabulk_delete)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Delete an Indexed Manifest\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|digest|path|[digest](#schemadigest)|true|OCI-compatible digest of a referred object.|\n\n> Example responses\n\n> 400 Response\n\n```json\n{\n \"code\": \"string\",\n \"message\": \"string\"\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|204|[No Content](https://tools.ietf.org/html/rfc7231#section-6.3.5)|Success|None|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Retrieve the IndexReport for a Manifest\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|digest|path|[digest](#schemadigest)|true|OCI-compatible digest of a referred object.|\n\n> Example responses\n\n> 200 Response\n\n```json\n{\n \"manifest_hash\": null,\n \"state\": \"string\",\n \"err\": \"string\",\n \"success\": true,\n \"packages\": {},\n \"distributions\": {},\n \"repository\": {},\n \"environments\": {\n \"property1\": [],\n \"property2\": []\n }\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|IndexReport retrieved|[index_report](#schemaindex_report)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|Not Found|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Report the Indexer's State\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Indexer State|[index_state](#schemaindex_state)|\n|304|[Not Modified](https://tools.ietf.org/html/rfc7232#section-4.1)|Not Modified|None|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Etag|string||HTTP [ETag header](https://httpwg.org/specs/rfc9110.html#field.etag)|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\nmatcher \n\nMatcher service endpoints.\n\nThese are responsible for generating reports against current vulnerability data.\n\n## Retrieve a VulnerabilityReport for a Manifest\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|digest|path|[digest](#schemadigest)|true|OCI-compatible digest of a referred object.|\n\n> Example responses\n\n> 201 Response\n\n```json\n{\n \"manifest_hash\": null,\n \"packages\": {},\n \"distributions\": {},\n \"repository\": {},\n \"environments\": {\n \"property1\": [],\n \"property2\": []\n },\n \"vulnerabilities\": {},\n \"package_vulnerabilities\": {\n \"property1\": [\n \"string\"\n ],\n \"property2\": [\n \"string\"\n ]\n },\n \"enrichments\": {\n \"property1\": [],\n \"property2\": []\n }\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|201|[Created](https://tools.ietf.org/html/rfc7231#section-6.3.2)|Vulnerability Report Created|[vulnerability_report](#schemavulnerability_report)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|Not Found|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\nnotifier \n\nMatcher service endpoints.\n\nThese are responsible for serving notifications.\n\n## Delete a Notification Set\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|id|path|[token](#schematoken)|true|A notification ID returned by a callback|\n\n> Example responses\n\n> 400 Response\n\n```json\n{\n \"code\": \"string\",\n \"message\": \"string\"\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Delete the notification referenced by the \"id\" parameter.|None|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Retrieve Pages of a Notification Set\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|page_size|query|integer|false|The maximum number of notifications to deliver in a single page.|\n|next|query|[token](#schematoken)|false|The next page to fetch via id. Typically this number is provided on initial response in the \"page.next\" field. The first request should omit this field.|\n|id|path|[token](#schematoken)|true|A notification ID returned by a callback|\n\n> Example responses\n\n> 200 Response\n\n```json\n{\n \"page\": {\n \"size\": 100,\n \"next\": \"1b4d0db2-e757-4150-bbbb-543658144205\"\n },\n \"notifications\": [\n {\n \"id\": \"5e4b387e-88d3-4364-86fd-063447a6fad2\",\n \"manifest\": \"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\",\n \"reason\": \"added\",\n \"vulnerability\": {\n \"name\": \"CVE-2009-5155\",\n \"fixed_in_version\": \"v0.0.1\",\n \"links\": \"http://example.com/CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\\\"\",\n \"normalized_severity\": \"Unknown\",\n \"package\": {\n \"id\": \"10\",\n \"name\": \"libapt-pkg5.0\",\n \"version\": \"1.6.11\",\n \"kind\": \"BINARY\",\n \"arch\": \"x86\",\n \"source\": {\n \"id\": \"9\",\n \"name\": \"apt\",\n \"version\": \"1.6.11\",\n \"kind\": \"SOURCE\",\n \"source\": null\n }\n },\n \"distribution\": {\n \"id\": \"1\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"pretty_name\": \"Ubuntu 18.04.3 LTS\"\n }\n }\n }\n ]\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|A paginated list of notifications|[notification_page](#schemanotification_page)|\n|304|[Not Modified](https://tools.ietf.org/html/rfc7232#section-4.1)|Not Modified|None|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\ninternal \n\nThese are internal endpoints, documented for completeness.\n\nThey are exempted from API stability guarentees.\n\n## Retrieve Manifests Affected by a Vulnerability\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|body|body|[vulnerability_summaries](#schemavulnerability_summaries)|true|Array of vulnerability summaries to report on.|\n\n> Example responses\n\n> 200 Response\n\n```json\n{\n \"vulnerabilities\": {\n \"42\": {\n \"id\": \"42\"\n }\n },\n \"vulnerable_manifests\": {\n \"sha256:01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\": [\n \"42\"\n ]\n }\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|The list of manifests and the corresponding vulnerabilities.|[affected_manifests](#schemaaffected_manifests)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Retrieve Vulnerability Changes Between Two Update Operations\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|cur|query|[token](#schematoken)|false|\"Current\" Update Operation ref.|\n|prev|query|[token](#schematoken)|true|\"Previous\" Update Operation ref.|\n\n> Example responses\n\n> 200 Response\n\n```json\n{\n \"prev\": null,\n \"cur\": null,\n \"added\": [],\n \"removed\": []\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Changes between two Update Operations.|[update_diff](#schemaupdate_diff)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Retrieve Update Operations\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|kind|query|any|false|The \"kind\" of updaters to query.|\n|latest|query|boolean|false|Return only the latest Update Operations instead of all known Update Operations.|\n\n#### Enumerated Values\n\n|Parameter|Value|\n|---|---|\n|kind|vulnerability|\n|kind|enrichment|\n\n> Example responses\n\n> 200 Response\n\n```json\n{\n \"property1\": [],\n \"property2\": []\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Update Operations, keyed by updater.|[update_operations](#schemaupdate_operations)|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n## Delete an Update Operation\n\nParameters \n\n|Name|In|Type|Required|Description|\n|---|---|---|---|---|\n|digest|path|[digest](#schemadigest)|true|OCI-compatible digest of a referred object.|\n\n> Example responses\n\n> 400 Response\n\n```json\n{\n \"code\": \"string\",\n \"message\": \"string\"\n}\n```\n\nResponses \n\n|Status|Meaning|Description|Schema|\n|---|---|---|---|\n|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Success|None|\n|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|Bad Request|[error](#schemaerror)|\n|415|[Unsupported Media Type](https://tools.ietf.org/html/rfc7231#section-6.5.13)|Unsupported Media Type|[error](#schemaerror)|\n|default|Default|Internal Server Error|[error](#schemaerror)|\n\n### Response Headers\n\n|Status|Header|Type|Format|Description|\n|---|---|---|---|---|\n|200|Clair-Error|string||This is a trailer containing any errors encountered while writing the response.|\n\n\nTo perform this operation, you must be authenticated by means of one of the following methods:\nNone, PSK\n \n\n# Schemas\n\ntoken \n\naffected_manifests \n\nbulk_delete \n\ncpe \n\ndigest \n\ndistribution \n\nenvironment \n\nerror \n\nindex_report \n\nindex_state \n\nlayer \n\nmanifest \n\nnormalized_severity \n\nnotification_page \n\nnotification \n\nnotification_webhook \n\npackage \n\nrange \n\nrepository \n\nupdate_diff \n\nupdate_operation \n\nupdate_operations \n\nvulnerability_core \n\nvulnerability_report \n\nvulnerability \n\nvulnerability_summaries \n\nvulnerability_summary \n\n:` format where `` can be an empty string.\n\nThis configures where the HTTP API is exposed.\nSee `/openapi/v1` for the API spec.\n\n### `$.introspection_addr`\nA string in `:` format where `` can be an empty string.\n\nThis configures where Clair's metrics and health endpoints are exposed.\n\n### `$.log_level`\nSet the logging level.\n\nOne of the following strings:\n* debug-color\n* debug\n* info\n* warn\n* error\n* fatal\n* panic\n\n### `$.tls`\nTLS is a map containing the config for serving the HTTP API over TLS (and\nHTTP/2).\n\n#### `$.tls.cert`\nThe TLS certificate to be used. Must be a full-chain certificate, as in nginx.\n\n#### `$.tls.key`\nA key file for the TLS certificate. Encryption is not supported on the key.\n\n### `$.indexer`\nIndexer provides Clair Indexer node configuration.\n\n#### `$.indexer.airgap`\nDisables HTTP access to the Internet for indexers and fetchers.\nPrivate IPv4 and IPv6 addresses are allowed.\nDatabase connections are unaffected.\n\n#### `$.indexer.connstring`\nA Postgres connection string.\n\nAccepts a format as a url (e.g.,\n`postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full`)\nor a libpq connection string (e.g.,\n`user=pqgotest dbname=pqgotest sslmode=verify-full`).\n\n#### `$.indexer.index_report_request_concurrency`\nInteger.\n\nRate limits the number of index report creation requests.\n\nSetting this to 0 will attempt to auto-size this value. Setting a negative value\nmeans \"unlimited.\" The auto-sizing is a multiple of the number of available\ncores.\n\nThe API will return a 429 status code if concurrency is exceeded.\n\n#### `$.indexer.scanlock_retry`\nA positive integer representing seconds.\n\nConcurrent Indexers lock on manifest scans to avoid clobbering.\nThis value tunes how often a waiting Indexer will poll for the lock.\n\n\n#### `$.indexer.layer_scan_concurrency`\nPositive integer limiting the number of concurrent layer scans.\n\nIndexers will index a Manifest's layers concurrently.\nThis value tunes the number of layers an Indexer will scan in parallel.\n\n#### `$.indexer.migrations`\nA boolean value.\n\nWhether Indexer nodes handle migrations to their database.\n\n#### `$.indexer.scanner`\nIndexer configurations.\n\nScanner allows for passing configuration options to layer scanners.\nThe scanner will have this configuration passed to it on construction if\ndesigned to do so.\n\n#### `$.indexer.scanner.dist`\nA map with the name of a particular scanner and arbitrary yaml as a value.\n\n#### `$.indexer.scanner.package`\nA map with the name of a particular scanner and arbitrary yaml as a value.\n\n#### `$.indexer.scanner.repo`\nA map with the name of a particular scanner and arbitrary yaml as a value.\n\n### `$.matcher`\nMatcher provides Clair matcher node configuration.\n\n#### `$.matcher.cache_age`\nDuration string.\n\nControls how long clients should be hinted to cache responses for.\n\n#### `$.matcher.connstring`\nA Postgres connection string.\n\nAccepts a format as a url (e.g.,\n`postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full`)\nor a libpq connection string (e.g.,\n`user=pqgotest dbname=pqgotest sslmode=verify-full`).\n\n#### `$.matcher.max_conn_pool`\nA positive integer limiting the database connection pool size.\n\nClair allows for a custom connection pool size.\nThis number will directly set how many active database\nconnections are allowed concurrently.\n\nThis parameter will be ignored in a future version.\nUsers should configure this through the connection string.\n\n#### `$.matcher.indexer_addr`\nA string in `:` format where `` can be an empty string.\n\nA Matcher contacts an Indexer to create a VulnerabilityReport.\nThe location of this Indexer is required.\n\n#### `$.matcher.migrations`\nA boolean value.\n\nWhether Matcher nodes handle migrations to their databases.\n\n#### `$.matcher.period`\nA time.ParseDuration parseable string.\n\nDetermines how often updates for new security advisories will take place.\n\nDefaults to 6 hours.\n\n#### `$.matcher.disable_updaters`\nA boolean value.\n\nWhether to run background updates or not.\n\n#### `$.matcher.disable_enrichment`\nA boolean value.\n\nWhether to enrich the returned vulnerabilities or not.\n\n#### `$.matcher.update_retention`\nAn integer value limiting the number of update operations kept in the database.\n\nSets the number of update operations to retain between garbage collection\ncycles. This should be set to a safe MAX value based on database size\nconstraints.\n\nDefaults to 10.\n\nIf a value less than 0 is provided, GC is disabled. 2 is the minimum value to\nensure updates can be compared for notifications. \n\n### `$.matchers`\nMatchers provides configuration for the in-tree Matchers and RemoteMatchers.\n\n#### `$.matchers.names`\nA list of string values informing the matcher factory about enabled matchers.\n\nIf the value is nil the default list of Matchers will run:\n* alpine-matcher\n* aws-matcher\n* debian-matcher\n* gobin\n* java-maven\n* oracle\n* photon\n* python\n* rhel\n* rhel-container-matcher\n* suse\n* ubuntu-matcher\n\nIf an empty list is provided zero matchers will run.\n\n#### `$.matchers.config`\nProvides configuration to specific matcher.\n\nA map keyed by the name of the matcher containing a sub-object which\nwill be provided to the matchers factory constructor.\n\nA hypothetical example:\n\n config:\n python:\n ignore_vulns:\n - CVE-XYZ\n - CVE-ABC\n\n### `$.updaters`\nUpdaters provides configuration for the Matcher's update manager.\n\n#### `$.updaters.sets`\nA list of string values informing the update manager which Updaters to run.\n\nIf the value is nil (or `null` in yaml) the default set of Updaters will run:\n* alpine\n* aws\n* debian\n* oracle\n* osv\n* photon\n* rhcc\n* rhel\n* suse\n* ubuntu\n\nIf an empty list is provided zero updaters will run.\n\n#### `$.updaters.config`\nProvides configuration to specific updater sets.\n\nA map keyed by the name of the updater set name containing a sub-object\nwhich will be provided to the updater set's constructor.\n\nA hypothetical example:\n\n config:\n ubuntu:\n security_tracker_url: http://security.url\n ignore_distributions: \n - cosmic\n\n### `$.notifier`\nNotifier provides Clair notifier node configuration.\n\n#### `$.notifier.connstring`\nA Postgres connection string.\n\nAccepts a format as a url (e.g.,\n`postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full`)\nor a libpq connection string (e.g.,\n`user=pqgotest dbname=pqgotest sslmode=verify-full`).\n\n#### `$.notifier.migrations`\nA boolean value.\n\nWhether Notifier nodes handle migrations to their database.\n\n#### `$.notifier.indexer_addr`\nA string in `:` format where `` can be an empty string.\n\nA Notifier contacts an Indexer to create obtain manifests affected by\nvulnerabilities. The location of this Indexer is required.\n\n#### `$.notifier.matcher_addr`\nA string in `:` format where `` can be an empty string.\n\nA Notifier contacts a Matcher to list update operations and acquire diffs.\nThe location of this Indexer is required.\n\n#### `$.notifier.poll_interval`\nA time.ParseDuration parsable string.\n\nThe frequency at which the notifier will query at Matcher for Update Operations.\n\n#### `$.notifier.delivery_interval`\nA time.ParseDuration parsable string.\n\nThe frequency at which the notifier attempt delivery of created or previously\nfailed notifications.\n\n#### `$.notifier.disable_summary`\nA boolean.\n\nControls whether notifications should be summarized to one per manifest or not.\n\n#### `$.notifier.webhook`\nConfigures the notifier for webhook delivery.\n\n#### `$.notifier.webhook.target`\nURL where the webhook will be delivered.\n\n#### `$.notifier.webhook.callback`\nThe callback url where notifications can be retrieved.\nThe notification ID will be appended to this url.\n\nThis will typically be where the clair notifier is hosted.\n\n#### `$.notifier.webhook.headers`\nA map associating a header name to a list of values.\n\n#### `$.notifier.amqp`\nConfigures the notifier for AMQP delivery.\n\nNote: Clair does not declare any AMQP components on its own. All attempts\nto use an exchange or queue are passive only and will fail The broker\nadministrators should setup exchanges and queues ahead of time.\n\n#### `$.notifier.amqp.direct`\nA boolean value.\n\nIf true the Notifier will deliver individual notifications (not a callback)\nto the configured AMQP broker.\n\n#### `$.notifier.amqp.rollup`\nInteger 0 or greater.\n\nIf `direct` is true this value will inform notifier how many notifications\nto send in a single direct delivery. For example, if `direct` is set to\n`true` and `rollup` is set to `5`, the notifier will deliver no more then\n5 notifications in a single json payload to the broker. Setting the value\nto 0 will effectively set it to 1.\n\n#### `$.notifier.amqp.exchange`\nThe AMQP Exchange to connect to.\n\n#### `$.notifier.amqp.exchange.name`\nstring value\n\nThe name of the exchange to connect to.\n\n#### `$.notifier.amqp.exchange.type`\nstring value\n\nThe type of the exchange. Typically:\n* direct\n* fanout\n* topic\n* headers\n\n#### `$.notifier.amqp.exchange.durability`\nbool value\n\nWhether the configured queue is durable or not.\n\n#### `$.notifier.amqp.exchange.auto_delete`\nbool value\n\nWhether the configured queue uses an auto_delete policy.\n\n#### `$.notifier.amqp.routing_key`\nstring value\n\nThe name of the routing key each notification will be sent with.\n\n#### `$.notifier.amqp.callback`\na URL string\n\nIf `direct` is `false`, this URL is provided in the notification callback sent\nto the broker. This URL should point to Clair's notification API endpoint.\n\n#### `$.notifier.amqp.uris`\nlist of URL strings\n\nA list of one or more AMQP brokers to connect to, in priority order.\n\n#### `$.notifier.amqp.tls`\nConfigures TLS connection to AMQP broker.\n\n#### `$.notifier.amqp.tls.root_ca`\nstring value\n\nThe filesystem path where a root CA can be read.\n\n#### `$.notifier.amqp.tls.cert`\nstring value\n\nThe filesystem path where a tls certificate can be read. Note that clair\nalso respects `SSL_CERT_DIR`, as documented for the Go `crypto/x509` package.\n\n#### `$.notifier.amqp.tls.key`\nstring value\n\nThe filesystem path where a TLS private key can be read.\n\n#### `$.notifier.stomp`\nConfigures the notifier for STOMP delivery.\n\n#### `$.notifier.stomp.direct`\nA boolean value.\n\nIf `true`, the Notifier will deliver individual notifications (not a\ncallback) to the configured STOMP broker.\n\n#### `$.notifier.stomp.rollup`\nInteger 0 or greater.\n\nIf `direct` is `true`, this value will limit the number of notifications\nsent in a single direct delivery. For example, if `direct` is set to\n`true` and `rollup` is set to `5`, the notifier will deliver no more\nthen 5 notifications in a single json payload to the broker. Setting the value\nto 0 will effectively set it to 1.\n\n#### `$.notifier.stomp.callback`\na URL string\n\nIf `direct` is `false`, this URL is provided in the notification callback sent\nto the broker. This URL should point to Clair's notification API endpoint.\n\n#### `$.notifier.stomp.destination`\na string value\n\nThe STOMP destination to deliver notifications to. \n\n#### `$.notifier.stomp.uris`\nlist of URL strings\n\nA list of one or more STOMP brokers to connect to in priority order.\n\n#### `$.notifier.stomp.tls`\nConfigures TLS connection to STOMP broker.\n\n#### `$.notifier.stomp.tls.root_ca`\nstring value\n\nThe filesystem path where a root CA can be read.\nNote that clair also respects `SSL_CERT_DIR`, as documented for the Go\n`crypto/x509` package.\n\n#### `$.notifier.stomp.tls.cert`\nstring value\n\nThe filesystem path where a tls certificate can be read.\n\n#### `$.notifier.stomp.tls.key`\nstring value\n\nThe filesystem path where a tls private key can be read.\n\n#### `$.notifier.stomp.user`\nConfigures login details for the STOMP broker.\n\n#### `$.notifier.stomp.user.login`\nstring value\n\nThe STOMP login to connect with.\n\n#### `$.notifier.stomp.user.passcode`\nstring value\n\nThe STOMP passcode to connect with.\n\n### `$.auth`\nDefines ClairV4's external and intra-service JWT based authentication.\n\nIf multiple auth mechanisms are defined, Clair will pick one. Currently, there\nare not multiple mechanisms.\n\n### `$.auth.psk`\nDefines preshared key authentication.\n\n#### `$.auth.psk.key`\na string value\n\nA shared base64 encoded key distributed between all parties signing and\nverifying JWTs.\n\n#### `$.auth.psk.iss`\na list of string value\n\nA list of JWT issuers to verify. An empty list will accept any issuer in a\nJWT claim.\n\n### `$.trace`\nDefines distributed tracing configuration based on OpenTelemetry.\n\n#### `$.trace.name`\nWhich submission format to use, one of:\n- jaeger\n- otlp\n- sentry\n\n#### `$.trace.probability`\na float value\n\nThe probability a trace will occur.\n\n### `$.trace.jaeger`\nDefines values for Jaeger tracing.\n\n***NOTE***: Jaeger has deprecated using the `jaeger` protocol and encouraging users to migrate to OTLP,\nwhich Jaeger can ingest natively.\n\n#### `$.trace.jaeger.agent`\nDefines values for configuring delivery to a Jaeger agent.\n\n#### `$.trace.jaeger.agent.endpoint`\na string value\n\nAn address in `:` syntax where traces can be submitted.\n\n#### `$.trace.jaeger.collector`\nDefines values for configuring delivery to a Jaeger collector.\n\n#### `$.trace.jaeger.collector.endpoint`\na string value\n\nAn address in `:` syntax where traces can be submitted.\n\n#### `$.trace.jaeger.collector.username`\na string value\n\n#### `$.trace.jaeger.collector.password`\na string value\n\n#### `$.trace.jaeger.service_name`\na string value\n\n#### `$.trace.jaeger.tags`\na mapping of a string to a string\n\n#### `$.trace.jaeger.buffer_max`\nan integer value\n\n### `$.trace.otlp`\nConfiguration for OTLP traces.\n\nOnly one of the `http` or `grpc` keys should be provided.\n\n#### `$.trace.otlp.http`\nConfiguration for OTLP traces submitted by HTTP.\n\n##### `$.trace.otlp.http.url_path`\nRequest path to use for submissions.\nDefaults to `/v1/traces`.\n\n##### `$.trace.otlp.http.compression`\nCompression for payloads.\nOne of:\n- gzip\n- none\n\n##### `$.trace.otlp.http.endpoint`\n`Host:port` for submission. Defaults to `localhost:4318`.\n\n##### `$.trace.otlp.http.headers`\nKey-value pairs of additional headers for submissions.\n\n##### `$.trace.otlp.http.insecure`\nUse HTTP instead of HTTPS.\n\n##### `$.trace.otlp.http.timeout`\nMaximum of of time for a trace submission.\n\n##### `$.trace.otlp.http.client_tls.cert`\nClient certificate for connection.\n\n##### `$.trace.otlp.http.client_tls.key`\nKey for the certificate specified in `cert`.\n\n#### `$.trace.otlp.grpc`\nConfiguration for OTLP traces submitted by gRPC.\n\n##### `$.trace.otlp.grpc.reconnect`\nSets the minimum time between connection attempts.\n\n##### `$.trace.otlp.grpc.service_config`\nA string containing a JSON-format gRPC service config.\n\n##### `$.trace.otlp.grpc.compression`\nCompression for payloads.\nOne of:\n- gzip\n- none\n\n##### `$.trace.otlp.grpc.endpoint`\n`Host:port` for submission. Defaults to `localhost:4317`.\n\n##### `$.trace.otlp.grpc.headers`\nKey-value pairs of additional headers for submissions.\n\n##### `$.trace.otlp.grpc.insecure`\nDo not verify the server certificate.\n\n##### `$.trace.otlp.grpc.timeout`\nMaximum of of time for a trace submission.\n\n##### `$.trace.otlp.grpc.client_tls.cert`\nClient certificate for connection.\n\n##### `$.trace.otlp.grpc.client_tls.key`\nKey for the certificate specified in `cert`.\n\n### `$.trace.sentry`\nConfiguration for submitting traces to Sentry.\n\nThis is done via OpenTelemetry instrumentation, so may not provide identical\nresults compared to other tracing backends or native Sentry instrumentation.\n\nThere's no integration for error submission.\nThis means that alternative implementations of the Sentry API that do not support submitting traces (such as [GlitchTip]) are not usable.\n\n[GlitchTip]: https://glitchtip.com/\n\n#### `$.trace.sentry.dsn`\nSentry DSN to use.\nSee also [`sentry-go.ClientOptions`](https://pkg.go.dev/github.com/getsentry/sentry-go#ClientOptions).\n\n#### `$.trace.sentry.environment`\nSentry environment to use.\nSee also [`sentry-go.ClientOptions`](https://pkg.go.dev/github.com/getsentry/sentry-go#ClientOptions).\n\n### `$.metrics`\nDefines distributed tracing configuration based on OpenTelemetry.\n\n#### `$.metrics.name`\na string value\n\n### `$.metrics.prometheus`\nConfiguration for a prometheus metrics exporter.\n\n#### `$.metrics.prometheus.endpoint`\na string value\n\nDefines the path where metrics will be served.\n\n### `$.metrics.otlp`\nConfiguration for OTLP metrics.\n\nOnly one of the `http` or `grpc` keys should be provided.\n\n#### `$.metrics.otlp.http`\nConfiguration for OTLP metrics submitted by HTTP.\n\n##### `$.metrics.otlp.http.url_path`\nRequest path to use for submissions.\nDefaults to `/v1/metrics`.\n\n##### `$.metrics.otlp.http.compression`\nCompression for payloads.\nOne of:\n- gzip\n- none\n\n##### `$.metrics.otlp.http.endpoint`\n`Host:port` for submission. Defaults to `localhost:4318`.\n\n##### `$.metrics.otlp.http.headers`\nKey-value pairs of additional headers for submissions.\n\n##### `$.metrics.otlp.http.insecure`\nUse HTTP instead of HTTPS.\n\n##### `$.metrics.otlp.http.timeout`\nMaximum of of time for a metrics submission.\n\n##### `$.metrics.otlp.http.client_tls.cert`\nClient certificate for connection.\n\n##### `$.metrics.otlp.http.client_tls.key`\nKey for the certificate specified in `cert`.\n\n#### `$.metrics.otlp.grpc`\nConfiguration for OTLP metrics submitted by gRPC.\n\n##### `$.metrics.otlp.grpc.reconnect`\nSets the minimum time between connection attempts.\n\n##### `$.metrics.otlp.grpc.service_config`\nA string containing a JSON-format gRPC service config.\n\n##### `$.metrics.otlp.grpc.compression`\nCompression for payloads.\nOne of:\n- gzip\n- none\n\n##### `$.metrics.otlp.grpc.endpoint`\n`Host:port` for submission. Defaults to `localhost:4318`.\n\n##### `$.metrics.otlp.grpc.headers`\nKey-value pairs of additional headers for submissions.\n\n##### `$.metrics.otlp.grpc.insecure`\nUse HTTP instead of HTTPS.\n\n##### `$.metrics.otlp.grpc.timeout`\nMaximum of of time for a metrics submission.\n\n##### `$.metrics.otlp.grpc.client_tls.cert`\nClient certificate for connection.\n\n##### `$.metrics.otlp.grpc.client_tls.key`\nKey for the certificate specified in `cert`.\n\n* * *\n\n[^1]: Support added in version `4.7.0`.\n"
},
{
"path": "Documentation/reference/indexer.md",
"content": "# Indexer\n\nWhen Clair is running in Indexer mode, it is responsible for receiving Manifests and generating IndexReports. An IndexReport is an intermediate representation of a manifest's content and is used to discover vulnerabilities.\n"
},
{
"path": "Documentation/reference/matcher.md",
"content": "# Matcher\n\nWhen Clair is running in Matcher mode it is responsible for receiving IndexReports and generating VulnerabilityReports. A VulnerabilityReport describes the contents of a manifest and any vulnerabilities affecting it.\n"
},
{
"path": "Documentation/reference/metrics.md",
"content": "Clair exports [metrics](./config.md#metrics) on the [introspection\nport](./config.md#introspection_addr) in the Prometheus format.\n\nThe exact metrics exposed are not considered API (and so are subject to change\nbetween releases) but should be well described. An up-to-date grafana dashboard\nexample is in `contrib/openshift/grafana`.\n"
},
{
"path": "Documentation/reference/notifier.md",
"content": "# Notifier \n\nWhen Clair is running in Notifier mode, it is responsible for generating notifications when new vulnerabilities affecting a previously indexed manifest enters the system. The notifier will send notifications via the configured mechanisms.\n"
},
{
"path": "Documentation/reference.md",
"content": "# Reference\nThe following sections provide reference information useful when exploring the documentation or working with Clair directly.\n\n- [API](./reference/api.md)\n- [Clairctl](./reference/clairctl.md)\n- [Config](./reference/config.md)\n- [Indexer](./reference/indexer.md)\n- [Matcher](./reference/matcher.md)\n- [Notifier](./reference/notifier.md)\n"
},
{
"path": "Documentation/reference_test.go",
"content": "package Documentation\n\nimport (\n\t\"bufio\"\n\t\"fmt\"\n\t\"os\"\n\t\"reflect\"\n\t\"regexp\"\n\t\"sort\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/quay/clair/config\"\n)\n\nfunc TestConfigReference(t *testing.T) {\n\tf, err := os.Open(\"reference/config.md\")\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tdefer f.Close()\n\n\theader := regexp.MustCompile(\"^#+ `\\\\$[^`]+`\")\n\tvar got []string\n\ts := bufio.NewScanner(f)\n\tfor s.Scan() {\n\t\tif header.Match(s.Bytes()) {\n\t\t\tgot = append(got, strings.Trim(s.Text(), \" #`\"))\n\t\t}\n\t}\n\tif err := s.Err(); err != nil {\n\t\tt.Error(err)\n\t}\n\tvar want []string\n\tif err := walk(&want, \"$\", reflect.TypeOf(config.Config{})); err != nil {\n\t\tt.Error(err)\n\t}\n\tsort.Strings(want)\n\tsort.Strings(got)\n\tif !cmp.Equal(got, want) {\n\t\tt.Error(cmp.Diff(got, want))\n\t}\n}\n\ntype walkFunc func(interface{}) ([]string, error)\n\nfunc walk(ws *[]string, path string, t reflect.Type) error {\n\t// Dereference the pointer, if this is a pointer.\n\tif t.Kind() == reflect.Ptr {\n\t\tt = t.Elem()\n\t}\n\tif t.Kind() == reflect.Struct {\n\t\tfor i, lim := 0, t.NumField(); i < lim; i++ {\n\t\t\tf := t.Field(i)\n\t\t\tif f.Anonymous {\n\t\t\t\tif err := walk(ws, path, t.Field(i).Type); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvar n string\n\t\t\tswitch t := f.Tag.Get(\"json\"); t {\n\t\t\tcase \"-\", \"\":\n\t\t\t\tcontinue\n\t\t\tdefault:\n\t\t\t\tif i := strings.IndexByte(t, ','); i != -1 {\n\t\t\t\t\tt = t[:i]\n\t\t\t\t}\n\t\t\t\tn = t\n\t\t\t}\n\t\t\tp := fmt.Sprintf(`%s.%s`, path, n)\n\t\t\t*ws = append(*ws, p)\n\t\t\tif err := walk(ws, p, t.Field(i).Type); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n"
},
{
"path": "Documentation/whatis.md",
"content": "# What is Clair\n\nClair is an application for parsing image contents and reporting vulnerabilities affecting the contents. This is done via static analysis and not at runtime.\n\nClair supports the extraction of contents and assignment of vulnerabilities from the following official base containers:\n- Ubuntu\n- Debian\n- RHEL\n- Suse\n- Oracle\n- Alpine\n- AWS Linux\n- VMWare Photon\n- Python\n\nThe above list defines Clair's current support matrix.\n\n## Architecture\n\nClair v4 utilizes the [ClairCore](https://quay.github.io/claircore/) library as its engine for examining contents and reporting vulnerabilities. At a high level you can consider Clair a service wrapper to the functionality provided in the ClairCore library. \n\n\n\nThe above diagram expresses the separation of concerns between Clair and the ClairCore library. Most development involving new distributions, vulnerability sources, and layer indexing will occur in ClairCore.\n\n## How Clair Works\n\nClair's analysis is broken into three distinct parts.\n\n### Indexing\n\nIndexing starts with submitting a Manifest to Clair. On receipt, Clair will fetch layers, scan their contents, and return an intermediate representation called an IndexReport. \n\nManifests are Clair's representation of a container image. Clair leverages the fact that OCI Manifests and Layers are content-addressed to reduce duplicated work.\n\nOnce a Manifest is indexed, the IndexReport is persisted for later retrieval. \n\n### Matching\n\nMatching is taking an IndexReport and correlating vulnerabilities affecting the manifest the report represents. \n\nClair is continually ingesting new security data and a request to the matcher will always provide you with the most up to date vulnerability analysis of an IndexReport.\n\n*How we implement indexing and matching in detail is covered in [ClairCore's](https://quay.github.io/claircore/) documentation.*\n\n### Notifications\n\nClair implements a notification service. \n\nWhen new vulnerabilities are discovered, the notifier service will determine if these vulnerabilities affect any indexed Manifests. The notifier will then take action according to its configuration.\n\n### Getting Started\n\nAt this point you'll probably want to check out [Getting Started With Clair](./howto/getting_started.md).\n"
},
{
"path": "LICENSE",
"content": "Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"{}\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright {yyyy} {name of copyright owner}\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n\n"
},
{
"path": "Makefile",
"content": "# Copyright 2024 clair authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Set the \"DEBUG\" variable to enable some debugging output for the Makefile\n# itself.\n\n.ONESHELL:\n.SHELL = /usr/bin/bash\n.SHELLFLAGS = -o pipefail -uec\n.DELETE_ON_ERROR:\ncomma:=,\nsplice = $(subst $(eval ) ,$(comma),$1)\n# See this file for all the variables that can be tuned by the environment.\ninclude etc/config.mk\n# Append shell patterns to this to hook the \"clean\" target.\nrm_pat =\n\nall:\n\t$(go) build ./cmd/...\n\ncontrib/openshift/grafana/dashboards/dashboard-clair.configmap.yaml: \\\n\tlocal-dev/grafana/provisioning/dashboards/clair.json \\\n\tcontrib/openshift/grafana/dashboard-clair.configmap.yaml.tpl\n\tname=$$(sed 's/[\\&/]/\\\\&/g;s/$$/\\\\n/;s/^/ /' $< | tr -d '\\n')\n\tsed \"s/GRAFANA_MANIFEST/$$name/\"\\\n\t\t$(word 2,$^)\\\n\t\t> $@\n# Intended to be checked-in, so not cleaned.\n\ninclude etc/container.mk\ninclude etc/dev.mk\ninclude etc/dist.mk\ninclude etc/doc.mk\n\nrm_flag := -rf\nifdef DEBUG\nrm_flag += -v\nendif\n.PHONY: clean\nclean:\n\t$(go) clean\n\trm $(rm_flag) -- $(rm_pat)\n"
},
{
"path": "NOTICE",
"content": "CoreOS Project\nCopyright 2015 CoreOS, Inc\n\nThis product includes software developed at CoreOS, Inc.\n(http://www.coreos.com/).\n"
},
{
"path": "README.md",
"content": "# Clair\n\n[![Docker Repository on Quay](https://quay.io/repository/projectquay/clair/status \"Docker Repository on Quay\")](https://quay.io/repository/projectquay/clair)\n[![PkgGoDev](https://pkg.go.dev/badge/github.com/quay/clair/v4 \"Go Documentation\")](https://pkg.go.dev/github.com/quay/clair/v4)\n[![IRC Channel](https://img.shields.io/badge/freenode-%23clair-blue.svg \"IRC Channel\")](http://webchat.freenode.net/?channels=clair)\n\n**Note**: The `main` branch may be in an *unstable or even broken state* during development.\nPlease use [releases] instead of the `main` branch in order to get stable binaries.\n\n\n\nClair is an open source project for the [static analysis] of vulnerabilities in\napplication containers (currently including [OCI] and [docker]).\n\nClients use the Clair API to index their container images and can then match it against known vulnerabilities.\n\nOur goal is to enable a more transparent view of the security of container-based infrastructure.\nThus, the project was named `Clair` after the French term which translates to *clear*, *bright*, *transparent*.\n\n[The book] contains all the documentation on Clair's architecture and operation.\n\n[OCI]: https://github.com/opencontainers/image-spec/blob/master/spec.md\n[docker]: https://github.com/docker/docker/blob/master/image/spec/v1.2.md\n[releases]: https://github.com/quay/clair/releases\n[static analysis]: https://en.wikipedia.org/wiki/Static_program_analysis\n[The book]: https://quay.github.io/clair/\n\n## Community\n\n- Mailing List: [clair-dev@googlegroups.com](https://groups.google.com/forum/#!forum/clair-dev)\n- IRC: #[clair](irc://irc.freenode.org:6667/#clair) on freenode.org\n- Bugs: [issues](https://github.com/quay/clair/issues)\n\n## Contributing\n\nSee [CONTRIBUTING](.github/CONTRIBUTING.md) for details on submitting patches and the contribution workflow.\n\n## License\n\nClair is under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.\n"
},
{
"path": "ROADMAP.md",
"content": "# Clair Roadmap\n\nThis document defines a high level roadmap for Clair development.\n\nThe dates below should not be considered authoritative, but rather indicative of the projected timeline of the project.\nThe [milestones defined in GitHub](https://github.com/coreos/clair/milestones) represent the most up-to-date and issue-for-issue plans.\n\nThe roadmap below outlines new features that will be added to Clair, and while subject to change, define what future stable will look like.\n\n- Support multiple namespaces per image\n - This enables language-level package managers (e.g. npm, pip) in the future\n- Take advantage of OCI/Docker content-addressiblity to avoid duplicated work\n - This simplifies the amount of work required for an offline clair in the future\n- Support mappings between source packages and binary packages\n- Versioned detectors that are present in API results\n - This will enable clients to determine when images need to be reindexed\n- gRPC API that works on sets of layers rather than individual layers\n- Structured logging in JSON\n- Improve coverage and readability of documentation\n"
},
{
"path": "book.toml",
"content": "[book]\ntitle = \"Clair Documentation\"\nauthors = [\"Clair Authors\"]\ndescription = \"Documentation for Clair.\"\nsrc = \"Documentation\"\nlanguage = \"en\"\n\n[build]\nbuild-dir = \"book\"\ncreate-missing = true\n\n[output.html]\ngit-repository-url= \"https://github.com/quay/clair\"\npreferred-dark-theme = \"coal\"\n"
},
{
"path": "clair-error/errors.go",
"content": "package clairerror\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/google/uuid\"\n)\n\n// ErrRequestFail indicates an http request failure\ntype ErrRequestFail struct {\n\tCode int\n\tStatus string\n}\n\nfunc (e *ErrRequestFail) Error() string {\n\treturn fmt.Sprintf(\"code: %v status %v\", e.Code, e.Status)\n}\n\n// ErrBadManifest inidcates a manifest could not be parsed\ntype ErrBadManifest struct {\n\tE error\n}\n\nfunc (e *ErrBadManifest) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrBadManifest) Unwrap() error {\n\treturn e.E\n}\n\n// ErrBadManifest inidcates a manifest could not be parsed\ntype ErrBadIndexReport struct {\n\tE error\n}\n\nfunc (e *ErrBadIndexReport) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrBadIndexReport) Unwrap() error {\n\treturn e.E\n}\n\n// IndexStartErr indicates an index operation failed to start\ntype ErrIndexStart struct {\n\tE error\n}\n\nfunc (e *ErrIndexStart) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrIndexStart) Unwrap() error {\n\treturn e.E\n}\n\n// ErrIndexReportNotFound indicates a requested IndexReport was not found\ntype ErrIndexReportNotFound struct {\n\tHash string\n}\n\nfunc (e *ErrIndexReportNotFound) Error() string {\n\treturn fmt.Sprintf(\"failed to find manifest: %v\", e.Hash)\n}\n\n// ErrIndexReportRetrieval indicates an error while attempting to retrieve an IndexReport\ntype ErrIndexReportRetrieval struct {\n\tE error\n}\n\nfunc (e *ErrIndexReportRetrieval) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrIndexReportRetrieval) Unwrap() error {\n\treturn e.E\n}\n\n// ErrMatch indicates an issue with matching a IndexReport to a VulnerabilityReport\ntype ErrMatch struct {\n\tE error\n}\n\nfunc (e *ErrMatch) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrMatch) Unwrap() error {\n\treturn e.E\n}\n\n// ErrNotInitialized indicates an issue with initialization.\ntype ErrNotInitialized struct {\n\tMsg string\n}\n\nfunc (e ErrNotInitialized) Error() string {\n\treturn e.Msg\n}\n\n// ErrBadVulnerabilities indicates an issue where a set of Vulnerabilities could not be marshalled or unmarshalled\n// into JSON.\ntype ErrBadVulnerabilities struct {\n\tE error\n}\n\nfunc (e *ErrBadVulnerabilities) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrBadVulnerabilities) Unwrap() error {\n\treturn e.E\n}\n\n// ErrBadAffectedManifests indicates an issue where an AffectedManifests could not be marshalled or unmarshalled\n// into JSON.\ntype ErrBadAffectedManifests struct {\n\tE error\n}\n\nfunc (e *ErrBadAffectedManifests) Error() string {\n\treturn e.E.Error()\n}\n\nfunc (e *ErrBadAffectedManifests) Unwrap() error {\n\treturn e.E\n}\n\ntype ErrKeyNotFound struct {\n\tID uuid.UUID\n}\n\nfunc (e ErrKeyNotFound) Error() string {\n\treturn \"key with id \" + e.ID.String() + \" not found\"\n}\n"
},
{
"path": "clair-error/notifications.go",
"content": "package clairerror\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/google/uuid\"\n)\n\n// ErrNoUpdateOperation inidcates that the queried updater has no\n// update operations associated.\ntype ErrNoUpdateOperation struct {\n\tUpdater string\n}\n\nfunc (e ErrNoUpdateOperation) Error() string {\n\treturn fmt.Sprintf(\"updater %s has no associated update operations\", e.Updater)\n}\n\n// ErrBadNotification indicates a notification was malformed.\n// The wrapped error will contain further details.\ntype ErrBadNotification struct {\n\tNotificationID uuid.UUID\n\tE error\n}\n\nfunc (e ErrBadNotification) Error() string {\n\treturn fmt.Sprintf(\"notification associated with id %s is malformed: %v\", e.NotificationID, e.E)\n}\n\nfunc (e ErrBadNotification) Unwrap() error {\n\treturn e.E\n}\n\n// ErrDeleteNotification indicates an error while deleting notifications.\n// The wrapped error will contain further details.\ntype ErrDeleteNotification struct {\n\tNotificationID uuid.UUID\n\tE error\n}\n\nfunc (e ErrDeleteNotification) Error() string {\n\treturn fmt.Sprintf(\"notifications associated with id %s were not deleted: %v\", e.NotificationID, e.E)\n}\n\nfunc (e ErrDeleteNotification) Unwrap() error {\n\treturn e.E\n}\n\n// ErrNoReceipt is returned when a notification id has no associated Receipt.\ntype ErrNoReceipt struct {\n\tNotificationID uuid.UUID\n}\n\nfunc (e ErrNoReceipt) Error() string {\n\treturn fmt.Sprintf(\"no receipt exists for notification id %s\", e.NotificationID)\n}\n\n// ErrReceipt indicates an error retreiving a receipt for referenced notification id.\ntype ErrReceipt struct {\n\tNotificationID uuid.UUID\n\tE error\n}\n\nfunc (e ErrReceipt) Error() string {\n\treturn fmt.Sprintf(\"failed to retrieve receipt for notification id %s: %v\", e.NotificationID, e.E)\n}\n\nfunc (e ErrReceipt) Unwrap() error {\n\treturn e.E\n}\n\n// ErrCreated indicates an error occurred when retrieving created notification ids.\ntype ErrCreated struct {\n\tE error\n}\n\nfunc (e ErrCreated) Error() string {\n\treturn fmt.Sprintf(\"failed to retrieve created notification ids: %v\", e.E)\n}\n\nfunc (e ErrCreated) Unwrap() error {\n\treturn e.E\n}\n\n// ErrFailed indicates an error occurred when retrieving created notification ids.\ntype ErrFailed struct {\n\tE error\n}\n\nfunc (e ErrFailed) Error() string {\n\treturn fmt.Sprintf(\"failed to retrieve failed notification ids: %v\", e.E)\n}\n\nfunc (e ErrFailed) Unwrap() error {\n\treturn e.E\n}\n\n// ErrPutNotifications indicates an issues occurred when persisting a slice of\n// computed notifications.\n// The wrapped error will contain further details.\ntype ErrPutNotifications struct {\n\tNotificationID uuid.UUID\n\tE error\n}\n\nfunc (e ErrPutNotifications) Error() string {\n\treturn fmt.Sprintf(\"failed to persist notification associated with id %s: %v\", e.NotificationID.String(), e.E)\n}\n\nfunc (e ErrPutNotifications) Unwrap() error {\n\treturn e.E\n}\n\n// ErrDeliveryFailed indicates a failure to deliver a notification.\ntype ErrDeliveryFailed struct {\n\tE error\n}\n\nfunc (e ErrDeliveryFailed) Error() string {\n\treturn \"failed to deliver notification: \" + e.E.Error()\n}\n\nfunc (e ErrDeliveryFailed) Unwrap() error {\n\treturn e.E\n}\n"
},
{
"path": "cmd/build.go",
"content": "// Package cmd provides some common information to clair's binaries.\npackage cmd // import \"github.com/quay/clair/v4/cmd\"\n\nimport (\n\t\"runtime\"\n\t\"runtime/debug\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n)\n\n// Injected via git-export(1). See that man page and gitattributes(5).\nconst (\n\t// Needs a length check because GitHub zipballs/tarballs don't do the\n\t// describe and just strip the pattern.\n\tdescribe = `$Format:%(describe:match=v4.*)$`\n\trevision = `$Format:%h (%cI)$`\n)\n\nvar versionInfo = promauto.NewGaugeVec(\n\tprometheus.GaugeOpts{\n\t\tNamespace: \"clair\",\n\t\tSubsystem: \"cmd\",\n\t\tName: \"version_info\",\n\t\tHelp: \"Version information.\",\n\t},\n\t[]string{\n\t\t\"claircore_version\",\n\t\t\"goversion\",\n\t\t\"modified\",\n\t\t\"revision\",\n\t\t\"version\",\n\t},\n)\n\nfunc init() {\n\tif revision[0] != '$' {\n\t\t_, d, _ := strings.Cut(revision, \"(\")\n\t\tt, err := time.Parse(time.RFC3339, strings.TrimSuffix(d, \")\"))\n\t\tif err == nil {\n\t\t\tCommitDate = t\n\t\t}\n\t}\n\n\tmeta := prometheus.Labels{\n\t\t\"claircore_version\": \"\",\n\t\t\"goversion\": runtime.Version(),\n\t\t\"modified\": \"\",\n\t\t\"revision\": revision,\n\t\t\"version\": \"\",\n\t}\n\tinfo, infoOK := debug.ReadBuildInfo()\n\tvar vcs []string\n\tvar core string\n\tif infoOK {\n\t\t// If not OK, built without modules? Weird.\n\t\tfor _, s := range info.Settings {\n\t\t\tswitch s.Key {\n\t\t\tcase `vcs.revision`:\n\t\t\t\tmeta[\"revision\"] = s.Value\n\t\t\t\tvcs = append(vcs, `rev`, s.Value)\n\t\t\tcase `vcs.modified`:\n\t\t\t\tmeta[\"modified\"] = s.Value\n\t\t\t\tif s.Value == `true` {\n\t\t\t\t\tvcs = append(vcs, `(dirty)`)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t// If we can read out the current binary's debug info, find the\n\t\t// claircore version.\n\t\tfor _, m := range info.Deps {\n\t\t\tif m.Path != \"github.com/quay/claircore\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tcore = m.Version\n\t\t\tif m.Replace != nil && m.Replace.Version != m.Version {\n\t\t\t\tcore = m.Replace.Version\n\t\t\t}\n\t\t}\n\t\tmeta[\"claircore_version\"] = core\n\t}\n\n\tswitch {\n\tcase Version != \"\":\n\t\t// Had our version injected at build: do nothing.\n\tcase len(describe) > 0 && describe[0] != '$' && !strings.HasPrefix(describe, \"%(describe:\"):\n\t\t// Some git versions apparently don't know about the describe format\n\t\t// verb, so need to check that it's not just \"%(describe...\"\n\t\tVersion = describe\n\tcase revision[0] == '$':\n\t\tVersion = `(random source build)`\n\t\tif len(vcs) == 0 {\n\t\t\t// A `go run` invocation, perhaps.\n\t\t\tbreak\n\t\t}\n\t\tVersion = strings.Join(vcs, \" \")\n\tdefault:\n\t\tVersion = revision\n\t}\n\tmeta[\"version\"] = Version\n\tif core != \"\" {\n\t\tVersion += \" (claircore \" + core + \")\"\n\t}\n\tversionInfo.With(meta).Set(1)\n}\n\n// Version is a version string, injected at release time for release builds.\nvar Version string\n\n// CommitDate is the best guess of the source commit date.\n//\n// May be zero when the resulting code is not produced by a git export.\nvar CommitDate time.Time\n"
},
{
"path": "cmd/clair/main.go",
"content": "package main\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"errors\"\n\t\"flag\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"os/signal\"\n\t\"runtime\"\n\t\"time\"\n\n\t\"github.com/quay/clair/config\"\n\t_ \"github.com/quay/claircore/updater/defaults\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/quay/clair/v4/cmd\"\n\t\"github.com/quay/clair/v4/health\"\n\t\"github.com/quay/clair/v4/httptransport\"\n\t\"github.com/quay/clair/v4/initialize\"\n\t\"github.com/quay/clair/v4/initialize/auto\"\n\t\"github.com/quay/clair/v4/introspection\"\n)\n\nconst (\n\tenvConfig = `CLAIR_CONF`\n\tenvMode = `CLAIR_MODE`\n)\n\nfunc main() {\n\tfail := false\n\tdefer func() {\n\t\tif fail {\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\tbail := func(msg string, args ...any) {\n\t\tslog.Error(msg, args...)\n\t\tfail = true\n\t\truntime.Goexit()\n\t}\n\n\t// parse conf from cli\n\tvar conf config.Config\n\tflag.String(\"conf\", \"\", \"The file system path to Clair's config file.\")\n\tflag.String(\"mode\", \"\", \"The operation mode for this server, will default to combo.\")\n\tflag.Parse()\n\tflag.VisitAll(func(f *flag.Flag) {\n\t\tfv := f.Value.(flag.Getter).Get().(string)\n\t\tvar key string\n\t\tswitch f.Name {\n\t\tcase \"conf\":\n\t\t\tkey = envConfig\n\t\tcase \"mode\":\n\t\t\tkey = envMode\n\t\t}\n\t\tv, ok := os.LookupEnv(key)\n\t\tif fv == \"\" && !ok {\n\t\t\tbail(\"missing flag or environment variable\", \"flag\", \"-\"+f.Name, \"variable\", key)\n\t\t}\n\t\tif fv == \"\" && ok {\n\t\t\tfv = v\n\t\t}\n\t\tswitch f.Name {\n\t\tcase \"conf\":\n\t\t\tif err := cmd.LoadConfig(&conf, fv, true); err != nil {\n\t\t\t\tbail(\"failed loading config\", \"reason\", err)\n\t\t\t}\n\t\tcase \"mode\":\n\t\t\tif fv == \"\" {\n\t\t\t\tfv = \"combo\"\n\t\t\t}\n\t\t\tm, err := config.ParseMode(fv)\n\t\t\tif err != nil {\n\t\t\t\tbail(\"bad mode\", \"mode\", fv, \"reason\", err)\n\t\t\t}\n\t\t\tconf.Mode = m\n\t\t}\n\t})\n\n\t// Grab the warnings to print after the logger is configured.\n\tws, err := config.Validate(&conf)\n\tif err != nil {\n\t\tbail(\"failed to validate config\", \"reason\", err)\n\t}\n\n\tctx, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\n\tif err := initialize.Logging(ctx, &conf); err != nil {\n\t\tbail(\"failed to set up logging\", \"reason\", err)\n\t}\n\tslog.InfoContext(ctx, \"starting\", \"version\", cmd.Version)\n\tif len(ws) != 0 {\n\t\tslog.InfoContext(ctx, \"configuration lints\",\n\t\t\t\"lint\", ws)\n\t}\n\tauto.PrintLogs(ctx)\n\n\t// Signal handler, for orderly shutdown.\n\tsig, stop := signal.NotifyContext(ctx, append(platformShutdown, os.Interrupt)...)\n\tdefer stop()\n\tslog.InfoContext(ctx, \"registered signal handler\")\n\tgo func() {\n\t\t<-sig.Done()\n\t\tstop()\n\t\tslog.InfoContext(ctx, \"unregistered signal handler\")\n\t}()\n\n\tsrvs, srvctx := errgroup.WithContext(sig)\n\tsrvs.Go(serveIntrospection(srvctx, &conf))\n\tsrvs.Go(serveAPI(srvctx, &conf))\n\n\tslog.InfoContext(ctx, \"ready\", \"version\", cmd.Version)\n\tif err := srvs.Wait(); err != nil {\n\t\tslog.ErrorContext(ctx, \"fatal error\", \"reason\", err)\n\t\tfail = true\n\t}\n}\n\nfunc serveAPI(ctx context.Context, cfg *config.Config) func() error {\n\treturn func() error {\n\t\tslog.InfoContext(ctx, \"launching http transport\")\n\t\tsrvs, err := initialize.Services(ctx, cfg)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"service initialization failed: %w\", err)\n\t\t}\n\t\tsrv := http.Server{\n\t\t\tBaseContext: func(_ net.Listener) context.Context {\n\t\t\t\treturn context.WithoutCancel(ctx)\n\t\t\t},\n\t\t}\n\t\tsrv.Handler, err = httptransport.New(ctx, cfg, srvs.Indexer, srvs.Matcher, srvs.Notifier)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"http transport configuration failed: %w\", err)\n\t\t}\n\t\tl, err := net.Listen(\"tcp\", cfg.HTTPListenAddr)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"http transport configuration failed: %w\", err)\n\t\t}\n\t\tif cfg.TLS != nil {\n\t\t\tcfg, err := cfg.TLS.Config()\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"tls configuration failed: %w\", err)\n\t\t\t}\n\t\t\tcfg.NextProtos = []string{\"h2\"}\n\t\t\tsrv.TLSConfig = cfg\n\t\t\tl = tls.NewListener(l, cfg)\n\t\t}\n\t\thealth.Ready()\n\n\t\tvar eg errgroup.Group\n\t\teg.Go(func() error {\n\t\t\tif err := srv.Serve(l); !errors.Is(err, http.ErrServerClosed) {\n\t\t\t\treturn fmt.Errorf(\"http transport failed to launch: %w\", err)\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\teg.Go(func() error {\n\t\t\t<-ctx.Done()\n\t\t\tctx, done := context.WithTimeoutCause(context.Background(), 10*time.Second, context.Cause(ctx))\n\t\t\tdefer done()\n\t\t\treturn srv.Shutdown(ctx)\n\t\t})\n\t\treturn eg.Wait()\n\t}\n}\n\nfunc serveIntrospection(ctx context.Context, cfg *config.Config) func() error {\n\treturn func() error {\n\t\tslog.InfoContext(ctx, \"launching introspection server\")\n\t\tsrv, err := introspection.New(ctx, cfg, nil)\n\t\tif err != nil {\n\t\t\tslog.WarnContext(ctx, \"introspection server configuration failed; continuing anyway\",\n\t\t\t\t\"reason\", err)\n\t\t\treturn nil\n\t\t}\n\n\t\tvar eg errgroup.Group\n\t\teg.Go(func() error {\n\t\t\tif err := srv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {\n\t\t\t\tslog.WarnContext(ctx, \"introspection server failed to launch; continuing anyway\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\teg.Go(func() error {\n\t\t\t<-ctx.Done()\n\t\t\tctx, done := context.WithTimeoutCause(context.Background(), 10*time.Second, context.Cause(ctx))\n\t\t\tdefer done()\n\t\t\treturn srv.Shutdown(ctx)\n\t\t})\n\t\treturn eg.Wait()\n\t}\n}\n"
},
{
"path": "cmd/clair/os_other.go",
"content": "//go:build !unix\n\npackage main\n\nimport \"os\"\n\nvar platformShutdown = []os.Signal{}\n"
},
{
"path": "cmd/clair/os_unix.go",
"content": "//go:build unix\n\npackage main\n\nimport (\n\t\"os\"\n\t\"syscall\"\n)\n\nvar platformShutdown = []os.Signal{syscall.SIGTERM}\n"
},
{
"path": "cmd/config.go",
"content": "package cmd\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\tjsonpatch \"github.com/evanphx/json-patch/v5\"\n\t\"github.com/quay/clair/config\"\n\t\"gopkg.in/yaml.v3\"\n)\n\n// LoadConfig loads the named config file or reports an error.\n//\n// JSON and YAML formatted files are supported, as determined by the file extension (\"json\" or \"yaml\" -- \"yml\" is not supported).\n// If a directory suffixed with \".d\" exists (e.g. a file \"config.json\" and a directory \"config.json.d\"),\n// then all files with the same extension or the same extension suffixed with \"-patch\" will be loaded in lexical order and merged with the main configuration or applied as an RFC6902 patch, respectively.\n//\n// For example, given the paths:\n//\n//\tconfig.yaml\n//\tconfig.yaml.d/\n//\tconfig.yaml.d/secrets.yaml\n//\tconfig.yaml.d/override.yaml-patch\n//\tconfig.yaml.d/unloved.json-patch\n//\n// \"Config.yaml\" will be the base config,\n// \"override.yaml-patch\" will be applied as a patch to the base config,\n// \"secrets.yaml\" will be merged into the base config,\n// and \"unloved.json-patch\" will be ignored.\n//\n// The \"strict\" argument controls whether the function returns on the first\n// error, or runs the full routine and returns all accumulated errors at the\n// end.\nfunc LoadConfig(cfg *config.Config, name string, strict bool) error {\n\t// This function would probably benefit from some logging, but the logging\n\t// configuration is specified _inside_ the configuration, so it's hard to\n\t// say what should be done here.\n\tname = filepath.Clean(name)\n\text := filepath.Ext(name)\n\tswitch ext {\n\tcase \".yaml\": // OK\n\tcase \".json\": // OK\n\tdefault:\n\t\treturn fmt.Errorf(\"unknown config kind %q\", ext)\n\t}\n\tvar errs []error\n\n\tb, err := loadAsJSON(name)\n\tif err != nil {\n\t\tif strict {\n\t\t\treturn err\n\t\t}\n\t\terrs = append(errs, err)\n\t}\n\tdropinDir := name + \".d\"\n\terr = filepath.WalkDir(dropinDir, func(path string, d fs.DirEntry, err error) error {\n\t\tswitch {\n\t\tcase path == dropinDir:\n\t\t\treturn nil\n\t\tcase !errors.Is(err, nil):\n\t\t\treturn fmt.Errorf(\"error walking filesystem: %w\", err)\n\t\tcase d.IsDir():\n\t\t\treturn fs.SkipDir\n\t\t}\n\t\t// After this, make sure everything assigns errors to \"err\" so that the\n\t\t// non-strict behavior works.\n\n\t\tvar doc []byte\n\t\tswitch dext := filepath.Ext(path); {\n\t\tcase dext == ext:\n\t\t\tdoc, err = loadAsJSON(path)\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tb, err = jsonpatch.MergePatch(b, doc)\n\t\t\tif err != nil {\n\t\t\t\terr = fmt.Errorf(\"error merging drop-in %q: %w\", path, err)\n\t\t\t\tbreak\n\t\t\t}\n\t\tcase dext == ext+\"-patch\":\n\t\t\tdoc, err = loadAsJSON(path)\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tvar p jsonpatch.Patch\n\t\t\tp, err = jsonpatch.DecodePatch(doc)\n\t\t\tif err != nil {\n\t\t\t\terr = fmt.Errorf(\"bad patch %q: %w\", path, err)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tb, err = p.Apply(b)\n\t\t\tif err != nil {\n\t\t\t\terr = fmt.Errorf(\"error applying patch %q: %w\", path, err)\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif err != nil {\n\t\t\tif strict {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\terrs = append(errs, err)\n\t\t}\n\t\treturn nil\n\t})\n\tswitch {\n\tcase errors.Is(err, nil):\n\tcase errors.Is(err, fs.ErrNotExist): // OK\n\tcase strict:\n\t\treturn err\n\tdefault:\n\t\terrs = append(errs, err)\n\t}\n\n\tif len(b) == 0 {\n\t\terr := fmt.Errorf(\"error load config %q: empty document after merges\", name)\n\t\tif strict {\n\t\t\treturn err\n\t\t}\n\t\terrs = append(errs, err)\n\t}\n\tdec := json.NewDecoder(bytes.NewReader(b))\n\tdec.DisallowUnknownFields()\n\tif err := dec.Decode(cfg); err != nil {\n\t\t// Hide that this error is coming from the `json` package, as it might\n\t\t// confuse people.\n\t\terr := fmt.Errorf(\"error decoding config %q: %s\", name, strings.TrimPrefix(err.Error(), `json: `))\n\t\tif strict {\n\t\t\treturn err\n\t\t}\n\t\terrs = append(errs, err)\n\t}\n\treturn errors.Join(errs...)\n}\n\nfunc loadAsJSON(path string) ([]byte, error) {\n\tb, err := os.ReadFile(path)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error reading file %q: %w\", path, err)\n\t}\n\text := filepath.Ext(path)\n\tswitch ext {\n\tcase \".json\", \".json-patch\":\n\t\tif len(b) < 2 {\n\t\t\treturn nil, fmt.Errorf(\"malformed file %q: not a JSON document\", path)\n\t\t}\n\tcase \".yaml\", \".yaml-patch\":\n\t\tvar y interface{}\n\t\tif err := yaml.Unmarshal(b, &y); err != nil {\n\t\t\tmsg := strings.TrimPrefix(err.Error(), `yaml: `)\n\t\t\treturn nil, fmt.Errorf(\"malformed file %q: %v\", path, msg)\n\t\t}\n\t\t// For arbitrary yaml documents we'd have to do a step to ensure there's\n\t\t// no disallowed constructs (binary keys, binary data tags) but we know\n\t\t// this should only ever be some snippet of our config.Config type.\n\t\tb, err = json.Marshal(y)\n\t\tif err != nil { // Not sure how this would happen. 🤔\n\t\t\tmsg := strings.TrimPrefix(err.Error(), `json: `)\n\t\t\treturn nil, fmt.Errorf(\"malformed file %q: %s\", path, msg)\n\t\t}\n\tdefault:\n\t\tpanic(\"programmer error: called on bad path\")\n\t}\n\tswitch ext {\n\tcase \".json\":\n\t\tif b[0] != '{' {\n\t\t\treturn nil, fmt.Errorf(\"malformed file %q: not a JSON object\", path)\n\t\t}\n\tcase \".json-patch\", \".yaml-patch\":\n\t\tif b[0] != '[' {\n\t\t\treturn nil, fmt.Errorf(\"malformed file %q: not a patch document\", path)\n\t\t}\n\tcase \".yaml\":\n\t\tif b[0] != '{' {\n\t\t\t// If this was an empty file (for some reason), note it and return an\n\t\t\t// empty JSON object. This can't happen with JSON -- we checked if it\n\t\t\t// meets the minimum size above.\n\t\t\tb = []byte(\"{}\")\n\t\t}\n\t}\n\treturn b, nil\n}\n"
},
{
"path": "cmd/config_test.go",
"content": "package cmd_test\n\nimport (\n\t\"encoding/json\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/quay/clair/config\"\n\n\t\"github.com/quay/clair/v4/cmd\"\n)\n\nfunc TestLoadConfig(t *testing.T) {\n\tms, err := filepath.Glob(`testdata/*/config.*[^d]`)\n\tif err != nil {\n\t\tpanic(\"programmer error\")\n\t}\n\tfor _, m := range ms {\n\t\tname := filepath.Base(filepath.Dir(m))\n\t\tt.Run(name, func(t *testing.T) {\n\t\t\twantpath := filepath.Join(filepath.Dir(m), \"want.json\")\n\t\t\twf, err := os.Open(wantpath)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tdefer wf.Close()\n\t\t\tvar got, want config.Config\n\t\t\tif err := json.NewDecoder(wf).Decode(&want); err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif err := cmd.LoadConfig(&got, m, true); err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif !cmp.Equal(got, want) {\n\t\t\t\tt.Error(cmp.Diff(got, want))\n\t\t\t}\n\t\t})\n\t}\n\tms, err = filepath.Glob(`testdata/Error/*[^d]`)\n\tif err != nil {\n\t\tpanic(\"programmer error\")\n\t}\n\tt.Run(\"Error\", func(t *testing.T) {\n\t\tfor _, m := range ms {\n\t\t\tname := filepath.Base(m)\n\t\t\tname = strings.TrimSuffix(name, filepath.Ext(name))\n\t\t\tt.Run(name, func(t *testing.T) {\n\t\t\t\tvar got config.Config\n\t\t\t\terr := cmd.LoadConfig(&got, m, false)\n\t\t\t\tt.Log(err)\n\t\t\t\tif err == nil {\n\t\t\t\t\tt.Fail()\n\t\t\t\t}\n\t\t\t})\n\t\t}\n\t})\n}\n"
},
{
"path": "cmd/testdata/ComplexJSON/config.json",
"content": "{\n\t\"http_listen_addr\": \":80\",\n\t\"log_level\": \"error\",\n\t\"matcher\": {}\n}\n"
},
{
"path": "cmd/testdata/ComplexJSON/config.json.d/dropin.json",
"content": "{\n \"log_level\": \"error\"\n}\n"
},
{
"path": "cmd/testdata/ComplexJSON/want.json",
"content": "{\n\t\"http_listen_addr\": \":80\",\n\t\"log_level\": \"error\"\n}\n"
},
{
"path": "cmd/testdata/ComplexYAML/config.yaml",
"content": "---\nlog_level: debug-color\nintrospection_addr: \":8089\"\nhttp_listen_addr: \":6060\"\nupdaters:\n sets:\n - ubuntu\n - debian\n - rhel\n - alpine\nauth:\n psk:\n key: 'c2VjcmV0'\n iss:\n - quay\n - clairctl\nindexer:\n connstring: host=clair-database user=clair dbname=indexer sslmode=disable\n scanlock_retry: 10\n layer_scan_concurrency: 5\n migrations: true\nmatcher:\n indexer_addr: http://clair-indexer:6060/\n connstring: host=clair-database user=clair dbname=matcher sslmode=disable\n max_conn_pool: 100\n migrations: true\nmatchers: {}\nnotifier:\n indexer_addr: http://clair-indexer:6060/\n matcher_addr: http://clair-matcher:6060/\n connstring: host=clair-database user=clair dbname=notifier sslmode=disable\n migrations: true\n delivery_interval: 30s\n poll_interval: 1m\n webhook:\n target: \"http://webhook-target/\"\n callback: \"http://clair-notifier:6060/notifier/api/v1/notification/\"\n # amqp:\n # direct: true\n # exchange:\n # name: \"\"\n # type: \"direct\"\n # durable: true\n # auto_delete: false\n # uris: [\"amqp://guest:guest@clair-rabbitmq:5672/\"]\n # routing_key: \"notifications\"\n # callback: \"http://clair-notifier/notifier/api/v1/notifications\"\n# tracing and metrics config\ntrace:\n name: \"jaeger\"\n# probability: 1\n jaeger:\n agent:\n endpoint: \"clair-jaeger:6831\"\n service_name: \"clair\"\nmetrics:\n name: \"prometheus\"\n"
},
{
"path": "cmd/testdata/ComplexYAML/config.yaml.d/dropin.yaml",
"content": "log_level: null\n"
},
{
"path": "cmd/testdata/ComplexYAML/config.yaml.d/empty.yaml",
"content": "\n"
},
{
"path": "cmd/testdata/ComplexYAML/config.yaml.d/ignored.json-patch",
"content": "# This file is ignored -- look at all this invalid JSON!\n[\n {\n \"op\": \"add\",\n \"path\": \"/updaters/sets/-\",\n \"value\": \"osv\",\n },\n]\n"
},
{
"path": "cmd/testdata/ComplexYAML/config.yaml.d/later.yaml",
"content": "log_level: panic\nupdaters:\n sets:\n - rhel\n"
},
{
"path": "cmd/testdata/ComplexYAML/config.yaml.d/updater.yaml-patch",
"content": "- op: add\n path: /updaters/sets/-\n value: osv\n"
},
{
"path": "cmd/testdata/ComplexYAML/want.json",
"content": "{\n \"log_level\": \"panic\",\n \"introspection_addr\": \":8089\",\n \"http_listen_addr\": \":6060\",\n \"updaters\": {\n \"sets\": [\n \"rhel\",\n \"osv\"\n ]\n },\n \"auth\": {\n \"psk\": {\n \"key\": \"c2VjcmV0\",\n \"iss\": [\n \"quay\",\n \"clairctl\"\n ]\n }\n },\n \"indexer\": {\n \"connstring\": \"host=clair-database user=clair dbname=indexer sslmode=disable\",\n \"scanlock_retry\": 10,\n \"layer_scan_concurrency\": 5,\n \"migrations\": true\n },\n \"matcher\": {\n \"indexer_addr\": \"http://clair-indexer:6060/\",\n \"connstring\": \"host=clair-database user=clair dbname=matcher sslmode=disable\",\n \"max_conn_pool\": 100,\n \"migrations\": true\n },\n \"notifier\": {\n \"indexer_addr\": \"http://clair-indexer:6060/\",\n \"matcher_addr\": \"http://clair-matcher:6060/\",\n \"connstring\": \"host=clair-database user=clair dbname=notifier sslmode=disable\",\n \"migrations\": true,\n \"delivery_interval\": \"30s\",\n \"poll_interval\": \"1m\",\n \"webhook\": {\n \"target\": \"http://webhook-target/\",\n \"callback\": \"http://clair-notifier:6060/notifier/api/v1/notification/\"\n }\n },\n \"trace\": {\n \"name\": \"jaeger\",\n \"jaeger\": {\n \"agent\": {\n \"endpoint\": \"clair-jaeger:6831\"\n },\n \"service_name\": \"clair\"\n }\n },\n \"metrics\": {\n \"name\": \"prometheus\"\n }\n}\n"
},
{
"path": "cmd/testdata/Error/BadKind.toml",
"content": ""
},
{
"path": "cmd/testdata/Error/BadPatch.json",
"content": "{}\n"
},
{
"path": "cmd/testdata/Error/BadPatch.json.d/decode.json-patch",
"content": "[\n [\n null\n ]\n]\n"
},
{
"path": "cmd/testdata/Error/BadPatch.json.d/invalid.json-patch",
"content": "[\n {\n \"op\": \"invalid\",\n \"path\": \"any\",\n \"value\": null\n }\n]\n"
},
{
"path": "cmd/testdata/Error/Indents.yaml",
"content": "auth:\r\n psk:\r\n iss:\r\n - quay\r\n - clairctl\r\n key: dmVyeXNlY3JldA0K #gitleaks:allow\r\nhttp_listen_addr: :80\r\nindexer:\r\n connstring: host=/var/run/postgresql\r\n migrations: true\r\n airgap: true\r\n scanner:\r\n repo:\r\n rhel-repository-scanner:\r\n repo2cpe_mapping_file: /config/repository-to-cpe.json\r\n package:\r\n rhel_containerscanner:\r\n name2repos_mapping_file: /config/container-name-repos-map.json\r\nlog_level: info\r\nmatcher:\r\n connstring: host=/var/run/postgresql\r\n migrations: true\r\n disable_updaters: true\r\nmetrics:\r\n name: prometheus\r\nnotifier:\r\n connstring: host=/var/run/postgresql\r\n delivery_interval: 1m0s\r\n migrations: true\r\n poll_interval: 5m0s\r\n webhook:\r\n callback: http://clair/notifier/api/v1/notifications\r\n target: https://quay/secscan/notification\r\n"
},
{
"path": "cmd/testdata/Error/NotAnArray.json",
"content": "{}\n"
},
{
"path": "cmd/testdata/Error/NotAnArray.json.d/badpatch.json-patch",
"content": "{}\n"
},
{
"path": "cmd/testdata/Error/NotAnObject.json",
"content": "[]\n"
},
{
"path": "cmd/testdata/Error/NotYAML.yaml",
"content": "key:\n\t- no tabs allowed\n"
},
{
"path": "cmd/testdata/Error/TooShort.json",
"content": "0"
},
{
"path": "cmd/testdata/SimpleJSON/config.json",
"content": "{\n\t\"http_listen_addr\": \":80\",\n\t\"log_level\": \"error\",\n\t\"matcher\": {}\n}\n"
},
{
"path": "cmd/testdata/SimpleJSON/want.json",
"content": "{\n\t\"http_listen_addr\": \":80\",\n\t\"log_level\": \"error\"\n}\n"
},
{
"path": "cmd/testdata/SimpleYAML/config.yaml",
"content": "---\nlog_level: debug-color\nintrospection_addr: \":8089\"\nhttp_listen_addr: \":6060\"\nupdaters:\n sets:\n - ubuntu\n - debian\n - rhel\n - alpine\nauth:\n psk:\n key: 'c2VjcmV0'\n iss:\n - quay\n - clairctl\nindexer:\n connstring: host=clair-database user=clair dbname=indexer sslmode=disable\n scanlock_retry: 10\n layer_scan_concurrency: 5\n migrations: true\nmatcher:\n indexer_addr: http://clair-indexer:6060/\n connstring: host=clair-database user=clair dbname=matcher sslmode=disable\n max_conn_pool: 100\n migrations: true\nmatchers: {}\nnotifier:\n indexer_addr: http://clair-indexer:6060/\n matcher_addr: http://clair-matcher:6060/\n connstring: host=clair-database user=clair dbname=notifier sslmode=disable\n migrations: true\n delivery_interval: 30s\n poll_interval: 1m\n webhook:\n target: \"http://webhook-target/\"\n callback: \"http://clair-notifier:6060/notifier/api/v1/notification/\"\n # amqp:\n # direct: true\n # exchange:\n # name: \"\"\n # type: \"direct\"\n # durable: true\n # auto_delete: false\n # uris: [\"amqp://guest:guest@clair-rabbitmq:5672/\"]\n # routing_key: \"notifications\"\n # callback: \"http://clair-notifier/notifier/api/v1/notifications\"\n# tracing and metrics config\ntrace:\n name: \"jaeger\"\n# probability: 1\n jaeger:\n agent:\n endpoint: \"clair-jaeger:6831\"\n service_name: \"clair\"\nmetrics:\n name: \"prometheus\"\n"
},
{
"path": "cmd/testdata/SimpleYAML/want.json",
"content": "{\n \"log_level\": \"debug-color\",\n \"introspection_addr\": \":8089\",\n \"http_listen_addr\": \":6060\",\n \"updaters\": {\n \"sets\": [\n \"ubuntu\",\n \"debian\",\n \"rhel\",\n \"alpine\"\n ]\n },\n \"auth\": {\n \"psk\": {\n \"key\": \"c2VjcmV0\",\n \"iss\": [\n \"quay\",\n \"clairctl\"\n ]\n }\n },\n \"indexer\": {\n \"connstring\": \"host=clair-database user=clair dbname=indexer sslmode=disable\",\n \"scanlock_retry\": 10,\n \"layer_scan_concurrency\": 5,\n \"migrations\": true\n },\n \"matcher\": {\n \"indexer_addr\": \"http://clair-indexer:6060/\",\n \"connstring\": \"host=clair-database user=clair dbname=matcher sslmode=disable\",\n \"max_conn_pool\": 100,\n \"migrations\": true\n },\n \"notifier\": {\n \"indexer_addr\": \"http://clair-indexer:6060/\",\n \"matcher_addr\": \"http://clair-matcher:6060/\",\n \"connstring\": \"host=clair-database user=clair dbname=notifier sslmode=disable\",\n \"migrations\": true,\n \"delivery_interval\": \"30s\",\n \"poll_interval\": \"1m\",\n \"webhook\": {\n \"target\": \"http://webhook-target/\",\n \"callback\": \"http://clair-notifier:6060/notifier/api/v1/notification/\"\n }\n },\n \"trace\": {\n \"name\": \"jaeger\",\n \"jaeger\": {\n \"agent\": {\n \"endpoint\": \"clair-jaeger:6831\"\n },\n \"service_name\": \"clair\"\n }\n },\n \"metrics\": {\n \"name\": \"prometheus\"\n }\n}\n"
},
{
"path": "code-of-conduct.md",
"content": "## CoreOS Community Code of Conduct\n\n### Contributor Code of Conduct\n\nAs contributors and maintainers of this project, and in the interest of\nfostering an open and welcoming community, we pledge to respect all people who\ncontribute through reporting issues, posting feature requests, updating\ndocumentation, submitting pull requests or patches, and other activities.\n\nWe are committed to making participation in this project a harassment-free\nexperience for everyone, regardless of level of experience, gender, gender\nidentity and expression, sexual orientation, disability, personal appearance,\nbody size, race, ethnicity, age, religion, or nationality.\n\nExamples of unacceptable behavior by participants include:\n\n* The use of sexualized language or imagery\n* Personal attacks\n* Trolling or insulting/derogatory comments\n* Public or private harassment\n* Publishing others' private information, such as physical or electronic addresses, without explicit permission\n* Other unethical or unprofessional conduct.\n\nProject maintainers have the right and responsibility to remove, edit, or\nreject comments, commits, code, wiki edits, issues, and other contributions\nthat are not aligned to this Code of Conduct. By adopting this Code of Conduct,\nproject maintainers commit themselves to fairly and consistently applying these\nprinciples to every aspect of managing this project. Project maintainers who do\nnot follow or enforce the Code of Conduct may be permanently removed from the\nproject team.\n\nThis code of conduct applies both within project spaces and in public spaces\nwhen an individual is representing the project or its community.\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported by contacting a project maintainer, Brandon Philips\n, and/or Rithu John .\n\nThis Code of Conduct is adapted from the Contributor Covenant\n(http://contributor-covenant.org), version 1.2.0, available at\nhttp://contributor-covenant.org/version/1/2/0/\n\n### CoreOS Events Code of Conduct\n\nCoreOS events are working conferences intended for professional networking and\ncollaboration in the CoreOS community. Attendees are expected to behave\naccording to professional standards and in accordance with their employer’s\npolicies on appropriate workplace behavior.\n\nWhile at CoreOS events or related social networking opportunities, attendees\nshould not engage in discriminatory or offensive speech or actions including\nbut not limited to gender, sexuality, race, age, disability, or religion.\nSpeakers should be especially aware of these concerns.\n\nCoreOS does not condone any statements by speakers contrary to these standards.\nCoreOS reserves the right to deny entrance and/or eject from an event (without\nrefund) any individual found to be engaging in discriminatory or offensive\nspeech or actions.\n\nPlease bring any concerns to the immediate attention of designated on-site\nstaff, Brandon Philips , and/or Rithu John .\n"
},
{
"path": "config/auth.go",
"content": "package config\n\nimport (\n\t\"encoding\"\n\t\"encoding/base64\"\n\t\"fmt\"\n)\n\n// Base64 is a byte slice that encodes to and from base64-encoded strings.\ntype Base64 []byte\n\nvar (\n\t_ encoding.TextMarshaler = (Base64)(nil)\n\t_ encoding.TextUnmarshaler = (*Base64)(nil)\n)\n\n// MarshalText implements encoding.TextMarshaler.\nfunc (b Base64) MarshalText() ([]byte, error) {\n\tsz := base64.StdEncoding.EncodedLen(len(b))\n\tout := make([]byte, sz)\n\tbase64.StdEncoding.Encode(out, b)\n\treturn out, nil\n}\n\n// UnmarshalText implements encoding.TextUnmarshaler.\nfunc (b *Base64) UnmarshalText(in []byte) error {\n\tsz := base64.StdEncoding.DecodedLen(len(in))\n\ts := make([]byte, sz)\n\tn, err := base64.StdEncoding.Decode(s, in)\n\tif err != nil {\n\t\treturn err\n\t}\n\t*b = s[:n]\n\treturn nil\n}\n\n// Auth holds the specific configs for different authentication methods.\n//\n// These should be pointers to structs, so that it's possible to distinguish\n// between \"absent\" and \"present and misconfigured.\"\ntype Auth struct {\n\tPSK *AuthPSK `yaml:\"psk,omitempty\" json:\"psk,omitempty\"`\n\tKeyserver *AuthKeyserver `yaml:\"keyserver,omitempty\" json:\"keyserver,omitempty\"`\n}\n\n// Any reports whether any sort of authentication is configured.\nfunc (a Auth) Any() bool {\n\treturn a.PSK != nil\n}\n\nfunc (a *Auth) lint() ([]Warning, error) {\n\treturn nil, nil\n}\n\n// AuthKeyserver is the configuration for doing authentication with the Quay\n// keyserver protocol.\n//\n// The \"Intraservice\" key is only needed when the overall config mode is not\n// \"combo\".\n//\n// Deprecated: This authentication method was never used. It was planned for\n// integration with Quay, but ultimately the Quay team decided to remove the\n// keyserver feature altogether.\ntype AuthKeyserver struct {\n\tAPI string `yaml:\"api\" json:\"api\"`\n\tIntraservice Base64 `yaml:\"intraservice\" json:\"intraservice\"`\n}\n\nfunc (a *AuthKeyserver) lint() ([]Warning, error) {\n\treturn nil, &Warning{\n\t\tinner: fmt.Errorf(`authentication method deprecated: %w`, ErrDeprecated),\n\t}\n}\n\n// AuthPSK is the configuration for doing pre-shared key based authentication.\n//\n// The \"Issuer\" key is what the service expects to verify as the \"issuer\" claim.\ntype AuthPSK struct {\n\tKey Base64 `yaml:\"key\" json:\"key\"`\n\tIssuer []string `yaml:\"iss\" json:\"iss\"`\n}\n\nfunc (a *AuthPSK) validate(_ Mode) ([]Warning, error) {\n\tif len(a.Key) == 0 {\n\t\treturn nil, &Warning{\n\t\t\tmsg: \"key is empty\",\n\t\t}\n\t}\n\tif len(a.Issuer) == 0 {\n\t\treturn nil, &Warning{\n\t\t\tpath: \".iss\",\n\t\t\tmsg: \"no issuers defined\",\n\t\t}\n\t}\n\treturn nil, nil\n}\n"
},
{
"path": "config/auth_test.go",
"content": "package config_test\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"testing\"\n\t\"testing/quick\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\n\t\"github.com/quay/clair/config\"\n)\n\nfunc TestBase64(t *testing.T) {\n\troundtrip := func(in []byte) bool {\n\t\tb1 := config.Base64(in)\n\t\ttxt, err := b1.MarshalText()\n\t\tif err != nil {\n\t\t\treturn false\n\t\t}\n\t\tout := new(config.Base64)\n\t\tif err := out.UnmarshalText(txt); err != nil {\n\t\t\treturn false\n\t\t}\n\t\treturn bytes.Equal(in, []byte(*out))\n\t}\n\tif err := quick.Check(roundtrip, nil); err != nil {\n\t\tt.Error(err)\n\t}\n}\n\nfunc TestAuthUnmarshal(t *testing.T) {\n\tt.Run(\"PSK\", func(t *testing.T) {\n\t\ttype testcase struct {\n\t\t\tIn string\n\t\t\tWant config.AuthPSK\n\t\t}\n\t\ttt := []testcase{\n\t\t\t{\n\t\t\t\tIn: `{\"key\":\"ZGVhZGJlZWZkZWFkYmVlZg==\",\"iss\":[\"iss\"]}`,\n\t\t\t\tWant: config.AuthPSK{\n\t\t\t\t\tKey: []byte(\"deadbeefdeadbeef\"),\n\t\t\t\t\tIssuer: []string{\"iss\"},\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\n\t\tcheck := func(t *testing.T, tc testcase) {\n\t\t\tv := config.AuthPSK{}\n\t\t\tif err := json.Unmarshal([]byte(tc.In), &v); err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif got, want := v, tc.Want; !cmp.Equal(got, want) {\n\t\t\t\tt.Error(cmp.Diff(got, want))\n\t\t\t}\n\t\t}\n\t\tfor _, tc := range tt {\n\t\t\tcheck(t, tc)\n\t\t}\n\t})\n\n\tt.Run(\"Keyserver\", func(t *testing.T) {\n\t\ttype testcase struct {\n\t\t\tIn string\n\t\t\tWant config.AuthKeyserver\n\t\t}\n\t\ttt := []testcase{\n\t\t\t{\n\t\t\t\tIn: `{\"api\":\"quay/keys\",\"intraservice\":\"ZGVhZGJlZWZkZWFkYmVlZg==\"}`,\n\t\t\t\tWant: config.AuthKeyserver{\n\t\t\t\t\tAPI: \"quay/keys\",\n\t\t\t\t\tIntraservice: []byte(\"deadbeefdeadbeef\"),\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\n\t\tcheck := func(t *testing.T, tc testcase) {\n\t\t\tv := config.AuthKeyserver{}\n\t\t\tif err := json.Unmarshal([]byte(tc.In), &v); err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif got, want := v, tc.Want; !cmp.Equal(got, want) {\n\t\t\t\tt.Error(cmp.Diff(got, want))\n\t\t\t}\n\t\t}\n\t\tfor _, tc := range tt {\n\t\t\tcheck(t, tc)\n\t\t}\n\t})\n}\n\nfunc TestAuthMarshal(t *testing.T) {\n\twant := `{\"key\":\"ZGVhZGJlZWZkZWFkYmVlZg==\",\"iss\":[\"iss\"]}`\n\tin := config.AuthPSK{\n\t\tKey: []byte(\"deadbeefdeadbeef\"),\n\t\tIssuer: []string{\"iss\"},\n\t}\n\tgotb, err := json.Marshal(in)\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tif got := string(gotb); !cmp.Equal(got, want) {\n\t\tt.Error(cmp.Diff(got, want))\n\t}\n}\n"
},
{
"path": "config/config.go",
"content": "package config\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"time\"\n)\n\n// Config is the configuration object for the commands in\n// github.com/quay/clair/v4/cmd/...\ntype Config struct {\n\t// TLS configures HTTPS support.\n\t//\n\t// Note that any non-trivial deployment means the certificate provided here\n\t// will need to be for the name the load balancer uses to connect to a given\n\t// Clair instance.\n\t//\n\t// This is not used for outgoing requests; setting the SSL_CERT_DIR\n\t// environment variable is the recommended way to do that. The release\n\t// container has `/var/run/certs` added to the list already.\n\tTLS *TLS `yaml:\"tls,omitempty\" json:\"tls,omitempty\"`\n\t// Sets which mode the clair instance will run.\n\tMode Mode `yaml:\"-\" json:\"-\"`\n\t// A string in : format where can be an empty string.\n\t//\n\t// exposes Clair node's functionality to the network.\n\t// see /openapi/v1 for api spec.\n\tHTTPListenAddr string `yaml:\"http_listen_addr\" json:\"http_listen_addr\"`\n\t// A string in : format where can be an empty string.\n\t//\n\t// exposes Clair's metrics and health endpoints.\n\tIntrospectionAddr string `yaml:\"introspection_addr\" json:\"introspection_addr\"`\n\t// Set the logging level.\n\tLogLevel LogLevel `yaml:\"log_level\" json:\"log_level\"`\n\tIndexer Indexer `yaml:\"indexer,omitempty\" json:\"indexer,omitempty\"`\n\tMatcher Matcher `yaml:\"matcher,omitempty\" json:\"matcher,omitempty\"`\n\tMatchers Matchers `yaml:\"matchers,omitempty\" json:\"matchers,omitempty\"`\n\tUpdaters Updaters `yaml:\"updaters,omitempty\" json:\"updaters,omitempty\"`\n\tNotifier Notifier `yaml:\"notifier,omitempty\" json:\"notifier,omitempty\"`\n\tAuth Auth `yaml:\"auth,omitempty\" json:\"auth,omitempty\"`\n\tTrace Trace `yaml:\"trace,omitempty\" json:\"trace,omitempty\"`\n\tMetrics Metrics `yaml:\"metrics,omitempty\" json:\"metrics,omitempty\"`\n}\n\nfunc (c *Config) validate(mode Mode) ([]Warning, error) {\n\tif c.HTTPListenAddr == \"\" {\n\t\tc.HTTPListenAddr = DefaultAddress\n\t}\n\tif c.Matcher.DisableUpdaters {\n\t\tc.Updaters.Sets = []string{}\n\t}\n\tswitch mode {\n\tcase ComboMode, IndexerMode, MatcherMode, NotifierMode:\n\t\t// OK\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unknown mode: %q\", mode)\n\t}\n\tif _, _, err := net.SplitHostPort(c.HTTPListenAddr); err != nil {\n\t\treturn nil, err\n\t}\n\treturn c.lint()\n}\n\nfunc (c *Config) lint() (ws []Warning, err error) {\n\tif c.HTTPListenAddr == \"\" {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".http_listen_addr\",\n\t\t\tmsg: `http listen address not provided, default will be used`,\n\t\t})\n\t}\n\tif c.IntrospectionAddr == \"\" {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".introspection_addr\",\n\t\t\tmsg: `introspection address not provided, default will be used`,\n\t\t})\n\t}\n\treturn ws, nil\n}\n\n// Duration is a serializeable [time.Duration].\ntype Duration time.Duration\n\n// UnmarshalText implements [encoding.TextUnmarshaler].\nfunc (d *Duration) UnmarshalText(b []byte) error {\n\tdur, err := time.ParseDuration(string(b))\n\tif err != nil {\n\t\treturn err\n\t}\n\t*d = Duration(dur)\n\treturn nil\n}\n\n// MarshalText implements [encoding.TextMarshaler].\nfunc (d *Duration) MarshalText() ([]byte, error) {\n\treturn []byte(time.Duration(*d).String()), nil\n}\n"
},
{
"path": "config/config_test.go",
"content": "package config_test\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/quay/clair/config\"\n)\n\ntype ValidateTestcase struct {\n\tName string\n\tCheck func(*testing.T, *config.Config, error)\n\tConf config.Config\n}\n\nfunc (tc ValidateTestcase) Run(t *testing.T) {\n\tws, err := config.Validate(&tc.Conf)\n\tfor _, w := range ws {\n\t\tt.Logf(\"lint: %v\", &w)\n\t}\n\tif tc.Check != nil {\n\t\ttc.Check(t, &tc.Conf, err)\n\t} else {\n\t\tif err != nil {\n\t\t\tt.Errorf(\"unexpected error: %v\", err)\n\t\t}\n\t}\n}\n\n// This test looks a little sprawling, but it's structured by the field name\n// into subtests, with the leaf test being the element triggering the failure.\n//\n// Doing this means the go test \"run\" flag is much easier to use.\nfunc TestValidateFailure(t *testing.T) {\n\tshouldFail := func(t *testing.T, _ *config.Config, err error) {\n\t\tif err == nil {\n\t\t\tt.Error(\"unexpected success\")\n\t\t}\n\t}\n\n\t// Tests on the base Config struct.\n\ttt := []ValidateTestcase{\n\t\t{\n\t\t\tName: \"InvalidMode\",\n\t\t\tConf: config.Config{\n\t\t\t\tMode: config.Mode(-1),\n\t\t\t},\n\t\t\tCheck: shouldFail,\n\t\t},\n\t\t{\n\t\t\tName: \"MalformedListenAddr\",\n\t\t\tConf: config.Config{\n\t\t\t\tMode: config.ComboMode,\n\t\t\t\tHTTPListenAddr: \"xyz\",\n\t\t\t},\n\t\t\tCheck: shouldFail,\n\t\t},\n\t}\n\tfor _, tc := range tt {\n\t\tt.Run(tc.Name, tc.Run)\n\t}\n\n\tt.Run(\"Matcher\", func(t *testing.T) {\n\t\ttt := []ValidateTestcase{\n\t\t\t{\n\t\t\t\tName: \"IndexerAddr\",\n\t\t\t\tConf: config.Config{\n\t\t\t\t\tMode: config.MatcherMode,\n\t\t\t\t\tHTTPListenAddr: \"localhost:8080\",\n\t\t\t\t\tMatcher: config.Matcher{\n\t\t\t\t\t\tIndexerAddr: \"\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tCheck: shouldFail,\n\t\t\t},\n\t\t}\n\t\tfor _, tc := range tt {\n\t\t\tt.Run(tc.Name, tc.Run)\n\t\t}\n\t})\n\n\tt.Run(\"Auth\", func(t *testing.T) {\n\t\ttt := []ValidateTestcase{\n\t\t\t{\n\t\t\t\tName: \"BadPSKKey\",\n\t\t\t\tConf: config.Config{\n\t\t\t\t\tMode: config.IndexerMode,\n\t\t\t\t\tAuth: config.Auth{\n\t\t\t\t\t\tPSK: &config.AuthPSK{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tCheck: shouldFail,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"BadPSKIssuer\",\n\t\t\t\tConf: config.Config{\n\t\t\t\t\tMode: config.IndexerMode,\n\t\t\t\t\tAuth: config.Auth{\n\t\t\t\t\t\tPSK: &config.AuthPSK{\n\t\t\t\t\t\t\tKey: config.Base64([]byte{0xde, 0xad, 0xbe, 0xef}),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tCheck: shouldFail,\n\t\t\t},\n\t\t}\n\t\tfor _, tc := range tt {\n\t\t\tt.Run(tc.Name, tc.Run)\n\t\t}\n\t})\n\n\tt.Run(\"Notifier\", func(t *testing.T) {\n\t\ttt := []ValidateTestcase{\n\t\t\t{\n\t\t\t\tName: \"Multiple\",\n\t\t\t\tConf: config.Config{\n\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\tAMQP: &config.AMQP{},\n\t\t\t\t\t\tSTOMP: &config.STOMP{},\n\t\t\t\t\t\tWebhook: &config.Webhook{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tCheck: shouldFail,\n\t\t\t},\n\t\t}\n\t\tfor _, tc := range tt {\n\t\t\tt.Run(tc.Name, tc.Run)\n\t\t}\n\n\t\tt.Run(\"Webhook\", func(t *testing.T) {\n\t\t\ttt := []ValidateTestcase{\n\t\t\t\t{\n\t\t\t\t\tName: \"Target\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tWebhook: &config.Webhook{\n\t\t\t\t\t\t\t\tTarget: \" http://example.com/\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"Callback\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tWebhook: &config.Webhook{\n\t\t\t\t\t\t\t\tCallback: \" http://example.com/\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t}\n\t\t\tfor _, tc := range tt {\n\t\t\t\tt.Run(tc.Name, tc.Run)\n\t\t\t}\n\t\t})\n\n\t\tt.Run(\"AMQP\", func(t *testing.T) {\n\t\t\ttt := []ValidateTestcase{\n\t\t\t\t{\n\t\t\t\t\tName: \"RoutingKey\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tAMQP: &config.AMQP{},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"URIs\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tAMQP: &config.AMQP{\n\t\t\t\t\t\t\t\tRoutingKey: \"test\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"InvalidURI\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tAMQP: &config.AMQP{\n\t\t\t\t\t\t\t\tRoutingKey: \"test\",\n\t\t\t\t\t\t\t\tURIs: []string{\" amqp://\"},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"Callback\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tAMQP: &config.AMQP{\n\t\t\t\t\t\t\t\tRoutingKey: \"test\",\n\t\t\t\t\t\t\t\tURIs: []string{\"amqp://\"},\n\t\t\t\t\t\t\t\tCallback: \" http://example.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t}\n\t\t\tfor _, tc := range tt {\n\t\t\t\tt.Run(tc.Name, tc.Run)\n\t\t\t}\n\t\t})\n\n\t\tt.Run(\"STOMP\", func(t *testing.T) {\n\t\t\ttt := []ValidateTestcase{\n\t\t\t\t{\n\t\t\t\t\tName: \"URIs\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tSTOMP: &config.STOMP{},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"InvalidURI\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tSTOMP: &config.STOMP{\n\t\t\t\t\t\t\t\tURIs: []string{\"::42\"},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"Callback\",\n\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\tSTOMP: &config.STOMP{\n\t\t\t\t\t\t\t\tURIs: []string{\"stomp:567\"},\n\t\t\t\t\t\t\t\tCallback: \" http://example.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t},\n\t\t\t}\n\t\t\tfor _, tc := range tt {\n\t\t\t\tt.Run(tc.Name, tc.Run)\n\t\t\t}\n\n\t\t\tt.Run(\"TLS\", func(t *testing.T) {\n\t\t\t\ttt := []ValidateTestcase{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"Key\",\n\t\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\t\tSTOMP: &config.STOMP{\n\t\t\t\t\t\t\t\t\tURIs: []string{\"stomp:567\"},\n\t\t\t\t\t\t\t\t\tCallback: \"http://example.com/\",\n\t\t\t\t\t\t\t\t\tTLS: &config.TLS{\n\t\t\t\t\t\t\t\t\t\tCert: \"fail.crt\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"Cert\",\n\t\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\t\tSTOMP: &config.STOMP{\n\t\t\t\t\t\t\t\t\tURIs: []string{\"stomp:567\"},\n\t\t\t\t\t\t\t\t\tCallback: \"http://example.com/\",\n\t\t\t\t\t\t\t\t\tTLS: &config.TLS{\n\t\t\t\t\t\t\t\t\t\tKey: \"fail.key\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"RootCA\",\n\t\t\t\t\t\tConf: config.Config{\n\t\t\t\t\t\t\tMode: config.NotifierMode,\n\t\t\t\t\t\t\tNotifier: config.Notifier{\n\t\t\t\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\t\t\t\tMatcherAddr: \"http://example.com/\",\n\t\t\t\t\t\t\t\tSTOMP: &config.STOMP{\n\t\t\t\t\t\t\t\t\tURIs: []string{\"stomp:567\"},\n\t\t\t\t\t\t\t\t\tCallback: \"http://example.com/\",\n\t\t\t\t\t\t\t\t\tTLS: &config.TLS{\n\t\t\t\t\t\t\t\t\t\tRootCA: \"fail.pem\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCheck: shouldFail,\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\tfor _, tc := range tt {\n\t\t\t\t\tt.Run(tc.Name, tc.Run)\n\t\t\t\t}\n\t\t\t})\n\t\t})\n\t})\n}\n\nfunc TestUpdateRetention(t *testing.T) {\n\texpect := func(n int) func(*testing.T, *config.Config, error) {\n\t\treturn func(t *testing.T, c *config.Config, err error) {\n\t\t\tif err != nil {\n\t\t\t\tt.Errorf(\"unexpected error: %v\", err)\n\t\t\t}\n\t\t\tif got, want := c.Matcher.UpdateRetention, n; got != want {\n\t\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t\t}\n\t\t}\n\t}\n\n\t// Construct a bunch of test cases from (in, out) pairs.\n\ttt := func(p [][2]int) (tt []ValidateTestcase) {\n\t\tfor _, p := range p {\n\t\t\ttt = append(tt, ValidateTestcase{\n\t\t\t\tName: fmt.Sprintf(\"%d\", p[0]),\n\t\t\t\tConf: config.Config{\n\t\t\t\t\tMode: config.ComboMode,\n\t\t\t\t\tHTTPListenAddr: \"localhost:8080\",\n\t\t\t\t\tMatcher: config.Matcher{\n\t\t\t\t\t\tUpdateRetention: p[0],\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tCheck: expect(p[1]),\n\t\t\t})\n\t\t}\n\t\treturn\n\t}([][2]int{\n\t\t{-1, 0},\n\t\t{0, config.DefaultUpdateRetention},\n\t\t{1, config.DefaultUpdateRetention},\n\t\t{2, 2},\n\t})\n\tfor _, tc := range tt {\n\t\tt.Run(tc.Name, tc.Run)\n\t}\n}\n\nfunc TestDisableUpdaters(t *testing.T) {\n\tsetsEmpty := func(t *testing.T, c *config.Config, err error) {\n\t\tif err != nil {\n\t\t\tt.Errorf(\"unexpected error: %v\", err)\n\t\t}\n\t\tif !cmp.Equal(c.Updaters.Sets, []string{}) {\n\t\t\tt.Error(cmp.Diff(c.Updaters.Sets, []string{}))\n\t\t}\n\t}\n\ttt := []ValidateTestcase{\n\t\t{\n\t\t\tName: \"ComboMode\",\n\t\t\tConf: config.Config{\n\t\t\t\tMode: config.ComboMode,\n\t\t\t\tMatcher: config.Matcher{\n\t\t\t\t\tDisableUpdaters: true,\n\t\t\t\t},\n\t\t\t\tUpdaters: config.Updaters{\n\t\t\t\t\tSets: []string{\"alpine\", \"aws\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\tCheck: setsEmpty,\n\t\t},\n\t\t{\n\t\t\tName: \"MatcherMode\",\n\t\t\tConf: config.Config{\n\t\t\t\tMode: config.MatcherMode,\n\t\t\t\tMatcher: config.Matcher{\n\t\t\t\t\tIndexerAddr: \"http://example.com/\",\n\t\t\t\t\tDisableUpdaters: true,\n\t\t\t\t},\n\t\t\t\tUpdaters: config.Updaters{\n\t\t\t\t\tSets: []string{\"alpine\", \"aws\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\tCheck: setsEmpty,\n\t\t},\n\t}\n\n\tfor _, tc := range tt {\n\t\tt.Run(tc.Name, tc.Run)\n\t}\n}\n"
},
{
"path": "config/database.go",
"content": "package config\n\nimport (\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n)\n\nfunc checkDSN(s string) (w []Warning, err error) {\n\tswitch {\n\tcase s == \"\":\n\t\t// Nothing specified, make sure something's in the environment.\n\t\tenvSet := false\n\t\tfor _, k := range os.Environ() {\n\t\t\tif strings.HasPrefix(k, `PG`) {\n\t\t\t\tenvSet = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !envSet {\n\t\t\tw = append(w, Warning{\n\t\t\t\tmsg: \"connection string is empty and no relevant environment variables found\",\n\t\t\t})\n\t\t}\n\tcase strings.HasPrefix(s, \"postgresql://\"):\n\t\t// Looks like a URL\n\t\tif _, err := url.Parse(s); err != nil {\n\t\t\tw = append(w, Warning{inner: err})\n\t\t}\n\tcase strings.ContainsRune(s, '='):\n\t\t// Looks like a DSN\n\tcase strings.Contains(s, `://`):\n\t\tw = append(w, Warning{\n\t\t\tmsg: \"connection string looks like a URL but scheme is unrecognized\",\n\t\t})\n\tdefault:\n\t\tw = append(w, Warning{\n\t\t\tmsg: \"unable to make sense of connection string\",\n\t\t})\n\t}\n\treturn w, nil\n}\n"
},
{
"path": "config/defaults.go",
"content": "package config\n\nimport \"time\"\n\n// These are defaults, used in the documented spots.\nconst (\n\t// DefaultAddress is used if an \"http_listen_addr\" is not provided in the config.\n\tDefaultAddress = \":6060\"\n\t// DefaultScanLockRetry is the default retry period for attempting locks\n\t// during the indexing process. Its name is a historical accident.\n\tDefaultScanLockRetry = 1\n\t// DefaultMatcherPeriod is the default interval for running updaters.\n\tDefaultMatcherPeriod = 6 * time.Hour\n\t// DefaultUpdateRetention is the number of updates per vulnerability\n\t// database to retain.\n\tDefaultUpdateRetention = 10\n\t// DefaultNotifierPollInterval is the default (and minimum) interval for the\n\t// notifier's change poll interval. The notifier will poll the database for\n\t// updated vulnerability databases at this rate.\n\tDefaultNotifierPollInterval = 6 * time.Hour\n\t// DefaultNotifierDeliveryInterval is the default (and minimum) interval for\n\t// the notifier's delivery interval. The notifier will attempt to deliver\n\t// outstanding notifications at this rate.\n\tDefaultNotifierDeliveryInterval = 1 * time.Hour\n)\n"
},
{
"path": "config/doc.go",
"content": "// Package config is the configuration package for Clair's binaries. See the\n// [Config] type for the main entry point.\n//\n// It's currently meant for reading configurations and tested against YAML and\n// JSON.\n//\n// # Version Scheme\n//\n// This package uses an idiosyncratic versioning scheme:\n//\n// - The major version tracks the input format.\n// - The minor version tracks the Go source API.\n// - The patch version increases with fixes and additions.\n//\n// This means that any valid configuration accepted by `v1.0.0` should continue\n// to be accepted for all revisions of the v1 module, but `v1.1.0` may force\n// changes on a program importing the module.\npackage config\n\n// This package can't use \"omitempty\" tags on slices because \"not present\" and\n// \"empty\" aren't distinguished. This would be much easier if code didn't\n// serialize our config struct. It's impossible to implement custom YAML\n// marshalling without importing the yaml.v3 package.\n"
},
{
"path": "config/enums.go",
"content": "package config\n\nimport (\n\t\"encoding\"\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n)\n\n//go:generate -command stringer go run golang.org/x/tools/cmd/stringer@v0.8.0\n//go:generate stringer -type Mode,LogLevel -linecomment -output enums_string.go\n\n// A Mode is an operating mode recognized by Clair.\n//\n// This is not directly settable by serializing into a Config object.\ntype Mode int\n\n// Clair modes, with their string representations as the comments.\nconst (\n\tComboMode Mode = iota // combo\n\tIndexerMode // indexer\n\tMatcherMode // matcher\n\tNotifierMode // notifier\n)\n\n// ParseMode returns a mode for the given string.\n//\n// The passed string is case-insensitive.\nfunc ParseMode(s string) (Mode, error) {\n\tfor i, lim := 0, len(_Mode_index); i < lim; i++ {\n\t\tm := Mode(i)\n\t\tif strings.EqualFold(s, m.String()) {\n\t\t\treturn m, nil\n\t\t}\n\t}\n\treturn Mode(-1), fmt.Errorf(`unknown mode %q`, s)\n}\n\n// A LogLevel is a log level recognized by Clair.\n//\n// The zero value is \"info\".\ntype LogLevel int\n\n// The recognized log levels, with their string representations as the comments.\n//\n// NB \"Fatal\" and \"Panic\" are not used in clair or claircore, and will result in\n// almost no logging.\nconst (\n\tInfoLog LogLevel = iota // info\n\tDebugColorLog // debug-color\n\tDebugLog // debug\n\tWarnLog // warn\n\tErrorLog // error\n\tFatalLog // fatal\n\tPanicLog // panic\n)\n\n// ParseLogLevel returns the log lever for the given string.\n//\n// The passed string is case-insensitive.\nfunc ParseLogLevel(s string) (LogLevel, error) {\n\tfor i, lim := 0, len(_LogLevel_index); i < lim; i++ {\n\t\tl := LogLevel(i)\n\t\tif strings.EqualFold(s, l.String()) {\n\t\t\treturn l, nil\n\t\t}\n\t}\n\treturn LogLevel(-1), fmt.Errorf(`unknown log level %q`, s)\n}\n\n// UnmarshalText implements encoding.TextUnmarshaler.\nfunc (l *LogLevel) UnmarshalText(b []byte) (err error) {\n\t*l, err = ParseLogLevel(string(b))\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// MarshalText implements encoding.TextMarshaler.\nfunc (l *LogLevel) MarshalText() ([]byte, error) {\n\tif l == nil {\n\t\treturn nil, errors.New(\"invalid LogLevel pointer: \")\n\t}\n\ti := *l\n\tif i < 0 || i >= LogLevel(len(_LogLevel_index)-1) {\n\t\treturn nil, fmt.Errorf(\"invalid LogLevel: %q\", l.String())\n\t}\n\treturn []byte(_LogLevel_name[_LogLevel_index[i]:_LogLevel_index[i+1]]), nil\n}\n\n// Assert LogLevel implements TextUnmarshaler and TextMarshaler.\nvar (\n\t_ encoding.TextUnmarshaler = (*LogLevel)(nil)\n\t_ encoding.TextMarshaler = (*LogLevel)(nil)\n)\n"
},
{
"path": "config/enums_string.go",
"content": "// Code generated by \"stringer -type Mode,LogLevel -linecomment -output enums_string.go\"; DO NOT EDIT.\n\npackage config\n\nimport \"strconv\"\n\nfunc _() {\n\t// An \"invalid array index\" compiler error signifies that the constant values have changed.\n\t// Re-run the stringer command to generate them again.\n\tvar x [1]struct{}\n\t_ = x[ComboMode-0]\n\t_ = x[IndexerMode-1]\n\t_ = x[MatcherMode-2]\n\t_ = x[NotifierMode-3]\n}\n\nconst _Mode_name = \"comboindexermatchernotifier\"\n\nvar _Mode_index = [...]uint8{0, 5, 12, 19, 27}\n\nfunc (i Mode) String() string {\n\tif i < 0 || i >= Mode(len(_Mode_index)-1) {\n\t\treturn \"Mode(\" + strconv.FormatInt(int64(i), 10) + \")\"\n\t}\n\treturn _Mode_name[_Mode_index[i]:_Mode_index[i+1]]\n}\nfunc _() {\n\t// An \"invalid array index\" compiler error signifies that the constant values have changed.\n\t// Re-run the stringer command to generate them again.\n\tvar x [1]struct{}\n\t_ = x[InfoLog-0]\n\t_ = x[DebugColorLog-1]\n\t_ = x[DebugLog-2]\n\t_ = x[WarnLog-3]\n\t_ = x[ErrorLog-4]\n\t_ = x[FatalLog-5]\n\t_ = x[PanicLog-6]\n}\n\nconst _LogLevel_name = \"infodebug-colordebugwarnerrorfatalpanic\"\n\nvar _LogLevel_index = [...]uint8{0, 4, 15, 20, 24, 29, 34, 39}\n\nfunc (i LogLevel) String() string {\n\tif i < 0 || i >= LogLevel(len(_LogLevel_index)-1) {\n\t\treturn \"LogLevel(\" + strconv.FormatInt(int64(i), 10) + \")\"\n\t}\n\treturn _LogLevel_name[_LogLevel_index[i]:_LogLevel_index[i+1]]\n}\n"
},
{
"path": "config/enums_test.go",
"content": "package config_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/quay/clair/config\"\n)\n\nfunc TestEnumMarshal(t *testing.T) {\n\tt.Run(\"LogLevel\", func(t *testing.T) {\n\t\ttt := [][]byte{\n\t\t\t[]byte(\"info\"),\n\t\t\t[]byte(\"debug-color\"),\n\t\t\t[]byte(\"debug\"),\n\t\t\t[]byte(\"warn\"),\n\t\t\t[]byte(\"error\"),\n\t\t\t[]byte(\"fatal\"),\n\t\t\t[]byte(\"panic\"),\n\t\t}\n\t\tt.Run(\"Marshal\", func(t *testing.T) {\n\t\t\tfor i, want := range tt {\n\t\t\t\tl := config.LogLevel(i)\n\t\t\t\tgot, err := l.MarshalText()\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif !bytes.Equal(got, want) {\n\t\t\t\t\tt.Errorf(\"got: %q, want: %q\", got, want)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t\tt.Run(\"Unmarshal\", func(t *testing.T) {\n\t\t\tfor want, in := range tt {\n\t\t\t\tvar l config.LogLevel\n\t\t\t\tif err := l.UnmarshalText(in); err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif got := int(l); got != want {\n\t\t\t\t\tt.Errorf(\"got: %q, want: %q\", got, want)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t})\n}\n"
},
{
"path": "config/go.mod",
"content": "module github.com/quay/clair/config\n\ngo 1.22.0\n\nrequire github.com/google/go-cmp v0.7.0\n"
},
{
"path": "config/go.sum",
"content": "github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\n"
},
{
"path": "config/indexer.go",
"content": "package config\n\nimport \"runtime\"\n\n// Indexer provides Clair Indexer node configuration\ntype Indexer struct {\n\t// Scanner allows for passing configuration options to layer scanners.\n\tScanner ScannerConfig `yaml:\"scanner,omitempty\" json:\"scanner,omitempty\"`\n\t// A Postgres connection string.\n\t//\n\t// formats\n\t// url: \"postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full\"\n\t// or\n\t// string: \"user=pqgotest dbname=pqgotest sslmode=verify-full\"\n\tConnString string `yaml:\"connstring\" json:\"connstring\"`\n\t// A positive value representing seconds.\n\t//\n\t// Concurrent Indexers lock on manifest scans to avoid clobbering.\n\t// This value tunes how often a waiting Indexer will poll for the lock.\n\tScanLockRetry int `yaml:\"scanlock_retry,omitempty\" json:\"scanlock_retry,omitempty\"`\n\t// A positive values representing quantity.\n\t//\n\t// Indexers will index a Manifest's layers concurrently.\n\t// This value tunes the number of layers an Indexer will scan in parallel.\n\tLayerScanConcurrency int `yaml:\"layer_scan_concurrency,omitempty\" json:\"layer_scan_concurrency,omitempty\"`\n\t// Rate limits the number of index report creation requests.\n\t//\n\t// Setting this to 0 will attempt to auto-size this value. Setting a\n\t// negative value means \"unlimited.\" The auto-sizing is a multiple of the\n\t// number of available cores.\n\t//\n\t// The API will return a 429 status code if concurrency is exceeded.\n\tIndexReportRequestConcurrency int `yaml:\"index_report_request_concurrency,omitempty\" json:\"index_report_request_concurrency,omitempty\"`\n\t// A \"true\" or \"false\" value\n\t//\n\t// Whether Indexer nodes handle migrations to their database.\n\tMigrations bool `yaml:\"migrations,omitempty\" json:\"migrations,omitempty\"`\n\t// Airgap disables HTTP access to the Internet. This affects both indexers and\n\t// the layer fetcher. Database connections are unaffected.\n\t//\n\t// \"Airgap\" is a bit of a misnomer, as [RFC 4193] and [RFC 1918] addresses\n\t// are always allowed. This means that setting this flag and also\n\t// configuring a proxy on a private network does not prevent contact with\n\t// the Internet.\n\t//\n\t// [RFC 1918]: https://datatracker.ietf.org/doc/html/rfc1918\n\t// [RFC 4193]: https://datatracker.ietf.org/doc/html/rfc4193\n\tAirgap bool `yaml:\"airgap,omitempty\" json:\"airgap,omitempty\"`\n}\n\nfunc (i *Indexer) validate(mode Mode) (ws []Warning, err error) {\n\tconst DefaultScanLockRetry = 1\n\tif mode != ComboMode && mode != IndexerMode {\n\t\treturn nil, nil\n\t}\n\tif i.ScanLockRetry == 0 {\n\t\ti.ScanLockRetry = DefaultScanLockRetry\n\t}\n\tif i.IndexReportRequestConcurrency == 0 {\n\t\t// GOMAXPROCS should be set to the number of cores available.\n\t\tgmp := runtime.GOMAXPROCS(0)\n\t\tconst wildGuess = 4\n\t\ti.IndexReportRequestConcurrency = gmp * wildGuess\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".index_report_request_concurrency\",\n\t\t\tmsg: `automatically sizing number of concurrent requests`,\n\t\t})\n\t}\n\tlws, err := i.lint()\n\treturn append(ws, lws...), err\n}\n\nfunc (i *Indexer) lint() (ws []Warning, err error) {\n\tws, err = checkDSN(i.ConnString)\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\tfor i := range ws {\n\t\tws[i].path = \".connstring\"\n\t}\n\tif i.ScanLockRetry > 10 { // Guess at what a \"large\" value is here.\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".scanlock_retry\",\n\t\t\tmsg: `large values will increase latency`,\n\t\t})\n\t}\n\tswitch {\n\tcase i.LayerScanConcurrency == 0:\n\t\t// Skip, autosized.\n\tcase i.LayerScanConcurrency < 4:\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".layer_scan_concurrency\",\n\t\t\tmsg: `small values will limit resource utilization and increase latency`,\n\t\t})\n\tcase i.LayerScanConcurrency > 32:\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".layer_scan_concurrency\",\n\t\t\tmsg: `large values may exceed resource quotas`,\n\t\t})\n\t}\n\n\treturn ws, nil\n}\n\n// ScannerConfig is the object consulted for configuring the various types of\n// scanners.\ntype ScannerConfig struct {\n\tPackage map[string]interface{} `yaml:\"package,omitempty\" json:\"package,omitempty\"`\n\tDist map[string]interface{} `yaml:\"dist,omitempty\" json:\"dist,omitempty\"`\n\tRepo map[string]interface{} `yaml:\"repo,omitempty\" json:\"repo,omitempty\"`\n}\n"
},
{
"path": "config/introspection.go",
"content": "package config\n\nimport \"fmt\"\n\n// Trace specifies how to configure Clair's tracing support.\n//\n// The \"Name\" key must match the provider to use.\ntype Trace struct {\n\tName string `yaml:\"name\" json:\"name\"`\n\tProbability *float64 `yaml:\"probability,omitempty\" json:\"probability,omitempty\"`\n\tJaeger Jaeger `yaml:\"jaeger,omitempty\" json:\"jaeger,omitempty\"`\n\tOTLP TraceOTLP `yaml:\"otlp,omitempty\" json:\"otlp,omitempty\"`\n\tSentry Sentry `yaml:\"sentry,omitempty\" json:\"sentry,omitempty\"`\n}\n\nfunc (t *Trace) lint() ([]Warning, error) {\n\tswitch t.Name {\n\tcase \"\":\n\tcase \"otlp\":\n\tcase \"sentry\":\n\tcase \"jaeger\":\n\t\treturn []Warning{{\n\t\t\tpath: \".name\",\n\t\t\tmsg: `trace provider \"jaeger\" is deprecated; migrate to \"otlp\"`,\n\t\t}}, nil\n\tdefault:\n\t\treturn []Warning{{\n\t\t\tpath: \".name\",\n\t\t\tmsg: fmt.Sprintf(`unrecognized trace provider: %q`, t.Name),\n\t\t}}, nil\n\t}\n\treturn nil, nil\n}\n\n// Jaeger specific distributed tracing configuration.\n//\n// Deprecated: The Jaeger project recommends using their OTLP ingestion support\n// and the OpenTelemetry exporter for Jaeger has since been removed. Users\n// should migrate to OTLP. Clair may refuse to start when configured to emit\n// Jaeger traces.\ntype Jaeger struct {\n\tTags map[string]string `yaml:\"tags,omitempty\" json:\"tags,omitempty\"`\n\tAgent struct {\n\t\tEndpoint string `yaml:\"endpoint\" json:\"endpoint\"`\n\t} `yaml:\"agent,omitempty\" json:\"agent,omitempty\"`\n\tCollector struct {\n\t\tUsername *string `yaml:\"username,omitempty\" json:\"username,omitempty\"`\n\t\tPassword *string `yaml:\"password,omitempty\" json:\"password,omitempty\"`\n\t\tEndpoint string `yaml:\"endpoint\" json:\"endpoint\"`\n\t} `yaml:\"collector,omitempty\" json:\"collector,omitempty\"`\n\tServiceName string `yaml:\"service_name,omitempty\" json:\"service_name,omitempty\"`\n\tBufferMax int `yaml:\"buffer_max,omitempty\" json:\"buffer_max,omitempty\"`\n}\n\n// Sentry is the [Sentry] specific tracing configuration.\n//\n// [Sentry]: https://sentry.io\ntype Sentry struct {\n\t// DSN to be passed to [github.com/getsentry/sentry-go.ClientOptions.Dsn].\n\tDSN string `yaml:\"dsn\" json:\"dsn\"`\n\t// Environment to be passed to\n\t// [github.com/getsentry/sentry-go.ClientOptions.Environment].\n\tEnvironment string `yaml:\"environment,omitempty\" json:\"environment,omitempty\"`\n}\n\n// Metrics specifies how to configure Clair's metrics exporting.\n//\n// The \"Name\" key must match the provider to use.\ntype Metrics struct {\n\tName string `yaml:\"name\" json:\"name\"`\n\tPrometheus Prometheus `yaml:\"prometheus,omitempty\" json:\"prometheus,omitempty\"`\n\tOTLP MetricOTLP `yaml:\"otlp,omitempty\" json:\"otlp,omitempty\"`\n}\n\nfunc (m *Metrics) lint() ([]Warning, error) {\n\tswitch m.Name {\n\tcase \"\":\n\tcase \"otlp\":\n\t\treturn []Warning{{\n\t\t\tpath: \".name\",\n\t\t\tmsg: `please consult the documentation for the status of metrics via \"otlp\"`,\n\t\t}}, nil\n\tcase \"prometheus\":\n\tdefault:\n\t\treturn []Warning{{\n\t\t\tpath: \".name\",\n\t\t\tmsg: fmt.Sprintf(`unrecognized metrics provider: %q`, m.Name),\n\t\t}}, nil\n\t}\n\treturn nil, nil\n}\n\n// Prometheus specific metrics configuration.\ntype Prometheus struct {\n\t// Endpoint is a URL path where Prometheus metrics will be hosted.\n\tEndpoint *string `yaml:\"endpoint,omitempty\" json:\"endpoint,omitempty\"`\n}\n"
},
{
"path": "config/lint.go",
"content": "package config\n\nimport (\n\t\"errors\"\n\t\"strings\"\n)\n\n// Lint runs lints on the provided Config.\n//\n// An error is reported only if an error occurred while running the lints. An\n// invalid Config may still report a nil error along with a slice of Warnings.\n//\n// Most validation steps run by Validate will also run lints.\nfunc Lint(c *Config) ([]Warning, error) {\n\treturn forEach(c, func(i interface{}) ([]Warning, error) {\n\t\tif l, ok := i.(linter); ok {\n\t\t\treturn l.lint()\n\t\t}\n\t\treturn nil, nil\n\t})\n}\n\n// Types in this package can implement this interface to report common issues or\n// deprecation warnings.\ntype linter interface {\n\tlint() ([]Warning, error)\n}\n\n// Warning is a linter warning.\n//\n// Users can treat them like errors and use the sentinel values exported by this\n// package.\ntype Warning struct {\n\tinner error\n\tpath string // json-schema style path\n\tmsg string\n}\n\n// Should have inner xor msg\n\nfunc (w *Warning) Error() string {\n\tvar b strings.Builder\n\tif w.inner != nil {\n\t\tb.WriteString(w.inner.Error())\n\t} else {\n\t\tb.WriteString(w.msg)\n\t}\n\tb.WriteString(\" (at \")\n\tb.WriteString(w.path)\n\tb.WriteRune(')')\n\treturn b.String()\n}\n\nfunc (w *Warning) Unwrap() error { return w.inner }\n\n// These are some common kinds of Warnings.\nvar (\n\tErrDeprecated = errors.New(\"setting will be removed in a future release\")\n)\n"
},
{
"path": "config/lint_test.go",
"content": "package config\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n)\n\nfunc init() {\n\t// Forcibly clear PostgreSQL environment variables to get consistent example\n\t// results:\n\tfor _, kv := range os.Environ() {\n\t\tk, _, _ := strings.Cut(kv, \"=\")\n\t\tif strings.HasPrefix(k, `PG`) {\n\t\t\tos.Unsetenv(k)\n\t\t}\n\t}\n}\n\nfunc ExampleLint() {\n\tvar c Config\n\tc.Auth.PSK = &AuthPSK{}\n\tws, err := Lint(&c)\n\tfmt.Println(\"error:\", err)\n\tfor _, w := range ws {\n\t\tfmt.Printf(\"warning: %v\\n\", &w)\n\t}\n\t// Output:\n\t// error: \n\t// warning: http listen address not provided, default will be used (at $.http_listen_addr)\n\t// warning: introspection address not provided, default will be used (at $.introspection_addr)\n\t// warning: connection string is empty and no relevant environment variables found (at $.indexer.connstring)\n\t// warning: connection string is empty and no relevant environment variables found (at $.matcher.connstring)\n\t// warning: updater period is very aggressive: most sources are updated daily (at $.matcher.period)\n\t// warning: update garbage collection is off (at $.matcher.update_retention)\n\t// warning: connection string is empty and no relevant environment variables found (at $.notifier.connstring)\n\t// warning: interval is very fast: may result in increased workload (at $.notifier.poll_interval)\n\t// warning: interval is very fast: may result in increased workload (at $.notifier.delivery_interval)\n}\n"
},
{
"path": "config/matcher.go",
"content": "package config\n\nimport (\n\t\"fmt\"\n\t\"net/url\"\n)\n\n// Matcher is the configuration for the matcher service.\ntype Matcher struct {\n\t// A Postgres connection string.\n\t//\n\t// Formats:\n\t// url: \"postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full\"\n\t// or\n\t// string: \"user=pqgotest dbname=pqgotest sslmode=verify-full\"\n\tConnString string `yaml:\"connstring\" json:\"connstring\"`\n\t// A string in : format where can be an empty string.\n\t//\n\t// A Matcher contacts an Indexer to create a VulnerabilityReport.\n\t// The location of this Indexer is required.\n\tIndexerAddr string `yaml:\"indexer_addr\" json:\"indexer_addr\"`\n\t// Period controls how often updaters are run.\n\t//\n\t// The default is 6 hours.\n\tPeriod Duration `yaml:\"period,omitempty\" json:\"period,omitempty\"`\n\t// UpdateRetention controls the number of updates to retain between\n\t// garbage collection periods.\n\t//\n\t// The lowest possible value is 2 in order to compare updates for notification\n\t// purposes.\n\t//\n\t// A value of 0 disables GC.\n\tUpdateRetention int `yaml:\"update_retention\" json:\"update_retention\"`\n\t// A positive integer\n\t//\n\t// Clair allows for a custom connection pool size. This number will\n\t// directly set how many active sql connections are allowed concurrently.\n\t//\n\t// Deprecated: Pool size should be set through the ConnString member.\n\t// Currently, Clair only uses the \"pgxpool\" package to connect to the\n\t// database, so see\n\t// https://pkg.go.dev/github.com/jackc/pgx/v5/pgxpool#ParseConfig for more\n\t// information.\n\tMaxConnPool int `yaml:\"max_conn_pool,omitempty\" json:\"max_conn_pool,omitempty\"`\n\t// CacheAge controls how long clients should be hinted to cache responses\n\t// for.\n\t//\n\t// If empty, the duration set in \"Period\" will be used. This means client\n\t// may cache \"stale\" results for 2(Period) - 1 seconds.\n\tCacheAge Duration `yaml:\"cache_age,omitempty\" json:\"cache_age,omitempty\"`\n\t// A \"true\" or \"false\" value\n\t//\n\t// Whether Matcher nodes handle migrations to their databases.\n\tMigrations bool `yaml:\"migrations,omitempty\" json:\"migrations,omitempty\"`\n\t// DisableUpdaters disables the updater's running of matchers.\n\t//\n\t// This should be toggled on if vulnerabilities are being provided by\n\t// another mechanism.\n\tDisableUpdaters bool `yaml:\"disable_updaters,omitempty\" json:\"disable_updaters,omitempty\"`\n\t// DisableEnrichment disables the enrichment of vulnerability data.\n\tDisableEnrichment bool `yaml:\"disable_enrichment,omitempty\" json:\"disable_enrichment,omitempty\"`\n}\n\nfunc (m *Matcher) validate(mode Mode) ([]Warning, error) {\n\tif mode != ComboMode && mode != MatcherMode {\n\t\treturn nil, nil\n\t}\n\tif m.Period == 0 {\n\t\tm.Period = Duration(DefaultMatcherPeriod)\n\t}\n\tswitch {\n\tcase m.UpdateRetention < 0:\n\t\t// Less than 0 means GC is off.\n\t\tm.UpdateRetention = 0\n\tcase m.UpdateRetention < 2:\n\t\t// Anything less than 2 gets the default.\n\t\tm.UpdateRetention = DefaultUpdateRetention\n\t}\n\tif m.CacheAge == 0 {\n\t\tm.CacheAge = m.Period\n\t}\n\tswitch mode {\n\tcase ComboMode:\n\tcase MatcherMode:\n\t\tif m.IndexerAddr == \"\" {\n\t\t\treturn nil, fmt.Errorf(\"matcher mode requires a remote Indexer address\")\n\t\t}\n\t\t_, err := url.Parse(m.IndexerAddr)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to parse matcher mode IndexerAddr string: %v\", err)\n\t\t}\n\tdefault:\n\t\tpanic(\"programmer error\")\n\t}\n\treturn m.lint()\n}\n\nfunc (m *Matcher) lint() (ws []Warning, err error) {\n\tws, err = checkDSN(m.ConnString)\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\tfor i := range ws {\n\t\tws[i].path = \".connstring\"\n\t}\n\n\tif m.Period < Duration(DefaultMatcherPeriod) {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".period\",\n\t\t\tmsg: \"updater period is very aggressive: most sources are updated daily\",\n\t\t})\n\t}\n\tif m.CacheAge < m.Period/2 {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".cache_age\",\n\t\t\tmsg: \"expiry very low: may result in increased workload\",\n\t\t})\n\t}\n\tif m.UpdateRetention == 0 {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".update_retention\",\n\t\t\tmsg: \"update garbage collection is off\",\n\t\t})\n\t}\n\tif m.MaxConnPool != 0 {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".max_conn_pool\",\n\t\t\tmsg: \"this parameter will be ignored in a future release\",\n\t\t})\n\t}\n\n\treturn ws, nil\n}\n"
},
{
"path": "config/matchers.go",
"content": "package config\n\n// Matchers configures the individual matchers run by the matcher system.\ntype Matchers struct {\n\t// Config holds configuration blocks for MatcherFactories and Matchers,\n\t// keyed by name.\n\tConfig map[string]interface{} `yaml:\"config,omitempty\" json:\"config,omitempty\"`\n\t// A slice of strings representing which matchers will be used.\n\t//\n\t// If nil all default Matchers will be used\n\t//\n\t// The following names are supported by default:\n\t// \"alpine\"\n\t// \"aws\"\n\t// \"debian\"\n\t// \"oracle\"\n\t// \"photon\"\n\t// \"python\"\n\t// \"rhel\"\n\t// \"suse\"\n\t// \"ubuntu\"\n\t// \"crda\" - remotematcher calls hosted api via RPC.\n\tNames []string `yaml:\"names,omitempty\" json:\"names,omitempty\"`\n}\n"
},
{
"path": "config/notifier.go",
"content": "package config\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"reflect\"\n\t\"strings\"\n\t\"time\"\n)\n\n// Notifier provides Clair Notifier node configuration\ntype Notifier struct {\n\t// Only one of the following should be provided in the configuration\n\t//\n\t// Configures the notifier for webhook delivery\n\tWebhook *Webhook `yaml:\"webhook,omitempty\" json:\"webhook,omitempty\"`\n\t// Configures the notifier for AMQP delivery.\n\tAMQP *AMQP `yaml:\"amqp,omitempty\" json:\"amqp,omitempty\"`\n\t// Configures the notifier for STOMP delivery.\n\tSTOMP *STOMP `yaml:\"stomp,omitempty\" json:\"stomp,omitempty\"`\n\t// A Postgres connection string.\n\t//\n\t// Formats:\n\t// url: \"postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full\"\n\t// or\n\t// string: \"user=pqgotest dbname=pqgotest sslmode=verify-full\"\n\tConnString string `yaml:\"connstring\" json:\"connstring\"`\n\t// A string in : format where can be an empty string.\n\t//\n\t// A Notifier contacts an Indexer to create obtain manifests affected by vulnerabilities.\n\t// The location of this Indexer is required.\n\tIndexerAddr string `yaml:\"indexer_addr\" json:\"indexer_addr\"`\n\t// A string in : format where can be an empty string.\n\t//\n\t// A Notifier contacts a Matcher to list update operations and acquire diffs.\n\t// The location of this Indexer is required.\n\tMatcherAddr string `yaml:\"matcher_addr\" json:\"matcher_addr\"`\n\t// A time.ParseDuration parsable string\n\t//\n\t// The frequency at which the notifier will query at Matcher for Update Operations.\n\t// If a value smaller then 1 minute is provided it will be replaced with the\n\t// default 6 hour poll interval as the default updater period is 6 hours.\n\tPollInterval Duration `yaml:\"poll_interval,omitempty\" json:\"poll_interval,omitempty\"`\n\t// A time.ParseDuration parsable string\n\t//\n\t// The frequency at which the notifier attempt delivery of created or previously failed\n\t// notifications\n\t// If a value smaller then 1 minute is provided it will be replaced with the\n\t// default 1 hour delivery interval.\n\tDeliveryInterval Duration `yaml:\"delivery_interval,omitempty\" json:\"delivery_interval,omitempty\"`\n\t// DisableSummary disables summarizing vulnerabilities per-manifest.\n\t//\n\t// The default is to summarize any new vulnerabilities to the most severe\n\t// one, in the thought that any additional processing for end-user\n\t// notifications can have policies around severity and fetch a complete\n\t// VulnerabilityReport if it'd like.\n\t//\n\t// For a machine-consumption use case, it may be easier to instead have the\n\t// notifier push all the data.\n\tDisableSummary bool `yaml:\"disable_summary,omitempty\" json:\"disable_summary,omitempty\"`\n\t// A \"true\" or \"false\" value\n\t//\n\t// Whether Notifier nodes handle migrations to their database.\n\tMigrations bool `yaml:\"migrations,omitempty\" json:\"migrations,omitempty\"`\n}\n\nfunc (n *Notifier) validate(mode Mode) ([]Warning, error) {\n\tif mode != ComboMode && mode != NotifierMode {\n\t\treturn nil, nil\n\t}\n\tif n.PollInterval < Duration(1*time.Minute) {\n\t\tn.PollInterval = Duration(DefaultNotifierPollInterval)\n\t}\n\tif n.DeliveryInterval < Duration(1*time.Minute) {\n\t\tn.DeliveryInterval = Duration(DefaultNotifierDeliveryInterval)\n\t}\n\tswitch mode {\n\tcase ComboMode:\n\tcase NotifierMode:\n\t\tif n.IndexerAddr == \"\" {\n\t\t\treturn nil, fmt.Errorf(\"notifier mode requires a remote Indexer\")\n\t\t}\n\t\tif n.MatcherAddr == \"\" {\n\t\t\treturn nil, fmt.Errorf(\"notifier mode requires a remote Matcher\")\n\t\t}\n\tdefault:\n\t\tpanic(\"programmer error\")\n\t}\n\treturn n.lint()\n}\n\nfunc (n *Notifier) lint() (ws []Warning, err error) {\n\tws, err = checkDSN(n.ConnString)\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\tfor i := range ws {\n\t\tws[i].path = \".connstring\"\n\t}\n\tgot := 0\n\tif n.AMQP != nil {\n\t\tgot++\n\t}\n\tif n.STOMP != nil {\n\t\tgot++\n\t}\n\tif n.Webhook != nil {\n\t\tgot++\n\t}\n\tswitch {\n\tcase got == 0 && !reflect.ValueOf(n).Elem().IsZero():\n\t\tws = append(ws, Warning{\n\t\t\tmsg: \"no delivery mechanisms specified\",\n\t\t})\n\tcase got > 1:\n\t\tws = append(ws, Warning{\n\t\t\tmsg: \"multiple delivery mechanisms specified\",\n\t\t})\n\t}\n\n\tif n.PollInterval < Duration(DefaultNotifierPollInterval) {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".poll_interval\",\n\t\t\tmsg: \"interval is very fast: may result in increased workload\",\n\t\t})\n\t}\n\tif n.DeliveryInterval < Duration(DefaultNotifierDeliveryInterval) {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".delivery_interval\",\n\t\t\tmsg: \"interval is very fast: may result in increased workload\",\n\t\t})\n\t}\n\tif n.DisableSummary {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".disable_summary\",\n\t\t\tmsg: \"disabling notification summary significantly increases memory consumption\",\n\t\t})\n\t}\n\n\treturn ws, nil\n}\n\n// Webhook configures the \"webhook\" notification mechanism.\ntype Webhook struct {\n\t// any HTTP headers necessary for the request to Target\n\tHeaders http.Header `yaml:\"headers,omitempty\" json:\"headers,omitempty\"`\n\t// the URL where our webhook will be delivered\n\tTarget string `yaml:\"target\" json:\"target\"`\n\t// the callback url where notifications can be received\n\t// the notification will be appended to this url\n\tCallback string `yaml:\"callback\" json:\"callback\"`\n\t// whether the webhook deliverer will sign out going.\n\t// if true webhooks will be sent with a jwt signed by\n\t// the notifier's private key.\n\tSigned bool `yaml:\"signed,omitempty\" json:\"signed,omitempty\"`\n}\n\n// Validate will return a copy of the Config on success.\n// If any validation fails an error will be returned.\nfunc (w *Webhook) validate(mode Mode) ([]Warning, error) {\n\tif mode != ComboMode && mode != NotifierMode {\n\t\treturn nil, nil\n\t}\n\tvar ws []Warning\n\tif _, err := url.Parse(w.Target); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse target url: %w\", err)\n\t}\n\n\t// Require trailing slash so url.Parse() can easily append notification id.\n\tif !strings.HasSuffix(w.Callback, \"/\") {\n\t\tw.Callback = w.Callback + \"/\"\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".callback\",\n\t\t\tmsg: `URL should end in a \"/\"`,\n\t\t})\n\t}\n\n\tif _, err := url.Parse(w.Callback); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse callback url: %w\", err)\n\t}\n\tls, err := w.lint()\n\tws = append(ws, ls...)\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\treturn ws, nil\n}\n\nfunc (w *Webhook) lint() ([]Warning, error) {\n\tif w.Signed {\n\t\treturn []Warning{{\n\t\t\tpath: \".signed\",\n\t\t\tinner: ErrDeprecated,\n\t\t}}, nil\n\t}\n\treturn nil, nil\n}\n\n// Exchange are the required fields necessary to check\n// the existence of an Exchange\n//\n// For more details see: https://godoc.org/github.com/streadway/amqp#Channel.ExchangeDeclarePassive\ntype Exchange struct {\n\t// The name of the exchange\n\tName string `yaml:\"name\" json:\"name\"`\n\t// The type of the exchange. Typically:\n\t// \"direct\"\n\t// \"fanout\"\n\t// \"topic\"\n\t// \"headers\"\n\tType string `yaml:\"type\" json:\"type\"`\n\t// Whether the exchange survives server restarts\n\tDurable bool `yaml:\"durability,omitempty\" json:\"durability,omitempty\"`\n\t// Whether bound consumers define the lifecycle of the Exchange.\n\tAutoDelete bool `yaml:\"auto_delete,omitempty\" json:\"auto_delete,omitempty\"`\n}\n\nfunc (e *Exchange) validate(_ Mode) ([]Warning, error) {\n\tif e.Type == \"\" {\n\t\treturn nil, fmt.Errorf(\"field required\")\n\t}\n\treturn nil, nil\n}\n\n// AMQP configures the AMQP notification mechanism.\ntype AMQP struct {\n\tTLS *TLS `yaml:\"tls,omitempty\" json:\"tls,omitempty\"`\n\t// The AMQP exchange notifications will be delivered to.\n\t// A passive declare is performed and if the exchange does not exist\n\t// the declare will fail.\n\tExchange Exchange `yaml:\"exchange\" json:\"exchange\"`\n\t// The routing key used to route notifications to the desired queue.\n\tRoutingKey string `yaml:\"routing_key\" json:\"routing_key\"`\n\t// The callback url where notifications are retrieved.\n\tCallback string `yaml:\"callback\" json:\"callback\"`\n\t// A list of AMQP compliant URI scheme. see: https://www.rabbitmq.com/uri-spec.html\n\t// example: \"amqp://user:pass@host:10000/vhost\"\n\t//\n\t// The first successful connection will be used by the amqp deliverer.\n\t//\n\t// If \"amqps://\" broker URI schemas are provided the TLS configuration below is required.\n\tURIs []string `yaml:\"uris\" json:\"uris\"`\n\t// Specifies the number of notifications delivered in single AMQP message\n\t// when Direct is true.\n\t//\n\t// Ignored if Direct is not true\n\t// If 0 or 1 is provided no rollup occurs and each notification is delivered\n\t// separately.\n\tRollup int `yaml:\"rollup,omitempty\" json:\"rollup,omitempty\"`\n\t// AMQPConfigures the AMQP delivery to deliver notifications directly to\n\t// the configured Exchange.\n\t//\n\t// If true \"Callback\" is ignored.\n\t// If false a notifier.Callback is delivered to the queue and clients\n\t// utilize the pagination API to retrieve.\n\tDirect bool `yaml:\"direct,omitempty\" json:\"direct,omitempty\"`\n}\n\n// Validate confirms configuration is valid.\nfunc (c *AMQP) validate(mode Mode) ([]Warning, error) {\n\tif mode != ComboMode && mode != NotifierMode {\n\t\treturn nil, nil\n\t}\n\tvar ws []Warning\n\tif c.RoutingKey == \"\" {\n\t\treturn nil, fmt.Errorf(\"AMQP config requires the routing key field\")\n\t}\n\tif len(c.URIs) == 0 {\n\t\treturn nil, fmt.Errorf(\"missing URIs for AMQP broker\")\n\t}\n\tfor _, uri := range c.URIs {\n\t\tif _, err := url.Parse(uri); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"invalid URI %q: %w\", uri, err)\n\t\t}\n\t}\n\n\tif !c.Direct {\n\t\tif !strings.HasSuffix(c.Callback, \"/\") {\n\t\t\tc.Callback = c.Callback + \"/\"\n\t\t\tws = append(ws, Warning{\n\t\t\t\tpath: \".callback\",\n\t\t\t\tmsg: `URL should end in a \"/\"`,\n\t\t\t})\n\t\t}\n\t\tif _, err := url.Parse(c.Callback); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to parse callback url: %w\", err)\n\t\t}\n\t}\n\tls, err := c.lint()\n\tws = append(ws, ls...)\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\treturn ws, nil\n}\n\nfunc (c *AMQP) lint() (w []Warning, err error) {\n\tif c.Rollup == 1 {\n\t\tw = append(w, Warning{\n\t\t\tmsg: \"`Rollup` set to 1: this means nothing\",\n\t\t})\n\t}\n\tif c.Direct && c.Callback != \"\" {\n\t\tw = append(w, Warning{\n\t\t\tmsg: \"`Callback` and `Direct` set: `Callback` will be ignored\",\n\t\t})\n\t}\n\treturn w, nil\n}\n\n// Login is the login details for a STOMP broker.\ntype Login struct {\n\tLogin string `yaml:\"login\" json:\"login\"`\n\tPasscode string `yaml:\"passcode\" json:\"passcode\"`\n}\n\n// STOMP configures the STOMP notification mechanism.\ntype STOMP struct {\n\t// optional tls portion of config\n\tTLS *TLS `yaml:\"tls,omitempty\" json:\"tls,omitempty\"`\n\t// optional user login portion of config\n\tLogin *Login `yaml:\"user,omitempty\" json:\"user,omitempty\"`\n\t// The callback url where notifications are retrieved.\n\tCallback string `yaml:\"callback\" json:\"callback\"`\n\t// the destination messages will be delivered to\n\tDestination string `yaml:\"destination\" json:\"destination\"`\n\t// a list of URIs to send messages to.\n\t// a linear search of this list is always performed.\n\t//\n\t// Note that \"URI\" is a misnomer, this must be host:port pairs.\n\tURIs []string `yaml:\"uris\" json:\"uris\"`\n\t// Specifies the number of notifications delivered in single STOMP message\n\t// when Direct is true.\n\t//\n\t// Ignored if Direct is not true\n\t// If 0 or 1 is provided no rollup occurs and each notification is delivered\n\t// separately.\n\tRollup int `yaml:\"rollup,omitempty\" json:\"rollup,omitempty\"`\n\t// Configures the STOMP delivery to deliver notifications directly to\n\t// the configured Destination.\n\t//\n\t// If true \"Callback\" is ignored.\n\t// If false a notifier.Callback is delivered to the queue and clients\n\t// utilize the pagination API to retrieve.\n\tDirect bool `yaml:\"direct,omitempty\" json:\"direct,omitempty\"`\n}\n\nfunc (c *STOMP) validate(mode Mode) ([]Warning, error) {\n\tif mode != ComboMode && mode != NotifierMode {\n\t\treturn nil, nil\n\t}\n\tvar ws []Warning\n\tif len(c.URIs) == 0 {\n\t\treturn nil, fmt.Errorf(\"missing URIs for STOMP broker\")\n\t}\n\tfor _, u := range c.URIs {\n\t\tif _, _, err := net.SplitHostPort(u); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"bad host:port %q: %w\", u, err)\n\t\t}\n\t}\n\tif !c.Direct {\n\t\tif !strings.HasSuffix(c.Callback, \"/\") {\n\t\t\tc.Callback = c.Callback + \"/\"\n\t\t\tws = append(ws, Warning{\n\t\t\t\tpath: \".callback\",\n\t\t\t\tmsg: `URL should end in a \"/\"`,\n\t\t\t})\n\t\t}\n\t\tif _, err := url.Parse(c.Callback); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to parse callback url: %w\", err)\n\t\t}\n\t}\n\tls, err := c.lint()\n\tws = append(ws, ls...)\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\treturn ws, nil\n}\n\nfunc (c *STOMP) lint() (w []Warning, err error) {\n\tif c.Rollup == 1 {\n\t\tw = append(w, Warning{\n\t\t\tmsg: \"`Rollup` set to 1: this means nothing\",\n\t\t})\n\t}\n\tif c.Direct && c.Callback != \"\" {\n\t\tw = append(w, Warning{\n\t\t\tmsg: \"`Callback` and `Direct` set: `Callback` will be ignored\",\n\t\t})\n\t}\n\treturn w, nil\n}\n"
},
{
"path": "config/otlp.go",
"content": "package config\n\nimport (\n\t\"fmt\"\n\t\"path\"\n\t\"strings\"\n)\n\n// OTLPCommon is common configuration options for an OTLP client.\ntype OTLPCommon struct {\n\t// Compression configures payload compression.\n\t//\n\t// Only \"gzip\" is guaranteed to exist for both HTTP and gRPC.\n\tCompression OTLPCompressor `yaml:\"compression,omitempty\" json:\"compression,omitempty\"`\n\t// Endpoint is the host and port pair that the client should connect to.\n\t// This is not a URL and must not have a scheme or trailing slashes.\n\t//\n\t// The default is \"localhost:4317\" for gRPC and \"localhost:4318\" for HTTP.\n\tEndpoint string `yaml:\"endpoint,omitempty\" json:\"endpoint,omitempty\"`\n\t// Headers adds additional headers to requests.\n\tHeaders map[string]string `yaml:\"headers,omitempty\" json:\"headers,omitempty\"`\n\t// Insecure allows using an unsecured connection to the collector.\n\t//\n\t// For gRPC, this means certificate validation is not done.\n\t// For HTTP, this means HTTP is used instead of HTTPS.\n\tInsecure bool `yaml:\"insecure,omitempty\" json:\"insecure,omitempty\"`\n\t// Timeout is the maximum amount of time for a submission.\n\t//\n\t// The default is 10 seconds.\n\tTimeout *Duration `yaml:\"timeout,omitempty\" json:\"timeout,omitempty\"`\n\t// ClientTLS configures client TLS certificates, meaning a user should\n\t// ignore the \"RootCA\" member and look only at the \"Cert\" and \"Key\" members.\n\t//\n\t// See the documentation for the TLS struct for recommendations on\n\t// configuring certificate authorities.\n\tClientTLS *TLS `yaml:\"client_tls,omitempty\" json:\"client_tls,omitempty\"`\n}\n\n// Lint implements [linter].\nfunc (c *OTLPCommon) lint() (ws []Warning, _ error) {\n\tif c.Timeout != nil && *c.Timeout == 0 {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".timeout\",\n\t\t\tmsg: \"timeout of 0 is almost certainly wrong\",\n\t\t})\n\t}\n\treturn ws, nil\n}\n\n// Validate implements [validator].\nfunc (c *OTLPCommon) validate(_ Mode) (ws []Warning, _ error) {\n\treturn c.lint()\n}\n\n// OTLPHTTPCommon is common configuration options for an OTLP HTTP client.\ntype OTLPHTTPCommon struct {\n\tOTLPCommon\n\t// URLPath overrides the URL path for sending traces. If unset, the default\n\t// is \"/v1/traces\".\n\tURLPath string `yaml:\"url_path,omitempty\" json:\"url_path,omitempty\"`\n}\n\n// Lint implements [linter].\nfunc (c *OTLPHTTPCommon) lint() (ws []Warning, _ error) {\n\tif c.URLPath != \"\" && strings.HasSuffix(c.URLPath, \"/\") {\n\t\tws = append(ws, Warning{\n\t\t\tpath: \".URLPath\",\n\t\t\tmsg: fmt.Sprintf(\"path %q has a trailing slash; this is probably incorrect\", c.URLPath),\n\t\t})\n\t}\n\treturn ws, nil\n}\n\n// Validate implements [validator].\nfunc (c *OTLPHTTPCommon) validate(_ Mode) (ws []Warning, err error) {\n\tws, err = c.lint()\n\tif err != nil {\n\t\treturn ws, err\n\t}\n\tif c.URLPath != \"\" {\n\t\tc.URLPath = path.Clean(c.URLPath)\n\t\tif !path.IsAbs(c.URLPath) {\n\t\t\treturn ws, &Warning{\n\t\t\t\tpath: \".URLPath\",\n\t\t\t\tmsg: fmt.Sprintf(\"path %q must be absolute\", c.URLPath),\n\t\t\t}\n\t\t}\n\t}\n\treturn ws, nil\n}\n\n// OTLPgRPCCommon is common configuration options for an OTLP gRPC client.\ntype OTLPgRPCCommon struct {\n\tOTLPCommon\n\t// Reconnect sets the minimum amount of time between connection attempts.\n\tReconnect *Duration `yaml:\"reconnect,omitempty\" json:\"reconnect,omitempty\"`\n\t// ServiceConfig specifies a gRPC service config as a string containing JSON.\n\t// See the [doc] for the format and possibilities.\n\t//\n\t// [doc]: https://github.com/grpc/grpc/blob/master/doc/service_config.md\n\tServiceConfig string `yaml:\"service_config,omitempty\" json:\"service_config,omitempty\"`\n}\n\n// TraceOTLP is the configuration for an OTLP traces client.\n//\n// See the [OpenTelemetry docs] for more information on traces.\n// See the Clair docs for the current status of of the instrumentation.\n//\n// [OpenTelemetry docs]: https://opentelemetry.io/docs/concepts/signals/traces/\ntype TraceOTLP struct {\n\t// HTTP configures OTLP via HTTP.\n\tHTTP *TraceOTLPHTTP `yaml:\"http,omitempty\" json:\"http,omitempty\"`\n\t// GRPC configures OTLP via gRPC.\n\tGRPC *TraceOTLPgRPC `yaml:\"grpc,omitempty\" json:\"grpc,omitempty\"`\n}\n\n// Lint implements [linter].\nfunc (t *TraceOTLP) lint() (ws []Warning, _ error) {\n\tif t.HTTP != nil && t.GRPC != nil {\n\t\tws = append(ws, Warning{\n\t\t\tmsg: `both \"http\" and \"grpc\" are configured, this may cause duplicate submissions`,\n\t\t})\n\t}\n\treturn ws, nil\n}\n\n// TraceOTLPHTTP is the configuration for an OTLP traces HTTP client.\ntype TraceOTLPHTTP struct {\n\tOTLPHTTPCommon\n}\n\n// TraceOTLPgRPC is the configuration for an OTLP traces gRPC client.\ntype TraceOTLPgRPC struct {\n\tOTLPgRPCCommon\n}\n\n// MetricOTLP is the configuration for an OTLP metrics client.\n//\n// See the [OpenTelemetry docs] for more information on metrics.\n// See the Clair docs for the current status of of the instrumentation.\n//\n// [OpenTelemetry docs]: https://opentelemetry.io/docs/concepts/signals/metrics/\ntype MetricOTLP struct {\n\t// HTTP configures OTLP via HTTP.\n\tHTTP *MetricOTLPHTTP `yaml:\"http,omitempty\" json:\"http,omitempty\"`\n\t// GRPC configures OTLP via gRPC.\n\tGRPC *MetricOTLPgRPC `yaml:\"grpc,omitempty\" json:\"grpc,omitempty\"`\n}\n\n// Lint implements [linter].\nfunc (m *MetricOTLP) lint() (ws []Warning, _ error) {\n\tif m.HTTP != nil && m.GRPC != nil {\n\t\tws = append(ws, Warning{\n\t\t\tmsg: `both \"http\" and \"grpc\" are configured, this may cause duplicate submissions`,\n\t\t})\n\t}\n\treturn ws, nil\n}\n\n// MetricOTLPHTTP is the configuration for an OTLP metrics HTTP client.\ntype MetricOTLPHTTP struct {\n\tOTLPHTTPCommon\n}\n\n// MetricOTLPgRPC is the configuration for an OTLP metrics gRPC client.\ntype MetricOTLPgRPC struct {\n\tOTLPgRPCCommon\n}\n\n//go:generate go run golang.org/x/tools/cmd/stringer@latest -type OTLPCompressor -linecomment\n\n// OTLPCompressor is the valid options for compressing OTLP payloads.\ntype OTLPCompressor int\n\n// OTLPCompressor values\nconst (\n\tOTLPCompressUnset OTLPCompressor = iota //\n\tOTLPCompressNone // none\n\tOTLPCompressGzip // gzip\n)\n"
},
{
"path": "config/otlpcompressor_string.go",
"content": "// Code generated by \"stringer -type OTLPCompressor -linecomment\"; DO NOT EDIT.\n\npackage config\n\nimport \"strconv\"\n\nfunc _() {\n\t// An \"invalid array index\" compiler error signifies that the constant values have changed.\n\t// Re-run the stringer command to generate them again.\n\tvar x [1]struct{}\n\t_ = x[OTLPCompressUnset-0]\n\t_ = x[OTLPCompressNone-1]\n\t_ = x[OTLPCompressGzip-2]\n}\n\nconst _OTLPCompressor_name = \"nonegzip\"\n\nvar _OTLPCompressor_index = [...]uint8{0, 0, 4, 8}\n\nfunc (i OTLPCompressor) String() string {\n\tif i < 0 || i >= OTLPCompressor(len(_OTLPCompressor_index)-1) {\n\t\treturn \"OTLPCompressor(\" + strconv.FormatInt(int64(i), 10) + \")\"\n\t}\n\treturn _OTLPCompressor_name[_OTLPCompressor_index[i]:_OTLPCompressor_index[i+1]]\n}\n"
},
{
"path": "config/reflect.go",
"content": "package config\n\nimport (\n\t\"fmt\"\n\t\"reflect\"\n\t\"strings\"\n)\n\ntype walkFunc func(interface{}) ([]Warning, error)\n\nfunc forEach(i interface{}, f walkFunc) ([]Warning, error) {\n\tvar ws []Warning\n\tv := reflect.ValueOf(i)\n\treturn ws, walk(&ws, \"$\", v, f)\n}\n\nfunc walk(ws *[]Warning, path string, v reflect.Value, wf walkFunc) error {\n\tt := v.Type()\n\tvar vi interface{}\n\t// Figure out if we should take the address to do the interface\n\t// assertion, or if the value is already a pointer.\n\tswitch {\n\tcase t.Kind() != reflect.Ptr && v.CanAddr():\n\t\tvi = v.Addr().Interface()\n\tcase v.CanInterface() && v.IsValid() && !v.IsZero():\n\t\tvi = v.Interface()\n\t}\n\n\tif vi != nil {\n\t\tw, err := wf(vi)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor i := range w {\n\t\t\t// Adjust the path here, so that the lint method doesn't need to\n\t\t\t// know where it is.\n\t\t\tw[i].path = path + w[i].path\n\t\t}\n\t\t*ws = append(*ws, w...)\n\t}\n\n\t// Dereference the pointer, if this is a pointer.\n\tif t.Kind() == reflect.Ptr {\n\t\tt = t.Elem()\n\t\tv = v.Elem()\n\t}\n\tif !v.IsValid() {\n\t\treturn nil\n\t}\n\tswitch t.Kind() {\n\tcase reflect.Struct:\n\t\tfor i, lim := 0, t.NumField(); i < lim; i++ {\n\t\t\tf := t.Field(i)\n\t\t\tn := f.Name\n\t\t\tif t := f.Tag.Get(\"json\"); t != \"\" && t != \"-\" {\n\t\t\t\t// Handle the comma options.\n\t\t\t\tif i := strings.IndexByte(t, ','); i != -1 {\n\t\t\t\t\tt = t[:i]\n\t\t\t\t}\n\t\t\t\tn = t\n\t\t\t}\n\t\t\tp := fmt.Sprintf(`%s.%s`, path, n)\n\t\t\tif err := walk(ws, p, v.Field(i), wf); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\tcase reflect.Map:\n\t\ti := v.MapRange()\n\t\tfor i.Next() {\n\t\t\tp := fmt.Sprintf(`%s.[%s]`, path, i.Key().String())\n\t\t\tif err := walk(ws, p, i.Value(), wf); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t}\n\tcase reflect.Slice:\n\t\tfor i, lim := 0, v.Len(); i < lim; i++ {\n\t\t\tp := fmt.Sprintf(`%s.[%d]`, path, i)\n\t\t\tif err := walk(ws, p, v.Index(i), wf); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\tdefault:\n\t\t// everything else, just pass\n\t}\n\treturn nil\n}\n"
},
{
"path": "config/tags_test.go",
"content": "package config\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n)\n\n// TestTags checks that exported types and fields used in the root Config struct\n// have struct tags.\nfunc TestTags(t *testing.T) {\n\tt.Logf(\"checking for: %v\", wanttags)\n\tnt := reflect.TypeOf(Config{})\n\tt.Run(nt.Name(), func(t *testing.T) { typecheck(t, nt) })\n}\n\nvar wanttags = []string{`json`, `yaml`}\n\nfunc typecheck(t *testing.T, typ reflect.Type) {\n\tfor i, lim := 0, typ.NumField(); i < lim; i++ {\n\t\tf := typ.Field(i)\n\t\tif !f.IsExported() {\n\t\t\tcontinue\n\t\t}\n\t\t// track the number of names for this field\n\t\tvals := make(map[string]struct{})\n\t\t// track which tag has which name\n\t\ttagval := make(map[string]string)\n\t\t// If embedded, there shouldn't be any tags.\n\t\tif f.Anonymous {\n\t\t\tif f.Tag != \"\" {\n\t\t\t\tt.Errorf(\"%s.%s: unexpected tag %q\", typ.Name(), f.Name, f.Tag)\n\t\t\t}\n\t\t\tgoto Recurse\n\t\t}\n\t\tfor _, n := range wanttags {\n\t\t\tif v, ok := f.Tag.Lookup(n); !ok {\n\t\t\t\tt.Errorf(\"%s.%s: missing %q tag\", typ.Name(), f.Name, n)\n\t\t\t} else {\n\t\t\t\tvals[v] = struct{}{}\n\t\t\t\ttagval[n] = v\n\t\t\t}\n\t\t}\n\t\tif len(vals) != 1 {\n\t\t\tt.Errorf(\"different names for %q: %v\", f.Name, tagval)\n\t\t}\n\tRecurse:\n\t\t// Recurse on structs and pointers-to-structs.\n\t\tswitch nt := f.Type; nt.Kind() {\n\t\tcase reflect.Ptr:\n\t\t\tpt := nt.Elem()\n\t\t\tif pt.Kind() != reflect.Struct {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tnt = nt.Elem()\n\t\t\tfallthrough\n\t\tcase reflect.Struct:\n\t\t\tt.Run(nt.Name(), func(t *testing.T) { typecheck(t, nt) })\n\t\t}\n\t}\n}\n"
},
{
"path": "config/tls.go",
"content": "package config\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n)\n\n// TLS describes some TLS settings.\n//\n// Some uses of this type ignore the RootCA member; see the documentation at the\n// use site to determine if that's the case.\n//\n// Using the environment variables \"SSL_CERT_DIR\" or \"SSL_CERT_FILE\" or\n// modifying the system's trust store are the ways to modify root CAs for all\n// outgoing TLS connections.\ntype TLS struct {\n\t// The filesystem path where a root CA can be read.\n\t//\n\t// This can also be controlled by the SSL_CERT_FILE and SSL_CERT_DIR\n\t// environment variables, or adding the relevant certs to the system trust\n\t// store.\n\tRootCA string `yaml:\"root_ca\" json:\"root_ca\"`\n\t// The filesystem path where a TLS certificate can be read.\n\tCert string `yaml:\"cert\" json:\"cert\"`\n\t// The filesystem path where a TLS private key can be read.\n\tKey string `yaml:\"key\" json:\"key\"`\n}\n\n// Config returns a tls.Config modified according to the TLS struct.\n//\n// If the *TLS is nil, a default tls.Config is returned.\nfunc (t *TLS) Config() (*tls.Config, error) {\n\tvar cfg tls.Config\n\tif t == nil {\n\t\treturn &cfg, nil\n\t}\n\n\tif t.RootCA != \"\" {\n\t\tp, err := x509.SystemCertPool()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tca, err := os.ReadFile(t.RootCA)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to read tls root ca: %w\", err)\n\t\t}\n\t\tif !p.AppendCertsFromPEM(ca) {\n\t\t\treturn nil, errors.New(\"unable to add certificate to pool\")\n\t\t}\n\t\tcfg.RootCAs = p\n\t}\n\n\tcert, err := tls.LoadX509KeyPair(t.Cert, t.Key)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to read x509 cert and key pair: %w\", err)\n\t}\n\tcfg.Certificates = append(cfg.Certificates, cert)\n\tcfg.MinVersion = tls.VersionTLS12\n\n\treturn &cfg, nil\n}\n\nfunc (t *TLS) lint() ([]Warning, error) {\n\tif t.RootCA != \"\" {\n\t\treturn []Warning{{\n\t\t\tpath: \".root_ca\",\n\t\t\tinner: fmt.Errorf(`use environment variables \"SSL_CERT_FILE\" or \"SSL_CERT_DIR\": %w`, ErrDeprecated),\n\t\t}}, nil\n\t}\n\treturn nil, nil\n}\n\nfunc (t *TLS) validate(_ Mode) ([]Warning, error) {\n\tif (t.Cert != \"\" || t.Key != \"\") && (t.Cert == \"\" || t.Key == \"\") {\n\t\treturn nil, errors.New(\"both tls cert and key are required\")\n\t}\n\tfor _, n := range []string{t.RootCA, t.Cert, t.Key} {\n\t\tif n == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\t_, err := os.Stat(n)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(`error accessing %q: %w`, n, err)\n\t\t}\n\t}\n\treturn nil, nil\n}\n"
},
{
"path": "config/updaters.go",
"content": "package config\n\n// Updaters configures updater behavior.\ntype Updaters struct {\n\t// Filter is a regexp that disallows updaters that do not match from\n\t// running.\n\t// TODO(louis): this is only used in clairctl, should we keep this?\n\t// it may offer an escape hatch for a particular updater name\n\t// from running, vs disabling the updater set completely.\n\tFilter string `yaml:\"filter,omitempty\" json:\"filter,omitempty\"`\n\t// Config holds configuration blocks for UpdaterFactories and Updaters,\n\t// keyed by name.\n\t//\n\t// These are defined by the updater implementation and can't be documented\n\t// here. Improving the documentation for these is an open issue.\n\tConfig map[string]interface{} `yaml:\"config,omitempty\" json:\"config,omitempty\"`\n\t// A slice of strings representing which updaters will be used.\n\t//\n\t// If nil all default UpdaterSets will be used\n\t//\n\t// The following sets are supported by default:\n\t// \"alpine\"\n\t// \"aws\"\n\t// \"clair.cvss\"\n\t// \"debian\"\n\t// \"oracle\"\n\t// \"osv\"\n\t// \"photon\"\n\t// \"rhcc\"\n\t// \"rhel-vex\"\n\t// \"suse\"\n\t// \"ubuntu\"\n\tSets []string `yaml:\"sets,omitempty\" json:\"sets,omitempty\"`\n}\n"
},
{
"path": "config/validate.go",
"content": "package config\n\n// Validate confirms the necessary values to support the desired Clair mode\n// exist and sets default values.\nfunc Validate(c *Config) ([]Warning, error) {\n\treturn forEach(c, func(i interface{}) ([]Warning, error) {\n\t\tif v, ok := i.(validator); ok {\n\t\t\treturn v.validate(c.Mode)\n\t\t}\n\t\treturn nil, nil\n\t})\n}\n\n// Types that want complex defaults or to fail validation can implement the\n// validator interface.\ntype validator interface {\n\tvalidate(Mode) ([]Warning, error)\n}\n"
},
{
"path": "config.yaml.sample",
"content": "# Copyright 2015 clair authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n---\nintrospection_addr: localhost:8089\nhttp_listen_addr: localhost:8080\nlog_level: debug\nindexer:\n connstring: host=localhost port=5432 user=clair dbname=clair sslmode=disable\n scanlock_retry: 10\n layer_scan_concurrency: 5\n migrations: true\nmatcher:\n indexer_addr: \"localhost:8080\"\n connstring: host=localhost port=5432 user=clair dbname=clair sslmode=disable\n max_conn_pool: 100\n migrations: true\n updater_sets:\n - \"alpine\"\n - \"aws\"\n - \"debian\"\n - \"oracle\"\n - \"osv\"\n - \"photon\"\n - \"rhcc\"\n - \"rhel\"\n - \"suse\"\n - \"ubuntu\"\nmatchers:\n names:\n - \"alpine-matcher\"\n - \"aws-matcher\"\n - \"debian-matcher\"\n - \"gobin\"\n - \"java-maven\"\n - \"oracle\"\n - \"photon\"\n - \"python\"\n - \"rhel\"\n - \"rhel-container-matcher\"\n - \"suse\"\n - \"ubuntu\"\n config: {}\nnotifier:\n indexer_addr: http://clair-indexer:8080/\n matcher_addr: http://clair-matcher:8080/\n connstring: host=localhost port=5432 user=clair dbname=clair sslmode=disable\n migrations: true\n delivery_interval: 1m\n poll_interval: 5m\n # if multiple delivery methods are defined the only one will be selected.\n # preference order:\n # webhook, amqp, stomp\n webhook:\n target: \"http://webhook/\"\n callback: \"http://clair-notifier/notifier/api/v1/notification\"\n amqp:\n exchange:\n name: \"\"\n type: \"direct\"\n durable: true\n auto_delete: false\n uris: [\"amqp://user:pass@host:10000/vhost\"]\n direct: false\n routing_key: \"notifications\"\n callback: \"http://clair-notifier/notifier/api/v1/notification\"\n tls:\n root_ca: \"optional/path/to/rootca\"\n cert: \"mandatory/path/to/cert\"\n key: \"mandatory/path/to/key\"\n stomp:\n destination: \"notifications\"\n direct: false\n callback: \"http://clair-notifier/notifier/api/v1/notification\"\n login:\n login: \"username\"\n passcode: \"passcode\"\n tls:\n root_ca: \"optional/path/to/rootca\"\n cert: \"mandatory/path/to/cert\"\n key: \"mandatory/path/to/key\"\n\ntrace:\n name: \"jaeger\"\n probability: 1\n jaeger:\n agent:\n endpoint: \"localhost:6831\"\n service_name: \"clair\"\n\nmetrics:\n name: \"prometheus\"\n"
},
{
"path": "contrib/cmd/quaybackstop/Dockerfile",
"content": "# syntax=docker.io/docker/dockerfile:1.7\n\n# Copyright 2024 clair authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# This Dockerfile expects the context to be the root of the repo, e.g.:\n# go run github.com/moby/buildkit/cmd/buildctl@latest build \\\n# --frontend dockerfile.v0 \\\n# --local context=. --local dockerfile=contrib/cmd/quaybackstop\n\nARG GOTOOLCHAIN=local\nARG GO_VERSION=1.25\nFROM --platform=$BUILDPLATFORM quay.io/projectquay/golang:${GO_VERSION} AS build\nWORKDIR /build\nRUN --mount=type=cache,target=/root/.cache/go-build \\\n\t--mount=type=cache,target=/go/pkg/mod \\\n\t--mount=type=bind,source=go.mod,target=go.mod \\\n\t--mount=type=bind,source=go.sum,target=go.sum \\\n\tgo mod download\n\nARG TARGETOS\nARG TARGETARCH\nARG TARGETVARIANT\nRUN --mount=type=bind,target=. \\\n\t--mount=type=cache,target=/root/.cache/go-build \\\n\t--mount=type=cache,target=/go/pkg/mod \\\n\t--network=none \\\n\t<<.\nset -e\nexport GOOS=\"$TARGETOS\" GOARCH=\"$TARGETARCH\" GOBIN=/out/bin CGO_ENABLED=0\nif [ -n \"$TARGETVARIANT\" ]; then\n\tcase \"$TARGETARCH\" in\n\tamd64) export GOAMD64=\"$TARGETVARIANT\" ;;\n\tppc64*) export GOPPC64=\"$TARGETVARIANT\" ;;\n\tesac\nfi\ninstall -d \"${GOBIN}\"\ngo build -ldflags=\"-s -w\" -trimpath -o \"${GOBIN}\" ./contrib/cmd/quaybackstop\n.\n\nFROM gcr.io/distroless/static:nonroot AS final\nCOPY --from=build /out/bin/quaybackstop /\nWORKDIR /run\nUSER 65532:65532\nENTRYPOINT [\"/quaybackstop\"]\n"
},
{
"path": "contrib/cmd/quaybackstop/clair.go",
"content": "//go:build go1.23\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"iter\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/quay/clair/v4/cmd\"\n\n\t\"github.com/go-jose/go-jose/v3\"\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/rogpeppe/go-internal/lockedfile\"\n\t\"golang.org/x/sync/errgroup\"\n)\n\nfunc (a *App) SetClairGABI(s string) (err error) {\n\ta.ClairGABI, err = url.Parse(s)\n\treturn err\n}\n\nfunc (a *App) SetClairGABIAuth(s string) error {\n\tif s == \"\" {\n\t\treturn errors.New(\"bad Clair GABI auth: empty string\")\n\t}\n\ta.ClairGABIAuth = &s\n\treturn nil\n}\n\nfunc (a *App) SetClairConfig(s string) error {\n\tslog.Debug(\"clair config flag\", \"argument\", s)\n\ta.ClairConfig = new(config.Config)\n\tif err := cmd.LoadConfig(a.ClairConfig, s, false); err != nil {\n\t\treturn err\n\t}\n\n\tsk := jose.SigningKey{\n\t\tAlgorithm: jose.HS256,\n\t\tKey: []byte(a.ClairConfig.Auth.PSK.Key),\n\t}\n\tsigner, err := jose.NewSigner(sk, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\ta.jwtSigner = signer\n\n\ta.clairDB = sync.OnceValues(func() (*pgxpool.Pool, error) {\n\t\tcfg, err := pgxpool.ParseConfig(a.ClairConfig.Indexer.ConnString)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tcfg.MaxConns = int32(1) // Should only need one -- only used for reading the set of Clair manifests.\n\t\tinit, done := context.WithTimeoutCause(context.Background(), 10*time.Second,\n\t\t\terrors.New(\"too slow to do initial connection to Clair database\"))\n\t\tdefer done()\n\t\treturn pgxpool.NewWithConfig(init, cfg)\n\t})\n\treturn nil\n}\n\nfunc (a *App) SetIndexerAddr(s string) (err error) {\n\ta.IndexerAddr, err = url.Parse(s)\n\treturn err\n}\n\n// AllManifests reports pages (slices of length [App.PageSize]) of all manifests\n// in the Clair database.\n//\n// This process is single-threaded, although it might be able to be made\n// concurrent with sufficient effort.\nfunc (a *App) AllManifests(ctx context.Context) (iter.Seq[[]string], func() error) {\n\tvar retErr error\n\tvar inner func(*int64) iter.Seq2[[]string, error]\n\tvar pageToken int64\n\tvar lastPage bool\n\tqstr := fmt.Sprintf(\n\t\t`SELECT id, hash FROM manifest WHERE id > $1 ORDER BY id ASC LIMIT %d;`,\n\t\ta.PageSize)\n\n\tupdateCursor := func() {}\n\tif a.CursorFile != nil {\n\t\tb, err := lockedfile.Read(*a.CursorFile)\n\t\tswitch {\n\t\tcase err == nil:\n\t\t\t_, err = fmt.Fscanln(bytes.NewReader(b), &pageToken)\n\t\tcase errors.Is(err, fs.ErrNotExist):\n\t\t\terr = nil\n\t\tdefault:\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, func() error {\n\t\t\t\treturn fmt.Errorf(\"unable to read cursor file %q: %w\", *a.CursorFile, err)\n\t\t\t}\n\t\t}\n\t\tslog.Info(\"loaded id from cursor\", \"id\", pageToken)\n\n\t\tupdateCursor = func() {\n\t\t\tif lastPage {\n\t\t\t\tslog.Info(\"reached last page; resetting cursor for next run\", \"id\", pageToken)\n\t\t\t\tpageToken = 0\n\t\t\t}\n\t\t\terr := lockedfile.Transform(*a.CursorFile, func(prev []byte) ([]byte, error) {\n\t\t\t\tif !bytes.Equal(b, prev) {\n\t\t\t\t\treturn nil,\n\t\t\t\t\t\tfmt.Errorf(\"cursorfile changed while running, not updating (got %#q, expected %#q)\",\n\t\t\t\t\t\t\tstring(prev), string(b))\n\t\t\t\t}\n\t\t\t\treturn append(strconv.AppendInt(nil, pageToken, 10), '\\n'), nil\n\t\t\t})\n\t\t\tif err != nil {\n\t\t\t\tslog.Error(\"unable to write cursor file\", \"error\", err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tslog.Info(\"wrote cursor file\", \"file\", *a.CursorFile, \"id\", pageToken)\n\t\t}\n\t}\n\n\tswitch {\n\t// Prefer using the GABI interface.\n\tcase a.ClairGABI != nil:\n\t\tinner = func(id *int64) iter.Seq2[[]string, error] {\n\t\t\tstr := &strings.Builder{}\n\t\t\tbuf := &bytes.Buffer{}\n\t\t\tenc := json.NewEncoder(buf)\n\t\t\tenc.SetEscapeHTML(false)\n\t\t\tfstr := strings.ReplaceAll(qstr, \"$1\", \"%d\")\n\t\t\treturn func(yield func([]string, error) bool) {\n\t\t\t\tfor {\n\t\t\t\t\tstr.Reset()\n\t\t\t\t\tfmt.Fprintf(str, fstr, *id)\n\t\t\t\t\tif err := enc.Encode(query(str)); err != nil {\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\n\t\t\t\t\tvar qRes *gabiResponse\n\t\t\t\t\tqRes, err := a.GABIQuery(ctx, a.ClairGABI, buf)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\n\t\t\t\t\t// Skip the initial value, it's the list of columns\n\t\t\t\t\trows := qRes.Result[1:]\n\t\t\t\t\t*id, err = strconv.ParseInt(rows[len(rows)-1][0], 10, 64)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t\tvals := make([]string, len(rows))\n\t\t\t\t\tfor i, row := range rows {\n\t\t\t\t\t\tvals[i] = row[1]\n\t\t\t\t\t}\n\t\t\t\t\tif !yield(vals, nil) {\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t// Second favorite: direct database access.\n\tcase a.clairDB != nil:\n\t\tpool, err := a.clairDB()\n\t\tif err != nil {\n\t\t\tretErr = err\n\t\t\tbreak\n\t\t}\n\n\t\tinner = func(id *int64) iter.Seq2[[]string, error] {\n\t\t\treturn func(yield func([]string, error) bool) {\n\t\t\t\tfor {\n\t\t\t\t\tvals := make([]string, a.PageCount)\n\t\t\t\t\terr := pool.AcquireFunc(ctx, func(c *pgxpool.Conn) error {\n\t\t\t\t\t\trows, err := c.Query(ctx, qstr, *id)\n\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t}\n\t\t\t\t\t\tdefer rows.Close()\n\n\t\t\t\t\t\ti := 0\n\t\t\t\t\t\tfor rows.Next() {\n\t\t\t\t\t\t\tif err := rows.Scan(id, &vals[i]); err != nil {\n\t\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\ti++\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif err := rows.Err(); err != nil {\n\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvals = vals[:i]\n\n\t\t\t\t\t\treturn nil\n\t\t\t\t\t})\n\t\t\t\t\tswitch {\n\t\t\t\t\tcase err == nil:\n\t\t\t\t\tcase errors.Is(err, pgx.ErrNoRows):\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t\tif !yield(vals, nil) {\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Seq wraps \"inner\" and does page counting and error handling.\n\tseq := func(yield func([]string) bool) {\n\t\tnext, stop := iter.Pull2(inner(&pageToken))\n\t\tdefer stop()\n\t\tfor i := 0; a.PageCount < 0 || i < a.PageCount; i++ {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\tretErr = context.Cause(ctx)\n\t\t\t\treturn\n\t\t\tdefault:\n\t\t\t}\n\t\t\ts, err, valid := next()\n\t\t\tif err != nil {\n\t\t\t\tretErr = err\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif !valid {\n\t\t\t\tslog.Debug(\"done reading manifests\", \"count\", len(s), \"want\", a.PageSize, \"valid\", valid)\n\t\t\t\tlastPage = true\n\t\t\t}\n\t\t\tif !yield(s) || lastPage {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\n\treturn seq, func() error {\n\t\tdefer updateCursor()\n\t\tif err := retErr; err != nil {\n\t\t\treturn fmt.Errorf(\"querying Clair DB: %w\", err)\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// IssueDeletes sends bulk manifest delete requests to Clair.\n//\n// If not in dry-run mode, this requires the Indexer address and any needed auth\n// to be configured.\nfunc (a *App) IssueDeletes(ctx context.Context, seq iter.Seq[[]string]) error {\n\t// Memoized endpoint -- done this way to make the dry-run mode play nice.\n\tu := sync.OnceValue(func() *url.URL {\n\t\treturn a.IndexerAddr.JoinPath(\"manifest\")\n\t})\n\t// Channel that feeds the workers. Closed by the reader.\n\t// The reader waits on the passed context.\n\tch := make(chan []string)\n\t// Worker function: has its own dedicated buffer and JSON encoder.\n\tworker := func() error {\n\t\tbuf := &bytes.Buffer{}\n\t\tenc := json.NewEncoder(buf)\n\t\tfor todo := range ch {\n\t\t\tif a.DryRun {\n\t\t\t\tif len(todo) != 0 {\n\t\t\t\t\tslog.Debug(\"would delete\", \"manifests\", todo)\n\t\t\t\t}\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tif err := enc.Encode(todo); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treq, err := a.NewRequestWithContext(ctx, http.MethodDelete, u(), buf)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\n\t\t\tres, err := http.DefaultClient.Do(req)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tswitch res.StatusCode {\n\t\t\tcase http.StatusOK:\n\t\t\t\tif err := res.Body.Close(); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\tdefault:\n\t\t\t\treturn errors.Join(\n\t\t\t\t\tfmt.Errorf(\"unexpected response: %s\", res.Status),\n\t\t\t\t\tres.Body.Close(),\n\t\t\t\t)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n\n\teg, ctx := errgroup.WithContext(ctx)\n\teg.SetLimit(runtime.GOMAXPROCS(0) + 1) // allow GOMAXPROCS workers and 1 reader.\n\t// Reader goroutine\n\teg.Go(func() error {\n\t\tnext, stop := iter.Pull(seq)\n\t\tdefer stop()\n\t\tdefer close(ch)\n\t\tzCt, i := 0, 0\n\t\tdefer func() {\n\t\t\tif i%10 != 0 { // Don't print the status if the last page already did.\n\t\t\t\ttotal := i * a.PageSize\n\t\t\t\tslog.Info(\"manifests checked\", \"total\", total, \"exists\", zCt, \"removeable\", total-zCt)\n\t\t\t}\n\t\t}()\n\n\t\tfor todo, ok := next(); ok; todo, ok = next() {\n\t\t\ti++\n\t\t\tzCt += (a.PageSize - len(todo))\n\t\t\tif i%10 == 0 {\n\t\t\t\ttotal := i * a.PageSize\n\t\t\t\tslog.Info(\"manifests checked\", \"total\", total, \"exists\", zCt, \"removeable\", total-zCt)\n\t\t\t}\n\t\t\tselect {\n\t\t\tcase ch <- todo:\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn context.Cause(ctx)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\t// Worker goroutines.\n\tfor eg.TryGo(worker) {\n\t}\n\n\treturn eg.Wait()\n}\n"
},
{
"path": "contrib/cmd/quaybackstop/main.go",
"content": "//go:build go1.23\n\n// Quaybackstop is a helper command to ensure that Quay's GC decisions are\n// propagated back to Clair.\n//\n// This command can read either from [GABI] services or backing databases\n// directly. For Quay, database support is limited to PostgreSQL; Clair only\n// supports PostgreSQL.\n//\n// There's support for controlling the load on the database via the\n// \"page-count\", \"page-size\", and \"cursor-file\" flags. See the help output for\n// more information.\n//\n// [GABI]: https://github.com/app-sre/gabi\npackage main\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"flag\"\n\t\"fmt\"\n\t\"io\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/signal\"\n\t\"runtime/debug\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v3\"\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/quay/clair/config\"\n)\n\nfunc main() {\n\tvar code int\n\tdefer func() {\n\t\tif code != 0 {\n\t\t\tos.Exit(code)\n\t\t}\n\t}()\n\tctx := context.Background()\n\tctx, done := signal.NotifyContext(ctx, append(signals, os.Interrupt)...)\n\tdefer done()\n\tvar app App\n\topts := &slog.HandlerOptions{\n\t\tLevel: slog.LevelInfo,\n\t}\n\tflag.CommandLine.Usage = usage(flag.CommandLine)\n\tflag.BoolFunc(\"D\", \"print debugging output (-D=2 for more output)\", setLogging(opts))\n\tflag.BoolVar(&app.DryRun, \"n\", false, \"dry-run: do not issue delete requests\")\n\tflag.IntVar(&app.PageSize, \"page-size\", 100, \"pull pages of `SIZE` from the Quay database\")\n\tflag.IntVar(&app.PageCount, \"page-count\", -1, \"only process `N` pages before stopping (-1 for \\\"all\\\")\")\n\tflag.Func(\"cursor-file\", \"resume state from `FILE` and write state if \\\"page-count\\\" is set\", app.SetCursorFile)\n\tflag.Func(\"clair-gabi\", \"query Clair database via specified GABI `URL`\", app.SetClairGABI)\n\tflag.Func(\"clair-gabi-auth\", \"use provided `TOKEN` for Clair GABI queries\", app.SetClairGABIAuth)\n\tflag.Func(\"clair-config\", \"load Clair configuration from `FILE` and connect to database directly\", app.SetClairConfig)\n\tflag.Func(\"quay-gabi\", \"query Quay database via specified GABI `URL`\", app.SetQuayGABI)\n\tflag.Func(\"quay-gabi-auth\", \"use provided `TOKEN` for Quay GABI queries\", app.SetQuayGABIAuth)\n\tflag.Func(\"quay-config\", \"load Quay configuration from `FILE` and connect to database directly\", app.SetQuayConfig)\n\tflag.Func(\"indexer-addr\", \"issue deletes to indexer at `URL` (using credentials from \\\"clair-config\\\")\", app.SetIndexerAddr)\n\tflag.Parse()\n\tslog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, opts)))\n\n\tif err := Run(ctx, app); err != nil {\n\t\tslog.Error(\"exiting with error\", \"err\", err)\n\t\tcode = 1\n\t}\n}\n\n// Usage returns a function printing the customized help output for the provided\n// [flag.FlagSet].\nfunc usage(set *flag.FlagSet) func() {\n\tbuf := bufio.NewWriter(set.Output())\n\twords := []string{\n\t\t\"Usage: quaybackstop\", \"[-D]\", \"[-page-size SIZE]\", \"[-page-count N]\",\n\t\t\"[-cursor-file FILE]\", \"[-indexer-addr URL | -n]\",\n\t\t\"[-clair-gabi URL [-clair-gabi-auth TOKEN]]\", \"[-clair-config FILE]\",\n\t\t\"[-quay-gabi URL [-quay-gabi-auth TOKEN] | -quay-config FILE]\",\n\t}\n\tcols := 80\n\tif v, ok := os.LookupEnv(\"COLUMNS\"); ok && v != \"\" {\n\t\tif c, err := strconv.Atoi(v); err == nil { // backwards conditional\n\t\t\tcols = c\n\t\t}\n\t}\n\n\treturn func() {\n\t\tp, l := 0, 0\n\t\tfor _, w := range words {\n\t\t\tif p+len(w)+1 > cols {\n\t\t\t\tbuf.WriteByte('\\n')\n\t\t\t\tp = 0\n\t\t\t\tl++\n\t\t\t}\n\t\t\tif p == 0 && l != 0 {\n\t\t\t\tp, _ = buf.WriteString(strings.Repeat(\" \", len(words[0])))\n\t\t\t}\n\t\t\tif p != 0 {\n\t\t\t\tbuf.WriteByte(' ')\n\t\t\t\tp++\n\t\t\t}\n\t\t\tct, _ := buf.WriteString(w)\n\t\t\tp += ct\n\t\t}\n\t\tbuf.WriteByte('\\n')\n\t\tbuf.WriteByte('\\n')\n\t\tbuf.WriteString(\"Quaybackstop is a helper command to ensure that Quay's GC decisions are\\npropagated back to Clair.\\n\")\n\t\tbuf.WriteByte('\\n')\n\t\tbuf.WriteString(\"OPTIONS:\\n\")\n\t\tbuf.Flush()\n\t\tset.PrintDefaults()\n\t}\n}\n\n// SetLogging returns a function to be used as a [flag.BoolFunc] that sets the\n// Level of the closed-over [*slog.HandlerOptions].\nfunc setLogging(opts *slog.HandlerOptions) func(string) error {\n\treturn func(s string) error {\n\t\tif ct, err := strconv.Atoi(s); err == nil {\n\t\t\tif ct != 0 {\n\t\t\t\topts.Level = opts.Level.Level() + slog.Level(ct*int(slog.LevelDebug))\n\t\t\t} else {\n\t\t\t\topts.Level = slog.LevelInfo\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\tok, err := strconv.ParseBool(s)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif ok {\n\t\t\topts.Level = opts.Level.Level() + slog.LevelDebug\n\t\t} else {\n\t\t\topts.Level = slog.LevelInfo\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// LevelTrace is a more granular logging level.\nconst LevelTrace = slog.LevelDebug + slog.LevelDebug\n\n// Run is the main entrypoint.\nfunc Run(ctx context.Context, app App) error {\n\tapp.Status()\n\tif err := app.OK(); err != nil {\n\t\treturn err\n\t}\n\n\tdigests, clairErr := app.AllManifests(ctx)\n\trm, quayErr := app.SelectMissing(ctx, digests)\n\treturn errors.Join(app.IssueDeletes(ctx, rm), clairErr(), quayErr(), app.Close())\n}\n\n// App is the giant bag of state for the process.\n//\n// If tinkering with this struct, prefer \"Set*\" functions along with\n// [flag.FlagSet.Func] to add new elements.\ntype App struct {\n\tclairDB func() (*pgxpool.Pool, error)\n\tquayDB func() (*pgxpool.Pool, error)\n\n\tClairGABI *url.URL\n\tClairGABIAuth *string\n\tClairConfig *config.Config\n\n\tQuayGABI *url.URL\n\tQuayGABIAuth *string\n\tQuayConfig *quayConfig\n\n\tIndexerAddr *url.URL\n\tjwtSigner jose.Signer\n\tclairTokenMu *sync.RWMutex\n\tclairToken *string\n\tclairTokenResign time.Time\n\n\tCursorFile *string\n\tPageSize int\n\tPageCount int\n\n\tDryRun bool\n}\n\nfunc (a *App) SetCursorFile(s string) (err error) {\n\tslog.Debug(\"cursor file flag\", \"argument\", s)\n\tif s != \"\" {\n\t\ta.CursorFile = &s\n\t}\n\treturn nil\n}\n\n// OK reports if the App is configured sanely.\nfunc (a *App) OK() error {\n\tvar errs []error\n\tif a.ClairConfig == nil && a.ClairGABI == nil {\n\t\terrs = append(errs, errors.New(\"no Clair config provided\"))\n\t}\n\tif a.QuayConfig == nil && a.QuayGABI == nil {\n\t\terrs = append(errs, errors.New(\"no Quay config provided\"))\n\t}\n\tif a.PageCount == 0 {\n\t\terrs = append(errs, errors.New(\"asked for 0 pages\"))\n\t}\n\treturn errors.Join(errs...)\n}\n\n// Status prints the current configuration as Debug messages.\nfunc (a *App) Status() {\n\tslog.Debug(\"log level\", \"level\", slog.LevelDebug)\n\tslog.Debug(\"page size\", \"count\", a.PageSize)\n\tslog.Debug(\"page count\", \"count\", a.PageCount)\n\tslog.LogAttrs(context.Background(), slog.LevelDebug, \"cursor file\", func() (as []slog.Attr) {\n\t\tok := a.CursorFile != nil\n\t\tas = []slog.Attr{\n\t\t\tslog.Bool(\"provided\", ok),\n\t\t}\n\t\tif ok {\n\t\t\tas = append(as, slog.String(\"file\", *a.CursorFile))\n\t\t}\n\t\treturn as\n\t}()...)\n\tslog.Debug(\"Clair GABI\", \"enabled\", a.ClairGABI != nil, \"URL\", a.ClairGABI)\n\tslog.Debug(\"Clair GABI auth\", \"provided\", a.ClairGABIAuth != nil)\n\tslog.Debug(\"Clair config\", \"provided\", a.ClairConfig != nil)\n\tslog.Debug(\"Quay GABI\", \"enabled\", a.QuayGABI != nil, \"URL\", a.QuayGABI)\n\tslog.Debug(\"Quay GABI auth\", \"provided\", a.QuayGABIAuth != nil)\n\tslog.Debug(\"Quay config\", \"provided\", a.QuayConfig != nil)\n\tslog.Debug(\"indexer address\", \"URL\", a.IndexerAddr)\n\tslog.Debug(\"dry-run mode\", \"enabled\", a.DryRun)\n}\n\n// Close closes any constructed database pools.\nfunc (a *App) Close() error {\n\tvar errs []error\n\tfor _, f := range []func() (*pgxpool.Pool, error){\n\t\ta.clairDB,\n\t\ta.quayDB,\n\t} {\n\t\tif f == nil {\n\t\t\tcontinue\n\t\t}\n\t\tpool, err := f()\n\t\terrs = append(errs, err)\n\t\tif pool != nil {\n\t\t\tpool.Close()\n\t\t}\n\t}\n\treturn errors.Join(errs...)\n}\n\n// NewRequestWithContext is a wrapper around [http.NewRequestWithContext] that\n// sets defaults and authentication.\nfunc (a *App) NewRequestWithContext(ctx context.Context, method string, url *url.URL, body io.Reader) (*http.Request, error) {\n\treq, err := http.NewRequestWithContext(ctx, method, url.String(), body)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to construct request: %w\", err)\n\t}\n\treq.Header.Set(\"user-agent\", ua())\n\t// Set auth headers if needed.\n\tvar auth *string\n\tswitch h := url.Hostname(); {\n\tcase a.ClairGABI != nil && a.ClairGABI.Hostname() == h:\n\t\tauth = a.ClairGABIAuth\n\tcase a.QuayGABI != nil && a.QuayGABI.Hostname() == h:\n\t\tauth = a.QuayGABIAuth\n\tcase a.IndexerAddr != nil && a.ClairConfig != nil &&\n\t\ta.IndexerAddr.Hostname() == h:\n\t\t// This looks more complicated than it is.\n\t\tnow := time.Now()\n\n\t\ta.clairTokenMu.RLock()\n\t\tif !a.clairTokenResign.IsZero() && a.clairTokenResign.Sub(now) > jwt.DefaultLeeway {\n\t\t\tauth = a.clairToken\n\t\t}\n\t\ta.clairTokenMu.RUnlock()\n\t\tif auth != nil {\n\t\t\tbreak\n\t\t}\n\n\t\tcl := jwt.Claims{Issuer: `quay`}\n\t\tcl.IssuedAt = jwt.NewNumericDate(now)\n\t\tcl.NotBefore = jwt.NewNumericDate(now.Add(-jwt.DefaultLeeway))\n\t\ta.clairTokenResign = now.Add(15 * time.Minute)\n\t\tcl.Expiry = jwt.NewNumericDate(a.clairTokenResign)\n\t\ttok, err := jwt.Signed(a.jwtSigner).Claims(&cl).CompactSerialize()\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"jwt construction: %w\", err)\n\t\t}\n\n\t\ta.clairTokenMu.Lock()\n\t\t// Only update the stored token if we need to, but since we've taken the\n\t\t// expensive lock, make sure to at least populate the pointer.\n\t\tif a.clairTokenResign.IsZero() || a.clairTokenResign.Sub(now) < jwt.DefaultLeeway {\n\t\t\ta.clairToken = &tok\n\t\t}\n\t\tauth = a.clairToken\n\t\ta.clairTokenMu.Unlock()\n\tdefault:\n\t}\n\tif auth != nil {\n\t\treq.Header.Set(\"authorization\", \"Bearer \"+*auth)\n\t}\n\tslog.Debug(\"constructed request\", \"URL\", url, \"auth\", auth != nil)\n\treturn req, nil\n}\n\n// GABIQuery does a GABI query to the server at \"u\".\nfunc (a *App) GABIQuery(ctx context.Context, u *url.URL, buf *bytes.Buffer) (*gabiResponse, error) {\n\turl := u.JoinPath(\"query\")\n\tslog.Log(ctx, LevelTrace, \"GABI query\", \"query\", buf, \"url\", url.String())\n\n\treq, err := a.NewRequestWithContext(ctx, http.MethodPost, url, buf)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to construct query: %w\", err)\n\t}\n\tresp, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable execute query: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\tvar res gabiResponse\n\tswitch resp.StatusCode {\n\tcase http.StatusOK:\n\t\tif err := json.NewDecoder(resp.Body).Decode(&res); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"unable to read response: %w\", err)\n\t\t}\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unexpected response: %s\", resp.Status)\n\t}\n\tif res.Error != \"\" {\n\t\treturn nil, fmt.Errorf(\"gabi API error: %s\", res.Error)\n\t}\n\n\treturn &res, nil\n}\n\n// Query takes a full-formed SQL query (i.e. no parameter expansion is done) and\n// returns a [gabiQuery] that can be marshaled to the correct JSON.\nfunc query(str *strings.Builder) gabiQuery {\n\treturn gabiQuery{str.String()}\n}\n\n// GabiQuery marshals to a JSON request body for GABI.\ntype gabiQuery struct {\n\tQuery string `json:\"query\"`\n}\n\n// GabiResponse is the data returned from a GABI request.\ntype gabiResponse struct {\n\tError string `json:\"error\"`\n\tResult [][]string `json:\"result\"`\n}\n\n// Ua builds and returns a \"user-agent\" header value.\nvar ua = sync.OnceValue(func() string {\n\tua := \"quaybackstop/\"\n\tif info, ok := debug.ReadBuildInfo(); ok {\n\t\tua += info.Main.Version\n\t} else {\n\t\tua += \"???\"\n\t}\n\treturn ua\n})\n\n// FmtPostgresqlArray writes an array literal with the contents of \"strs\" to\n// \"w\".\n//\n// The input must not contain \"'\" characters.\nfunc fmtPostgresqlArray(w io.Writer, strs []string) {\n\tio.WriteString(w, `ARRAY[`)\n\tfor i, s := range strs {\n\t\tif i != 0 {\n\t\t\tw.Write([]byte(\",\"))\n\t\t}\n\t\tw.Write([]byte(\"'\"))\n\t\tio.WriteString(w, s)\n\t\tw.Write([]byte(\"'\"))\n\t}\n\tw.Write([]byte(\"]\"))\n}\n"
},
{
"path": "contrib/cmd/quaybackstop/main_old.go",
"content": "//go:build !go1.23\n\npackage main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n)\n\nfunc main() {\n\tfmt.Fprintln(os.Stderr, \"This command was compiled with an old go version: 1.23 or greater is required.\")\n\tos.Exit(2)\n}\n"
},
{
"path": "contrib/cmd/quaybackstop/quay.go",
"content": "//go:build go1.23\n\npackage main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"iter\"\n\t\"log/slog\"\n\t\"net/url\"\n\t\"os\"\n\t\"runtime\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"golang.org/x/sync/errgroup\"\n\t\"gopkg.in/yaml.v3\"\n)\n\nfunc (a *App) SetQuayGABIAuth(s string) error {\n\tif s == \"\" {\n\t\treturn errors.New(\"bad Quay GABI auth: empty string\")\n\t}\n\ta.QuayGABIAuth = &s\n\treturn nil\n}\n\nfunc (a *App) SetQuayGABI(s string) (err error) {\n\ta.QuayGABI, err = url.Parse(s)\n\treturn err\n}\n\nfunc (a *App) SetQuayConfig(s string) error {\n\tslog.Debug(\"quay config flag\", \"argument\", s)\n\ta.QuayConfig = new(quayConfig)\n\tf, err := os.Open(s)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\tif err := yaml.NewDecoder(f).Decode(&a.QuayConfig); err != nil {\n\t\treturn err\n\t}\n\tif !strings.HasPrefix(a.QuayConfig.URI, \"postgresql://\") {\n\t\treturn fmt.Errorf(`unrecognized database URI: %q (only \"postgresql\" is supported)`, a.QuayConfig.URI)\n\t}\n\n\ta.quayDB = sync.OnceValues(func() (*pgxpool.Pool, error) {\n\t\tcfg, err := pgxpool.ParseConfig(a.QuayConfig.URI)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif p := a.QuayConfig.Args.SSL.CA; p != nil {\n\t\t\ttlsCfg := cfg.ConnConfig.TLSConfig.Clone()\n\t\t\tcertPool := tlsCfg.RootCAs\n\t\t\tif certPool == nil {\n\t\t\t\tcertPool, err = x509.SystemCertPool()\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t}\n\t\t\tpem, err := os.ReadFile(*p)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif !certPool.AppendCertsFromPEM(pem) {\n\t\t\t\treturn nil, fmt.Errorf(\"unable to add CA from %q (is it PEM encoded CA certificate(s)?)\", *p)\n\t\t\t}\n\t\t}\n\t\tcfg.MaxConns = int32(runtime.GOMAXPROCS(0)) // This is how many goroutines we'll have checking manifest existence.\n\t\tinit, done := context.WithTimeoutCause(context.Background(), 10*time.Second,\n\t\t\terrors.New(\"too slow to do initial connection to Quay database\"))\n\t\tdefer done()\n\t\treturn pgxpool.NewWithConfig(init, cfg)\n\t})\n\n\treturn nil\n}\n\n// Just enough Quay config to be dangerous.\ntype quayConfig struct {\n\tArgs struct {\n\t\tSSL struct {\n\t\t\tCA *string `json:\"ca\" yaml:\"ca\"`\n\t\t} `json:\"ssl\" yaml:\"ssl\"`\n\t} `json:\"DB_CONNECTION_ARGS\" yaml:\"DB_CONNECTION_ARGS\"`\n\tURI string `json:\"DB_URI\" yaml:\"DB_URI\"`\n}\n\n// SelectMissing selects manifests that are absent from Quay (or filters\n// manifests that are present in Quay, if one prefers).\n//\n// The current implementation fans out to GOMAXPROCS goroutines and fans back in\n// to an iterator.\nfunc (a *App) SelectMissing(ctx context.Context, manifests iter.Seq[[]string]) (iter.Seq[[]string], func() error) {\n\t// Gone signals that the returned iterator's reader has stopped.\n\tgone := make(chan struct{})\n\t// In is pages from the \"manifests\" iterator.\n\t// Out is filtered pages for returning to the iterator reader.\n\tin, out := make(chan []string), make(chan []string)\n\n\teg, ctx := errgroup.WithContext(ctx)\n\teg.SetLimit(runtime.GOMAXPROCS(0) + 1) // allow GOMAXPROCS workers and 1 reader.\n\t// Reader goroutine\n\teg.Go(func() error {\n\t\tnext, stop := iter.Pull(manifests)\n\t\tdefer stop()\n\t\tdefer close(in)\n\t\tfor i := 1; ; i++ {\n\t\t\tms, ok := next()\n\t\t\tif !ok {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\tselect {\n\t\t\tcase in <- ms:\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn context.Cause(ctx)\n\t\t\tcase <-gone:\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t})\n\t// Inner is a function closing over the channel and returning an iterator\n\t// returning filtered manifests.\n\tvar inner func(<-chan []string) iter.Seq2[[]string, error]\n\n\tswitch {\n\t// Prefer the GABI interface.\n\tcase a.QuayGABI != nil:\n\t\tqueryFormatter := func(enc *json.Encoder, str *strings.Builder) func([]string) error {\n\t\t\treturn func(ms []string) error {\n\t\t\t\tstr.Reset()\n\t\t\t\tstr.WriteString(`SELECT * FROM unnest(`)\n\t\t\t\tfmtPostgresqlArray(str, ms)\n\t\t\t\tstr.WriteString(`) EXCEPT ALL SELECT digest FROM manifest WHERE digest = ANY(`)\n\t\t\t\tfmtPostgresqlArray(str, ms)\n\t\t\t\tstr.WriteString(`);`)\n\t\t\t\treturn enc.Encode(query(str))\n\t\t\t}\n\t\t}\n\t\tinner = func(in <-chan []string) iter.Seq2[[]string, error] {\n\t\t\tbuf := &bytes.Buffer{}\n\t\t\tenc := json.NewEncoder(buf)\n\t\t\tenc.SetEscapeHTML(false)\n\t\t\tmkQuery := queryFormatter(enc, new(strings.Builder))\n\t\t\treturn func(yield func([]string, error) bool) {\n\t\t\t\tvar ok bool\n\t\t\t\tfor {\n\t\t\t\t\tvar ms []string\n\t\t\t\t\tselect {\n\t\t\t\t\tcase ms, ok = <-in:\n\t\t\t\t\t\tif !ok {\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t}\n\t\t\t\t\tcase <-ctx.Done():\n\t\t\t\t\t\tyield(nil, context.Cause(ctx))\n\t\t\t\t\t\treturn\n\t\t\t\t\tcase <-gone:\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t\tif err := mkQuery(ms); err != nil {\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\n\t\t\t\t\tqRes, err := a.GABIQuery(ctx, a.QuayGABI, buf)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\n\t\t\t\t\t// Skip the initial value, it's the list of columns\n\t\t\t\t\trows := qRes.Result[1:]\n\t\t\t\t\tvals := make([]string, len(rows))\n\t\t\t\t\tfor i, row := range rows {\n\t\t\t\t\t\tvals[i] = row[0]\n\t\t\t\t\t}\n\t\t\t\t\tif !yield(nil, err) {\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t// Second favorite: direct database access.\n\tcase a.quayDB != nil:\n\t\tpool, err := a.quayDB()\n\t\tif err != nil {\n\t\t\treturn nil, func() error { return err }\n\t\t}\n\t\tconst query = `SELECT * FROM unnest($1::TEXT[]) EXCEPT ALL SELECT digest FROM manifest WHERE digest = ANY($1::TEXT[]);`\n\t\tinner = func(in <-chan []string) iter.Seq2[[]string, error] {\n\t\t\treturn func(yield func([]string, error) bool) {\n\t\t\t\tvar ok bool\n\t\t\t\tfor {\n\t\t\t\t\tvar ms []string\n\t\t\t\t\tselect {\n\t\t\t\t\tcase ms, ok = <-in:\n\t\t\t\t\t\tif !ok {\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t}\n\t\t\t\t\tcase <-ctx.Done():\n\t\t\t\t\t\tyield(nil, context.Cause(ctx))\n\t\t\t\t\t\treturn\n\t\t\t\t\tcase <-gone:\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t\tvals := make([]string, a.PageCount)\n\t\t\t\t\terr := pool.AcquireFunc(ctx, func(c *pgxpool.Conn) error {\n\t\t\t\t\t\trows, err := c.Query(ctx, query, ms)\n\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t}\n\t\t\t\t\t\tdefer rows.Close()\n\n\t\t\t\t\t\ti := 0\n\t\t\t\t\t\tfor rows.Next() {\n\t\t\t\t\t\t\tif err := rows.Scan(&vals[i]); err != nil {\n\t\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\ti++\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif err := rows.Err(); err != nil {\n\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvals = vals[:i]\n\t\t\t\t\t\treturn nil\n\t\t\t\t\t})\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tyield(nil, err)\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t\tif !yield(vals, nil) {\n\t\t\t\t\t\treturn\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Worker goroutines.\n\tfor eg.TryGo(func() error {\n\t\tdefer func() {\n\t\t\tslog.Debug(\"worker done\", \"worker\", \"quay\")\n\t\t}()\n\t\tfor ms, err := range inner(in) {\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn context.Cause(ctx)\n\t\t\tcase <-gone:\n\t\t\t\tslog.Debug(\"dropped value\", \"worker\", \"quay\")\n\t\t\tcase out <- ms:\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}) {\n\t}\n\t// Wait for workers+reader to finish and close the output channel. Causes\n\t// the returned iterator to fall out of its reading loop.\n\tgo func() {\n\t\teg.Wait()\n\t\tclose(out)\n\t\tslog.Debug(\"output channel closed\", \"worker\", \"quay\")\n\t}()\n\n\treturn func(yield func([]string) bool) {\n\t\tct := 0\n\t\tdefer func() {\n\t\t\tslog.Debug(\"sequence done\", \"worker\", \"quay\", \"sent\", ct)\n\t\t}()\n\t\tdefer close(gone)\n\t\tfor ms := range out {\n\t\t\tct++\n\t\t\tif !yield(ms) {\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}, eg.Wait\n}\n"
},
{
"path": "contrib/cmd/quaybackstop/sig_linux.go",
"content": "//go:build linux\n\npackage main\n\nimport (\n\t\"os\"\n\t\"syscall\"\n)\n\nvar signals = []os.Signal{\n\tsyscall.SIGTERM, syscall.SIGINT, syscall.SIGHUP,\n}\n"
},
{
"path": "contrib/cmd/quaybackstop/sig_other.go",
"content": "//go:build !linux\n\npackage main\n\nimport \"os\"\n\nvar signals = []os.Signal{}\n"
},
{
"path": "contrib/openshift/build_and_deploy.sh",
"content": "#!/usr/bin/bash\nset -euo pipefail\n\nsplice() { local IFS=\"$1\"; shift; echo \"$*\"; }\n\nwhile getopts nxz name; do\n\tcase \"$name\" in\n\tx) set -x ;;\n\tn) dryrun=1 ;;\n\tz) declare -g login_done ;;\n\t?)\n\t\tprintf \"Usage: %s: [-nxz]\\n\" \"$0\"\n\t\texit 2\n\t\t;;\n\tesac\ndone\n\n: \"${REGISTRY:=quay.io}\"\n: \"${NAMESPACE:=app-sre}\"\n: \"${REPOSITORY:=clair}\"\n: \"${IMAGE:=$(splice / \"$REGISTRY\" \"$NAMESPACE\" \"$REPOSITORY\")}\"\n: \"${BUILDKIT_VERSION:=0.15.2}\"\n: \"${BUILDKIT_IMAGE:=$(splice / \"$REGISTRY\" \"$NAMESPACE\" \"buildkit:latest\")}\"\n: \"${CONTAINER_ENGINE:=$(command -v podman 2>/dev/null || command -v docker 2>/dev/null)}\"\n: \"${cidfile:=buildkit.cid}\"\nGIT_HASH=\"$(git rev-parse --short=7 HEAD)\"\ntags=(\"${IMAGE}:latest\" \"${IMAGE}:${GIT_HASH}\")\ntrap 'rm -rf clair-v*.{tar*,oci} ' ERR\nexport GOTOOLCHAIN=auto # have any local invocations of go use the correct version magically\n\npatch_source() {\n\tin=$1\n\twant=$(git ls-files ':**Dockerfile' | wc -l)\n\tif [[ $(tar tf \"$in\" '*/Dockerfile' | wc -l) -gt $want ]]; then\n\t\techo already patched >&2\n\t\treturn\n\tfi\n\tif [[ \"${BUILDKIT_IMAGE%%/*}\" = docker.io ]]; then\n\t\techo guessing no patching needed, based on BUILDKIT_IMAGE \"(${BUILDKIT_IMAGE})\" >&2\n\t\treturn\n\tfi\n\n\t( # Subshell to set a cleanup trap.\n\ttmp=$(mktemp -d)\n\ttrap 'rm -r \"$tmp\"' EXIT\n\tgunzip \"$in\"\n\tin=${in%.gz}\n\n\t# remove the syntax line -- should be OK as long as we're not using features\n\t# beyond the buildkit-shipped version.\n\tfor file in $(tar tf \"$in\" '*/Dockerfile'); do\n\t\ttar -xOf \"$in\" \"$file\" |\n\t\t\tsed '/# syntax/d' >\"${tmp}/Dockerfile\"\n\t\ttar -rf \"$in\" --transform \"s,.*,${file},\" \"${tmp}/Dockerfile\"\n\tdone\n\tgzip -n -q -f \"$in\"\n\t)\n}\n\nregistry_login(){\n\t[[ -v login_done ]] && return\n\tf=\"$(mktemp -d)/auth.json\"\n\texport REGISTRY_AUTH_FILE=\"$f\" DOCKER_CONFIG=\"${f%/*}\"\n\t${CONTAINER_ENGINE} login -u=\"${QUAY_USER}\" -p=\"${QUAY_TOKEN}\" \"${REGISTRY}\"\n\tdeclare -g login_done\n}\n\nif [[ -d bin ]]; then\n\tPATH=$(realpath bin):${PATH}\nfi\nif ! command -v buildctl >/dev/null 2>&1; then\n\techo Fetching buildctl:\n\tmkdir -p bin\n\tPATH=$(realpath bin):${PATH}\n\tcurl -sSfL \"https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-amd64.tar.gz\" |\n\t\ttar -xzC bin --strip-components=1 bin/buildctl\n\tcommand -V buildctl\n\tbuildctl --version\nfi\n\ncleanup() {\n\ttodo=( ${login_done:+${REGISTRY_AUTH_FILE}} )\n\tif [[ -f \"${cidfile}\" ]]; then\n\t\techo Stopping buildkitd container:\n\t\t[[ -o x ]] && ${CONTAINER_ENGINE} logs \"$(cat \"${cidfile}\")\"\n\t\t${CONTAINER_ENGINE} stop --cidfile \"${cidfile}\" || echo Failed to stop buildkit container >&2\n\t\ttodo+=( \"${cidfile}\" )\n\tfi\n\t[[ \"${#todo[@]}\" -ne 0 ]] && rm -rf \"${todo[@]}\"\n}\n\ntrap 'cleanup' EXIT\n# Unconditionally log in if we have credentials because AppSRE CI can't be\n# bothered to clear them between Jenkins jobs.\nif [[ -n \"${QUAY_USER-}\" && -n \"${QUAY_TOKEN-}\" ]]; then\n\tregistry_login\nfi\nif [[ ! -v BUILDKIT_HOST ]]; then\n\techo Starting buildkitd container:\n\t[[ -x o ]] && skopeo list-tags \"docker://${BUILDKIT_IMAGE%:*}\"\n\t${CONTAINER_ENGINE} run \\\n\t\t--cidfile \"${cidfile}\" \\\n\t\t--detach \\\n\t\t--privileged \\\n\t\t--rm \\\n\t\t\"${BUILDKIT_IMAGE}\"\n\tBUILDKIT_HOST=\"$(basename \"${CONTAINER_ENGINE}\")-container://$(cat \"$cidfile\")\"\n\texport BUILDKIT_HOST\nfi\n\necho Exporting source:\nmake dist\n\necho Applying self-inflicted wound:\nif [[ $(find . -maxdepth 1 -type f -name 'clair-v*.tar*' | wc -l) -ne 1 ]]; then\n\techo found multiple dist tarballs, exiting: >&2\n\tls clair-v*.tar* >&2\n\texit 99\nfi\npatch_source clair-v*.tar.gz\n\necho Building container:\nmake \"IMAGE_NAME=$(splice , \"${tags[@]}\")\" dist-container\n\n# Make repeated runs work more-or-less correctly.\ntouch -m -t 197001010000 clair-v*.{tar.gz,oci}\n\n[[ -n \"${dryrun-}\" ]] && exit 0\n\n: \"${QUAY_USER:?Missing QUAY_USER variable.}\"\n: \"${QUAY_TOKEN:?Missing QUAY_TOKEN variable.}\"\nregistry_login\n\nar=$(echo clair-v4.*.oci)\nfor t in \"${tags[@]}\"; do\n\techo Copy to \"${t@Q}:\"\n\tskopeo copy --all --preserve-digests \"oci-archive:${ar}:${tags[0]##*:}\" \"docker://${t}\"\ndone\n"
},
{
"path": "contrib/openshift/grafana/dashboard-clair.configmap.yaml.tpl",
"content": "# WARNING: This is generated from local-dev/grafana/data/dashboards/clair.json\n# please modify there and run make contrib/openshift/grafana/dashboards/dashboard-clair.configmap.yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n creationTimestamp: null\n name: grafana-dashboard-clair\n labels:\n grafana_dashboard: \"true\"\n annotations:\n grafana-folder: /grafana-dashboard-definitions/Clair\ndata:\n clair-dashboard.json: |-\nGRAFANA_MANIFEST\n"
},
{
"path": "contrib/openshift/grafana/dashboards/dashboard-clair.configmap.yaml",
"content": "# WARNING: This is generated from local-dev/grafana/data/dashboards/clair.json\n# please modify there and run make contrib/openshift/grafana/dashboards/dashboard-clair.configmap.yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n creationTimestamp: null\n name: grafana-dashboard-clair\n labels:\n grafana_dashboard: \"true\"\n annotations:\n grafana-folder: /grafana-dashboard-definitions/Clair\ndata:\n clair-dashboard.json: |-\n {\n \"annotations\": {\n \"list\": [\n {\n \"builtIn\": 1,\n \"datasource\": \"-- Grafana --\",\n \"enable\": true,\n \"hide\": true,\n \"iconColor\": \"rgba(0, 211, 255, 1)\",\n \"name\": \"Annotations & Alerts\",\n \"target\": {\n \"limit\": 100,\n \"matchAny\": false,\n \"tags\": [],\n \"type\": \"dashboard\"\n },\n \"type\": \"dashboard\"\n }\n ]\n },\n \"editable\": true,\n \"gnetId\": null,\n \"graphTooltip\": 1,\n \"iteration\": 1694452951165,\n \"links\": [],\n \"panels\": [\n {\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 0\n },\n \"id\": 24,\n \"title\": \"Runtime metrics\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 1\n },\n \"id\": 26,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (scanned_before) (rate(claircore_indexer_scanned_manifests[$rate]))\",\n \"interval\": \"\",\n \"legendFormat\": \"{{scanned_before}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Previously scanned manifests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n }\n },\n \"mappings\": []\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 1\n },\n \"id\": 32,\n \"options\": {\n \"legend\": {\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"pieType\": \"pie\",\n \"reduceOptions\": {\n \"calcs\": [\n \"lastNotNull\"\n ],\n \"fields\": \"\",\n \"values\": false\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (scanned_before) (rate(claircore_indexer_scanned_manifests[$rate]))\",\n \"interval\": \"\",\n \"legendFormat\": \"{{scanned_before}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Previously scanned rate\",\n \"type\": \"piechart\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 9\n },\n \"id\": 35,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum (clair_cmd_version_info) by (job, goversion)\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{job}} - {{goversion}}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum (clair_cmd_version_info) by(job, version)\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{job}} clair - {{version}}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum (clair_cmd_version_info) by(job, claircore_version)\",\n \"interval\": \"\",\n \"legendFormat\": \"{{job}} claircore - {{claircore_version}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Versions\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 9\n },\n \"id\": 45,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_http_concurrencylimited_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"Endpoint: {{ endpoint }} Method: {{ method }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Ratelimiting / s\",\n \"type\": \"timeseries\"\n },\n {\n \"collapsed\": false,\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 17\n },\n \"id\": 18,\n \"panels\": [],\n \"title\": \"Database Indexer\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 7,\n \"w\": 24,\n \"x\": 0,\n \"y\": 18\n },\n \"id\": 20,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_setindexreport_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"IndexReport: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_layerscanned_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"LayerScanned: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_manifestscanned_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"ManifestScanned: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_persistmanifest_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"PersistManifest: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_registerscanners_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"RegisterScanners: {{instance }}: {{ query }}\",\n \"refId\": \"E\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_setindexreport_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"SetIndexReport: {{instance }}: {{ query }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"Database query count (indexer)\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 0,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 22,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"repeat\": null,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_setindexreport_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Set index_report query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 4,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 48,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_layerscanned_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"B\"\n }\n ],\n \"title\": \"Layer scanned query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 8,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 51,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_persistmanifest_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Persist manifest query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 12,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 52,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_manifestscanned_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"C\"\n }\n ],\n \"title\": \"Manifest scanned query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 16,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 53,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_registerscanners_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Register scanners query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 20,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 54,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_setindexfinished_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"Set index finished query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 24,\n \"x\": 0,\n \"y\": 33\n },\n \"id\": 63,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_idle_conns{application_name=\\\"libindex\\\"})\",\n \"interval\": \"\",\n \"legendFormat\": \"idle\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_max_conns{application_name=\\\"libindex\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"max\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_total_conns{application_name=\\\"libindex\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"total\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_acquired_conns{application_name=\\\"libindex\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"acquired\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Connections (Indexer)\",\n \"type\": \"timeseries\"\n },\n {\n \"collapsed\": false,\n \"datasource\": null,\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 41\n },\n \"id\": 50,\n \"panels\": [],\n \"title\": \"Database matcher\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 7,\n \"w\": 24,\n \"x\": 0,\n \"y\": 42\n },\n \"id\": 21,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getvulnerabilities_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"VulnStoreGet: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getlatestrefs_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GetLatestRefs: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getlatestupdateref_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GetLatestUpdateRef: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getupdateoperations_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GetUpdateOperations: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_updatevulnerabilities_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"UpdateVulnerabilities: {{instance }}: {{ query }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Database query count (matcher)\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 0,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 33,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getvulnerabilities_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Get vulnerabilities latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 4,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 55,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getlatestrefs_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"B\"\n }\n ],\n \"title\": \"Get latest refs latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 8,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 56,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getlatestupdateref_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"C\"\n }\n ],\n \"title\": \"Get latest update refs latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 12,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 57,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getupdateoperations_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Get update operations latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 16,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 58,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_updatevulnerabilities_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Update vulnerabilities latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 7,\n \"w\": 24,\n \"x\": 0,\n \"y\": 57\n },\n \"id\": 43,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_gc_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GarbageCollection: {{instance }}: {{ query }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Database query count GC\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 24,\n \"x\": 0,\n \"y\": 64\n },\n \"id\": 64,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_idle_conns{application_name=\\\"libvuln\\\"})\",\n \"interval\": \"\",\n \"legendFormat\": \"idle\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_max_conns{application_name=\\\"libvuln\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"max\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_total_conns{application_name=\\\"libvuln\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"total\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_acquired_conns{application_name=\\\"libvuln\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"acquired\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Connections (Matcher)\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 72\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 44,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_gc_duration_seconds_bucket{query=\\\"updateOps\\\"}[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"GC - updateOps latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 72\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 59,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_gc_duration_seconds_bucket{query=\\\"deleteVulns\\\"}[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"GC - deleteVulns latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"collapsed\": true,\n \"datasource\": null,\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 80\n },\n \"id\": 61,\n \"panels\": [\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 20\n },\n \"id\": 36,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_created_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"CreatedTotal: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_failed_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierFailed: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_putreceipt_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierPutReceipt: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_receiptbyuoid_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierReceiptByUOID: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Database query count (notifier)\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 30,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 20\n },\n \"id\": 38,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_created_duration_seconds_bucket[$rate]))\",\n \"interval\": \"\",\n \"legendFormat\": \"CreatedTotal: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_failed_duration_seconds_bucket[$rate]))\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierFailed: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_putreceipt_duration_seconds_bucket[$rate]))\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierPutReceipt: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_receiptbyuoid_duration_seconds_bucket[$rate]))\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierReceiptByUOID: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Database query duration (notifier) (p$dbquantile)\",\n \"type\": \"timeseries\"\n }\n ],\n \"title\": \"Database - Notifier\",\n \"type\": \"row\"\n },\n {\n \"collapsed\": false,\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 81\n },\n \"id\": 2,\n \"panels\": [],\n \"title\": \"API Requests\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 82\n },\n \"id\": 4,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_matcherv1_request_total{handler=\\\"/matcher/api/v1/vulnerability_report/\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Vulnerability Report Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 82\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 15,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"repeat\": null,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(clair_http_matcherv1_request_duration_seconds_bucket{handler=\\\"/matcher/api/v1/vulnerability_report/\\\"}[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"\",\n \"intervalFactor\": 1,\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Vulnerability Report Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"middle\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 90\n },\n \"id\": 7,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{handler=\\\"/indexer/api/v1/index_report\\\", method=\\\"post\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Create Index Report Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 90\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 14,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"post\\\", handler=\\\"/indexer/api/v1/index_report\\\", code=\\\"201\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Create Index Report Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"stepBefore\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 98\n },\n \"id\": 6,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{handler=\\\"/indexer/api/v1/index_state\\\", method=\\\"get\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"\",\n \"legendFormat\": \"Status {{code}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Indexer State Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 98\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 47,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"get\\\", handler=\\\"/indexer/api/v1/index_state\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Indexer State Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 106\n },\n \"id\": 5,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{method=\\\"get\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 106\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 46,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"get\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 114\n },\n \"id\": 66,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report\\\"}[$rate]))\",\n \"hide\": false,\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"B\"\n }\n ],\n \"title\": \"Index Report Bulk Deletion Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 114\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 67,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Bulk Deletion Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 122\n },\n \"id\": 68,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Deletion Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 122\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 69,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Deletion Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 130\n },\n \"id\": 41,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_notifier_api_v1_notification_request_total{method=\\\"get\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Get Notifications Requests\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"Seconds\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 30,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 130\n },\n \"id\": 40,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($apiquantile, rate(clair_http_notifier_api_v1_notification_request_duration_seconds_bucket[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Get Notification Request Latency (p$apiquantile)\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 138\n },\n \"id\": 39,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_notifier_api_v1_notification_request_total{method=\\\"delete\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Delete Notification Requests\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"Seconds\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 30,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 138\n },\n \"id\": 42,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($apiquantile, rate(clair_http_notifier_api_v1_notification_request_duration_seconds_bucket[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Delete Notification Request Latency (p$apiquantile)\",\n \"type\": \"timeseries\"\n },\n {\n \"collapsed\": false,\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 146\n },\n \"id\": 9,\n \"panels\": [],\n \"title\": \"Memory metrics\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 147\n },\n \"id\": 11,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (job)(go_goroutines)\",\n \"interval\": \"\",\n \"legendFormat\": \"{{ job }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Goroutine count\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 10,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n },\n \"unit\": \"bytes\"\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 147\n },\n \"id\": 12,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (job)(go_memstats_heap_inuse_bytes)\",\n \"interval\": \"\",\n \"legendFormat\": \"{{ job }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Memory\",\n \"type\": \"timeseries\"\n }\n ],\n \"refresh\": false,\n \"schemaVersion\": 30,\n \"style\": \"dark\",\n \"tags\": [],\n \"templating\": {\n \"list\": [\n {\n \"auto\": false,\n \"auto_count\": 30,\n \"auto_min\": \"10s\",\n \"current\": {\n \"selected\": false,\n \"text\": \"1m\",\n \"value\": \"1m\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"label\": null,\n \"name\": \"rate\",\n \"options\": [\n {\n \"selected\": true,\n \"text\": \"1m\",\n \"value\": \"1m\"\n },\n {\n \"selected\": false,\n \"text\": \"5m\",\n \"value\": \"5m\"\n },\n {\n \"selected\": false,\n \"text\": \"10m\",\n \"value\": \"10m\"\n },\n {\n \"selected\": false,\n \"text\": \"30m\",\n \"value\": \"30m\"\n },\n {\n \"selected\": false,\n \"text\": \"1h\",\n \"value\": \"1h\"\n },\n {\n \"selected\": false,\n \"text\": \"6h\",\n \"value\": \"6h\"\n },\n {\n \"selected\": false,\n \"text\": \"12h\",\n \"value\": \"12h\"\n },\n {\n \"selected\": false,\n \"text\": \"1d\",\n \"value\": \"1d\"\n },\n {\n \"selected\": false,\n \"text\": \"7d\",\n \"value\": \"7d\"\n },\n {\n \"selected\": false,\n \"text\": \"14d\",\n \"value\": \"14d\"\n },\n {\n \"selected\": false,\n \"text\": \"30d\",\n \"value\": \"30d\"\n }\n ],\n \"query\": \"1m,5m,10m,30m,1h,6h,12h,1d,7d,14d,30d\",\n \"refresh\": 2,\n \"skipUrlSync\": false,\n \"type\": \"interval\"\n },\n {\n \"allValue\": null,\n \"current\": {\n \"selected\": false,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"includeAll\": false,\n \"label\": \"Database Latency Quantile\",\n \"multi\": false,\n \"name\": \"dbquantile\",\n \"options\": [\n {\n \"selected\": true,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n {\n \"selected\": false,\n \"text\": \"0.90\",\n \"value\": \"0.90\"\n },\n {\n \"selected\": false,\n \"text\": \"0.5\",\n \"value\": \"0.5\"\n },\n {\n \"selected\": false,\n \"text\": \"0.20\",\n \"value\": \"0.20\"\n },\n {\n \"selected\": false,\n \"text\": \"0\",\n \"value\": \"0\"\n }\n ],\n \"query\": \"0.95,0.90,0.5,0.20,0\",\n \"queryValue\": \"\",\n \"skipUrlSync\": false,\n \"type\": \"custom\"\n },\n {\n \"allValue\": null,\n \"current\": {\n \"selected\": true,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"includeAll\": false,\n \"label\": \"API Latency Quantile\",\n \"multi\": false,\n \"name\": \"apiquantile\",\n \"options\": [\n {\n \"selected\": true,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n {\n \"selected\": false,\n \"text\": \"0.90\",\n \"value\": \"0.90\"\n },\n {\n \"selected\": false,\n \"text\": \"0.5\",\n \"value\": \"0.5\"\n },\n {\n \"selected\": false,\n \"text\": \"0.20\",\n \"value\": \"0.20\"\n },\n {\n \"selected\": false,\n \"text\": \"0\",\n \"value\": \"0\"\n }\n ],\n \"query\": \"0.95,0.90,0.5,0.20,0\",\n \"queryValue\": \"\",\n \"skipUrlSync\": false,\n \"type\": \"custom\"\n },\n {\n \"current\": {\n \"selected\": true,\n \"text\": \"Prometheus\",\n \"value\": \"Prometheus\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"includeAll\": false,\n \"label\": null,\n \"multi\": false,\n \"name\": \"datasource\",\n \"options\": [],\n \"query\": \"prometheus\",\n \"queryValue\": \"\",\n \"refresh\": 1,\n \"regex\": \"/(^clair|^app-sre-stage-01|^Prometheus$|^appsre)(?!.*cluster)/\",\n \"skipUrlSync\": false,\n \"type\": \"datasource\"\n }\n ]\n },\n \"time\": {\n \"from\": \"now-1h\",\n \"to\": \"now\"\n },\n \"timepicker\": {},\n \"timezone\": \"\",\n \"title\": \"Clair V4\",\n \"uid\": \"I1JBFlRnz\",\n \"version\": 4\n }\n\n"
},
{
"path": "contrib/openshift/manifests/backstop.yaml",
"content": "---\napiVersion: template.openshift.io/v1\nkind: Template\nmetadata:\n name: clair-gc-quaybackstop\n labels:\n app: clair\nlabels:\n app: clair\nobjects:\n- apiVersion: batch/v1\n kind: CronJob\n metadata:\n name: quaybackstop\n spec:\n schedule: '23 1 * * 1'\n timeZone: Etc/UTC\n concurrencyPolicy: Forbid\n successfulJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n spec:\n serviceAccountName: ${{SERVICE_ACCOUNT}}\n volumes:\n - name: clair-config\n secret:\n secretName: ${{CLAIR_CONFIG_SECRET}}\n - name: quay-config\n secret:\n secretName: ${{QUAY_CONFIG_SECRET}}\n - name: database-cert\n emptyDir:\n sizeLimit: 50Mi\n restartPolicy: OnFailure\n initContainers:\n - name: fetch-certs\n image: registry.access.redhat.com/ubi9/ubi:latest\n command:\n - /usr/bin/sh\n args:\n - -c\n - |\n set -ex\n cd /run/certs\n curl -sSfLO https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem\n volumeMounts:\n - name: database-cert\n mountPath: /run/certs\n containers:\n - name: quaybackstop\n resources:\n limits:\n cpu: 4\n requests:\n cpu: 2\n image: ${IMAGE_NAME}:${IMAGE_TAG}\n imagePullPolicy: Always\n env:\n - name: SSL_CERT_DIR\n value: /run/certs\n args:\n - -D=${DEBUG}\n - -clairconfig=/run/clair/config.yaml\n - -quayconfig=/run/quay/config.yaml\n - -indexer-addr=${INDEXER_ADDRESS}\n - -page-size=${PAGE_SIZE}\n - -page-count=${PAGE_COUNT}\n - -cursor=${CURSOR_FILE}\n volumeMounts:\n - name: clair-config\n mountPath: /run/clair\n - name: quay-config\n mountPath: /run/quay\n - name: database-cert\n mountPath: /run/certs\nparameters:\n- name: IMAGE_NAME\n value: quay.io/app-sre/clair\n displayName: Image\n description: Image name for the quaybackstop job.\n- name: IMAGE_TAG\n value: quaybackstop-latest\n displayName: Image Tag\n description: Tag name for the quaybackstop job.\n- name: CLAIR_CONFIG_SECRET\n value: config\n displayName: Clair Config\n description: Clair config secret name.\n- name: QUAY_CONFIG_SECRET\n value: quay-config\n displayName: Quay Config\n description: Quay config secret name.\n- name: SERVICE_ACCOUNT\n value: clair\n displayName: Service Account\n description: Service account name to use for API interaction.\n- name: INDEXER_ADDRESS\n value: http://clair-indexer/\n displayName: Indexer Address\n description: Indexer service to make API requests to.\n- name: PAGE_SIZE\n value: 100\n displayName: Page Size\n description: Pull pages of this size from the Quay database.\n- name: PAGE_COUNT\n value: -1\n displayName: Page Count\n description: Only process this number of pages before stopping (-1 for \"all\").\n- name: CURSOR_FILE\n value: ''\n displayName: Cursor\n description: File to store the cursor to. Allows for incremental work.\n- name: DEBUG\n value: 0\n displayName: Debug Output\n description: Enable debugging output. (Must be numeric or one of t, f, T, F, true, false, TRUE, FALSE, True, False)\nmessage: |\n Made cronjob \"quaybackstop\", it might have worked.\n"
},
{
"path": "contrib/openshift/manifests/db-job.yaml",
"content": "---\napiVersion: v1\nkind: Template\nmetadata:\n name: clair-db-jobs\nparameters:\n- name: SUBCOMMAND\n value: \"pre\"\n required: true\n- name: VERSION\n value: \"\"\n required: true\n- name: IMAGE\n value: \"quay.io/app-sre/clair\"\n required: true\n- name: IMAGE_TAG\n value: \"\"\n required: true\n- name: JOB_NAME\n value: \"\"\n required: true\n- name: SERVICE_ACCOUNT\n value: \"clair\"\n displayName: clair service account\n required: true\n- name: SECRET_NAME\n value: \"config\"\n displayName: Name of the config secret\n required: true\n\nobjects:\n- apiVersion: batch/v1\n kind: Job\n metadata:\n name: clair-db-jobs-${JOB_NAME}\n spec:\n template:\n metadata:\n labels:\n app: clair-db-jobs-${JOB_NAME}\n spec:\n serviceAccountName: ${{SERVICE_ACCOUNT}}\n volumes:\n - name: clair-config\n secret:\n secretName: ${{SECRET_NAME}}\n backoffLimit: 1\n completions: 1\n parallelism: 1\n restartPolicy: Never\n containers:\n - name: clair-db-jobs-${JOB_NAME}\n image: ${IMAGE}:${IMAGE_TAG}\n resources:\n limits:\n cpu: 100m\n memory: 128Mi\n requests:\n cpu: 100m\n memory: 128Mi\n command: [clairctl]\n args:\n - \"-D\"\n - \"--config\"\n - \"/etc/clair/config.yaml\"\n - \"admin\"\n - ${SUBCOMMAND}\n - ${VERSION}\n volumeMounts:\n - name: clair-config\n mountPath: /etc/clair\n\n"
},
{
"path": "contrib/openshift/manifests/manifests.yaml",
"content": "---\napiVersion: v1\nkind: Template\nmetadata:\n name: clair\n labels:\n app: clair\nobjects:\n #\n # indexer deployment\n #\n - apiVersion: apps/v1\n kind: StatefulSet\n metadata:\n annotations:\n ${{CLAIR_DISABLE_MIN_REPLICAS_CHECK}}: ${{CLAIR_DISABLE_MIN_REPLICAS_REASON}}\n ${{CLAIR_DISABLE_ANTI_AFFINITY_CHECK}}: ${{CLAIR_DISABLE_ANTI_AFFINITY_REASON}}\n name: clair-indexer\n labels:\n service: indexer\n app: clair\n spec:\n podManagementPolicy: Parallel\n replicas: ${{INDEXER_DEPLOYMENT_REPLICAS}}\n selector:\n matchLabels:\n service: indexer\n app: clair\n volumeClaimTemplates:\n - metadata:\n name: indexer-layer-storage\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n storageClassName: ${{STORAGE_CLASS_NAME}}\n resources:\n requests:\n storage: ${{INDEXER_STORAGE_REQS}}\n template:\n metadata:\n name: clair-indexer\n labels:\n service: indexer\n app: clair\n ${{INDEXER_COMPONENT_LABEL_KEY}}: ${{INDEXER_COMPONENT_LABEL_VALUE}}\n spec:\n serviceAccountName: ${SERVICE_ACCOUNT}\n affinity:\n podAntiAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - weight: 1\n podAffinityTerm:\n labelSelector:\n matchExpressions:\n - key: ${{INDEXER_COMPONENT_LABEL_KEY}}\n operator: In\n values:\n - ${{INDEXER_COMPONENT_LABEL_VALUE}}\n topologyKey: kubernetes.io/hostname\n volumes:\n - name: clair-config\n secret:\n secretName: config\n containers:\n - name: clair-indexer\n resources:\n limits:\n cpu: ${{INDEXER_CPU_LIMITS}}\n memory: ${{INDEXER_MEM_LIMITS}}\n requests:\n cpu: ${{INDEXER_CPU_REQS}}\n memory: ${{INDEXER_MEM_REQS}}\n command: [clair]\n env:\n - name: CLAIR_CONF\n value: '/etc/clair/config.yaml'\n - name: CLAIR_MODE\n value: indexer\n image: ${CLAIR_IMAGE}:${IMAGE_TAG}\n ports:\n - containerPort: ${{HTTP_TRANSPORT_PORT}}\n name: http-transport\n - containerPort: ${{INTROSPECTION_PORT}}\n name: introspection\n livenessProbe:\n httpGet:\n path: ${{HEALTH_PATH}}\n port: ${{HEALTH_PORT}}\n readinessProbe:\n httpGet:\n path: ${{READY_PATH}}\n port: ${{HEALTH_PORT}}\n startupProbe:\n httpGet:\n path: ${{READY_PATH}}\n port: ${{HEALTH_PORT}}\n failureThreshold: 400\n periodSeconds: 10\n volumeMounts:\n - name: clair-config\n mountPath: /etc/clair\n - name: indexer-layer-storage\n mountPath: /var/tmp\n\n #\n # matcher deployment\n #\n - apiVersion: apps/v1\n kind: Deployment\n metadata:\n name: clair-matcher\n labels:\n service: matcher\n app: clair\n annotations:\n ${{CLAIR_DISABLE_MIN_REPLICAS_CHECK}}: ${{CLAIR_DISABLE_MIN_REPLICAS_REASON}}\n ${{CLAIR_DISABLE_ANTI_AFFINITY_CHECK}}: ${{CLAIR_DISABLE_ANTI_AFFINITY_REASON}}\n spec:\n replicas: ${{MATCHER_DEPLOYMENT_REPLICAS}}\n selector:\n matchLabels:\n service: matcher\n app: clair\n template:\n metadata:\n name: clair-matcher\n labels:\n service: matcher\n app: clair\n ${{MATCHER_COMPONENT_LABEL_KEY}}: ${{MATCHER_COMPONENT_LABEL_VALUE}}\n spec:\n serviceAccountName: ${SERVICE_ACCOUNT}\n affinity:\n podAntiAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - weight: 1\n podAffinityTerm:\n labelSelector:\n matchExpressions:\n - key: ${{MATCHER_COMPONENT_LABEL_KEY}}\n operator: In\n values:\n - ${{MATCHER_COMPONENT_LABEL_VALUE}}\n topologyKey: kubernetes.io/hostname\n volumes:\n - name: clair-config\n secret:\n secretName: config\n containers:\n - name: clair-matcher\n resources:\n limits:\n cpu: ${{MATCHER_CPU_LIMITS}}\n memory: ${{MATCHER_MEM_LIMITS}}\n requests:\n cpu: ${{MATCHER_CPU_REQS}}\n memory: ${{MATCHER_MEM_REQS}}\n command: [clair]\n env:\n - name: CLAIR_CONF\n value: '/etc/clair/config.yaml'\n - name: CLAIR_MODE\n value: matcher\n image: ${CLAIR_IMAGE}:${IMAGE_TAG}\n ports:\n - containerPort: ${{HTTP_TRANSPORT_PORT}}\n name: http-transport\n - containerPort: ${{INTROSPECTION_PORT}}\n name: introspection\n livenessProbe:\n httpGet:\n path: ${{HEALTH_PATH}}\n port: ${{HEALTH_PORT}}\n readinessProbe:\n httpGet:\n path: ${{READY_PATH}}\n port: ${{HEALTH_PORT}}\n startupProbe:\n httpGet:\n path: ${{READY_PATH}}\n port: ${{HEALTH_PORT}}\n failureThreshold: 400\n periodSeconds: 10\n volumeMounts:\n - name: clair-config\n mountPath: /etc/clair\n #\n # notifier deployment\n #\n - apiVersion: apps/v1\n kind: Deployment\n metadata:\n name: clair-notifier\n annotations:\n ${{CLAIR_DISABLE_MIN_REPLICAS_CHECK}}: ${{CLAIR_DISABLE_MIN_REPLICAS_REASON}}\n ${{CLAIR_DISABLE_ANTI_AFFINITY_CHECK}}: ${{CLAIR_DISABLE_ANTI_AFFINITY_REASON}}\n labels:\n service: notifier\n app: clair\n spec:\n replicas: ${{NOTIFIER_DEPLOYMENT_REPLICAS}}\n selector:\n matchLabels:\n service: notifier\n app: clair\n template:\n metadata:\n name: clair-notifier\n labels:\n service: notifier\n app: clair\n ${{NOTIFIER_COMPONENT_LABEL_KEY}}: ${{NOTIFIER_COMPONENT_LABEL_VALUE}}\n spec:\n serviceAccountName: ${SERVICE_ACCOUNT}\n affinity:\n podAntiAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - weight: 1\n podAffinityTerm:\n labelSelector:\n matchExpressions:\n - key: ${{NOTIFIER_COMPONENT_LABEL_KEY}}\n operator: In\n values:\n - ${{NOTIFIER_COMPONENT_LABEL_VALUE}}\n topologyKey: kubernetes.io/hostname\n volumes:\n - name: clair-config\n secret:\n secretName: config\n containers:\n - name: clair-notifier\n resources:\n limits:\n cpu: ${{NOTIFIER_CPU_LIMITS}}\n memory: ${{NOTIFIER_MEM_LIMITS}}\n requests:\n cpu: ${{NOTIFIER_CPU_REQS}}\n memory: ${{NOTIFIER_MEM_REQS}}\n command: [clair]\n env:\n - name: CLAIR_CONF\n value: '/etc/clair/config.yaml'\n - name: CLAIR_MODE\n value: notifier\n image: ${CLAIR_IMAGE}:${IMAGE_TAG}\n ports:\n - containerPort: ${{HTTP_TRANSPORT_PORT}}\n name: http-transport\n - containerPort: ${{INTROSPECTION_PORT}}\n name: introspection\n livenessProbe:\n httpGet:\n path: ${{HEALTH_PATH}}\n port: ${{HEALTH_PORT}}\n readinessProbe:\n httpGet:\n path: ${{READY_PATH}}\n port: ${{HEALTH_PORT}}\n startupProbe:\n httpGet:\n path: ${{READY_PATH}}\n port: ${{HEALTH_PORT}}\n failureThreshold: 400\n periodSeconds: 10\n volumeMounts:\n - name: clair-config\n mountPath: /etc/clair\n #\n # indexer service\n #\n - apiVersion: v1\n kind: Service\n metadata:\n name: clair-indexer\n labels:\n service: indexer\n app: clair\n annotations:\n prometheus.io/scrape: 'true'\n spec:\n ports:\n - name: http-transport\n protocol: TCP\n port: 80\n targetPort: ${{HTTP_TRANSPORT_PORT}}\n - name: introspection\n protocol: TCP\n port: 8089\n targetPort: ${{INTROSPECTION_PORT}}\n selector:\n service: indexer\n app: clair\n #\n # matcher service\n #\n - apiVersion: v1\n kind: Service\n metadata:\n name: clair-matcher\n labels:\n service: matcher\n app: clair\n annotations:\n prometheus.io/scrape: 'true'\n spec:\n ports:\n - name: http-transport\n protocol: TCP\n port: 80\n targetPort: ${{HTTP_TRANSPORT_PORT}}\n - name: introspection\n protocol: TCP\n port: 8089\n targetPort: ${{INTROSPECTION_PORT}}\n selector:\n service: matcher\n app: clair\n #\n # notifier service\n #\n - apiVersion: v1\n kind: Service\n metadata:\n name: clair-notifier\n labels:\n service: notifier\n app: clair\n annotations:\n prometheus.io/scrape: 'true'\n spec:\n ports:\n - name: http-transport\n protocol: TCP\n port: 80\n targetPort: ${{HTTP_TRANSPORT_PORT}}\n - name: introspection\n protocol: TCP\n port: 8089\n targetPort: ${{INTROSPECTION_PORT}}\n selector:\n service: notifier\n app: clair\n #\n # service account\n #\n - apiVersion: v1\n kind: ServiceAccount\n metadata:\n name: ${SERVICE_ACCOUNT}\n imagePullSecrets:\n - name: quay.io\n\nparameters:\n #\n # indexer params\n #\n - name: INDEXER_DEPLOYMENT_REPLICAS\n value: \"40\"\n displayName: the number of indexers deployed\n - name: INDEXER_CPU_LIMITS\n value: \"4\"\n displayName: the indexer's cpu limits in vCPUs\n - name: INDEXER_CPU_REQS\n value: \"2\"\n displayName: the indexer's cpu requests in vCPUs\n - name: INDEXER_MEM_LIMITS\n value: \"8192Mi\"\n displayName: the indexer's memory limits\n - name: INDEXER_MEM_REQS\n value: \"4096Mi\"\n displayName: the indexer's memory requests\n - name: INDEXER_STORAGE_REQS\n value: \"200Gi\"\n displayName: the indexer's VPC volume size\n - name: INDEXER_COMPONENT_LABEL_KEY\n value: \"clair-indexer-component\"\n displayName: the label key used for indexer pod anti-affinity\n - name: INDEXER_COMPONENT_LABEL_VALUE\n value: \"indexer\"\n displayName: the label value used for indexer pod anti-affinity\n #\n # matcher params\n #\n - name: MATCHER_DEPLOYMENT_REPLICAS\n value: \"10\"\n displayName: the number of matchers deployed\n - name: MATCHER_CPU_LIMITS\n value: \"4\"\n displayName: the matcher's cpu limits in vCPUs\n - name: MATCHER_CPU_REQS\n value: \"2\"\n displayName: the matcher's cpu requests in vCPUs\n - name: MATCHER_MEM_LIMITS\n value: \"8192Mi\"\n displayName: the matcher's memory limits in vCPUs\n - name: MATCHER_MEM_REQS\n value: \"4096Mi\"\n displayName: the matcher's memory requests in vCPUs\n - name: MATCHER_COMPONENT_LABEL_KEY\n value: \"clair-matcher-component\"\n displayName: the label key used for matcher pod anti-affinity\n - name: MATCHER_COMPONENT_LABEL_VALUE\n value: \"matcher\"\n displayName: the label value used for matcher pod anti-affinity\n #\n # notifier params\n #\n - name: NOTIFIER_DEPLOYMENT_REPLICAS\n value: \"10\"\n displayName: the number of matchers deployed\n - name: NOTIFIER_CPU_LIMITS\n value: \"4\"\n displayName: the matcher's cpu limits in vCPUs\n - name: NOTIFIER_CPU_REQS\n value: \"2\"\n displayName: the matcher's cpu requests in vCPUs\n - name: NOTIFIER_MEM_LIMITS\n value: \"8192Mi\"\n displayName: the matcher's memory limits in vCPUs\n - name: NOTIFIER_MEM_REQS\n value: \"4096Mi\"\n displayName: the matcher's memory requests in vCPUs\n - name: NOTIFIER_COMPONENT_LABEL_KEY\n value: \"clair-notifier-component\"\n displayName: the label key used for notifier pod anti-affinity\n - name: NOTIFIER_COMPONENT_LABEL_VALUE\n value: \"notifier\"\n displayName: the label value used for notifier pod anti-affinity\n #\n # shared params\n #\n - name: CLAIR_IMAGE\n value: \"quay.io/app-sre/clair\"\n displayName: the image of clair v4 to deploy\n - name: IMAGE_TAG\n value: \"latest\"\n displayName: the image tag of clair v4 to deploy\n - name: HTTP_TRANSPORT_PORT\n value: \"8080\"\n displayName: http port where clair's main functionality is provided\n - name: INTROSPECTION_PORT\n value: \"8089\"\n displayName: http port where clair's health/metrics endpoints are provided\n - name: HEALTH_PATH\n value: \"/healthz\"\n displayName: the http path to clair's health check endpoint\n - name: READY_PATH\n value: \"/readyz\"\n displayName: the http path to clair's ready endpoint\n - name: HEALTH_PORT\n value: \"8089\"\n displayName: the port to clair's health check endpoint\n - name: STORAGE_CLASS_NAME\n value: \"gp2\"\n displayName: the storage class to use when creating VPCs\n - name: SERVICE_ACCOUNT\n value: \"clair\"\n displayName: clair service account\n description: name of the service account to use for API interaction\n # DVO\n - name: CLAIR_DISABLE_MIN_REPLICAS_CHECK\n displayName: Disable Minimum Replicas Check\n value: \"min-replicas-check-not-disabled\"\n - name: CLAIR_DISABLE_MIN_REPLICAS_REASON\n displayName: Reason for Disabling Minimum Replicas Check\n value: \"\"\n - name: CLAIR_DISABLE_ANTI_AFFINITY_CHECK\n value: \"anti-affinity-check-not-disabled\"\n displayName: disable DVO check for anti-affinity\n - name: CLAIR_DISABLE_ANTI_AFFINITY_REASON\n value: \"\"\n displayName: reason for disabling anti-affinity check\n"
},
{
"path": "contrib/openshift/pr_check.sh",
"content": "#!/usr/bin/bash\nset -euo pipefail\n[ -n \"${DEBUG-}\" ] && set -x\n\n# This should be run from the repo root, but enforce that:\npushd \"$(git rev-parse --show-toplevel)\"\n./contrib/openshift/build_and_deploy.sh \"-n${-//[^x]}${SKIP_LOGIN:+z}\"\npopd\n\n# If anything specific for the quay.io Clair instance needs to happen, add that here.\n"
},
{
"path": "docker-compose.yaml",
"content": "---\n# This is just to hold a bunch of yaml anchors and try to consolidate parts of\n# the config.\nx-anchors:\n go: &go-image quay.io/projectquay/golang:1.25\n grafana: &grafana-image docker.io/grafana/grafana:10.3.1\n jaeger: &jaeger-image docker.io/jaegertracing/all-in-one:1\n pgadmin: &pgadmin-image docker.io/dpage/pgadmin4:5.7\n postgres: &postgres-image docker.io/library/postgres:15\n postgres-exporter: &postgres-exporter-image docker.io/prometheuscommunity/postgres-exporter:latest\n prom: &prom-image docker.io/prom/prometheus:latest\n pyroscope: &pyroscope-image docker.io/grafana/pyroscope:latest\n quay: &quay-image quay.io/projectquay/quay:latest\n rabbitmq: &rabbitmq-image docker.io/library/rabbitmq:3\n redis: &redis-image docker.io/library/redis:6\n skopeo: &skopeo-image quay.io/skopeo/stable:latest\n traefik: &traefik-image docker.io/library/traefik:v3.0\n clair-service: &clair-service\n image: *go-image\n depends_on:\n clair-database:\n condition: service_healthy\n volumes:\n - \"./local-dev/clair:/etc/clair:ro\"\n - \".:/src\"\n # Can't specify the config via environment because maps are not recursively\n # merged.\n command:\n - go\n - run\n - .\n - -conf\n - /etc/clair/${CLAIR_CONFIG:-config.yaml}\n restart: unless-stopped\n working_dir: /src/cmd/clair\n\nservices:\n indexer:\n <<: *clair-service\n container_name: clair-indexer\n environment:\n CLAIR_MODE: \"indexer\"\n matcher:\n <<: *clair-service\n container_name: clair-matcher\n environment:\n CLAIR_MODE: \"matcher\"\n clair-database:\n container_name: clair-database\n image: *postgres-image\n environment:\n POSTGRES_HOST_AUTH_METHOD: trust\n volumes:\n - type: bind\n source: ./local-dev/clair/init.sql\n target: /docker-entrypoint-initdb.d/init.sql\n healthcheck:\n test:\n - CMD-SHELL\n - \"pg_isready -U postgres\"\n interval: 5s\n timeout: 4s\n retries: 12\n start_period: 10s\n traefik:\n container_name: clair-traefik\n image: *traefik-image\n depends_on:\n - matcher\n - indexer\n ports:\n - '6060:6060'\n - '8080:8080'\n - '8443'\n - '5432'\n volumes:\n - './local-dev/traefik/:/etc/traefik/:ro'\n\n # Debugging services -- use profile 'debug'\n pgadmin:\n container_name: clair-pgadmin\n profiles:\n - debug\n image: *pgadmin-image\n environment:\n PGADMIN_DEFAULT_EMAIL: clair@clair.com\n PGADMIN_DEFAULT_PASSWORD: clair\n PGADMIN_SERVER_JSON_FILE: /pgadmin4/config/servers.json\n SCRIPT_NAME: /pgadmin\n volumes:\n - \"./local-dev/pgadmin:/pgadmin4/config\"\n depends_on:\n - clair-database\n jaeger:\n container_name: clair-jaeger\n profiles:\n - debug\n image: *jaeger-image\n environment:\n QUERY_BASE_PATH: '/jaeger'\n COLLECTOR_OTLP_ENABLED: 'true'\n prometheus:\n container_name: clair-prometheus\n profiles:\n - debug\n image: *prom-image\n volumes:\n - \"./local-dev/prometheus:/etc/prometheus/\"\n command:\n - '--config.file=/etc/prometheus/prometheus.yml'\n - '--storage.tsdb.path=/prometheus'\n - '--web.external-url=http://localhost:8080/prom/'\n - '--web.console.libraries=/usr/share/prometheus/console_libraries'\n - '--web.console.templates=/usr/share/prometheus/consoles'\n pyroscope:\n container_name: clair-pyroscope\n profiles:\n - debug\n image: *pyroscope-image\n volumes:\n - ./local-dev/pyroscope:/etc/pyroscope/\n command:\n - server\n environment:\n PYROSCOPE_LOG_LEVEL: info\n PYROSCOPE_WAIT_AFTER_STOP: 'true'\n grafana:\n container_name: clair-grafana\n profiles:\n - debug\n image: *grafana-image\n user: \"472\"\n environment:\n GF_SERVER_ROOT_URL: /grafana\n GF_SERVER_SERVE_FROM_SUB_PATH: 'true'\n GF_INSTALL_PLUGINS: 'pyroscope-datasource,pyroscope-panel'\n volumes:\n - ./local-dev/grafana/provisioning/:/etc/grafana/provisioning/\n depends_on:\n - prometheus\n - pyroscope\n postgres-exporter:\n container_name: clair-postgres-exporter\n profiles:\n - debug\n image: *postgres-exporter-image\n environment:\n DATA_SOURCE_NAME: \"postgresql://postgres@clair-database:5432/postgres?sslmode=disable\"\n depends_on:\n clair-database:\n condition: service_healthy\n\n # Notifier services -- use profile 'notifier'\n notifier: ¬ifier\n <<: *clair-service\n container_name: clair-notifier\n profiles:\n - notifier\n environment:\n CLAIR_MODE: \"notifier\"\n NOTIFIER_TEST_MODE: \"true\"\n webhook-target:\n <<: *clair-service\n container_name: webhook-target\n profiles:\n - notifier\n working_dir: /src\n depends_on: {}\n command:\n - go\n - run\n - ./notifier/webhook/cmd/webhookd\n - -D\n - -key\n - c2VjcmV0\n rabbitmq:\n # This provides STOMP and AMQP on the usual ports.\n # The web UI is available on /rabbitmq\n container_name: clair-rabbitmq\n profiles:\n - notifier\n image: *rabbitmq-image\n command:\n - sh\n - -c\n - |\n set -e\n rabbitmq-plugins enable rabbitmq_stomp rabbitmq_management >/dev/null\n exec rabbitmq-server\n\n # Quay -- starts a Quay stack for integration testing.\n # Use profile 'quay'\n quay:\n container_name: clair-quay\n profiles:\n - quay\n image: *quay-image\n volumes:\n - \"./local-dev/quay:/quay-registry/conf/stack\"\n environment:\n DEBUGLOG: \"true\"\n IGNORE_VALIDATION: \"true\"\n depends_on:\n - redis\n - clair-database\n redis:\n container_name: quay-redis\n profiles:\n - quay\n image: *redis-image\n quay-notifier:\n <<: *notifier\n profiles:\n - quay\n environment:\n CLAIR_MODE: \"notifier\"\n skopeo:\n container_name: quay-skopeo\n profiles:\n - quay\n image: *skopeo-image\n entrypoint:\n - sleep\n - inf\n"
},
{
"path": "etc/.gitignore",
"content": "config.local.mk\n"
},
{
"path": "etc/config.mk",
"content": "# `docker` and `docker-compose` control the commands invoked for a container\n# engine and a \"compose file\" handler, respectively.\ndocker ?= $(notdir $(shell command -v podman 2>/dev/null || command -v docker 2>/dev/null))\nifndef docker\n$(error 'docker' must not be defined as empty [checked for: podman, docker])\nendif\ndocker-compose ?= $(notdir $(shell command -v docker-compose 2>/dev/null))\nifndef docker-compose\n$(error 'docker-compose' must not be defined as empty [checked for: docker-compose])\nendif\n\n# `Skopeo` controls the specific skopeo command invoked when needed.\nskopeo ?= $(notdir $(shell command -v skopeo 2>/dev/null))\nifndef skopeo\n$(error 'skopeo' must not be defined as empty [checked for: skopeo])\nendif\n\n# `go` controls the specific go command invoked when needed.\ngo ?= $(notdir $(shell command -v go 2>/dev/null))\nifndef go\n$(error 'go' must not be defined as empty [checked for: go])\nendif\n\n# The package used (via `go run`) to format go files.\ngoimports ?= golang.org/x/tools/cmd/goimports@latest\n\n# `Buildctl` controls the specific buildctl command invoked when needed.\nbuildctl ?= $(notdir $(shell command -v buildctl 2>/dev/null))\nifndef buildctl\nbuildctl = $(go) run github.com/moby/buildkit/cmd/buildctl@latest\nendif\n\n# This is the command invoked when `git archive` is needed.\n# The config option forces consistent line endings.\ngit_archive = git -c core.autocrlf=false archive\n\n# These are arguments added to `go test` invocations.\ntestargs =\n\n# VERSION is the version used when guessing at the current version to be used\n# in dist artifacts.\n#\n# This should be able to be interpreted according to gitrevisions(7) and a\n# semver. The default does this by processing `git describe` output.\nVERSION ?= $(shell git describe --match 'v*' --long | sed 's/\\(.\\+\\)-\\([0-9]\\+-g[a-f0-9]\\)/\\1+\\2/')\nifndef VERSION\n$(error 'VERSION' must not be defined as empty)\nendif\n\n# `IMAGE_NAME` is the names(s) used for the `buildctl` invocations.\n# Can be provided as a comma-separated list for multiple names.\nIMAGE_NAME ?= localhost/clair:latest\nifndef IMAGE_NAME\n$(error 'IMAGE_NAME' not defined, need at least one comma-separated value)\nendif\n\n# `CONTAINER_PLATFORMS` controls the architectures (in OCI notation) of the\n# platforms to build container images for. The OS component is always \"linux.\"\nCONTAINER_PLATFORMS ?= amd64 arm64 ppc64le s390x\nifndef CONTAINER_PLATFORMS\n$(error 'CONTAINER_PLATFORMS' not defined, need at least one space-separated value)\nendif\n\n# The following environment variables are passed as build arguments to the buildctl command, if present:\n#\n# - `CLAIR_VERSION`\n# - `GO_VERSION`\n# - `GOTOOLCHAIN`\n# - `SOURCE_DATE_EPOCH`\n#\n# The first three are used in the Dockerfile.\n# The last is an argument to the dockerfile fronend. See also:\n# https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/reference.md#buildkit-built-in-build-args\nbuildkit_passthru := CLAIR_VERSION GO_VERSION GOTOOLCHAIN SOURCE_DATE_EPOCH\n\n# Any overrides can be put here:\n-include etc/config.local.mk\n\nifdef DEBUG\n$(let vars,\\\n\tdocker docker-compose go goimports testargs VERSION IMAGE_NAME CONTAINER_PLATFORMS $(buildkit_passthru),\\\n\t$(foreach var,$(vars), $(info DEBUG: $(var): $($(var))))\\\n)\nendif\n"
},
{
"path": "etc/container.mk",
"content": "# The following builds a command in the \"buildctl_cmd\" variable that expects a\n# context in the shell variable \"src\" and for the make variable \"@\" (the\n# target) to be present. NB these purposefully are not immediately expanded.\noutput_args = type=oci \\\"name=$(IMAGE_NAME)\\\" oci-mediatypes=true compression=estargz rewrite-timestamp=true dest=$@\nbuildctl_cmd = $(buildctl) build --frontend dockerfile.v0\nbuildctl_cmd += --opt platform=$(call splice,$(foreach a,$(CONTAINER_PLATFORMS),linux/$a))\n# DEBUG toggles on the \"plain\" buildkit output.\nifdef DEBUG\nbuildctl_cmd += --progress plain\nendif\nbuildctl_cmd += --opt build-arg:BUILDKIT_MULTI_PLATFORM=1\nbuildctl_cmd += $(strip $(foreach v,$(buildkit_passthru),$(if $($v),--opt build-arg:$v=$($v),)))\nbuildctl_cmd += --local context=$$src\nbuildctl_cmd += --local dockerfile=$$src\nbuildctl_cmd += --output $(call splice,$(output_args))\nifdef GITHUB_ACTIONS\nbuildctl_cmd += --export-cache type=gha,mode=max\nbuildctl_cmd += --import-cache type=gha\nendif\nifndef BUILDKIT_HOST\n# Add a (hopefully) helpful warning that's printed on buildctl use.\nbuildctl_cmd += $(warning 'BUILDKIT_HOST' is not defined)\nendif\n\n# The \"container\" target builds a container using the current state of the tree.\n.PHONY: container\ncontainer: clair.oci\nrm_pat += *.oci\n\n# Clair.oci builds a container using the current state of the tree.\nclair.oci: $(shell git ls-files -- ':*.go' ':go.mod' ':go.sum') Makefile Dockerfile\n\tsrc=.\n\t$(buildctl_cmd)\n\n# Container-build creates a container using the current state of the tree and\n# loads it into the container engine.\n.PHONY: container-build\ncontainer-build: clair.oci\n\t$(docker) load <$<\n\n# Clair-nightly.oci builds a container after applying our \"nightly\" modifications.\nclair-nightly.oci: $(shell git ls-files -- ':*.go' ':go.mod' ':go.sum') Makefile Dockerfile\n\t$(MAKE) nightly-deps\n\tsrc=$$(mktemp -d)\n\ttrap 'rm -rf $$src' EXIT\n\t$(git_archive) --add-file=go.mod --add-file=go.sum HEAD |\n\t\ttar -x -C \"$$src\"\n\t$(buildctl_cmd)\n\n# The \"dist-container\" target builds a container using a created dist archive.\n.PHONY: dist-container\ndist-container: clair-$(VERSION).oci\n\n# Clair-%.oci builds a container using the state of the tree at the commit\n# indicated by the pattern.\nclair-%.oci: clair-%.tar.gz\n\tsrc=$$(mktemp -d)\n\ttrap 'rm -rf $$src' EXIT\n\ttar -xzf $< -C $$src --strip-components=1\n\t$(buildctl_cmd)\n\n# The \"dist-clairctl\" target builds a container containing all the platforms\n# where upstream supports clairctl.\n.PHONY: dist-clairctl\ndist-clairctl: clairctl-$(VERSION)\n\n# Clairctl-% builds a set of clairctl binaries using the state of the tree at\n# the commit indicated by the pattern\nclairctl-%: clair-%.tar.gz\n\tsrc=$$(mktemp -d)\n\ttrap 'rm -rf $$src' EXIT\n\ttar -xzf $< -C $$src --strip-components=1\n\t$(patsubst type=%,$(strip $(call splice,type=local dest=$@)),\\\n\t$(patsubst platform=%,\\\n\tplatform=$(call splice,$(strip\\\n\t\t$(foreach a,amd64 arm64 ppc64le s390x,linux/$a)\\\n\t\t$(foreach a,amd64 arm64,darwin/$a)\\\n\t\t$(foreach a,amd64 arm64,windows/$a)\\\n\t)),\\\n\t$(buildctl_cmd))) --opt target=ctl\nrm_pat += clairctl-*\n"
},
{
"path": "etc/dev.mk",
"content": "# The \"vendor\" target aliases the actual file that controls the go vendor\n# directory.\n.PHONY: vendor\nvendor: vendor/modules.txt\n\nfindpat := find . -name vendor -prune -o -name\n\n# Helper target for warming the local module cache.\n.PHONY: __moddownload\n__moddownload:\n\t$(findpat) go.mod -execdir $(go) mod download \\;\n\n# `Vendor/modules.txt` is the file that records vendored modules.\n#\n# It's touched on every run of `go mod vendor`, so should be a good proxy for\n# the whole tree.\nvendor/modules.txt: go.mod $(shell $(findpat) *.go -print) | __moddownload\n\t$(go) mod vendor\nrm_pat += vendor\n\n# Nightly-deps modifies the current `go.mod`\n.PHONY: nightly-deps\nnightly-deps: | clean\n\tdeclare -A require exclude replace\n\treplace=(\n\t\t[github.com/quay/claircore]=\"$${CLAIRCORE_BRANCH:=main}\"\n\t)\nifdef GITHUB_ACTIONS\n\techo \"::group::Edits\"\nendif\n\t$(go) mod edit \\\n\t\t$$(for k in \"$${!require[@]}\"; do echo \"-require=$$k@$${require[$$k]}\"; done)\\\n\t\t$$(for k in \"$${!exclude[@]}\"; do echo \"-exclude=$$k@$${exclude[$$k]}\"; done)\\\n\t\t$$(for k in \"$${!replace[@]}\"; do echo \"-replace=$$k=$$k@$${replace[$$k]}\"; done)\n\t$(go) mod tidy\n\t$(go) mod download\nifdef GITHUB_ACTIONS\n\techo \"::endgroup::\"\n\t: \"$${GITHUB_OUTPUT:=/dev/null}\"\n\t: \"$${GITHUB_STEP_SUMMARY:=/dev/stderr}\"\n\tclair_version=\"$$(git describe --tags --always --dirty --match 'v4.*')\"\n\techo \"clair_version=$${clair_version}\" >> \"$$GITHUB_OUTPUT\"\n\tcat <<. >>\"$$GITHUB_STEP_SUMMARY\"\n\t### Changes\n\n\t- **Go version:** $$($(go) version)\n\t- **Clair version:** $${clair_version}\n\t$$(printf '```patch\\n%s\\n```\\n' \"$$(git diff go.mod)\")\n\t.\nendif\n\n# Formats all imports to place local packages below out of tree packages.\n.PHONY: fmt\nfmt:\n\t$(go) list -f '{{$$d := .Dir}}{{range .GoFiles}}{{printf \"%s/%s\\n\" $$d .}}{{end}}' ./... |\\\n\t\txargs sed -i'' '/import (/,/)/{ /^$$/d }'\n\t$(go) list -f '{{.Dir}}' ./... |\\\n\t\txargs $(go) run $(goimports) -local $(shell $(go) list -m) -w\n\na := $(if $(testargs), $(testargs),)\n# Check runs tests for all modules in the local repository.\n#\n# Use the `testargs` variable to add flags to `go test`.\n.PHONY: check\ncheck:\n\t$(findpat) go.mod -execdir $(go) test$(a) ./... \\;\n\n# Checkall runs tests for all modules in the local repository and all\n# dependencies starting with `github.com/quay/clair`.\n#\n# Use the `testargs` variable to add flags to `go test`.\n.PHONY: checkall\ncheckall:\n\t$(go) test$(a) $$( $(go) list -m all | awk '$$1~/github\\.com\\/quay\\/clair/{print $$1\"/...\"}' )\n\n# Start a local development environment.\n#\n# Each service runs in its own container to test service-to-service\n# communication. Local dev configuration can be found in\n# \"/local-dev/clair/config.yaml\"\n.PHONY: local-dev\nlocal-dev: vendor/modules.txt\n\t$(docker-compose) up -d\n\tprintf 'postgresql on port:\\t%s\\n' \"$$($(docker-compose) port traefik 5432)\"\n\n# Targets for docker-compose profiles.\n#\n# TODO(hank) This should build the list of profiles from the docker-compose.yaml file?\n#\tyq '[.services[]|.profiles //[]]|flatten|unique|.[]' docker-compose.yaml\ncompose_profiles := quay notifier debug\ncompose_targets := $(addprefix local-dev-,$(compose_profiles))\ncompose_clair_configs := $(addprefix local-dev/clair/,$(addsuffix .yaml,$(compose_profiles)))\n.PHONY: $(compose_targets)\nlocal-dev-%: local-dev/clair/$*.yaml vendor/modules.txt\n\tCLAIR_CONFIG=$($(out))\n# The following uses the \"call\" on the contents of \"dev-config-${profile}\" if\n# defined, falling back to \"dev-config\".\n$(compose_clair_configs): local-dev/clair/%.yaml: local-dev/clair/config.yaml\n\t$(call $(if $(dev-config-$*),dev-config-$*,dev-config),$< $@)\nrm_pat += local-dev/clair/{$(call splice,$(compose_profiles))}.yaml\n"
},
{
"path": "etc/dist.mk",
"content": "# The \"dist\" target builds a dist archive at git revision \"VERSION\".\n.PHONY: dist\ndist: clair-$(VERSION).tar.gz\n\n# Clair-%.tar.gz builds a dist archive using the state of the tree at the commit\n# indicated by the pattern.\nclair-%.tar.gz: vendor/modules.txt\n\ttarball=$(subst .gz,,$@)\n\tprefix=$(subst .tar.gz,/,$@)\n\t$(git_archive) --format tar\\\n\t\t--prefix \"$$prefix\"\\\n\t\t--output \"$$tarball\"\\\n\t\t$*\n\tdt=$$(tar --list --file \"$$tarball\" --utc --full-time \"$${prefix}go.mod\" | awk '{print $$4 \"T\" $$5 \"Z\"}')\n\ttar --append --file \"$$tarball\"\\\n\t\t--transform \"s,^,$${prefix},\"\\\n\t\t--mtime \"$$(date -Iseconds --date $$dt)\"\\\n\t\t--sort name\\\n\t\t--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime\\\n\t\tvendor\n\tgzip -n -q -f \"$$tarball\"\nrm_pat += clair-*.tar.gz\n"
},
{
"path": "etc/doc.mk",
"content": "# Book builds the documentation into the `book` directory.\nbook:\n\tmdbook build\nrm_pat += book\n"
},
{
"path": "go.mod",
"content": "module github.com/quay/clair/v4\n\ngo 1.25.0\n\nrequire (\n\tgithub.com/Masterminds/semver v1.5.0\n\tgithub.com/evanphx/json-patch/v5 v5.9.11\n\tgithub.com/go-jose/go-jose/v3 v3.0.4\n\tgithub.com/go-stomp/stomp/v3 v3.1.5\n\tgithub.com/google/go-cmp v0.7.0\n\tgithub.com/google/go-containerregistry v0.20.7\n\tgithub.com/google/uuid v1.6.0\n\tgithub.com/grafana/pyroscope-go/godeltaprof v0.1.9\n\tgithub.com/jackc/pgx/v5 v5.8.0\n\tgithub.com/klauspost/compress v1.18.4\n\tgithub.com/prometheus/client_golang v1.23.2\n\tgithub.com/quay/clair/config v1.4.3\n\tgithub.com/quay/claircore v1.5.50\n\tgithub.com/quay/claircore/toolkit v1.4.0\n\tgithub.com/quay/zlog/v2 v2.1.0\n\tgithub.com/rabbitmq/amqp091-go v1.10.0\n\tgithub.com/remind101/migrate v0.0.0-20170729031349-52c1edff7319\n\tgithub.com/rogpeppe/go-internal v1.14.1\n\tgithub.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80\n\tgithub.com/ugorji/go/codec v1.2.14\n\tgithub.com/urfave/cli/v2 v2.27.7\n\tgo.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.65.0\n\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0\n\tgo.opentelemetry.io/otel v1.41.0\n\tgo.opentelemetry.io/otel/exporters/jaeger v1.17.0\n\tgo.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0\n\tgo.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0\n\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0\n\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0\n\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0\n\tgo.opentelemetry.io/otel/exporters/prometheus v0.63.0\n\tgo.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.41.0\n\tgo.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.41.0\n\tgo.opentelemetry.io/otel/sdk v1.41.0\n\tgo.opentelemetry.io/otel/sdk/metric v1.41.0\n\tgo.opentelemetry.io/otel/trace v1.41.0\n\tgolang.org/x/net v0.51.0\n\tgolang.org/x/sync v0.19.0\n\tgolang.org/x/time v0.14.0\n\tgoogle.golang.org/grpc v1.79.1\n\tgopkg.in/yaml.v3 v3.0.1\n)\n\nrequire (\n\tgithub.com/beorn7/perks v1.0.1 // indirect\n\tgithub.com/cenkalti/backoff/v5 v5.0.3 // indirect\n\tgithub.com/cespare/xxhash/v2 v2.3.0 // indirect\n\tgithub.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect\n\tgithub.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect\n\tgithub.com/docker/cli v29.0.3+incompatible // indirect\n\tgithub.com/docker/distribution v2.8.3+incompatible // indirect\n\tgithub.com/docker/docker-credential-helpers v0.9.3 // indirect\n\tgithub.com/doug-martin/goqu/v8 v8.6.0 // indirect\n\tgithub.com/dustin/go-humanize v1.0.1 // indirect\n\tgithub.com/felixge/httpsnoop v1.0.4 // indirect\n\tgithub.com/go-logr/logr v1.4.3 // indirect\n\tgithub.com/go-logr/stdr v1.2.2 // indirect\n\tgithub.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect\n\tgithub.com/jackc/chunkreader/v2 v2.0.1 // indirect\n\tgithub.com/jackc/pgconn v1.14.3 // indirect\n\tgithub.com/jackc/pgio v1.0.0 // indirect\n\tgithub.com/jackc/pgpassfile v1.0.0 // indirect\n\tgithub.com/jackc/pgproto3/v2 v2.3.3 // indirect\n\tgithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect\n\tgithub.com/jackc/puddle/v2 v2.2.2 // indirect\n\tgithub.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect\n\tgithub.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d // indirect\n\tgithub.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 // indirect\n\tgithub.com/kylelemons/godebug v1.1.0 // indirect\n\tgithub.com/mattn/go-isatty v0.0.20 // indirect\n\tgithub.com/mitchellh/go-homedir v1.1.0 // indirect\n\tgithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect\n\tgithub.com/ncruces/go-strftime v1.0.0 // indirect\n\tgithub.com/opencontainers/go-digest v1.0.0 // indirect\n\tgithub.com/opencontainers/image-spec v1.1.1 // indirect\n\tgithub.com/package-url/packageurl-go v0.1.4 // indirect\n\tgithub.com/prometheus/client_model v0.6.2 // indirect\n\tgithub.com/prometheus/common v0.67.5 // indirect\n\tgithub.com/prometheus/otlptranslator v1.0.0 // indirect\n\tgithub.com/prometheus/procfs v0.19.2 // indirect\n\tgithub.com/quay/claircore/updater/driver v1.0.0 // indirect\n\tgithub.com/quay/goval-parser v0.8.8 // indirect\n\tgithub.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect\n\tgithub.com/russross/blackfriday/v2 v2.1.0 // indirect\n\tgithub.com/sirupsen/logrus v1.9.3 // indirect\n\tgithub.com/ulikunitz/xz v0.5.15 // indirect\n\tgithub.com/vbatts/tar-split v0.12.2 // indirect\n\tgithub.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect\n\tgo.opentelemetry.io/auto/sdk v1.2.1 // indirect\n\tgo.opentelemetry.io/otel/metric v1.41.0 // indirect\n\tgo.opentelemetry.io/proto/otlp v1.9.0 // indirect\n\tgo.uber.org/mock v0.6.0 // indirect\n\tgo.yaml.in/yaml/v2 v2.4.3 // indirect\n\tgolang.org/x/crypto v0.48.0 // indirect\n\tgolang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect\n\tgolang.org/x/mod v0.33.0 // indirect\n\tgolang.org/x/sys v0.41.0 // indirect\n\tgolang.org/x/text v0.34.0 // indirect\n\tgolang.org/x/tools v0.42.0 // indirect\n\tgoogle.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect\n\tgoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect\n\tgoogle.golang.org/protobuf v1.36.11 // indirect\n\tmodernc.org/libc v1.67.6 // indirect\n\tmodernc.org/mathutil v1.7.1 // indirect\n\tmodernc.org/memory v1.11.0 // indirect\n\tmodernc.org/sqlite v1.46.1 // indirect\n)\n"
},
{
"path": "go.sum",
"content": "github.com/DATA-DOG/go-sqlmock v1.3.3 h1:CWUqKXe0s8A2z6qCgkP4Kru7wC11YoAnoupUKFDnH08=\ngithub.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=\ngithub.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=\ngithub.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=\ngithub.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=\ngithub.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=\ngithub.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=\ngithub.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=\ngithub.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=\ngithub.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8=\ngithub.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=\ngithub.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/docker/cli v29.0.3+incompatible h1:8J+PZIcF2xLd6h5sHPsp5pvvJA+Sr2wGQxHkRl53a1E=\ngithub.com/docker/cli v29.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=\ngithub.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=\ngithub.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=\ngithub.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=\ngithub.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=\ngithub.com/doug-martin/goqu/v8 v8.6.0 h1:KWuDGL135poBgY+SceArvOtIIEpieNKgIZCvgerI228=\ngithub.com/doug-martin/goqu/v8 v8.6.0/go.mod h1:wiiYWkiguNXK5d4kGIkYmOxBScEL37d9Cfv9tXhPsTk=\ngithub.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=\ngithub.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=\ngithub.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=\ngithub.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=\ngithub.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=\ngithub.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=\ngithub.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=\ngithub.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=\ngithub.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=\ngithub.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=\ngithub.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=\ngithub.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=\ngithub.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=\ngithub.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=\ngithub.com/go-stomp/stomp/v3 v3.1.5 h1:Pikz1OSusmSKUm5mRKYfXQZaDatfZ+EnBBA1JJ2xENQ=\ngithub.com/go-stomp/stomp/v3 v3.1.5/go.mod h1:ztzZej6T2W4Y6FlD+Tb5n7HQP3/O5UNQiuC169pIp10=\ngithub.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=\ngithub.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=\ngithub.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=\ngithub.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=\ngithub.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=\ngithub.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=\ngithub.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=\ngithub.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\ngithub.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4phx0aUgzYzHW6I=\ngithub.com/google/go-containerregistry v0.20.7/go.mod h1:Lx5LCZQjLH1QBaMPeGwsME9biPeo1lPx6lbGj/UmzgM=\ngithub.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=\ngithub.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=\ngithub.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=\ngithub.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=\ngithub.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=\ngithub.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=\ngithub.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=\ngithub.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=\ngithub.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=\ngithub.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=\ngithub.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=\ngithub.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=\ngithub.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=\ngithub.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=\ngithub.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=\ngithub.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=\ngithub.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=\ngithub.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=\ngithub.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=\ngithub.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=\ngithub.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=\ngithub.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=\ngithub.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=\ngithub.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=\ngithub.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=\ngithub.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=\ngithub.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=\ngithub.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=\ngithub.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=\ngithub.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=\ngithub.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=\ngithub.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=\ngithub.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=\ngithub.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=\ngithub.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=\ngithub.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=\ngithub.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o=\ngithub.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=\ngithub.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=\ngithub.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=\ngithub.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=\ngithub.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=\ngithub.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=\ngithub.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=\ngithub.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=\ngithub.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=\ngithub.com/package-url/packageurl-go v0.1.4 h1:RHfiiN1SSY+Kic537DXch6fy593rxGJW6WDzAiOwNdk=\ngithub.com/package-url/packageurl-go v0.1.4/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=\ngithub.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=\ngithub.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=\ngithub.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=\ngithub.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=\ngithub.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=\ngithub.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=\ngithub.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=\ngithub.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=\ngithub.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=\ngithub.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=\ngithub.com/quay/clair/config v1.4.3 h1:ZrvqKJrAR2Noyl1XcMl9oOucdMJsdjGzqQqT/rzxb50=\ngithub.com/quay/clair/config v1.4.3/go.mod h1:MyYm2qGw55+I598zEpwpFFmBq1jp5NLIhBhCigv6tRM=\ngithub.com/quay/claircore v1.5.50 h1:ASYcI4YCdSdSoaNYJvYbihtIzs9cbS9FRjVyUeKjI9k=\ngithub.com/quay/claircore v1.5.50/go.mod h1:MUpoIaI2d83GMn7OwiTJMAXC/11KsEQQJZ8GhDsWFcI=\ngithub.com/quay/claircore/toolkit v1.0.0/go.mod h1:3ELtgf92x7o1JCTSKVOAqhcnCTXc4s5qiGaEDx62i20=\ngithub.com/quay/claircore/toolkit v1.4.0 h1:ygHG1pLAOTSk7r2Wmo/UbIz9WHJb+K3hhQnNIvLrBSQ=\ngithub.com/quay/claircore/toolkit v1.4.0/go.mod h1:0cQXEt/BIYSxo/Wq6ItyAJOJzdvD6ty1wPZJ9xR3b6E=\ngithub.com/quay/claircore/updater/driver v1.0.0 h1:w7dAUjO3GBK6RjNyTZ2Kwz0l/Wuic3ykKJWPB80uA94=\ngithub.com/quay/claircore/updater/driver v1.0.0/go.mod h1:My5aY1wBpgxcWaHQZ0VoPmmj/EzuH7fq4ntzJbos4OI=\ngithub.com/quay/goval-parser v0.8.8 h1:Uf+f9iF2GIR5GPUY2pGoa9il2+4cdES44ZlM0mWm4cA=\ngithub.com/quay/goval-parser v0.8.8/go.mod h1:Y0NTNfPYOC7yxsYKzJOrscTWUPq1+QbtHw4XpPXWPMc=\ngithub.com/quay/zlog/v2 v2.1.0 h1:U55jQXHqB3NyWEt0iPESzIOjQho3PG4HWfXj9j40vEs=\ngithub.com/quay/zlog/v2 v2.1.0/go.mod h1:+FmBwcNIbXOKRWfaIqHGPF+g9WW4hn+OiomLN7eC/dM=\ngithub.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzukfVhBw=\ngithub.com/rabbitmq/amqp091-go v1.10.0/go.mod h1:Hy4jKW5kQART1u+JkDTF9YYOQUHXqMuhrgxOEeS7G4o=\ngithub.com/remind101/migrate v0.0.0-20170729031349-52c1edff7319 h1:ukjThsA2ou7AmovpwtMVkNQSuoN/v5U16+JomTz3c7o=\ngithub.com/remind101/migrate v0.0.0-20170729031349-52c1edff7319/go.mod h1:rhSvwcijY9wfmrBYrfCvapX8/xOTV46NAUjBRgUyJqc=\ngithub.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=\ngithub.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=\ngithub.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=\ngithub.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=\ngithub.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=\ngithub.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=\ngithub.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=\ngithub.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=\ngithub.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=\ngithub.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=\ngithub.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=\ngithub.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=\ngithub.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 h1:nrZ3ySNYwJbSpD6ce9duiP+QkD3JuLCcWkdaehUS/3Y=\ngithub.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80/go.mod h1:iFyPdL66DjUD96XmzVL3ZntbzcflLnznH0fr99w5VqE=\ngithub.com/ugorji/go/codec v1.2.14 h1:yOQvXCBc3Ij46LRkRoh4Yd5qK6LVOgi0bYOXfb7ifjw=\ngithub.com/ugorji/go/codec v1.2.14/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=\ngithub.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=\ngithub.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=\ngithub.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=\ngithub.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=\ngithub.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=\ngithub.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=\ngithub.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=\ngithub.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=\ngithub.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngo.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=\ngo.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=\ngo.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.65.0 h1:ab5U7DpTjjN8pNgwqlA/s0Csb+N2Raqo9eTSDhfg4Z8=\ngo.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.65.0/go.mod h1:nwFJC46Dxhqz5R9k7IV8To/Z46JPvW+GNKhTxQQlUzg=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=\ngo.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=\ngo.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=\ngo.opentelemetry.io/otel/exporters/jaeger v1.17.0 h1:D7UpUy2Xc2wsi1Ras6V40q806WM07rqoCWzXu7Sqy+4=\ngo.opentelemetry.io/otel/exporters/jaeger v1.17.0/go.mod h1:nPCqOnEH9rNLKqH/+rrUjiMzHJdV1BlpKcTwRTyKkKI=\ngo.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 h1:VO3BL6OZXRQ1yQc8W6EVfJzINeJ35BkiHx4MYfoQf44=\ngo.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0/go.mod h1:qRDnJ2nv3CQXMK2HUd9K9VtvedsPAce3S+/4LZHjX/s=\ngo.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0 h1:MMrOAN8H1FrvDyq9UJ4lu5/+ss49Qgfgb7Zpm0m8ABo=\ngo.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0/go.mod h1:Na+2NNASJtF+uT4NxDe0G+NQb+bUgdPDfwxY/6JmS/c=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 h1:ao6Oe+wSebTlQ1OEht7jlYTzQKE+pnx/iNywFvTbuuI=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0/go.mod h1:u3T6vz0gh/NVzgDgiwkgLxpsSF6PaPmo2il0apGJbls=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 h1:mq/Qcf28TWz719lE3/hMB4KkyDuLJIvgJnFGcd0kEUI=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0/go.mod h1:yk5LXEYhsL2htyDNJbEq7fWzNEigeEdV5xBF/Y+kAv0=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 h1:inYW9ZhgqiDqh6BioM7DVHHzEGVq76Db5897WLGZ5Go=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0/go.mod h1:Izur+Wt8gClgMJqO/cZ8wdeeMryJ/xxiOVgFSSfpDTY=\ngo.opentelemetry.io/otel/exporters/prometheus v0.63.0 h1:OLo1FNb0pBZykLqbKRZolKtGZd0Waqlr240YdMEnhhg=\ngo.opentelemetry.io/otel/exporters/prometheus v0.63.0/go.mod h1:8yeQAdhrK5xsWuFehO13Dk/Xb9FuhZoVpJfpoNCfJnw=\ngo.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.41.0 h1:8+lzlbtX0QZ2TfILr7utn3YBipxmIjPHuHgcI1hDLI4=\ngo.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.41.0/go.mod h1:sYzlrHkIULlZBHvhA0wqbR8tHt23pv4eJ87fINn4/Tc=\ngo.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.41.0 h1:61oRQmYGMW7pXmFjPg1Muy84ndqMxQ6SH2L8fBG8fSY=\ngo.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.41.0/go.mod h1:c0z2ubK4RQL+kSDuuFu9WnuXimObon3IiKjJf4NACvU=\ngo.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=\ngo.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=\ngo.opentelemetry.io/otel/sdk v1.41.0 h1:YPIEXKmiAwkGl3Gu1huk1aYWwtpRLeskpV+wPisxBp8=\ngo.opentelemetry.io/otel/sdk v1.41.0/go.mod h1:ahFdU0G5y8IxglBf0QBJXgSe7agzjE4GiTJ6HT9ud90=\ngo.opentelemetry.io/otel/sdk/metric v1.41.0 h1:siZQIYBAUd1rlIWQT2uCxWJxcCO7q3TriaMlf08rXw8=\ngo.opentelemetry.io/otel/sdk/metric v1.41.0/go.mod h1:HNBuSvT7ROaGtGI50ArdRLUnvRTRGniSUZbxiWxSO8Y=\ngo.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=\ngo.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=\ngo.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=\ngo.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=\ngo.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=\ngo.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=\ngo.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=\ngo.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=\ngo.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=\ngo.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=\ngolang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=\ngolang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=\ngolang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=\ngolang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=\ngolang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=\ngolang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=\ngolang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=\ngolang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=\ngolang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=\ngolang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=\ngolang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=\ngolang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=\ngolang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=\ngolang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=\ngolang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=\ngolang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=\ngolang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=\ngolang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=\ngolang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=\ngolang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=\ngolang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=\ngolang.org/x/tools v0.0.0-20190924052046-3ac2a5bbd98a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=\ngolang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=\ngolang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=\ngonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=\ngoogle.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 h1:JLQynH/LBHfCTSbDWl+py8C+Rg/k1OVH3xfcaiANuF0=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:kSJwQxqmFXeo79zOmbrALdflXQeAYcUbgS7PbpMknCY=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 h1:mWPCjDEyshlQYzBpMNHaEof6UX1PmHcaUODUywQ0uac=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=\ngoogle.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=\ngoogle.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=\ngoogle.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=\ngoogle.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=\ngopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=\ngotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=\nmodernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=\nmodernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=\nmodernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=\nmodernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=\nmodernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=\nmodernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=\nmodernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=\nmodernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=\nmodernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=\nmodernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=\nmodernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=\nmodernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=\nmodernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=\nmodernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=\nmodernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=\nmodernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=\nmodernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=\nmodernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=\nmodernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=\nmodernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=\nmodernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=\nmodernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=\nmodernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=\nmodernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=\nmodernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=\nmodernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=\nmodernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=\nmodernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=\n"
},
{
"path": "health/readinesshandler.go",
"content": "package health\n\nimport (\n\t\"net/http\"\n\t\"sync/atomic\"\n)\n\nvar ready atomic.Uint32\n\n// Ready instructs the ReadinessHandler to begin serving 200 OK status.\nfunc Ready() {\n\tready.Store(uint32(1))\n}\n\n// Unready instructs the ReadinessHandler to begin serving 503\n// Service Unavailable.\nfunc Unready() {\n\tready.Store(uint32(0))\n}\n\n// ReadinessHandler will return a 200 OK or 503 \"Service Unavailable\" status\n// depending on whether the Ready or Unready functions have been called.\n//\n// The Ready() method must be called to begin returning 200 OK.\nfunc ReadinessHandler() http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\th := w.Header()\n\t\th.Set(\"X-Content-Type-Options\", \"nosniff\")\n\t\th.Set(\"Content-Type\", \"text/plain; charset=utf-8\")\n\t\th.Set(\"Content-Length\", \"0\")\n\t\th.Set(\"Cache-Control\", \"no-store\")\n\t\tif r.Method != http.MethodGet {\n\t\t\tw.WriteHeader(http.StatusMethodNotAllowed)\n\t\t\treturn\n\t\t}\n\n\t\tif ready.Load() != 1 {\n\t\t\tw.WriteHeader(http.StatusServiceUnavailable)\n\t\t}\n\t})\n}\n"
},
{
"path": "health/readinesshandler_test.go",
"content": "package health_test\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/quay/clair/v4/health\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\nfunc TestReadinessHandler(t *testing.T) {\n\tctx := context.Background()\n\tserver := httptest.NewServer(health.ReadinessHandler())\n\tclient := server.Client()\n\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, server.URL, nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t}\n\t// default handler state should return StatusServiceUnavailable\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to do request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusServiceUnavailable {\n\t\tt.Fatalf(\"expected %d got %d\", http.StatusServiceUnavailable, resp.StatusCode)\n\t}\n\n\t// signal to handler that process is ready. should return StatusOK\n\thealth.Ready()\n\tresp, err = client.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to do request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusOK {\n\t\tt.Fatalf(\"expected %d got %d\", http.StatusOK, resp.StatusCode)\n\t}\n\n\t// signal to handler that process is unready. should return StatusServiceUnavailable\n\thealth.Unready()\n\tresp, err = client.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to do request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusServiceUnavailable {\n\t\tt.Fatalf(\"expected %d got %d\", http.StatusServiceUnavailable, resp.StatusCode)\n\t}\n}\n"
},
{
"path": "httptransport/api/.gitattributes",
"content": "v*/openapi.json linguist-generated\nv*/openapi.yaml linguist-generated\nv*/openapi.etag linguist-generated\n"
},
{
"path": "httptransport/api/lib/oapi.jq",
"content": "# vim: set expandtab ts=2 sw=2:\nmodule {\n name: \"openapi\",\n};\n\n# Some helper functions:\n\ndef ref($ref): # Construct a JSON Schema reference object.\n { \"$ref\": \"\\($ref)\" }\n;\n\ndef lref($kind; $id): # Construct a ref object to an OpenAPI component.\n ref(\"#/components/\\($kind)/\\($id)\")\n;\n\ndef param_ref($id): # Construct a ref object to an OpenAPI parameter component.\n lref(\"parameters\"; $id)\n;\n\ndef response_ref($id): # Construct a ref object to an OpenAPI response component.\n lref(\"responses\"; $id)\n;\n\ndef header_ref($id): # Construct a ref object to an OpenAPI header component.\n lref(\"headers\"; $id)\n;\n\ndef schema_ref($id): # Construct a ref object to an OpenAPI schema component.\n lref(\"schemas\"; $id)\n;\n\ndef mediatype($t; $v): # Return the local vendor mediatype for $t, version $v.\n \"application/vnd.clair.\\($t).\\($v)+json\"\n;\n\ndef mediatype($t): # As mediatype/2, but with the default of \"v1\".\n mediatype($t; \"v1\")\n;\n\ndef contenttype($t; $v): # Construct an OpenAPI content type object for $t, version $v.\n { (mediatype($t; $v)): { \"schema\": schema_ref($t) } }\n;\n\ndef contenttype($t): # As contenttype/2, but with the default version.\n { (mediatype($t)): { \"schema\": schema_ref($t) } }\n;\n\ndef cli_hints: # Add some hints that CLI tools can pick up on to ignore our internal paths.\n (.paths[][] | select(objects and (.tags|contains([\"internal\"]))) ) |= . + {\"x-cli-ignore\": true}\n;\n\ndef sort_paths: # Sort the paths object.\n .paths |= (. | to_entries | sort_by(.key) | from_entries)\n;\n\ndef content_defaults: # All responses that don't have a \"default\" type, pick the first one.\n \"application/json\" as $t |\n [[\"example\"], [\"examples\"]] as $rm |\n ( .paths[][] | select(objects) | .responses[].content | select(objects and (has($t)|not)) ) |= (. + { $t: (to_entries[0].value | delpaths($rm)) })\n |\n ( .paths[][] | select(objects) | .requestBody.content | select(objects and (has($t)|not)) ) |= (. + { $t: (to_entries[0].value | delpaths($rm)) })\n |\n ( .components.responses[].content | select(has($t)|not) ) |= (. + { $t: (to_entries[0].value | delpaths($rm)) })\n;\n"
},
{
"path": "httptransport/api/openapi.zsh",
"content": "#!/usr/bin/zsh\nset -euo pipefail\n\n# This script builds the OpenAPI documents, rendering them into YAML and JSON.\n#\n# The main inputs for this are the \"openapi.jq\" files in the \"v?\" directories.\n# These are jq(1) scripts that are executed with no input in the relevant\n# directory; they're expected to output a valid OpenAPI document. All the JSON\n# Schema documents in the matching \"httptransport/types/v?\" directory are\n# copied into the working directory. Matching files in the \"examples\"\n# subdirectory will be slipstreamed to the expected field.\n#\n# The result is then \"bundled\" into one document, then linted, rendered out to\n# both YAML and JSON, and strings to be used as HTTP Etags are written out.\n\nfor cmd in sha256sum git jq yq npx; do\n\tif ! command -v \"$cmd\" &>/dev/null; then\n\t\tprint missing needed command: \"$cmd\" >&2\n\t\texit 1\n\tfi\ndone\nlocal root=$(git rev-parse --show-toplevel)\n\nfunction jq() {\n\tcommand jq --exit-status \"$@\"\n}\n\nfunction yq() {\n\tcommand yq --exit-status \"$@\"\n}\n\nfunction schemalint() {\n\tlocal tmp=$(mktemp --tmpdir schemalint.out.XXX)\n\ttrap \"\n\t\t[[ \\\"\\$?\\\" -eq 0 ]] || cat \\\"$tmp\\\"\n\t\t[[ -f \\\"$tmp\\\" ]] && rm \\\"$tmp\\\"\n\t\" EXIT\n\tnpx --yes @sourcemeta/jsonschema metaschema --resolve \"$1\" \"$1\" &>>\"$tmp\"\n\tnpx --yes @sourcemeta/jsonschema lint --resolve \"$1\" \"$1\" &>>\"$tmp\"\n}\n\nfunction widdershins() {\n\tlocal tmp=$(mktemp --tmpdir widdershins.out.XXX)\n\ttrap \"\n\t\t[[ \\\"\\$?\\\" -eq 0 ]] || cat \\\"$tmp\\\"\n\t\t[[ -f \\\"$tmp\\\" ]] && rm \\\"$tmp\\\"\n\t\" EXIT\n\tnpx --yes widdershins \\\n\t\t-o \"${root}/Documentation/reference/api.md\" \\\n\t\t--search false \\\n\t\t--language_tabs python:Python go:Golang javascript:Javascript \\\n\t\t--summary \\\n\t\t\"${1?missing OpenAPI document}\" &>\"$tmp\"\n}\n\nfunction render() {\n\ttrap '\n\t\trm openapi.*.{json,yaml}(N) *.schema.json(N)\n\t\tpopd -q\n\t' EXIT\n\tpushd -q \"${1?missing directory argument}\"\n\tlocal v=${1:A:t}\n\tlocal t=${1:A:h:h}/types/$v\n\n\tschemalint \"$t\"\n\tfor f in ${t}/*.schema.json; do\n\t\tlocal ex=examples/${${f:t}%.schema.json}.json\n\t\tif [[ -f \"$ex\" ]]; then\n\t\t\tjq --slurpfile ex \"${ex}\" 'setpath([\"examples\"]; $ex)' \"$f\" > \"${f:t}\"\n\t\telse\n\t\t\tcp \"$f\" .\n\t\tfi\n\tdone\n\n\tjq --null-input \\\n\t\t'reduce (inputs|(.[\"$id\"]|split(\"/\")|.[-1]|rtrimstr(\".schema.json\")) as $k|{components:{schemas:{$k:.}}}) as $it({};. * $it)'\\\n\t\t*.schema.json >openapi.types.json\n\n\n\tjq --null-input -L \"${1:A:h}/lib\" --from-file openapi.jq >openapi.frag.json\n\tjq --null-input 'reduce inputs as $it({};. * $it)' openapi.{frag,types}.json >openapi.json\n\n\tyq -pj eval . openapi.yaml\n\t# Need some validator that actually works >:(\n\n\tsha256sum openapi.json |\n\t\tawk '{printf \"\\\"%s\\\"\", $1 >\"openapi.etag\" }'\n}\n\n# Process all the openapi generation scripts.\nfor d in ${root}/httptransport/api/v*/openapi.jq(om); do\n\trender \"${d:h}\"\ndone\n\n# Generate documentation for the highest version.\nwiddershins \"${root}\"/httptransport/api/v*/openapi.yaml(NnOn[1])\n"
},
{
"path": "httptransport/api/v1/examples/affected_manifests.json",
"content": "{\"vulnerabilities\":{\"42\":{\"id\":\"42\"}},\"vulnerable_manifests\":{\"sha256:01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\":[\"42\"]}}\n"
},
{
"path": "httptransport/api/v1/examples/bulk_delete.json",
"content": "[\n \"sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\"\n]\n"
},
{
"path": "httptransport/api/v1/examples/cpe.json",
"content": "\"cpe:/a:microsoft:internet_explorer:8.0.6001:beta\"\n\"cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*\"\n"
},
{
"path": "httptransport/api/v1/examples/digest.json",
"content": "\"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\"\n\"sha512:27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd\"\n\"blake3:6e46dd10defc9b56c29a6ec56b508c21f54c08192194e4df25bf36f0c9c3c279\"\n"
},
{
"path": "httptransport/api/v1/examples/distribution.json",
"content": "{\n \"id\": \"1\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"pretty_name\": \"Ubuntu 18.04.3 LTS\"\n}\n"
},
{
"path": "httptransport/api/v1/examples/environment.json",
"content": "{\n \"value\": {\n \"package_db\": \"var/lib/dpkg/status\",\n \"introduced_in\": \"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\",\n \"distribution_id\": \"1\"\n }\n}\n"
},
{
"path": "httptransport/api/v1/examples/manifest.json",
"content": "{\n \"hash\": \"sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\",\n \"layers\": [\n {\n \"hash\": \"sha256:2f077db56abccc19f16f140f629ae98e904b4b7d563957a7fc319bd11b82ba36\",\n \"uri\": \"https://storage.example.com/blob/2f077db56abccc19f16f140f629ae98e904b4b7d563957a7fc319bd11b82ba36\",\n \"headers\": {\n \"Authoriztion\": [\n \"Bearer hunter2\"\n ]\n }\n }\n ]\n}\n"
},
{
"path": "httptransport/api/v1/examples/notification_page.json",
"content": "{\n \"page\": {\n \"size\": 100,\n \"next\": \"1b4d0db2-e757-4150-bbbb-543658144205\"\n },\n \"notifications\": [\n {\n \"id\": \"5e4b387e-88d3-4364-86fd-063447a6fad2\",\n \"manifest\": \"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\",\n \"reason\": \"added\",\n \"vulnerability\": {\n \"name\": \"CVE-2009-5155\",\n \"fixed_in_version\": \"v0.0.1\",\n \"links\": \"http://example.com/CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\\\"\",\n \"normalized_severity\": \"Unknown\",\n \"package\": {\n \"id\": \"10\",\n \"name\": \"libapt-pkg5.0\",\n \"version\": \"1.6.11\",\n \"kind\": \"BINARY\",\n \"arch\": \"x86\",\n \"source\": {\n \"id\": \"9\",\n \"name\": \"apt\",\n \"version\": \"1.6.11\",\n \"kind\": \"SOURCE\",\n \"source\": null\n }\n },\n \"distribution\": {\n \"id\": \"1\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"pretty_name\": \"Ubuntu 18.04.3 LTS\"\n }\n }\n }\n ]\n}\n"
},
{
"path": "httptransport/api/v1/examples/package.json",
"content": "{\n \"id\": \"10\",\n \"name\": \"libapt-pkg5.0\",\n \"version\": \"1.6.11\",\n \"kind\": \"binary\",\n \"normalized_version\": \"\",\n \"arch\": \"x86\",\n \"module\": \"\",\n \"cpe\": \"\",\n \"source\": {\n \"id\": \"9\",\n \"name\": \"apt\",\n \"version\": \"1.6.11\",\n \"kind\": \"source\",\n \"source\": null\n }\n}\n"
},
{
"path": "httptransport/api/v1/examples/vulnerability.json",
"content": "{\n \"id\": \"356835\",\n \"updater\": \"ubuntu\",\n \"name\": \"CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\",\n \"links\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155 http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-5155.html https://sourceware.org/bugzilla/show_bug.cgi?id=11053 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238 https://sourceware.org/bugzilla/show_bug.cgi?id=18986\",\n \"severity\": \"Low\",\n \"normalized_severity\": \"Low\",\n \"package\": {\n \"id\": \"0\",\n \"name\": \"glibc\",\n \"version\": \"2.27-0ubuntu1\",\n \"kind\": \"binary\",\n \"source\": null\n },\n \"dist\": {\n \"id\": \"0\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"arch\": \"amd64\"\n },\n \"repo\": {\n \"id\": \"0\",\n \"name\": \"Ubuntu 18.04.3 LTS\"\n },\n \"issued\": \"2019-10-12T07:20:50.52Z\",\n \"fixed_in_version\": \"2.28-0ubuntu1\"\n}\n"
},
{
"path": "httptransport/api/v1/examples/vulnerability_summary.json",
"content": "{\n \"name\": \"CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\",\n \"normalized_severity\": \"Low\",\n \"fixed_in_version\": \"v0.0.1\",\n \"links\": \"http://link-to-advisory\",\n \"package\": {\n \"id\": \"0\",\n \"name\": \"glibc\",\n \"version\": \"v0.0.1-rc1\"\n },\n \"dist\": {\n \"id\": \"0\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\"\n },\n \"repo\": {\n \"id\": \"0\",\n \"name\": \"Ubuntu 18.04.3 LTS\"\n }\n}\n"
},
{
"path": "httptransport/api/v1/openapi.etag",
"content": "\"c8f7a50c0be60ee322a40f622e544801f5014effe8ff338ea35b18ed4c07806b\""
},
{
"path": "httptransport/api/v1/openapi.jq",
"content": "# vim: set expandtab ts=2 sw=2:\ninclude \"oapi\";\n\n# Some helper functions:\ndef example_ref($id): ref(\"examples/\\($id).json\"); # Files are local at build time.\ndef responses($r):\n{\n \"200\": {\n description: \"Success\",\n headers: {\n \"Clair-Error\": header_ref(\"Clair-Error\"),\n },\n },\n \"400\": response_ref(\"bad_request\"),\n \"415\": response_ref(\"unsupported_media_type\"),\n default: response_ref(\"oops\"),\n} * $r\n;\n\n# Some variables:\n\"/notifier/api/v1\" as $path_notif |\n\"/matcher/api/v1\" as $path_match |\n\"/indexer/api/v1\" as $path_index |\n\n# The OpenAPI object:\n{\n openapi: \"3.1.0\",\n info: {\n title: \"Clair Container Analyzer\",\n description: ([\n \"Clair is a set of cooperating microservices which can index and match a container image's content with known vulnerabilities.\",\n \"\",\n \"**Note:** Any endpoints tagged \\\"internal\\\" are documented for completeness but are considered exempt from versioning.\",\n \"\"] | join(\"\\n\") | sub(\"[[:space:]]*$\"; \"\")),\n version: \"1.2.0\",\n contact: {\n name: \"Clair Team\",\n url: \"http://github.com/quay/clair\",\n email: \"clair-devel@googlegroups.com\",\n },\n license: {\n name: \"Apache License 2.0\",\n url: \"http://www.apache.org/licenses/\",\n }\n },\n externalDocs: { url: \"https://quay.github.io/clair/\" },\n tags: ({\n indexer: \"Indexer service endpoints.\\n\\nThese are responsible for determining the contents of containers.\",\n matcher: \"Matcher service endpoints.\\n\\nThese are responsible for generating reports against current vulnerability data.\",\n notifier: \"Matcher service endpoints.\\n\\nThese are responsible for serving notifications.\",\n internal: \"These are internal endpoints, documented for completeness.\\n\\nThey are exempted from API stability guarentees.\",\n } | to_entries | map({name: .key, description: .value}) ),\n paths: {\n \"\\($path_notif)/notification/{id}\": {\n parameters: [ {\n in: \"path\",\n name: \"id\",\n required: true,\n schema: schema_ref(\"token\"),\n description: \"A notification ID returned by a callback\"\n } ],\n delete: {\n operationId: \"DeleteNotification\",\n responses: responses({\n \"200\": { description: \"Delete the notification referenced by the \\\"id\\\" parameter.\" },\n }),\n },\n get: {\n operationId: \"GetNotification\",\n parameters: [\n {\n in: \"query\",\n name: \"page_size\",\n schema: {\n type: \"integer\",\n default: 500,\n },\n description: \"The maximum number of notifications to deliver in a single page.\"\n },\n {\n in: \"query\",\n name: \"next\",\n schema: schema_ref(\"token\"),\n description: \"The next page to fetch via id. Typically this number is provided on initial response in the \\\"page.next\\\" field. The first request should omit this field.\"\n }\n ],\n responses: responses({\n \"200\": {\n description: \"A paginated list of notifications\",\n content: contenttype(\"notification_page\"),\n },\n \"304\": {\n description: \"Not Modified\",\n },\n })\n }\n },\n \"\\($path_index)/index_report\": {\n post: {\n operationId: \"Index\",\n requestBody: {\n description: \"Manifest to index.\",\n required: true,\n content: contenttype(\"manifest\"),\n },\n responses: (responses({\n \"201\": {\n description: \"IndexReport created.\\n\\nClients may want to avoid reading the body if simply submitting the manifest for later vulnerability reporting.\",\n content: contenttype(\"index_report\"),\n headers: {\n Location: header_ref(\"Location\"),\n Link: header_ref(\"Link\"),\n },\n links: {\n retrieve: {\n operationId: \"GetIndexReport\",\n parameters: {\n digest: \"$request.body#/hash\"\n },\n },\n delete: {\n operationId: \"DeleteManifest\",\n parameters: {\n digest: \"$request.body#/hash\"\n },\n },\n report: {\n operationId: \"GetVulnerabilityReport\",\n parameters: {\n digest: \"$request.body#/hash\"\n },\n },\n },\n },\n \"412\": {\n description: \"Precondition Failed\",\n },\n }) | del(.[\"200\"])),\n },\n delete: {\n operationId: \"DeleteManifests\",\n requestBody: {\n description: \"Array of manifest digests to delete.\",\n required: true,\n content: contenttype(\"bulk_delete\"),\n },\n responses: responses({\n \"200\": {\n description: \"Successfully deleted manifests.\",\n content: contenttype(\"bulk_delete\"),\n },\n }),\n }\n },\n \"\\($path_index)/index_report/{digest}\": {\n delete: {\n operationId: \"DeleteManifest\",\n responses: (responses({\"204\": {\n description: \"Success\",\n }}) |\n del(.[\"200\"])),\n },\n get: {\n operationId: \"GetIndexReport\",\n responses: responses({\n \"200\": {\n description: \"IndexReport retrieved\",\n content: contenttype(\"index_report\"),\n },\n \"404\": response_ref(\"not_found\"),\n }),\n },\n parameters: [ param_ref(\"digest\") ],\n },\n \"\\($path_index)/internal/affected_manifest\": {\n post: {\n operationId: \"AffectedManifests\",\n requestBody: {\n description: \"Array of vulnerability summaries to report on.\",\n required: true,\n content: contenttype(\"vulnerability_summaries\"),\n },\n responses: responses({\n \"200\": {\n description: \"The list of manifests and the corresponding vulnerabilities.\",\n content: contenttype(\"affected_manifests\"),\n },\n }),\n },\n },\n \"\\($path_index)/index_state\": {\n get: {\n operationId: \"IndexState\",\n responses: {\n \"200\": {\n description: \"Indexer State\",\n headers: {\n Etag: header_ref(\"Etag\"),\n },\n content: contenttype(\"index_state\"),\n },\n \"304\": {\n description: \"Not Modified\",\n },\n }\n }\n },\n \"\\($path_match)/vulnerability_report/{digest}\": {\n get: {\n operationId: \"GetVulnerabilityReport\",\n responses: (responses({\n \"201\": {\n description: \"Vulnerability Report Created\",\n content: contenttype(\"vulnerability_report\"),\n }\n ,\n \"404\": response_ref(\"not_found\"),\n }) | del(.[\"200\"])),\n },\n parameters: [ param_ref(\"digest\") ],\n },\n \"\\($path_match)/internal/update_operation\": {\n get: {\n operationId: \"GetUpdateOperation\",\n responses: responses({\n \"200\": {\n description: \"Update Operations, keyed by updater.\",\n content: contenttype(\"update_operations\"),\n },\n }),\n parameters: [\n {\n in: \"query\",\n name: \"kind\",\n schema: {\n enum:[\"vulnerability\", \"enrichment\"],\n default:\"vulnerability\",\n },\n description: \"The \\\"kind\\\" of updaters to query.\"\n },\n {\n in: \"query\",\n name: \"latest\",\n schema: {\n type:\"boolean\",\n default: false\n },\n description: \"Return only the latest Update Operations instead of all known Update Operations.\"\n }\n ],\n },\n },\n \"\\($path_match)/internal/update_operation/{digest}\": {\n delete: {\n operationId: \"DeleteUpdateOperation\",\n responses: (responses({})),\n },\n parameters: [ param_ref(\"digest\") ],\n },\n \"\\($path_match)/internal/update_diff\": {\n get: {\n operationId: \"GetUpdateDiff\",\n responses: responses({\n \"200\": {\n description: \"Changes between two Update Operations.\",\n content: contenttype(\"update_diff\"),\n },\n }),\n parameters: [\n {\n in: \"query\",\n name: \"cur\",\n schema: schema_ref(\"token\"),\n description: \"\\\"Current\\\" Update Operation ref.\"\n },\n {\n in: \"query\",\n name: \"prev\",\n required: true,\n schema: schema_ref(\"token\"),\n description: \"\\\"Previous\\\" Update Operation ref.\"\n }\n ],\n },\n },\n },\n security: [\n {},\n { PSK: [] }\n ],\n webhooks: {\n notification: {\n post: {\n tags: [\"notifier\"],\n description: \"If configured, Clair will issue webhooks when notifications are available for retrieval.\",\n requestBody: {\n content: contenttype(\"notification_webhook\"),\n },\n responses: {\n \"200\": {\n description: \"OK\",\n },\n },\n },\n },\n },\n components: {\n schemas: {\n # Anything here will get overwritten by standalone JSON Schema objects\n # if the keys are duplicated.\n #\n # Generally, anything that goes in a response/request body should have a\n # schema over in the types directory.\n token: {\n type: \"string\",\n description: \"An opaque token previously obtained from the service.\",\n },\n },\n responses: {\n bad_request: {\n description: \"Bad Request\",\n content: contenttype(\"error\"),\n },\n oops: {\n description: \"Internal Server Error\",\n content: contenttype(\"error\"),\n },\n not_found: {\n description: \"Not Found\",\n content: contenttype(\"error\"),\n },\n # Not expressible in OpenAPI:\n #method_not_allowed: {\n # description: \"Method Not Allowed\",\n # headers: {\n # Allow: header_ref(\"Allow\"),\n # },\n # content: contenttype(\"error\"),\n #},\n unsupported_media_type: {\n description: \"Unsupported Media Type\",\n content: contenttype(\"error\"),\n },\n },\n parameters: {\n digest: {\n description: \"OCI-compatible digest of a referred object.\",\n name: \"digest\",\n in: \"path\",\n schema: schema_ref(\"digest\"),\n required: true,\n }\n },\n headers: {\n # Only used for 415 Method Not Allowed responses, which aren't expressible in OpenAPI.\n #Allow: {\n # description: \"TKTK\",\n # style: \"simple\",\n # schema: { type: \"string\" },\n # required: true,\n #},\n \"Clair-Error\": {\n description: \"This is a trailer containing any errors encountered while writing the response.\",\n style: \"simple\",\n schema: { type: \"string\" },\n },\n Etag: {\n description: \"HTTP [ETag header](https://httpwg.org/specs/rfc9110.html#field.etag)\",\n style: \"simple\",\n schema: { type: \"string\" }\n },\n Link: {\n description: \"Web Linking [Link header](https://httpwg.org/specs/rfc8288.html#header)\",\n style: \"simple\",\n schema: { type: \"string\" },\n },\n Location: {\n description: \"HTTP [Location header](https://httpwg.org/specs/rfc9110.html#field.location)\",\n style: \"simple\",\n required: true,\n schema: { type: \"string\" },\n },\n },\n securitySchemes: {\n PSK: {\n type: \"http\",\n scheme: \"bearer\",\n bearerFormat: \"JWT with preshared key and allow-listed issuers\",\n description: \"Clair's authentication scheme.\\n\\nThis is a [JWT](https://datatracker.ietf.org/doc/html/rfc7519) signed with a configured pre-shared key containing an allowlisted `iss` claim.\",\n },\n },\n },\n}\n|\n# And now, a bunch of fixups:\ndef add_tags: # Match the path prefixes and add default tags.\n .paths |= with_entries(\n (\n if (.key|contains(\"internal\")) then\n \"internal\"\n elif (.key|startswith($path_index)) then\n \"indexer\"\n elif (.key|startswith($path_match)) then\n \"matcher\"\n elif (.key|startswith($path_notif)) then\n \"notifier\"\n else\n \"\"\n end\n ) as $k |\n if ($k==\"\") then\n .\n else\n (.value[]|select(objects)) |= . + {\n tags: ((.tags//[]) + [$k]),\n }\n end\n )\n;\ndef operation_metadata: # Slipstream some metadata into response objects.\n {\n AffectedManifests: {\n summary: \"Retrieve Manifests Affected by a Vulnerability\",\n description: \"The provided vulnerability summaries are attempted to be run \\\"backwards\\\" through the indexer to produce a set of manifests.\",\n },\n DeleteManifest: {\n summary: \"Delete an Indexed Manifest\",\n description: \"Given a Manifest's content addressable hash, any data related to it will be removed it it exists.\",\n },\n DeleteManifests: {\n summary: \"Delete Indexed Manifests\",\n description: \"Given a Manifest's content addressable hash, any data related to it will be removed if it exists.\",\n },\n DeleteNotification: {\n summary: \"Delete a Notification Set\",\n description: \"Issues a delete of the provided notification ID and all associated notifications.\\nAfter this delete clients will no longer be able to retrieve notifications.\",\n },\n DeleteUpdateOperation: {\n summary: \"Delete an Update Operation\",\n description: \"Issues a delete of the provided Update Operation ID and all associated data.\\nAfter this delete clients will no longer be able to generate a diff against this Update Operation.\",\n },\n GetIndexReport: {\n summary: \"Retrieve the IndexReport for a Manifest\",\n description: \"Given a Manifest's content addressable hash, an IndexReport will be retrieved if it exists.\",\n },\n GetNotification: {\n summary: \"Retrieve Pages of a Notification Set\",\n description: \"By performing a GET with an id as a path parameter, the client will retrieve a paginated response of notification objects.\",\n },\n GetUpdateDiff: {\n summary: \"Retrieve Vulnerability Changes Between Two Update Operations\",\n description: \"Given IDs for two Update Operations, this will return the difference between them. This is used in the notification flow.\",\n },\n GetUpdateOperation: {\n summary: \"Retrieve Update Operations\",\n description: \"Retrive all known or just the latest Update Operations.\",\n },\n GetVulnerabilityReport: {\n summary: \"Retrieve a VulnerabilityReport for a Manifest\",\n description: \"Given a Manifest's content addressable hash a VulnerabilityReport will be created. The Manifest **must** have been Indexed first via the Index endpoint.\",\n },\n Index: {\n summary: \"Index a Manifest\",\n description: \"By submitting a Manifest object to this endpoint Clair will fetch the layers, scan each layer's contents, and provide an index of discovered packages, repository and distribution information.\",\n },\n IndexState: {\n summary: \"Report the Indexer's State\",\n description: \"The index state endpoint returns a json structure indicating the indexer's internal configuration state.\\nA client may be interested in this as a signal that manifests may need to be re-indexed.\",\n },\n } as $m |\n ( .paths[][] | select(objects) ) |= (\n .operationId as $id |\n ($m[$id]?) as $m |\n if ($m) then\n . + $m\n else\n .\n end\n )\n;\n\nsort_paths |\ncontent_defaults |\nadd_tags |\noperation_metadata |\ncli_hints |\n.\n"
},
{
"path": "httptransport/api/v1/openapi.json",
"content": "{\n \"openapi\": \"3.1.0\",\n \"info\": {\n \"title\": \"Clair Container Analyzer\",\n \"description\": \"Clair is a set of cooperating microservices which can index and match a container image's content with known vulnerabilities.\\n\\n**Note:** Any endpoints tagged \\\"internal\\\" are documented for completeness but are considered exempt from versioning.\",\n \"version\": \"1.2.0\",\n \"contact\": {\n \"name\": \"Clair Team\",\n \"url\": \"http://github.com/quay/clair\",\n \"email\": \"clair-devel@googlegroups.com\"\n },\n \"license\": {\n \"name\": \"Apache License 2.0\",\n \"url\": \"http://www.apache.org/licenses/\"\n }\n },\n \"externalDocs\": {\n \"url\": \"https://quay.github.io/clair/\"\n },\n \"tags\": [\n {\n \"name\": \"indexer\",\n \"description\": \"Indexer service endpoints.\\n\\nThese are responsible for determining the contents of containers.\"\n },\n {\n \"name\": \"matcher\",\n \"description\": \"Matcher service endpoints.\\n\\nThese are responsible for generating reports against current vulnerability data.\"\n },\n {\n \"name\": \"notifier\",\n \"description\": \"Matcher service endpoints.\\n\\nThese are responsible for serving notifications.\"\n },\n {\n \"name\": \"internal\",\n \"description\": \"These are internal endpoints, documented for completeness.\\n\\nThey are exempted from API stability guarentees.\"\n }\n ],\n \"paths\": {\n \"/indexer/api/v1/index_report\": {\n \"post\": {\n \"operationId\": \"Index\",\n \"requestBody\": {\n \"description\": \"Manifest to index.\",\n \"required\": true,\n \"content\": {\n \"application/vnd.clair.manifest.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/manifest\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/manifest\"\n }\n }\n }\n },\n \"responses\": {\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n },\n \"201\": {\n \"description\": \"IndexReport created.\\n\\nClients may want to avoid reading the body if simply submitting the manifest for later vulnerability reporting.\",\n \"content\": {\n \"application/vnd.clair.index_report.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/index_report\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/index_report\"\n }\n }\n },\n \"headers\": {\n \"Location\": {\n \"$ref\": \"#/components/headers/Location\"\n },\n \"Link\": {\n \"$ref\": \"#/components/headers/Link\"\n }\n },\n \"links\": {\n \"retrieve\": {\n \"operationId\": \"GetIndexReport\",\n \"parameters\": {\n \"digest\": \"$request.body#/hash\"\n }\n },\n \"delete\": {\n \"operationId\": \"DeleteManifest\",\n \"parameters\": {\n \"digest\": \"$request.body#/hash\"\n }\n },\n \"report\": {\n \"operationId\": \"GetVulnerabilityReport\",\n \"parameters\": {\n \"digest\": \"$request.body#/hash\"\n }\n }\n }\n },\n \"412\": {\n \"description\": \"Precondition Failed\"\n }\n },\n \"tags\": [\n \"indexer\"\n ],\n \"summary\": \"Index a Manifest\",\n \"description\": \"By submitting a Manifest object to this endpoint Clair will fetch the layers, scan each layer's contents, and provide an index of discovered packages, repository and distribution information.\"\n },\n \"delete\": {\n \"operationId\": \"DeleteManifests\",\n \"requestBody\": {\n \"description\": \"Array of manifest digests to delete.\",\n \"required\": true,\n \"content\": {\n \"application/vnd.clair.bulk_delete.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/bulk_delete\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/bulk_delete\"\n }\n }\n }\n },\n \"responses\": {\n \"200\": {\n \"description\": \"Successfully deleted manifests.\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n },\n \"content\": {\n \"application/vnd.clair.bulk_delete.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/bulk_delete\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/bulk_delete\"\n }\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n }\n },\n \"tags\": [\n \"indexer\"\n ],\n \"summary\": \"Delete Indexed Manifests\",\n \"description\": \"Given a Manifest's content addressable hash, any data related to it will be removed if it exists.\"\n }\n },\n \"/indexer/api/v1/index_report/{digest}\": {\n \"delete\": {\n \"operationId\": \"DeleteManifest\",\n \"responses\": {\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n },\n \"204\": {\n \"description\": \"Success\"\n }\n },\n \"tags\": [\n \"indexer\"\n ],\n \"summary\": \"Delete an Indexed Manifest\",\n \"description\": \"Given a Manifest's content addressable hash, any data related to it will be removed it it exists.\"\n },\n \"get\": {\n \"operationId\": \"GetIndexReport\",\n \"responses\": {\n \"200\": {\n \"description\": \"IndexReport retrieved\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n },\n \"content\": {\n \"application/vnd.clair.index_report.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/index_report\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/index_report\"\n }\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n },\n \"404\": {\n \"$ref\": \"#/components/responses/not_found\"\n }\n },\n \"tags\": [\n \"indexer\"\n ],\n \"summary\": \"Retrieve the IndexReport for a Manifest\",\n \"description\": \"Given a Manifest's content addressable hash, an IndexReport will be retrieved if it exists.\"\n },\n \"parameters\": [\n {\n \"$ref\": \"#/components/parameters/digest\"\n }\n ]\n },\n \"/indexer/api/v1/index_state\": {\n \"get\": {\n \"operationId\": \"IndexState\",\n \"responses\": {\n \"200\": {\n \"description\": \"Indexer State\",\n \"headers\": {\n \"Etag\": {\n \"$ref\": \"#/components/headers/Etag\"\n }\n },\n \"content\": {\n \"application/vnd.clair.index_state.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/index_state\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/index_state\"\n }\n }\n }\n },\n \"304\": {\n \"description\": \"Not Modified\"\n }\n },\n \"tags\": [\n \"indexer\"\n ],\n \"summary\": \"Report the Indexer's State\",\n \"description\": \"The index state endpoint returns a json structure indicating the indexer's internal configuration state.\\nA client may be interested in this as a signal that manifests may need to be re-indexed.\"\n }\n },\n \"/indexer/api/v1/internal/affected_manifest\": {\n \"post\": {\n \"operationId\": \"AffectedManifests\",\n \"requestBody\": {\n \"description\": \"Array of vulnerability summaries to report on.\",\n \"required\": true,\n \"content\": {\n \"application/vnd.clair.vulnerability_summaries.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/vulnerability_summaries\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/vulnerability_summaries\"\n }\n }\n }\n },\n \"responses\": {\n \"200\": {\n \"description\": \"The list of manifests and the corresponding vulnerabilities.\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n },\n \"content\": {\n \"application/vnd.clair.affected_manifests.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/affected_manifests\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/affected_manifests\"\n }\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n }\n },\n \"tags\": [\n \"internal\"\n ],\n \"summary\": \"Retrieve Manifests Affected by a Vulnerability\",\n \"description\": \"The provided vulnerability summaries are attempted to be run \\\"backwards\\\" through the indexer to produce a set of manifests.\",\n \"x-cli-ignore\": true\n }\n },\n \"/matcher/api/v1/internal/update_diff\": {\n \"get\": {\n \"operationId\": \"GetUpdateDiff\",\n \"responses\": {\n \"200\": {\n \"description\": \"Changes between two Update Operations.\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n },\n \"content\": {\n \"application/vnd.clair.update_diff.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/update_diff\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/update_diff\"\n }\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n }\n },\n \"parameters\": [\n {\n \"in\": \"query\",\n \"name\": \"cur\",\n \"schema\": {\n \"$ref\": \"#/components/schemas/token\"\n },\n \"description\": \"\\\"Current\\\" Update Operation ref.\"\n },\n {\n \"in\": \"query\",\n \"name\": \"prev\",\n \"required\": true,\n \"schema\": {\n \"$ref\": \"#/components/schemas/token\"\n },\n \"description\": \"\\\"Previous\\\" Update Operation ref.\"\n }\n ],\n \"tags\": [\n \"internal\"\n ],\n \"summary\": \"Retrieve Vulnerability Changes Between Two Update Operations\",\n \"description\": \"Given IDs for two Update Operations, this will return the difference between them. This is used in the notification flow.\",\n \"x-cli-ignore\": true\n }\n },\n \"/matcher/api/v1/internal/update_operation\": {\n \"get\": {\n \"operationId\": \"GetUpdateOperation\",\n \"responses\": {\n \"200\": {\n \"description\": \"Update Operations, keyed by updater.\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n },\n \"content\": {\n \"application/vnd.clair.update_operations.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/update_operations\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/update_operations\"\n }\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n }\n },\n \"parameters\": [\n {\n \"in\": \"query\",\n \"name\": \"kind\",\n \"schema\": {\n \"enum\": [\n \"vulnerability\",\n \"enrichment\"\n ],\n \"default\": \"vulnerability\"\n },\n \"description\": \"The \\\"kind\\\" of updaters to query.\"\n },\n {\n \"in\": \"query\",\n \"name\": \"latest\",\n \"schema\": {\n \"type\": \"boolean\",\n \"default\": false\n },\n \"description\": \"Return only the latest Update Operations instead of all known Update Operations.\"\n }\n ],\n \"tags\": [\n \"internal\"\n ],\n \"summary\": \"Retrieve Update Operations\",\n \"description\": \"Retrive all known or just the latest Update Operations.\",\n \"x-cli-ignore\": true\n }\n },\n \"/matcher/api/v1/internal/update_operation/{digest}\": {\n \"delete\": {\n \"operationId\": \"DeleteUpdateOperation\",\n \"responses\": {\n \"200\": {\n \"description\": \"Success\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n }\n },\n \"tags\": [\n \"internal\"\n ],\n \"summary\": \"Delete an Update Operation\",\n \"description\": \"Issues a delete of the provided Update Operation ID and all associated data.\\nAfter this delete clients will no longer be able to generate a diff against this Update Operation.\",\n \"x-cli-ignore\": true\n },\n \"parameters\": [\n {\n \"$ref\": \"#/components/parameters/digest\"\n }\n ]\n },\n \"/matcher/api/v1/vulnerability_report/{digest}\": {\n \"get\": {\n \"operationId\": \"GetVulnerabilityReport\",\n \"responses\": {\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n },\n \"201\": {\n \"description\": \"Vulnerability Report Created\",\n \"content\": {\n \"application/vnd.clair.vulnerability_report.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/vulnerability_report\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/vulnerability_report\"\n }\n }\n }\n },\n \"404\": {\n \"$ref\": \"#/components/responses/not_found\"\n }\n },\n \"tags\": [\n \"matcher\"\n ],\n \"summary\": \"Retrieve a VulnerabilityReport for a Manifest\",\n \"description\": \"Given a Manifest's content addressable hash a VulnerabilityReport will be created. The Manifest **must** have been Indexed first via the Index endpoint.\"\n },\n \"parameters\": [\n {\n \"$ref\": \"#/components/parameters/digest\"\n }\n ]\n },\n \"/notifier/api/v1/notification/{id}\": {\n \"parameters\": [\n {\n \"in\": \"path\",\n \"name\": \"id\",\n \"required\": true,\n \"schema\": {\n \"$ref\": \"#/components/schemas/token\"\n },\n \"description\": \"A notification ID returned by a callback\"\n }\n ],\n \"delete\": {\n \"operationId\": \"DeleteNotification\",\n \"responses\": {\n \"200\": {\n \"description\": \"Delete the notification referenced by the \\\"id\\\" parameter.\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n }\n },\n \"tags\": [\n \"notifier\"\n ],\n \"summary\": \"Delete a Notification Set\",\n \"description\": \"Issues a delete of the provided notification ID and all associated notifications.\\nAfter this delete clients will no longer be able to retrieve notifications.\"\n },\n \"get\": {\n \"operationId\": \"GetNotification\",\n \"parameters\": [\n {\n \"in\": \"query\",\n \"name\": \"page_size\",\n \"schema\": {\n \"type\": \"integer\",\n \"default\": 500\n },\n \"description\": \"The maximum number of notifications to deliver in a single page.\"\n },\n {\n \"in\": \"query\",\n \"name\": \"next\",\n \"schema\": {\n \"$ref\": \"#/components/schemas/token\"\n },\n \"description\": \"The next page to fetch via id. Typically this number is provided on initial response in the \\\"page.next\\\" field. The first request should omit this field.\"\n }\n ],\n \"responses\": {\n \"200\": {\n \"description\": \"A paginated list of notifications\",\n \"headers\": {\n \"Clair-Error\": {\n \"$ref\": \"#/components/headers/Clair-Error\"\n }\n },\n \"content\": {\n \"application/vnd.clair.notification_page.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/notification_page\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/notification_page\"\n }\n }\n }\n },\n \"400\": {\n \"$ref\": \"#/components/responses/bad_request\"\n },\n \"415\": {\n \"$ref\": \"#/components/responses/unsupported_media_type\"\n },\n \"default\": {\n \"$ref\": \"#/components/responses/oops\"\n },\n \"304\": {\n \"description\": \"Not Modified\"\n }\n },\n \"tags\": [\n \"notifier\"\n ],\n \"summary\": \"Retrieve Pages of a Notification Set\",\n \"description\": \"By performing a GET with an id as a path parameter, the client will retrieve a paginated response of notification objects.\"\n }\n }\n },\n \"security\": [\n {},\n {\n \"PSK\": []\n }\n ],\n \"webhooks\": {\n \"notification\": {\n \"post\": {\n \"tags\": [\n \"notifier\"\n ],\n \"description\": \"If configured, Clair will issue webhooks when notifications are available for retrieval.\",\n \"requestBody\": {\n \"content\": {\n \"application/vnd.clair.notification_webhook.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/notification_webhook\"\n }\n }\n }\n },\n \"responses\": {\n \"200\": {\n \"description\": \"OK\"\n }\n }\n }\n }\n },\n \"components\": {\n \"schemas\": {\n \"token\": {\n \"type\": \"string\",\n \"description\": \"An opaque token previously obtained from the service.\"\n },\n \"affected_manifests\": {\n \"$id\": \"https://clairproject.org/api/http/v1/affected_manifests.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Affected Manifests\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nManifests affected by the specified vulnerability objects.\",\n \"properties\": {\n \"vulnerabilities\": {\n \"type\": \"object\",\n \"description\": \"Vulnerability objects.\",\n \"additionalProperties\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n },\n \"vulnerable_manifests\": {\n \"type\": \"object\",\n \"description\": \"Mapping of manifest digests to vulnerability identifiers.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\",\n \"description\": \"An identifier to be used in the \\\"vulnerabilities\\\" object.\"\n }\n }\n }\n },\n \"required\": [\n \"vulnerabilities\",\n \"vulnerable_manifests\"\n ],\n \"examples\": [\n {\n \"vulnerabilities\": {\n \"42\": {\n \"id\": \"42\"\n }\n },\n \"vulnerable_manifests\": {\n \"sha256:01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\": [\n \"42\"\n ]\n }\n }\n ]\n },\n \"bulk_delete\": {\n \"$id\": \"https://clairproject.org/api/http/v1/bulk_delete.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Bulk Delete\",\n \"type\": \"array\",\n \"description\": \"Array of manifest digests to delete from the system.\",\n \"items\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"Manifest digest to delete from the system.\"\n },\n \"examples\": [\n [\n \"sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\"\n ]\n ]\n },\n \"cpe\": {\n \"$id\": \"https://clairproject.org/api/http/v1/cpe.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Common Platform Enumeration Name\",\n \"description\": \"This is a CPE Name in either v2.2 \\\"URI\\\" form or v2.3 \\\"Formatted String\\\" form.\",\n \"$comment\": \"Clair only produces v2.3 CPE Names. Any v2.2 Names will be normalized into v2.3 form.\",\n \"oneOf\": [\n {\n \"description\": \"This is the CPE 2.2 regexp: https://cpe.mitre.org/specification/2.2/cpe-language_2.2.xsd\",\n \"type\": \"string\",\n \"pattern\": \"^[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\\\._\\\\-~%]*){0,6}$\"\n },\n {\n \"description\": \"This is the CPE 2.3 regexp: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd\",\n \"type\": \"string\",\n \"pattern\": \"^cpe:2\\\\.3:[aho\\\\*\\\\-](:(((\\\\?*|\\\\*?)([a-zA-Z0-9\\\\-\\\\._]|(\\\\\\\\[\\\\\\\\\\\\*\\\\?!\\\"#$$%&'\\\\(\\\\)\\\\+,/:;<=>@\\\\[\\\\]\\\\^`\\\\{\\\\|}~]))+(\\\\?*|\\\\*?))|[\\\\*\\\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\\\*\\\\-]))(:(((\\\\?*|\\\\*?)([a-zA-Z0-9\\\\-\\\\._]|(\\\\\\\\[\\\\\\\\\\\\*\\\\?!\\\"#$$%&'\\\\(\\\\)\\\\+,/:;<=>@\\\\[\\\\]\\\\^`\\\\{\\\\|}~]))+(\\\\?*|\\\\*?))|[\\\\*\\\\-])){4}$\"\n }\n ],\n \"examples\": [\n \"cpe:/a:microsoft:internet_explorer:8.0.6001:beta\",\n \"cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*\"\n ]\n },\n \"digest\": {\n \"$id\": \"https://clairproject.org/api/http/v1/digest.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Digest\",\n \"description\": \"A digest acts as a content identifier, enabling content addressability.\",\n \"type\": \"string\",\n \"anyOf\": [\n {\n \"$comment\": \"SHA256: MUST be implemented\",\n \"description\": \"SHA256\",\n \"type\": \"string\",\n \"pattern\": \"^sha256:[a-f0-9]{64}$\"\n },\n {\n \"$comment\": \"SHA512: MAY be implemented\",\n \"description\": \"SHA512\",\n \"type\": \"string\",\n \"pattern\": \"^sha512:[a-f0-9]{128}$\"\n },\n {\n \"$comment\": \"BLAKE3: MAY be implemented\",\n \"description\": \"BLAKE3\\n\\n**Currently not implemented.**\",\n \"type\": \"string\",\n \"pattern\": \"^blake3:[a-f0-9]{64}$\"\n }\n ],\n \"examples\": [\n \"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\",\n \"sha512:27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd\",\n \"blake3:6e46dd10defc9b56c29a6ec56b508c21f54c08192194e4df25bf36f0c9c3c279\"\n ]\n },\n \"distribution\": {\n \"$id\": \"https://clairproject.org/api/http/v1/distribution.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Distribution\",\n \"type\": \"object\",\n \"description\": \"Distribution is the accompanying system context of a Package.\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Distribution. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"did\": {\n \"description\": \"A lower-case string (no spaces or other characters outside of 0–9, a–z, \\\".\\\", \\\"_\\\", and \\\"-\\\") identifying the operating system, excluding any version information and suitable for processing by scripts or usage in generated filenames.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"A string identifying the operating system.\",\n \"type\": \"string\"\n },\n \"version\": {\n \"description\": \"A string identifying the operating system version, excluding any OS name information, possibly including a release code name, and suitable for presentation to the user.\",\n \"type\": \"string\"\n },\n \"version_code_name\": {\n \"description\": \"A lower-case string (no spaces or other characters outside of 0–9, a–z, \\\".\\\", \\\"_\\\", and \\\"-\\\") identifying the operating system release code name, excluding any OS name information or release version, and suitable for processing by scripts or usage in generated filenames.\",\n \"type\": \"string\"\n },\n \"version_id\": {\n \"description\": \"A lower-case string (mostly numeric, no spaces or other characters outside of 0–9, a–z, \\\".\\\", \\\"_\\\", and \\\"-\\\") identifying the operating system version, excluding any OS name information or release code name.\",\n \"type\": \"string\"\n },\n \"arch\": {\n \"description\": \"A string identifying the OS architecture.\",\n \"type\": \"string\"\n },\n \"cpe\": {\n \"description\": \"Common Platform Enumeration name.\",\n \"$ref\": \"cpe.schema.json\"\n },\n \"pretty_name\": {\n \"description\": \"A pretty operating system name in a format suitable for presentation to the user.\",\n \"type\": \"string\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"id\"\n ],\n \"examples\": [\n {\n \"id\": \"1\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"pretty_name\": \"Ubuntu 18.04.3 LTS\"\n }\n ]\n },\n \"environment\": {\n \"$id\": \"https://clairproject.org/api/http/v1/environment.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Environment\",\n \"type\": \"object\",\n \"description\": \"Environment describes the surrounding environment a package was discovered in.\",\n \"properties\": {\n \"package_db\": {\n \"description\": \"The database the associated Package was discovered in.\",\n \"type\": \"string\"\n },\n \"distribution_id\": {\n \"description\": \"The ID of the Distribution of the associated Package.\",\n \"type\": \"string\"\n },\n \"introduced_in\": {\n \"description\": \"The Layer the associated Package was introduced in.\",\n \"$ref\": \"digest.schema.json\"\n },\n \"repository_ids\": {\n \"description\": \"The IDs of the Repositories of the associated Package.\",\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n }\n },\n \"additionalProperties\": false,\n \"examples\": [\n {\n \"value\": {\n \"package_db\": \"var/lib/dpkg/status\",\n \"introduced_in\": \"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\",\n \"distribution_id\": \"1\"\n }\n }\n ]\n },\n \"error\": {\n \"$id\": \"https://clairproject.org/api/http/v1/error.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Error\",\n \"type\": \"object\",\n \"description\": \"A general error response.\",\n \"properties\": {\n \"code\": {\n \"type\": \"string\",\n \"description\": \"a code for this particular error\"\n },\n \"message\": {\n \"type\": \"string\",\n \"description\": \"a message with further detail\"\n }\n },\n \"required\": [\n \"message\"\n ]\n },\n \"index_report\": {\n \"$id\": \"https://clairproject.org/api/http/v1/index_report.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Index Report\",\n \"type\": \"object\",\n \"description\": \"An index of the contents of a Manifest.\",\n \"properties\": {\n \"manifest_hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The Manifest's digest.\"\n },\n \"state\": {\n \"type\": \"string\",\n \"description\": \"The current state of the index operation\"\n },\n \"err\": {\n \"type\": \"string\",\n \"description\": \"An error message on event of unsuccessful index\"\n },\n \"success\": {\n \"type\": \"boolean\",\n \"description\": \"A bool indicating succcessful index\"\n },\n \"packages\": {\n \"type\": \"object\",\n \"description\": \"A map of Package objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"package.schema.json\"\n }\n },\n \"distributions\": {\n \"type\": \"object\",\n \"description\": \"A map of Distribution objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"distribution.schema.json\"\n }\n },\n \"repository\": {\n \"type\": \"object\",\n \"description\": \"A map of Repository objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"repository.schema.json\"\n }\n },\n \"environments\": {\n \"type\": \"object\",\n \"description\": \"A map of Environment arrays indexed by a Package's identifier.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"environment.schema.json\"\n }\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"manifest_hash\",\n \"state\",\n \"success\"\n ]\n },\n \"index_state\": {\n \"$id\": \"https://clairproject.org/api/http/v1/index_state.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Index State\",\n \"type\": \"object\",\n \"description\": \"Information on the state of the indexer system.\",\n \"properties\": {\n \"state\": {\n \"type\": \"string\",\n \"description\": \"an opaque token\"\n }\n },\n \"required\": [\n \"state\"\n ]\n },\n \"layer\": {\n \"$id\": \"https://clairproject.org/api/http/v1/layer.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Layer\",\n \"type\": \"object\",\n \"description\": \"Layer is a description of a container layer. It should contain enough information to fetch the layer.\",\n \"properties\": {\n \"hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"Digest of the layer blob.\"\n },\n \"uri\": {\n \"type\": \"string\",\n \"description\": \"A URI indicating where the layer blob can be downloaded from.\"\n },\n \"headers\": {\n \"description\": \"Any additional HTTP-style headers needed for requesting layers.\",\n \"type\": \"object\",\n \"patternProperties\": {\n \"^[a-zA-Z0-9\\\\-_]+$\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n }\n }\n },\n \"media_type\": {\n \"description\": \"The OCI Layer media type for this layer.\",\n \"type\": \"string\",\n \"pattern\": \"^application/vnd\\\\.oci\\\\.image\\\\.layer\\\\.v1\\\\.tar(\\\\+(gzip|zstd))?$\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"hash\",\n \"uri\"\n ]\n },\n \"manifest\": {\n \"$id\": \"https://clairproject.org/api/http/v1/manifest.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Manifest\",\n \"type\": \"object\",\n \"description\": \"A description of an OCI Image Manifest.\",\n \"properties\": {\n \"hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The OCI Image Manifest's digest.\\n\\nThis is used as an identifier throughout the system. This **SHOULD** be the same as the OCI Image Manifest's digest, but this is not enforced.\"\n },\n \"layers\": {\n \"type\": \"array\",\n \"description\": \"The OCI Layers making up the Image, in order.\",\n \"items\": {\n \"$ref\": \"layer.schema.json\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"hash\"\n ],\n \"examples\": [\n {\n \"hash\": \"sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\",\n \"layers\": [\n {\n \"hash\": \"sha256:2f077db56abccc19f16f140f629ae98e904b4b7d563957a7fc319bd11b82ba36\",\n \"uri\": \"https://storage.example.com/blob/2f077db56abccc19f16f140f629ae98e904b4b7d563957a7fc319bd11b82ba36\",\n \"headers\": {\n \"Authoriztion\": [\n \"Bearer hunter2\"\n ]\n }\n }\n ]\n }\n ]\n },\n \"normalized_severity\": {\n \"$id\": \"https://clairproject.org/api/http/v1/normalized_severity.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Normalized Severity\",\n \"description\": \"Standardized severity values.\",\n \"enum\": [\n \"Unknown\",\n \"Negligible\",\n \"Low\",\n \"Medium\",\n \"High\",\n \"Critical\"\n ]\n },\n \"notification_page\": {\n \"$id\": \"https://clairproject.org/api/http/v1/notification_page.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Notification Page\",\n \"type\": \"object\",\n \"description\": \"A page description and list of notifications.\",\n \"properties\": {\n \"page\": {\n \"description\": \"An object informing the client the next page to retrieve.\",\n \"type\": \"object\",\n \"properties\": {\n \"size\": {\n \"description\": \"The number of notifications contained in this page.\",\n \"type\": \"integer\"\n },\n \"next\": {\n \"description\": \"The identififer to pass into the \\\"next\\\" parameter of a future GetNotification request.\\n\\nIf not present, there are no additional pages.\",\n \"type\": \"string\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"size\"\n ]\n },\n \"notifications\": {\n \"description\": \"Notifications within this page.\",\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"notification.schema.json\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"page\",\n \"notifications\"\n ],\n \"examples\": [\n {\n \"page\": {\n \"size\": 100,\n \"next\": \"1b4d0db2-e757-4150-bbbb-543658144205\"\n },\n \"notifications\": [\n {\n \"id\": \"5e4b387e-88d3-4364-86fd-063447a6fad2\",\n \"manifest\": \"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\",\n \"reason\": \"added\",\n \"vulnerability\": {\n \"name\": \"CVE-2009-5155\",\n \"fixed_in_version\": \"v0.0.1\",\n \"links\": \"http://example.com/CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\\\"\",\n \"normalized_severity\": \"Unknown\",\n \"package\": {\n \"id\": \"10\",\n \"name\": \"libapt-pkg5.0\",\n \"version\": \"1.6.11\",\n \"kind\": \"BINARY\",\n \"arch\": \"x86\",\n \"source\": {\n \"id\": \"9\",\n \"name\": \"apt\",\n \"version\": \"1.6.11\",\n \"kind\": \"SOURCE\",\n \"source\": null\n }\n },\n \"distribution\": {\n \"id\": \"1\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"pretty_name\": \"Ubuntu 18.04.3 LTS\"\n }\n }\n }\n ]\n }\n ]\n },\n \"notification\": {\n \"$id\": \"https://clairproject.org/api/http/v1/notification.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Notification\",\n \"type\": \"object\",\n \"description\": \"A change in a manifest affected by a vulnerability.\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique identifier for this notification.\",\n \"type\": \"string\"\n },\n \"manifest\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The digest of the manifest affected by the provided vulnerability.\"\n },\n \"reason\": {\n \"description\": \"The reason for the notifcation.\",\n \"enum\": [\n \"added\",\n \"removed\"\n ]\n },\n \"vulnerability\": {\n \"$ref\": \"vulnerability_summary.schema.json\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"id\",\n \"manifest\",\n \"reason\",\n \"vulnerability\"\n ]\n },\n \"notification_webhook\": {\n \"$id\": \"https://clairproject.org/api/http/v1/notification_webhook.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Notification Webhook\",\n \"type\": \"object\",\n \"description\": \"Webhook sent to a configured service to begin retrieving notifications.\",\n \"properties\": {\n \"notification_id\": {\n \"description\": \"Unique identifier for this notification.\",\n \"type\": \"string\"\n },\n \"callback\": {\n \"description\": \"A URL to retrieve paginated Notification objects.\",\n \"type\": \"string\",\n \"format\": \"uri\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"notification_id\",\n \"callback\"\n ]\n },\n \"package\": {\n \"$id\": \"https://clairproject.org/api/http/v1/package.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Package\",\n \"type\": \"object\",\n \"description\": \"Description of installed software.\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Package. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Identifier of this Package.\\n\\nThe uniqueness and scoping of this name depends on the packaging system.\",\n \"type\": \"string\"\n },\n \"version\": {\n \"description\": \"Version of this Package, as reported by the packaging system.\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"The \\\"kind\\\" of this Package.\",\n \"enum\": [\n \"BINARY\",\n \"SOURCE\"\n ],\n \"default\": \"BINARY\"\n },\n \"source\": {\n \"$ref\": \"#\",\n \"description\": \"Source Package that produced the current binary Package, if known.\"\n },\n \"normalized_version\": {\n \"description\": \"Normalized representation of the discoverd version.\\n\\nThe format is not specific, but is guarenteed to be forward compatible.\",\n \"type\": \"string\"\n },\n \"module\": {\n \"description\": \"An identifier for intra-Repository grouping of packages.\\n\\nLikely only relevant on rpm-based systems.\",\n \"type\": \"string\"\n },\n \"arch\": {\n \"description\": \"Native architecture for the Package.\",\n \"type\": \"string\",\n \"$comment\": \"This should become and enum in the future.\"\n },\n \"cpe\": {\n \"$ref\": \"cpe.schema.json\",\n \"description\": \"CPE Name for the Package.\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"name\",\n \"version\"\n ],\n \"examples\": [\n {\n \"id\": \"10\",\n \"name\": \"libapt-pkg5.0\",\n \"version\": \"1.6.11\",\n \"kind\": \"binary\",\n \"normalized_version\": \"\",\n \"arch\": \"x86\",\n \"module\": \"\",\n \"cpe\": \"\",\n \"source\": {\n \"id\": \"9\",\n \"name\": \"apt\",\n \"version\": \"1.6.11\",\n \"kind\": \"source\",\n \"source\": null\n }\n }\n ]\n },\n \"range\": {\n \"$id\": \"https://clairproject.org/api/http/v1/range.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Range\",\n \"type\": \"object\",\n \"description\": \"A range of versions.\",\n \"properties\": {\n \"[\": {\n \"type\": \"string\",\n \"description\": \"Lower bound, inclusive.\"\n },\n \")\": {\n \"type\": \"string\",\n \"description\": \"Upper bound, exclusive.\"\n }\n },\n \"minProperties\": 1,\n \"additionalProperties\": false\n },\n \"repository\": {\n \"$id\": \"https://clairproject.org/api/http/v1/repository.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Repository\",\n \"type\": \"object\",\n \"description\": \"Description of a software repository\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Repository. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Human-relevant name for the Repository.\",\n \"type\": \"string\"\n },\n \"key\": {\n \"description\": \"Machine-relevant name for the Repository.\",\n \"type\": \"string\"\n },\n \"uri\": {\n \"description\": \"URI describing the Repository.\",\n \"type\": \"string\",\n \"format\": \"uri\"\n },\n \"cpe\": {\n \"description\": \"CPE name for the Repository.\",\n \"$ref\": \"cpe.schema.json\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"id\"\n ]\n },\n \"update_diff\": {\n \"$id\": \"https://clairproject.org/api/http/v1/update_diff.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Update Difference\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nAn update difference describes changes between two Update Operations.\",\n \"properties\": {\n \"prev\": {\n \"description\": \"The previous Update Operation.\",\n \"$ref\": \"update_operation.schema.json\"\n },\n \"cur\": {\n \"description\": \"The current Update Operation.\",\n \"$ref\": \"update_operation.schema.json\"\n },\n \"added\": {\n \"description\": \"Vulnerabilities present in \\\"cur\\\", but not \\\"prev\\\".\",\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n },\n \"removed\": {\n \"description\": \"Vulnerabilities present in \\\"prev\\\", but not \\\"cur\\\".\",\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"cur\",\n \"added\",\n \"removed\"\n ]\n },\n \"update_operation\": {\n \"$id\": \"https://clairproject.org/api/http/v1/update_operation.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Update Operation\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nAn update operations describes an update of the internal vulnerability database.\",\n \"properties\": {\n \"ref\": {\n \"type\": \"string\",\n \"description\": \"A unique identifier for this update operation.\",\n \"format\": \"uuid\"\n },\n \"updater\": {\n \"description\": \"The \\\"updater\\\" component that was run.\",\n \"$comment\": \"This is not as useful as it could be: an end user needs to know too much about Clair(core)'s internals to make sense of it.\",\n \"type\": \"string\"\n },\n \"fingerprint\": {\n \"description\": \"The stored \\\"fingerprint\\\" of this run.\",\n \"type\": \"string\"\n },\n \"date\": {\n \"type\": \"string\",\n \"description\": \"When this operation was run.\",\n \"format\": \"date-time\"\n },\n \"kind\": {\n \"description\": \"The kind of data this operation updated.\",\n \"enum\": [\n \"vulnerability\",\n \"enrichment\"\n ]\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"ref\",\n \"updater\",\n \"fingerprint\",\n \"date\",\n \"kind\"\n ]\n },\n \"update_operations\": {\n \"$id\": \"https://clairproject.org/api/http/v1/update_operations.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Update Operations\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nA mapping of updater id to Update Operation(s).\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"update_operation.schema.json\"\n }\n }\n },\n \"vulnerability_core\": {\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_core.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Core\",\n \"type\": \"object\",\n \"description\": \"The core elements of vulnerabilities in the Clair system.\",\n \"properties\": {\n \"name\": {\n \"type\": \"string\",\n \"description\": \"Human-readable name, as presented in the vendor data.\"\n },\n \"fixed_in_version\": {\n \"type\": \"string\",\n \"description\": \"Version string, as presented in the vendor data.\"\n },\n \"severity\": {\n \"type\": \"string\",\n \"description\": \"Severity, as presented in the vendor data.\"\n },\n \"normalized_severity\": {\n \"$ref\": \"normalized_severity.schema.json\",\n \"description\": \"A well defined set of severity strings guaranteed to be present.\"\n },\n \"range\": {\n \"$ref\": \"range.schema.json\",\n \"description\": \"Range of versions the vulnerability applies to.\"\n },\n \"arch_op\": {\n \"description\": \"Flag indicating how the referenced package's \\\"arch\\\" member should be interpreted.\",\n \"enum\": [\n \"equals\",\n \"not equals\",\n \"pattern match\"\n ]\n },\n \"package\": {\n \"$ref\": \"package.schema.json\",\n \"description\": \"A package description\"\n },\n \"distribution\": {\n \"$ref\": \"distribution.schema.json\",\n \"description\": \"A distribution description\"\n },\n \"repository\": {\n \"$ref\": \"repository.schema.json\",\n \"description\": \"A repository description\"\n }\n },\n \"required\": [\n \"name\",\n \"normalized_severity\"\n ],\n \"dependentRequired\": {\n \"package\": [\n \"arch_op\"\n ]\n },\n \"anyOf\": [\n {\n \"required\": [\n \"package\"\n ]\n },\n {\n \"required\": [\n \"repository\"\n ]\n },\n {\n \"required\": [\n \"distribution\"\n ]\n }\n ]\n },\n \"vulnerability_report\": {\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_report.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Report\",\n \"type\": \"object\",\n \"description\": \"A report with discovered packages, package environments, and package vulnerabilities within a Manifest.\",\n \"properties\": {\n \"manifest_hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The Manifest's digest.\"\n },\n \"packages\": {\n \"type\": \"object\",\n \"description\": \"A map of Package objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"package.schema.json\"\n }\n },\n \"distributions\": {\n \"type\": \"object\",\n \"description\": \"A map of Distribution objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"distribution.schema.json\"\n }\n },\n \"repository\": {\n \"type\": \"object\",\n \"description\": \"A map of Repository objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"repository.schema.json\"\n }\n },\n \"environments\": {\n \"type\": \"object\",\n \"description\": \"A map of Environment arrays indexed by a Package's identifier.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"environment.schema.json\"\n }\n }\n },\n \"vulnerabilities\": {\n \"type\": \"object\",\n \"description\": \"A map of Vulnerabilities indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n },\n \"package_vulnerabilities\": {\n \"type\": \"object\",\n \"description\": \"A mapping of Vulnerability identifier lists indexed by Package identifier.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n }\n },\n \"enrichments\": {\n \"type\": \"object\",\n \"description\": \"A mapping of extra \\\"enrichment\\\" data by type\",\n \"additionalProperties\": {\n \"type\": \"array\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"distributions\",\n \"environments\",\n \"manifest_hash\",\n \"packages\",\n \"package_vulnerabilities\",\n \"vulnerabilities\"\n ]\n },\n \"vulnerability\": {\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability\",\n \"type\": \"object\",\n \"description\": \"Description of a software flaw.\",\n \"$ref\": \"vulnerability_core.schema.json\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Vulnerabiltity. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"updater\": {\n \"description\": \"The updater component this Vulnerability came from.\",\n \"type\": \"string\"\n },\n \"description\": {\n \"description\": \"A human-readable description of the vulnerability.\",\n \"type\": \"string\"\n },\n \"issued\": {\n \"description\": \"The datetime this Vulnerability was issued, if known.\",\n \"type\": \"string\",\n \"format\": \"date-time\"\n },\n \"links\": {\n \"description\": \"Space-separated URIs to more information.\",\n \"type\": \"string\"\n }\n },\n \"unevaluatedProperties\": false,\n \"required\": [\n \"id\",\n \"updater\"\n ],\n \"examples\": [\n {\n \"id\": \"356835\",\n \"updater\": \"ubuntu\",\n \"name\": \"CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\",\n \"links\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155 http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-5155.html https://sourceware.org/bugzilla/show_bug.cgi?id=11053 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238 https://sourceware.org/bugzilla/show_bug.cgi?id=18986\",\n \"severity\": \"Low\",\n \"normalized_severity\": \"Low\",\n \"package\": {\n \"id\": \"0\",\n \"name\": \"glibc\",\n \"version\": \"2.27-0ubuntu1\",\n \"kind\": \"binary\",\n \"source\": null\n },\n \"dist\": {\n \"id\": \"0\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\",\n \"arch\": \"amd64\"\n },\n \"repo\": {\n \"id\": \"0\",\n \"name\": \"Ubuntu 18.04.3 LTS\"\n },\n \"issued\": \"2019-10-12T07:20:50.52Z\",\n \"fixed_in_version\": \"2.28-0ubuntu1\"\n }\n ]\n },\n \"vulnerability_summaries\": {\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_summaries.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Summaries\",\n \"type\": \"array\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nThis is an array of pseudo-Vulnerability objects used for reverse-lookup.\",\n \"items\": {\n \"description\": \"Summary vulnerability objects.\",\n \"$ref\": \"vulnerability_summary.schema.json\"\n }\n },\n \"vulnerability_summary\": {\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_summary.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Summary\",\n \"type\": \"object\",\n \"description\": \"A summary of a vulnerability.\",\n \"$ref\": \"vulnerability_core.schema.json\",\n \"unevaluatedProperties\": false,\n \"examples\": [\n {\n \"name\": \"CVE-2009-5155\",\n \"description\": \"In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\",\n \"normalized_severity\": \"Low\",\n \"fixed_in_version\": \"v0.0.1\",\n \"links\": \"http://link-to-advisory\",\n \"package\": {\n \"id\": \"0\",\n \"name\": \"glibc\",\n \"version\": \"v0.0.1-rc1\"\n },\n \"dist\": {\n \"id\": \"0\",\n \"did\": \"ubuntu\",\n \"name\": \"Ubuntu\",\n \"version\": \"18.04.3 LTS (Bionic Beaver)\",\n \"version_code_name\": \"bionic\",\n \"version_id\": \"18.04\"\n },\n \"repo\": {\n \"id\": \"0\",\n \"name\": \"Ubuntu 18.04.3 LTS\"\n }\n }\n ]\n }\n },\n \"responses\": {\n \"bad_request\": {\n \"description\": \"Bad Request\",\n \"content\": {\n \"application/vnd.clair.error.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n }\n }\n },\n \"oops\": {\n \"description\": \"Internal Server Error\",\n \"content\": {\n \"application/vnd.clair.error.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n }\n }\n },\n \"not_found\": {\n \"description\": \"Not Found\",\n \"content\": {\n \"application/vnd.clair.error.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n }\n }\n },\n \"unsupported_media_type\": {\n \"description\": \"Unsupported Media Type\",\n \"content\": {\n \"application/vnd.clair.error.v1+json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n },\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"#/components/schemas/error\"\n }\n }\n }\n }\n },\n \"parameters\": {\n \"digest\": {\n \"description\": \"OCI-compatible digest of a referred object.\",\n \"name\": \"digest\",\n \"in\": \"path\",\n \"schema\": {\n \"$ref\": \"#/components/schemas/digest\"\n },\n \"required\": true\n }\n },\n \"headers\": {\n \"Clair-Error\": {\n \"description\": \"This is a trailer containing any errors encountered while writing the response.\",\n \"style\": \"simple\",\n \"schema\": {\n \"type\": \"string\"\n }\n },\n \"Etag\": {\n \"description\": \"HTTP [ETag header](https://httpwg.org/specs/rfc9110.html#field.etag)\",\n \"style\": \"simple\",\n \"schema\": {\n \"type\": \"string\"\n }\n },\n \"Link\": {\n \"description\": \"Web Linking [Link header](https://httpwg.org/specs/rfc8288.html#header)\",\n \"style\": \"simple\",\n \"schema\": {\n \"type\": \"string\"\n }\n },\n \"Location\": {\n \"description\": \"HTTP [Location header](https://httpwg.org/specs/rfc9110.html#field.location)\",\n \"style\": \"simple\",\n \"required\": true,\n \"schema\": {\n \"type\": \"string\"\n }\n }\n },\n \"securitySchemes\": {\n \"PSK\": {\n \"type\": \"http\",\n \"scheme\": \"bearer\",\n \"bearerFormat\": \"JWT with preshared key and allow-listed issuers\",\n \"description\": \"Clair's authentication scheme.\\n\\nThis is a [JWT](https://datatracker.ietf.org/doc/html/rfc7519) signed with a configured pre-shared key containing an allowlisted `iss` claim.\"\n }\n }\n }\n}\n"
},
{
"path": "httptransport/api/v1/openapi.yaml",
"content": "openapi: 3.1.0\ninfo:\n title: Clair Container Analyzer\n description: |-\n Clair is a set of cooperating microservices which can index and match a container image's content with known vulnerabilities.\n\n **Note:** Any endpoints tagged \"internal\" are documented for completeness but are considered exempt from versioning.\n version: 1.2.0\n contact:\n name: Clair Team\n url: http://github.com/quay/clair\n email: clair-devel@googlegroups.com\n license:\n name: Apache License 2.0\n url: http://www.apache.org/licenses/\nexternalDocs:\n url: https://quay.github.io/clair/\ntags:\n - name: indexer\n description: |-\n Indexer service endpoints.\n\n These are responsible for determining the contents of containers.\n - name: matcher\n description: |-\n Matcher service endpoints.\n\n These are responsible for generating reports against current vulnerability data.\n - name: notifier\n description: |-\n Matcher service endpoints.\n\n These are responsible for serving notifications.\n - name: internal\n description: |-\n These are internal endpoints, documented for completeness.\n\n They are exempted from API stability guarentees.\npaths:\n /indexer/api/v1/index_report:\n post:\n operationId: Index\n requestBody:\n description: Manifest to index.\n required: true\n content:\n application/vnd.clair.manifest.v1+json:\n schema:\n $ref: '#/components/schemas/manifest'\n application/json:\n schema:\n $ref: '#/components/schemas/manifest'\n responses:\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n \"201\":\n description: |-\n IndexReport created.\n\n Clients may want to avoid reading the body if simply submitting the manifest for later vulnerability reporting.\n content:\n application/vnd.clair.index_report.v1+json:\n schema:\n $ref: '#/components/schemas/index_report'\n application/json:\n schema:\n $ref: '#/components/schemas/index_report'\n headers:\n Location:\n $ref: '#/components/headers/Location'\n Link:\n $ref: '#/components/headers/Link'\n links:\n retrieve:\n operationId: GetIndexReport\n parameters:\n digest: $request.body#/hash\n delete:\n operationId: DeleteManifest\n parameters:\n digest: $request.body#/hash\n report:\n operationId: GetVulnerabilityReport\n parameters:\n digest: $request.body#/hash\n \"412\":\n description: Precondition Failed\n tags:\n - indexer\n summary: Index a Manifest\n description: By submitting a Manifest object to this endpoint Clair will fetch the layers, scan each layer's contents, and provide an index of discovered packages, repository and distribution information.\n delete:\n operationId: DeleteManifests\n requestBody:\n description: Array of manifest digests to delete.\n required: true\n content:\n application/vnd.clair.bulk_delete.v1+json:\n schema:\n $ref: '#/components/schemas/bulk_delete'\n application/json:\n schema:\n $ref: '#/components/schemas/bulk_delete'\n responses:\n \"200\":\n description: Successfully deleted manifests.\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n content:\n application/vnd.clair.bulk_delete.v1+json:\n schema:\n $ref: '#/components/schemas/bulk_delete'\n application/json:\n schema:\n $ref: '#/components/schemas/bulk_delete'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n tags:\n - indexer\n summary: Delete Indexed Manifests\n description: Given a Manifest's content addressable hash, any data related to it will be removed if it exists.\n /indexer/api/v1/index_report/{digest}:\n delete:\n operationId: DeleteManifest\n responses:\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n \"204\":\n description: Success\n tags:\n - indexer\n summary: Delete an Indexed Manifest\n description: Given a Manifest's content addressable hash, any data related to it will be removed it it exists.\n get:\n operationId: GetIndexReport\n responses:\n \"200\":\n description: IndexReport retrieved\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n content:\n application/vnd.clair.index_report.v1+json:\n schema:\n $ref: '#/components/schemas/index_report'\n application/json:\n schema:\n $ref: '#/components/schemas/index_report'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n \"404\":\n $ref: '#/components/responses/not_found'\n tags:\n - indexer\n summary: Retrieve the IndexReport for a Manifest\n description: Given a Manifest's content addressable hash, an IndexReport will be retrieved if it exists.\n parameters:\n - $ref: '#/components/parameters/digest'\n /indexer/api/v1/index_state:\n get:\n operationId: IndexState\n responses:\n \"200\":\n description: Indexer State\n headers:\n Etag:\n $ref: '#/components/headers/Etag'\n content:\n application/vnd.clair.index_state.v1+json:\n schema:\n $ref: '#/components/schemas/index_state'\n application/json:\n schema:\n $ref: '#/components/schemas/index_state'\n \"304\":\n description: Not Modified\n tags:\n - indexer\n summary: Report the Indexer's State\n description: |-\n The index state endpoint returns a json structure indicating the indexer's internal configuration state.\n A client may be interested in this as a signal that manifests may need to be re-indexed.\n /indexer/api/v1/internal/affected_manifest:\n post:\n operationId: AffectedManifests\n requestBody:\n description: Array of vulnerability summaries to report on.\n required: true\n content:\n application/vnd.clair.vulnerability_summaries.v1+json:\n schema:\n $ref: '#/components/schemas/vulnerability_summaries'\n application/json:\n schema:\n $ref: '#/components/schemas/vulnerability_summaries'\n responses:\n \"200\":\n description: The list of manifests and the corresponding vulnerabilities.\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n content:\n application/vnd.clair.affected_manifests.v1+json:\n schema:\n $ref: '#/components/schemas/affected_manifests'\n application/json:\n schema:\n $ref: '#/components/schemas/affected_manifests'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n tags:\n - internal\n summary: Retrieve Manifests Affected by a Vulnerability\n description: The provided vulnerability summaries are attempted to be run \"backwards\" through the indexer to produce a set of manifests.\n x-cli-ignore: true\n /matcher/api/v1/internal/update_diff:\n get:\n operationId: GetUpdateDiff\n responses:\n \"200\":\n description: Changes between two Update Operations.\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n content:\n application/vnd.clair.update_diff.v1+json:\n schema:\n $ref: '#/components/schemas/update_diff'\n application/json:\n schema:\n $ref: '#/components/schemas/update_diff'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n parameters:\n - in: query\n name: cur\n schema:\n $ref: '#/components/schemas/token'\n description: '\"Current\" Update Operation ref.'\n - in: query\n name: prev\n required: true\n schema:\n $ref: '#/components/schemas/token'\n description: '\"Previous\" Update Operation ref.'\n tags:\n - internal\n summary: Retrieve Vulnerability Changes Between Two Update Operations\n description: Given IDs for two Update Operations, this will return the difference between them. This is used in the notification flow.\n x-cli-ignore: true\n /matcher/api/v1/internal/update_operation:\n get:\n operationId: GetUpdateOperation\n responses:\n \"200\":\n description: Update Operations, keyed by updater.\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n content:\n application/vnd.clair.update_operations.v1+json:\n schema:\n $ref: '#/components/schemas/update_operations'\n application/json:\n schema:\n $ref: '#/components/schemas/update_operations'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n parameters:\n - in: query\n name: kind\n schema:\n enum:\n - vulnerability\n - enrichment\n default: vulnerability\n description: The \"kind\" of updaters to query.\n - in: query\n name: latest\n schema:\n type: boolean\n default: false\n description: Return only the latest Update Operations instead of all known Update Operations.\n tags:\n - internal\n summary: Retrieve Update Operations\n description: Retrive all known or just the latest Update Operations.\n x-cli-ignore: true\n /matcher/api/v1/internal/update_operation/{digest}:\n delete:\n operationId: DeleteUpdateOperation\n responses:\n \"200\":\n description: Success\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n tags:\n - internal\n summary: Delete an Update Operation\n description: |-\n Issues a delete of the provided Update Operation ID and all associated data.\n After this delete clients will no longer be able to generate a diff against this Update Operation.\n x-cli-ignore: true\n parameters:\n - $ref: '#/components/parameters/digest'\n /matcher/api/v1/vulnerability_report/{digest}:\n get:\n operationId: GetVulnerabilityReport\n responses:\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n \"201\":\n description: Vulnerability Report Created\n content:\n application/vnd.clair.vulnerability_report.v1+json:\n schema:\n $ref: '#/components/schemas/vulnerability_report'\n application/json:\n schema:\n $ref: '#/components/schemas/vulnerability_report'\n \"404\":\n $ref: '#/components/responses/not_found'\n tags:\n - matcher\n summary: Retrieve a VulnerabilityReport for a Manifest\n description: Given a Manifest's content addressable hash a VulnerabilityReport will be created. The Manifest **must** have been Indexed first via the Index endpoint.\n parameters:\n - $ref: '#/components/parameters/digest'\n /notifier/api/v1/notification/{id}:\n parameters:\n - in: path\n name: id\n required: true\n schema:\n $ref: '#/components/schemas/token'\n description: A notification ID returned by a callback\n delete:\n operationId: DeleteNotification\n responses:\n \"200\":\n description: Delete the notification referenced by the \"id\" parameter.\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n tags:\n - notifier\n summary: Delete a Notification Set\n description: |-\n Issues a delete of the provided notification ID and all associated notifications.\n After this delete clients will no longer be able to retrieve notifications.\n get:\n operationId: GetNotification\n parameters:\n - in: query\n name: page_size\n schema:\n type: integer\n default: 500\n description: The maximum number of notifications to deliver in a single page.\n - in: query\n name: next\n schema:\n $ref: '#/components/schemas/token'\n description: The next page to fetch via id. Typically this number is provided on initial response in the \"page.next\" field. The first request should omit this field.\n responses:\n \"200\":\n description: A paginated list of notifications\n headers:\n Clair-Error:\n $ref: '#/components/headers/Clair-Error'\n content:\n application/vnd.clair.notification_page.v1+json:\n schema:\n $ref: '#/components/schemas/notification_page'\n application/json:\n schema:\n $ref: '#/components/schemas/notification_page'\n \"400\":\n $ref: '#/components/responses/bad_request'\n \"415\":\n $ref: '#/components/responses/unsupported_media_type'\n default:\n $ref: '#/components/responses/oops'\n \"304\":\n description: Not Modified\n tags:\n - notifier\n summary: Retrieve Pages of a Notification Set\n description: By performing a GET with an id as a path parameter, the client will retrieve a paginated response of notification objects.\nsecurity:\n - {}\n - PSK: []\nwebhooks:\n notification:\n post:\n tags:\n - notifier\n description: If configured, Clair will issue webhooks when notifications are available for retrieval.\n requestBody:\n content:\n application/vnd.clair.notification_webhook.v1+json:\n schema:\n $ref: '#/components/schemas/notification_webhook'\n responses:\n \"200\":\n description: OK\ncomponents:\n schemas:\n token:\n type: string\n description: An opaque token previously obtained from the service.\n affected_manifests:\n $id: https://clairproject.org/api/http/v1/affected_manifests.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Affected Manifests\n type: object\n description: |-\n **This is an internal type, documented for completeness.**\n\n Manifests affected by the specified vulnerability objects.\n properties:\n vulnerabilities:\n type: object\n description: Vulnerability objects.\n additionalProperties:\n $ref: vulnerability.schema.json\n vulnerable_manifests:\n type: object\n description: Mapping of manifest digests to vulnerability identifiers.\n additionalProperties:\n type: array\n items:\n type: string\n description: An identifier to be used in the \"vulnerabilities\" object.\n required:\n - vulnerabilities\n - vulnerable_manifests\n examples:\n - vulnerabilities:\n \"42\":\n id: \"42\"\n vulnerable_manifests:\n sha256:01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b:\n - \"42\"\n bulk_delete:\n $id: https://clairproject.org/api/http/v1/bulk_delete.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Bulk Delete\n type: array\n description: Array of manifest digests to delete from the system.\n items:\n $ref: digest.schema.json\n description: Manifest digest to delete from the system.\n examples:\n - - sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\n cpe:\n $id: https://clairproject.org/api/http/v1/cpe.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Common Platform Enumeration Name\n description: This is a CPE Name in either v2.2 \"URI\" form or v2.3 \"Formatted String\" form.\n $comment: Clair only produces v2.3 CPE Names. Any v2.2 Names will be normalized into v2.3 form.\n oneOf:\n - description: 'This is the CPE 2.2 regexp: https://cpe.mitre.org/specification/2.2/cpe-language_2.2.xsd'\n type: string\n pattern: ^[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6}$\n - description: 'This is the CPE 2.3 regexp: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd'\n type: string\n pattern: ^cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#$$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#$$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){4}$\n examples:\n - cpe:/a:microsoft:internet_explorer:8.0.6001:beta\n - cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*\n digest:\n $id: https://clairproject.org/api/http/v1/digest.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Digest\n description: A digest acts as a content identifier, enabling content addressability.\n type: string\n anyOf:\n - $comment: 'SHA256: MUST be implemented'\n description: SHA256\n type: string\n pattern: ^sha256:[a-f0-9]{64}$\n - $comment: 'SHA512: MAY be implemented'\n description: SHA512\n type: string\n pattern: ^sha512:[a-f0-9]{128}$\n - $comment: 'BLAKE3: MAY be implemented'\n description: |-\n BLAKE3\n\n **Currently not implemented.**\n type: string\n pattern: ^blake3:[a-f0-9]{64}$\n examples:\n - sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\n - sha512:27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd\n - blake3:6e46dd10defc9b56c29a6ec56b508c21f54c08192194e4df25bf36f0c9c3c279\n distribution:\n $id: https://clairproject.org/api/http/v1/distribution.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Distribution\n type: object\n description: Distribution is the accompanying system context of a Package.\n properties:\n id:\n description: Unique ID for this Distribution. May be unique to the response document, not the whole system.\n type: string\n did:\n description: A lower-case string (no spaces or other characters outside of 0–9, a–z, \".\", \"_\", and \"-\") identifying the operating system, excluding any version information and suitable for processing by scripts or usage in generated filenames.\n type: string\n name:\n description: A string identifying the operating system.\n type: string\n version:\n description: A string identifying the operating system version, excluding any OS name information, possibly including a release code name, and suitable for presentation to the user.\n type: string\n version_code_name:\n description: A lower-case string (no spaces or other characters outside of 0–9, a–z, \".\", \"_\", and \"-\") identifying the operating system release code name, excluding any OS name information or release version, and suitable for processing by scripts or usage in generated filenames.\n type: string\n version_id:\n description: A lower-case string (mostly numeric, no spaces or other characters outside of 0–9, a–z, \".\", \"_\", and \"-\") identifying the operating system version, excluding any OS name information or release code name.\n type: string\n arch:\n description: A string identifying the OS architecture.\n type: string\n cpe:\n description: Common Platform Enumeration name.\n $ref: cpe.schema.json\n pretty_name:\n description: A pretty operating system name in a format suitable for presentation to the user.\n type: string\n additionalProperties: false\n required:\n - id\n examples:\n - id: \"1\"\n did: ubuntu\n name: Ubuntu\n version: 18.04.3 LTS (Bionic Beaver)\n version_code_name: bionic\n version_id: \"18.04\"\n pretty_name: Ubuntu 18.04.3 LTS\n environment:\n $id: https://clairproject.org/api/http/v1/environment.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Environment\n type: object\n description: Environment describes the surrounding environment a package was discovered in.\n properties:\n package_db:\n description: The database the associated Package was discovered in.\n type: string\n distribution_id:\n description: The ID of the Distribution of the associated Package.\n type: string\n introduced_in:\n description: The Layer the associated Package was introduced in.\n $ref: digest.schema.json\n repository_ids:\n description: The IDs of the Repositories of the associated Package.\n type: array\n items:\n type: string\n additionalProperties: false\n examples:\n - value:\n package_db: var/lib/dpkg/status\n introduced_in: sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\n distribution_id: \"1\"\n error:\n $id: https://clairproject.org/api/http/v1/error.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Error\n type: object\n description: A general error response.\n properties:\n code:\n type: string\n description: a code for this particular error\n message:\n type: string\n description: a message with further detail\n required:\n - message\n index_report:\n $id: https://clairproject.org/api/http/v1/index_report.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Index Report\n type: object\n description: An index of the contents of a Manifest.\n properties:\n manifest_hash:\n $ref: digest.schema.json\n description: The Manifest's digest.\n state:\n type: string\n description: The current state of the index operation\n err:\n type: string\n description: An error message on event of unsuccessful index\n success:\n type: boolean\n description: A bool indicating succcessful index\n packages:\n type: object\n description: A map of Package objects indexed by a document-local identifier.\n additionalProperties:\n $ref: package.schema.json\n distributions:\n type: object\n description: A map of Distribution objects indexed by a document-local identifier.\n additionalProperties:\n $ref: distribution.schema.json\n repository:\n type: object\n description: A map of Repository objects indexed by a document-local identifier.\n additionalProperties:\n $ref: repository.schema.json\n environments:\n type: object\n description: A map of Environment arrays indexed by a Package's identifier.\n additionalProperties:\n type: array\n items:\n $ref: environment.schema.json\n additionalProperties: false\n required:\n - manifest_hash\n - state\n - success\n index_state:\n $id: https://clairproject.org/api/http/v1/index_state.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Index State\n type: object\n description: Information on the state of the indexer system.\n properties:\n state:\n type: string\n description: an opaque token\n required:\n - state\n layer:\n $id: https://clairproject.org/api/http/v1/layer.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Layer\n type: object\n description: Layer is a description of a container layer. It should contain enough information to fetch the layer.\n properties:\n hash:\n $ref: digest.schema.json\n description: Digest of the layer blob.\n uri:\n type: string\n description: A URI indicating where the layer blob can be downloaded from.\n headers:\n description: Any additional HTTP-style headers needed for requesting layers.\n type: object\n patternProperties:\n ^[a-zA-Z0-9\\-_]+$:\n type: array\n items:\n type: string\n media_type:\n description: The OCI Layer media type for this layer.\n type: string\n pattern: ^application/vnd\\.oci\\.image\\.layer\\.v1\\.tar(\\+(gzip|zstd))?$\n additionalProperties: false\n required:\n - hash\n - uri\n manifest:\n $id: https://clairproject.org/api/http/v1/manifest.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Manifest\n type: object\n description: A description of an OCI Image Manifest.\n properties:\n hash:\n $ref: digest.schema.json\n description: |-\n The OCI Image Manifest's digest.\n\n This is used as an identifier throughout the system. This **SHOULD** be the same as the OCI Image Manifest's digest, but this is not enforced.\n layers:\n type: array\n description: The OCI Layers making up the Image, in order.\n items:\n $ref: layer.schema.json\n additionalProperties: false\n required:\n - hash\n examples:\n - hash: sha256:fc84b5febd328eccaa913807716887b3eb5ed08bc22cc6933a9ebf82766725e3\n layers:\n - hash: sha256:2f077db56abccc19f16f140f629ae98e904b4b7d563957a7fc319bd11b82ba36\n uri: https://storage.example.com/blob/2f077db56abccc19f16f140f629ae98e904b4b7d563957a7fc319bd11b82ba36\n headers:\n Authoriztion:\n - Bearer hunter2\n normalized_severity:\n $id: https://clairproject.org/api/http/v1/normalized_severity.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Normalized Severity\n description: Standardized severity values.\n enum:\n - Unknown\n - Negligible\n - Low\n - Medium\n - High\n - Critical\n notification_page:\n $id: https://clairproject.org/api/http/v1/notification_page.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Notification Page\n type: object\n description: A page description and list of notifications.\n properties:\n page:\n description: An object informing the client the next page to retrieve.\n type: object\n properties:\n size:\n description: The number of notifications contained in this page.\n type: integer\n next:\n description: |-\n The identififer to pass into the \"next\" parameter of a future GetNotification request.\n\n If not present, there are no additional pages.\n type: string\n additionalProperties: false\n required:\n - size\n notifications:\n description: Notifications within this page.\n type: array\n items:\n $ref: notification.schema.json\n additionalProperties: false\n required:\n - page\n - notifications\n examples:\n - page:\n size: 100\n next: 1b4d0db2-e757-4150-bbbb-543658144205\n notifications:\n - id: 5e4b387e-88d3-4364-86fd-063447a6fad2\n manifest: sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\n reason: added\n vulnerability:\n name: CVE-2009-5155\n fixed_in_version: v0.0.1\n links: http://example.com/CVE-2009-5155\n description: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\"\n normalized_severity: Unknown\n package:\n id: \"10\"\n name: libapt-pkg5.0\n version: 1.6.11\n kind: BINARY\n arch: x86\n source:\n id: \"9\"\n name: apt\n version: 1.6.11\n kind: SOURCE\n source: null\n distribution:\n id: \"1\"\n did: ubuntu\n name: Ubuntu\n version: 18.04.3 LTS (Bionic Beaver)\n version_code_name: bionic\n version_id: \"18.04\"\n pretty_name: Ubuntu 18.04.3 LTS\n notification:\n $id: https://clairproject.org/api/http/v1/notification.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Notification\n type: object\n description: A change in a manifest affected by a vulnerability.\n properties:\n id:\n description: Unique identifier for this notification.\n type: string\n manifest:\n $ref: digest.schema.json\n description: The digest of the manifest affected by the provided vulnerability.\n reason:\n description: The reason for the notifcation.\n enum:\n - added\n - removed\n vulnerability:\n $ref: vulnerability_summary.schema.json\n additionalProperties: false\n required:\n - id\n - manifest\n - reason\n - vulnerability\n notification_webhook:\n $id: https://clairproject.org/api/http/v1/notification_webhook.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Notification Webhook\n type: object\n description: Webhook sent to a configured service to begin retrieving notifications.\n properties:\n notification_id:\n description: Unique identifier for this notification.\n type: string\n callback:\n description: A URL to retrieve paginated Notification objects.\n type: string\n format: uri\n additionalProperties: false\n required:\n - notification_id\n - callback\n package:\n $id: https://clairproject.org/api/http/v1/package.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Package\n type: object\n description: Description of installed software.\n properties:\n id:\n description: Unique ID for this Package. May be unique to the response document, not the whole system.\n type: string\n name:\n description: |-\n Identifier of this Package.\n\n The uniqueness and scoping of this name depends on the packaging system.\n type: string\n version:\n description: Version of this Package, as reported by the packaging system.\n type: string\n kind:\n description: The \"kind\" of this Package.\n enum:\n - BINARY\n - SOURCE\n default: BINARY\n source:\n $ref: '#'\n description: Source Package that produced the current binary Package, if known.\n normalized_version:\n description: |-\n Normalized representation of the discoverd version.\n\n The format is not specific, but is guarenteed to be forward compatible.\n type: string\n module:\n description: |-\n An identifier for intra-Repository grouping of packages.\n\n Likely only relevant on rpm-based systems.\n type: string\n arch:\n description: Native architecture for the Package.\n type: string\n $comment: This should become and enum in the future.\n cpe:\n $ref: cpe.schema.json\n description: CPE Name for the Package.\n additionalProperties: false\n required:\n - name\n - version\n examples:\n - id: \"10\"\n name: libapt-pkg5.0\n version: 1.6.11\n kind: binary\n normalized_version: \"\"\n arch: x86\n module: \"\"\n cpe: \"\"\n source:\n id: \"9\"\n name: apt\n version: 1.6.11\n kind: source\n source: null\n range:\n $id: https://clairproject.org/api/http/v1/range.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Range\n type: object\n description: A range of versions.\n properties:\n '[':\n type: string\n description: Lower bound, inclusive.\n ):\n type: string\n description: Upper bound, exclusive.\n minProperties: 1\n additionalProperties: false\n repository:\n $id: https://clairproject.org/api/http/v1/repository.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Repository\n type: object\n description: Description of a software repository\n properties:\n id:\n description: Unique ID for this Repository. May be unique to the response document, not the whole system.\n type: string\n name:\n description: Human-relevant name for the Repository.\n type: string\n key:\n description: Machine-relevant name for the Repository.\n type: string\n uri:\n description: URI describing the Repository.\n type: string\n format: uri\n cpe:\n description: CPE name for the Repository.\n $ref: cpe.schema.json\n additionalProperties: false\n required:\n - id\n update_diff:\n $id: https://clairproject.org/api/http/v1/update_diff.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Update Difference\n type: object\n description: |-\n **This is an internal type, documented for completeness.**\n\n An update difference describes changes between two Update Operations.\n properties:\n prev:\n description: The previous Update Operation.\n $ref: update_operation.schema.json\n cur:\n description: The current Update Operation.\n $ref: update_operation.schema.json\n added:\n description: Vulnerabilities present in \"cur\", but not \"prev\".\n type: array\n items:\n $ref: vulnerability.schema.json\n removed:\n description: Vulnerabilities present in \"prev\", but not \"cur\".\n type: array\n items:\n $ref: vulnerability.schema.json\n additionalProperties: false\n required:\n - cur\n - added\n - removed\n update_operation:\n $id: https://clairproject.org/api/http/v1/update_operation.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Update Operation\n type: object\n description: |-\n **This is an internal type, documented for completeness.**\n\n An update operations describes an update of the internal vulnerability database.\n properties:\n ref:\n type: string\n description: A unique identifier for this update operation.\n format: uuid\n updater:\n description: The \"updater\" component that was run.\n $comment: 'This is not as useful as it could be: an end user needs to know too much about Clair(core)''s internals to make sense of it.'\n type: string\n fingerprint:\n description: The stored \"fingerprint\" of this run.\n type: string\n date:\n type: string\n description: When this operation was run.\n format: date-time\n kind:\n description: The kind of data this operation updated.\n enum:\n - vulnerability\n - enrichment\n additionalProperties: false\n required:\n - ref\n - updater\n - fingerprint\n - date\n - kind\n update_operations:\n $id: https://clairproject.org/api/http/v1/update_operations.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Update Operations\n type: object\n description: |-\n **This is an internal type, documented for completeness.**\n\n A mapping of updater id to Update Operation(s).\n additionalProperties:\n type: array\n items:\n $ref: update_operation.schema.json\n vulnerability_core:\n $id: https://clairproject.org/api/http/v1/vulnerability_core.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Vulnerability Core\n type: object\n description: The core elements of vulnerabilities in the Clair system.\n properties:\n name:\n type: string\n description: Human-readable name, as presented in the vendor data.\n fixed_in_version:\n type: string\n description: Version string, as presented in the vendor data.\n severity:\n type: string\n description: Severity, as presented in the vendor data.\n normalized_severity:\n $ref: normalized_severity.schema.json\n description: A well defined set of severity strings guaranteed to be present.\n range:\n $ref: range.schema.json\n description: Range of versions the vulnerability applies to.\n arch_op:\n description: Flag indicating how the referenced package's \"arch\" member should be interpreted.\n enum:\n - equals\n - not equals\n - pattern match\n package:\n $ref: package.schema.json\n description: A package description\n distribution:\n $ref: distribution.schema.json\n description: A distribution description\n repository:\n $ref: repository.schema.json\n description: A repository description\n required:\n - name\n - normalized_severity\n dependentRequired:\n package:\n - arch_op\n anyOf:\n - required:\n - package\n - required:\n - repository\n - required:\n - distribution\n vulnerability_report:\n $id: https://clairproject.org/api/http/v1/vulnerability_report.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Vulnerability Report\n type: object\n description: A report with discovered packages, package environments, and package vulnerabilities within a Manifest.\n properties:\n manifest_hash:\n $ref: digest.schema.json\n description: The Manifest's digest.\n packages:\n type: object\n description: A map of Package objects indexed by a document-local identifier.\n additionalProperties:\n $ref: package.schema.json\n distributions:\n type: object\n description: A map of Distribution objects indexed by a document-local identifier.\n additionalProperties:\n $ref: distribution.schema.json\n repository:\n type: object\n description: A map of Repository objects indexed by a document-local identifier.\n additionalProperties:\n $ref: repository.schema.json\n environments:\n type: object\n description: A map of Environment arrays indexed by a Package's identifier.\n additionalProperties:\n type: array\n items:\n $ref: environment.schema.json\n vulnerabilities:\n type: object\n description: A map of Vulnerabilities indexed by a document-local identifier.\n additionalProperties:\n $ref: vulnerability.schema.json\n package_vulnerabilities:\n type: object\n description: A mapping of Vulnerability identifier lists indexed by Package identifier.\n additionalProperties:\n type: array\n items:\n type: string\n enrichments:\n type: object\n description: A mapping of extra \"enrichment\" data by type\n additionalProperties:\n type: array\n additionalProperties: false\n required:\n - distributions\n - environments\n - manifest_hash\n - packages\n - package_vulnerabilities\n - vulnerabilities\n vulnerability:\n $id: https://clairproject.org/api/http/v1/vulnerability.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Vulnerability\n type: object\n description: Description of a software flaw.\n $ref: vulnerability_core.schema.json\n properties:\n id:\n description: Unique ID for this Vulnerabiltity. May be unique to the response document, not the whole system.\n type: string\n updater:\n description: The updater component this Vulnerability came from.\n type: string\n description:\n description: A human-readable description of the vulnerability.\n type: string\n issued:\n description: The datetime this Vulnerability was issued, if known.\n type: string\n format: date-time\n links:\n description: Space-separated URIs to more information.\n type: string\n unevaluatedProperties: false\n required:\n - id\n - updater\n examples:\n - id: \"356835\"\n updater: ubuntu\n name: CVE-2009-5155\n description: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\n links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155 http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-5155.html https://sourceware.org/bugzilla/show_bug.cgi?id=11053 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238 https://sourceware.org/bugzilla/show_bug.cgi?id=18986\n severity: Low\n normalized_severity: Low\n package:\n id: \"0\"\n name: glibc\n version: 2.27-0ubuntu1\n kind: binary\n source: null\n dist:\n id: \"0\"\n did: ubuntu\n name: Ubuntu\n version: 18.04.3 LTS (Bionic Beaver)\n version_code_name: bionic\n version_id: \"18.04\"\n arch: amd64\n repo:\n id: \"0\"\n name: Ubuntu 18.04.3 LTS\n issued: \"2019-10-12T07:20:50.52Z\"\n fixed_in_version: 2.28-0ubuntu1\n vulnerability_summaries:\n $id: https://clairproject.org/api/http/v1/vulnerability_summaries.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Vulnerability Summaries\n type: array\n description: |-\n **This is an internal type, documented for completeness.**\n\n This is an array of pseudo-Vulnerability objects used for reverse-lookup.\n items:\n description: Summary vulnerability objects.\n $ref: vulnerability_summary.schema.json\n vulnerability_summary:\n $id: https://clairproject.org/api/http/v1/vulnerability_summary.schema.json\n $schema: https://json-schema.org/draft/2020-12/schema\n title: Vulnerability Summary\n type: object\n description: A summary of a vulnerability.\n $ref: vulnerability_core.schema.json\n unevaluatedProperties: false\n examples:\n - name: CVE-2009-5155\n description: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\n normalized_severity: Low\n fixed_in_version: v0.0.1\n links: http://link-to-advisory\n package:\n id: \"0\"\n name: glibc\n version: v0.0.1-rc1\n dist:\n id: \"0\"\n did: ubuntu\n name: Ubuntu\n version: 18.04.3 LTS (Bionic Beaver)\n version_code_name: bionic\n version_id: \"18.04\"\n repo:\n id: \"0\"\n name: Ubuntu 18.04.3 LTS\n responses:\n bad_request:\n description: Bad Request\n content:\n application/vnd.clair.error.v1+json:\n schema:\n $ref: '#/components/schemas/error'\n application/json:\n schema:\n $ref: '#/components/schemas/error'\n oops:\n description: Internal Server Error\n content:\n application/vnd.clair.error.v1+json:\n schema:\n $ref: '#/components/schemas/error'\n application/json:\n schema:\n $ref: '#/components/schemas/error'\n not_found:\n description: Not Found\n content:\n application/vnd.clair.error.v1+json:\n schema:\n $ref: '#/components/schemas/error'\n application/json:\n schema:\n $ref: '#/components/schemas/error'\n unsupported_media_type:\n description: Unsupported Media Type\n content:\n application/vnd.clair.error.v1+json:\n schema:\n $ref: '#/components/schemas/error'\n application/json:\n schema:\n $ref: '#/components/schemas/error'\n parameters:\n digest:\n description: OCI-compatible digest of a referred object.\n name: digest\n in: path\n schema:\n $ref: '#/components/schemas/digest'\n required: true\n headers:\n Clair-Error:\n description: This is a trailer containing any errors encountered while writing the response.\n style: simple\n schema:\n type: string\n Etag:\n description: HTTP [ETag header](https://httpwg.org/specs/rfc9110.html#field.etag)\n style: simple\n schema:\n type: string\n Link:\n description: Web Linking [Link header](https://httpwg.org/specs/rfc8288.html#header)\n style: simple\n schema:\n type: string\n Location:\n description: HTTP [Location header](https://httpwg.org/specs/rfc9110.html#field.location)\n style: simple\n required: true\n schema:\n type: string\n securitySchemes:\n PSK:\n type: http\n scheme: bearer\n bearerFormat: JWT with preshared key and allow-listed issuers\n description: |-\n Clair's authentication scheme.\n\n This is a [JWT](https://datatracker.ietf.org/doc/html/rfc7519) signed with a configured pre-shared key containing an allowlisted `iss` claim.\n"
},
{
"path": "httptransport/auth.go",
"content": "package httptransport\n\nimport (\n\t\"errors\"\n\t\"net/http\"\n\n\t\"github.com/quay/clair/config\"\n\n\t\"github.com/quay/clair/v4/middleware/auth\"\n)\n\n// AuthHandler returns an http.Handler wrapping the provided Handler, as\n// described by the provided Config.\nfunc authHandler(cfg *config.Config, next http.Handler) (http.Handler, error) {\n\tvar checks []auth.Checker\n\n\t// Keep this ordered \"best\" to \"worst\".\n\tswitch {\n\tcase cfg.Auth.PSK != nil:\n\t\tcfg := cfg.Auth.PSK\n\t\tissuers := make([]string, 0, 1+len(cfg.Issuer))\n\t\tissuers = append(issuers, IntraserviceIssuer)\n\t\tissuers = append(issuers, cfg.Issuer...)\n\n\t\tpsk, err := auth.NewPSK(cfg.Key, issuers)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tchecks = append(checks, psk)\n\tcase cfg.Auth.Keyserver != nil:\n\t\treturn nil, errors.New(\"quay keyserver support has been removed\")\n\tdefault:\n\t\treturn next, nil\n\t}\n\n\treturn auth.Handler(next, checks...), nil\n}\n"
},
{
"path": "httptransport/auth_test.go",
"content": "package httptransport\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore/test\"\n\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\ntype authTestcase struct {\n\tClaims *jwt.Claims\n\tConfigMod func(*testing.T, *config.Config)\n\tConfig config.Config\n\tName string\n\tShouldFail bool\n}\n\nvar defaultClaims = jwt.Claims{\n\tIssuer: IntraserviceIssuer,\n}\n\nfunc (tc *authTestcase) Run(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\t// Generate a nonce to return upon request.\n\t\tb := make([]byte, 16)\n\t\tif _, err := io.ReadFull(rand.Reader, b); err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t\tnonce := hex.EncodeToString(b)\n\n\t\t// Return the nonce when called.\n\t\tnext := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tif a := r.Header.Get(\"authorization\"); a != \"\" {\n\t\t\t\tt.Logf(\"Authorization: %s\", a)\n\t\t\t}\n\t\t\tfmt.Fprint(w, nonce)\n\t\t})\n\n\t\t// Create a handler that has auth according to the config.\n\t\th, err := authHandler(&tc.Config, next)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\t// Wire up the handler to a test server.\n\t\tsrv := httptest.NewUnstartedServer(h)\n\t\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\t\tsrv.Start()\n\t\tdefer srv.Close()\n\n\t\ttc.Config.Matcher.IndexerAddr = srv.URL\n\t\t// Modify the config, if present\n\t\tif f := tc.ConfigMod; f != nil {\n\t\t\tf(t, &tc.Config)\n\t\t}\n\n\t\t// Use a default intraservice claim if not set.\n\t\tif tc.Claims == nil {\n\t\t\ttc.Claims = &defaultClaims\n\t\t}\n\t\ts, err := httputil.NewSigner(ctx, &tc.Config, *tc.Claims)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif err := s.Sign(ctx, req); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif t.Failed() {\n\t\t\tt.FailNow()\n\t\t}\n\n\t\t// Make the request.\n\t\tres, err := srv.Client().Do(req)\n\t\tif err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t\tdefer res.Body.Close()\n\t\twantStatus := http.StatusOK\n\t\tif tc.ShouldFail {\n\t\t\twantStatus = http.StatusUnauthorized\n\t\t}\n\t\tt.Logf(\"status code: %v\", res.StatusCode)\n\t\tif res.StatusCode != wantStatus {\n\t\t\tt.Fail()\n\t\t}\n\t\tvar buf bytes.Buffer\n\t\tif _, err := io.Copy(&buf, res.Body); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\t// Compare the nonce.\n\t\tgot, want := buf.String(), nonce\n\t\tt.Logf(\"http request, got: %q want: %q\", got, want)\n\t\tif got != want && !tc.ShouldFail {\n\t\t\tt.Fail()\n\t\t}\n\t}\n}\n\n// TestAuth tests configuring both http server and client.\nfunc TestAuth(t *testing.T) {\n\tfakeKey := []byte(\"deadbeef\")\n\ttt := []authTestcase{\n\t\t{Name: \"None\"},\n\t\t{\n\t\t\tName: \"PSK\",\n\t\t\tConfig: config.Config{\n\t\t\t\tAuth: config.Auth{\n\t\t\t\t\tPSK: &config.AuthPSK{\n\t\t\t\t\t\tIssuer: []string{`sweet-bro`},\n\t\t\t\t\t\tKey: fakeKey,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"PSKMultipleIssuer\",\n\t\t\tConfig: config.Config{\n\t\t\t\tAuth: config.Auth{\n\t\t\t\t\tPSK: &config.AuthPSK{\n\t\t\t\t\t\tIssuer: []string{`sweet-bro`, `hella-jeff`, `geromy`},\n\t\t\t\t\t\tKey: fakeKey,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tClaims: &jwt.Claims{Issuer: `geromy`},\n\t\t},\n\t\t{\n\t\t\tName: \"PSKBadKey\",\n\t\t\tConfig: config.Config{\n\t\t\t\tAuth: config.Auth{\n\t\t\t\t\tPSK: &config.AuthPSK{\n\t\t\t\t\t\tIssuer: []string{`sweet-bro`},\n\t\t\t\t\t\tKey: fakeKey,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tShouldFail: true,\n\t\t\tConfigMod: func(_ *testing.T, cfg *config.Config) { cfg.Auth.PSK.Key = []byte(\"badbeef\") },\n\t\t},\n\t\t{\n\t\t\tName: \"PSKFail\",\n\t\t\tConfig: config.Config{\n\t\t\t\tAuth: config.Auth{\n\t\t\t\t\tPSK: &config.AuthPSK{\n\t\t\t\t\t\tIssuer: []string{`sweet-bro`},\n\t\t\t\t\t\tKey: fakeKey,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tShouldFail: true,\n\t\t\tConfigMod: func(_ *testing.T, cfg *config.Config) { cfg.Auth.PSK = nil },\n\t\t},\n\t}\n\n\tctx := test.Logging(t)\n\tfor _, tc := range tt {\n\t\tt.Run(tc.Name, tc.Run(ctx))\n\t}\n}\n"
},
{
"path": "httptransport/client/httpclient.go",
"content": "package client\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\t\"sync/atomic\"\n\n\t\"github.com/quay/claircore/libvuln/driver\"\n)\n\n// UoCache caches an UpdateOperation map when the server provides a conditional\n// response.\ntype uoCache struct {\n\tsync.RWMutex\n\tuo map[string][]driver.UpdateOperation\n\tvalidator string\n}\n\n// Set persists the update operations map and its associated validator string\n// used in conditional requests.\n//\n// It is safe for concurrent use.\nfunc (c *uoCache) Set(m map[string][]driver.UpdateOperation, v string) {\n\tc.Lock()\n\tdefer c.Unlock()\n\tc.uo = m\n\tc.validator = v\n}\n\n// Copy returns a copy of the cache contents to the caller.\n//\n// It is safe for concurrent use.\nfunc (c *uoCache) Copy() map[string][]driver.UpdateOperation {\n\tm := map[string][]driver.UpdateOperation{}\n\tc.RLock()\n\tdefer c.RUnlock()\n\tfor u, ops := range c.uo {\n\t\to := make([]driver.UpdateOperation, len(ops))\n\t\tcopy(o, ops)\n\t\tm[u] = o\n\t}\n\treturn m\n}\n\nfunc newOUCache() *uoCache {\n\treturn &uoCache{\n\t\tRWMutex: sync.RWMutex{},\n\t}\n}\n\n// HTTP implements access to clair interfaces over HTTP\ntype HTTP struct {\n\tdiffValidator atomic.Value\n\taddr *url.URL\n\tc *http.Client\n\tuoCache *uoCache\n\tuoLatestCache *uoCache\n\tsigner Signer\n}\n\n// DefaultAddr is used if the WithAddr Option isn't provided to New.\n//\n// This uses the default service port, and should just work if a containerized\n// deployment has a service configured that hairpins and routes correctly.\nconst DefaultAddr = `http://clair:6060/`\n\n// NewHTTP is a constructor for an HTTP client.\nfunc NewHTTP(ctx context.Context, opt ...Option) (*HTTP, error) {\n\taddr, err := url.Parse(DefaultAddr)\n\tif err != nil {\n\t\tpanic(\"programmer error\") // Why didn't the DefaultAddr parse?\n\t}\n\n\tc := &HTTP{\n\t\taddr: addr,\n\t\tc: http.DefaultClient,\n\t\tuoCache: newOUCache(),\n\t\tuoLatestCache: newOUCache(),\n\t}\n\tc.diffValidator.Store(\"\")\n\n\tfor _, o := range opt {\n\t\tif err := o(c); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\treturn c, nil\n}\n\n// Option sets an option on an HTTP.\ntype Option func(*HTTP) error\n\n// WithAddr sets the address to talk to.\n//\n// The client doesn't support providing multiple addresses, so the provided\n// address should most likely have some form of load balancing or routing.\n//\n// The provided URL should not include the `/api/v1` prefix.\nfunc WithAddr(root string) Option {\n\tu, err := url.Parse(root)\n\treturn func(s *HTTP) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ts.addr = u\n\t\treturn nil\n\t}\n}\n\n// WithClient sets the http.Client used for requests.\n//\n// If WithClient is not supplied to NewHTTP, http.DefaultClient is used.\nfunc WithClient(c *http.Client) Option {\n\treturn func(s *HTTP) error {\n\t\ts.c = c\n\t\treturn nil\n\t}\n}\n\nfunc WithSigner(v Signer) Option {\n\treturn func(s *HTTP) error {\n\t\ts.signer = v\n\t\treturn nil\n\t}\n}\n\ntype Signer interface {\n\tSign(context.Context, *http.Request) error\n}\n\nfunc (s *HTTP) sign(ctx context.Context, req *http.Request) error {\n\tif s.signer == nil {\n\t\treturn nil\n\t}\n\treturn s.signer.Sign(ctx, req)\n}\n"
},
{
"path": "httptransport/client/indexer.go",
"content": "package client\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"path\"\n\n\t\"github.com/quay/claircore\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/httptransport\"\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/internal/codec\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\nvar _ indexer.Service = (*HTTP)(nil)\n\nfunc (s *HTTP) AffectedManifests(ctx context.Context, v []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\tu, err := s.addr.Parse(httptransport.AffectedManifestAPIPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse api address: %v\", err)\n\t}\n\trd := codec.JSONReader(struct {\n\t\tV []claircore.Vulnerability `json:\"vulnerabilities\"`\n\t}{\n\t\tv,\n\t})\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, u.String(), rd)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tif err := s.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\treq.Header.Set(\"content-type\", `application/json`)\n\tresp, err := s.c.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, &clairerror.ErrRequestFail{\n\t\t\tCode: resp.StatusCode,\n\t\t\tStatus: resp.Status,\n\t\t}\n\t}\n\n\tvar a claircore.AffectedManifests\n\tswitch ct := req.Header.Get(\"content-type\"); ct {\n\tcase \"\", `application/json`:\n\t\tdec := codec.GetDecoder(resp.Body)\n\t\tdefer codec.PutDecoder(dec)\n\t\tif err := dec.Decode(&a); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unrecognized content-type %q\", ct)\n\t}\n\treturn &a, nil\n}\n\n// Index receives a Manifest and returns a IndexReport providing the indexed\n// items in the resulting image.\n//\n// Index blocks until completion. An error is returned if the index operation\n// could not start. If an error occurs during the index operation the error will\n// be preset on the IndexReport.Err field of the returned IndexReport.\nfunc (s *HTTP) Index(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error) {\n\tu, err := s.addr.Parse(httptransport.IndexAPIPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, u.String(), codec.JSONReader(manifest))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tif err := s.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\treq.Header.Set(\"content-type\", `application/json`)\n\tresp, err := s.c.Do(req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to do request: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, &clairerror.ErrRequestFail{\n\t\t\tCode: resp.StatusCode,\n\t\t\tStatus: resp.Status,\n\t\t}\n\t}\n\n\tvar ir claircore.IndexReport\n\tswitch ct := resp.Header.Get(\"content-type\"); ct {\n\tcase \"\", `application/json`:\n\t\tdec := codec.GetDecoder(resp.Body)\n\t\tdefer codec.PutDecoder(dec)\n\t\tif err := dec.Decode(&ir); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unrecognized content-type %q\", ct)\n\t}\n\treturn &ir, nil\n}\n\n// IndexReport retrieves a IndexReport given a manifest hash string\nfunc (s *HTTP) IndexReport(ctx context.Context, manifest claircore.Digest) (*claircore.IndexReport, bool, error) {\n\tu, err := s.addr.Parse(path.Join(httptransport.IndexReportAPIPath, manifest.String()))\n\tif err != nil {\n\t\treturn nil, false, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\tif err != nil {\n\t\treturn nil, false, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tif err := s.sign(ctx, req); err != nil {\n\t\treturn nil, false, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tresp, err := s.c.Do(req)\n\tif err != nil {\n\t\treturn nil, false, fmt.Errorf(\"failed to do request: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\tswitch resp.StatusCode {\n\tcase http.StatusOK:\n\tcase http.StatusNotFound:\n\t\treturn nil, false, nil\n\tdefault:\n\t\treturn nil, false, &clairerror.ErrIndexReportRetrieval{\n\t\t\tE: &clairerror.ErrRequestFail{\n\t\t\t\tCode: resp.StatusCode,\n\t\t\t\tStatus: resp.Status,\n\t\t\t},\n\t\t}\n\t}\n\n\tir := &claircore.IndexReport{}\n\tdec := codec.GetDecoder(resp.Body)\n\tdefer codec.PutDecoder(dec)\n\tif err := dec.Decode(ir); err != nil {\n\t\treturn nil, false, &clairerror.ErrBadIndexReport{E: err}\n\t}\n\treturn ir, true, nil\n}\n\nfunc (s *HTTP) State(ctx context.Context) (string, error) {\n\tu, err := s.addr.Parse(httptransport.IndexStateAPIPath)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tif err := s.sign(ctx, req); err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tresp, err := s.c.Do(req)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to do request: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\tbuf := &bytes.Buffer{}\n\tif _, err := buf.ReadFrom(resp.Body); err != nil {\n\t\treturn \"\", err\n\t}\n\treturn buf.String(), nil\n}\n\n// DeleteManifests deletes the specified manifests.\n//\n// Passing a digest of an unknown manifest is not an error.\nfunc (s *HTTP) DeleteManifests(ctx context.Context, d ...claircore.Digest) ([]claircore.Digest, error) {\n\t// This implementation always uses the bulk delete endpoint.\n\tu, err := s.addr.Parse(httptransport.IndexAPIPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodDelete, u.String(), codec.JSONReader(d))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tif err := s.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tresp, err := s.c.Do(req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to do request: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"unexpected response status: %v\", resp.Status)\n\t}\n\tvar ret []claircore.Digest\n\tdec := codec.GetDecoder(resp.Body)\n\tdefer codec.PutDecoder(dec)\n\tif err := dec.Decode(&ret); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to decode response: %w\", err)\n\t}\n\treturn ret, nil\n}\n"
},
{
"path": "httptransport/client/matcher.go",
"content": "package client\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/httptransport\"\n\t\"github.com/quay/clair/v4/internal/codec\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\nvar _ matcher.Service = (*HTTP)(nil)\n\nfunc (c *HTTP) Scan(ctx context.Context, ir *claircore.IndexReport) (*claircore.VulnerabilityReport, error) {\n\tu, err := c.addr.Parse(httptransport.VulnerabilityReportPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, u.String(), codec.JSONReader(ir))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tif err := c.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\treq.Header.Set(\"content-type\", `application/json`)\n\tresp, err := c.c.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, &clairerror.ErrRequestFail{\n\t\t\tCode: resp.StatusCode,\n\t\t\tStatus: resp.Status,\n\t\t}\n\t}\n\n\tvar vr claircore.VulnerabilityReport\n\tswitch ct := req.Header.Get(\"content-type\"); ct {\n\tcase \"\", `application/json`:\n\t\tdec := codec.GetDecoder(resp.Body)\n\t\tdefer codec.PutDecoder(dec)\n\t\tif err := dec.Decode(&vr); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unrecognized content-type %q\", ct)\n\t}\n\treturn &vr, nil\n}\n\n// DeleteUpdateOperations attempts to delete the referenced update operations.\nfunc (c *HTTP) DeleteUpdateOperations(ctx context.Context, ref ...uuid.UUID) (int64, error) {\n\tu, err := c.addr.Parse(httptransport.UpdateOperationDeleteAPIPath)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\t// Spawn a few requests that will write their result into \"errs\".\n\t//\n\t// These'll most likely be multiplexed and to the same host, so pick a nice\n\t// lowish number like 4.\n\t//\n\t// Don't use an errgroup because we want to actually issue all the DELETEs,\n\t// not stop all requests on the first error.\n\tvar wg sync.WaitGroup\n\titem := make(chan int)\n\terrs := make([]error, len(ref))\n\tfor i := 0; i < 4; i++ {\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\tfor i := range item {\n\t\t\t\tu, err := u.Parse(ref[i].String())\n\t\t\t\tif err != nil {\n\t\t\t\t\terrs[i] = err\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodDelete, u.String(), nil)\n\t\t\t\tif err != nil {\n\t\t\t\t\terrs[i] = err\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif err := c.sign(ctx, req); err != nil {\n\t\t\t\t\terrs[i] = fmt.Errorf(\"failed to create request: %v\", err)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tres, err := c.c.Do(req)\n\t\t\t\tif err != nil {\n\t\t\t\t\terrs[i] = err\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tdefer res.Body.Close()\n\t\t\t\tif got, want := res.StatusCode, http.StatusOK; got != want {\n\t\t\t\t\terrs[i] = fmt.Errorf(\"%v: unexpected status: %s\", u.Path, res.Status)\n\t\t\t\t}\n\t\t\t}\n\t\t}()\n\t}\n\tfor i, lim := 0, len(ref); i < lim; i++ {\n\t\titem <- i\n\t}\n\tclose(item)\n\twg.Wait()\n\n\tvar b strings.Builder\n\tvar errd bool\n\tdeleted := int64(len(ref))\n\tfor _, err := range errs {\n\t\tif err != nil {\n\t\t\tdeleted--\n\t\t\tif errd {\n\t\t\t\tb.WriteByte('\\n')\n\t\t\t}\n\t\t\tb.WriteString(err.Error())\n\t\t\terrd = true\n\t\t}\n\t}\n\n\tif errd {\n\t\treturn deleted, errors.New(\"deletion errors: \" + b.String())\n\t}\n\treturn deleted, nil\n}\n\n// LatestUpdateOperation shouldn't be used by client code and is implemented\n// only to satisfy the matcher.Differ interface.\nfunc (c *HTTP) LatestUpdateOperation(_ context.Context, _ driver.UpdateKind) (uuid.UUID, error) {\n\treturn uuid.Nil, nil\n}\n\n// UpdateOperations returns all the known UpdateOperations per updater.\nfunc (c *HTTP) UpdateOperations(ctx context.Context, k driver.UpdateKind, updaters ...string) (map[string][]driver.UpdateOperation, error) {\n\tu, err := c.addr.Parse(httptransport.UpdateOperationAPIPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tv := url.Values{}\n\tv.Add(\"kind\", string(k))\n\tu.RawQuery = v.Encode()\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif err := c.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\treturn c.updateOperations(ctx, req, c.uoCache)\n}\n\n// LatestUpdateOperations returns the most recent UpdateOperation per updater.\nfunc (c *HTTP) LatestUpdateOperations(ctx context.Context, k driver.UpdateKind) (map[string][]driver.UpdateOperation, error) {\n\tu, err := c.addr.Parse(httptransport.UpdateOperationAPIPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tv := url.Values{}\n\tv.Add(\"latest\", \"true\")\n\tv.Add(\"kind\", string(k))\n\tu.RawQuery = v.Encode()\n\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// check the cache validator and pass our ouCache to\n\t// updateOperations\n\tc.uoLatestCache.RLock()\n\tif c.uoLatestCache.validator != \"\" {\n\t\treq.Header.Set(\"if-none-match\", c.uoLatestCache.validator)\n\t}\n\tc.uoLatestCache.RUnlock()\n\treturn c.updateOperations(ctx, req, c.uoLatestCache)\n}\n\n// updateOperations is a private method implementing the common bits for retrieving UpdateOperations\n//\n// an ouCache is passed in by the caller to cache any responses providing an etag.\n// if a subsequent response provides a StatusNotModified status, the map of UpdateOprations is served from cache.\nfunc (c *HTTP) updateOperations(ctx context.Context, req *http.Request, cache *uoCache) (map[string][]driver.UpdateOperation, error) {\n\tif err := c.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\tres, err := c.c.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer res.Body.Close()\n\tswitch res.StatusCode {\n\tcase http.StatusOK:\n\t\tm := make(map[string][]driver.UpdateOperation)\n\t\tdec := codec.GetDecoder(res.Body)\n\t\tdefer codec.PutDecoder(dec)\n\t\tif err := dec.Decode(&m); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\t// check for etag, if exists store the value and add returned map\n\t\t// to cache\n\t\tif v := res.Header.Get(\"etag\"); v != \"\" && !strings.HasPrefix(v, \"W/\") {\n\t\t\tcache.Set(m, v)\n\t\t}\n\t\treturn cache.Copy(), nil\n\tcase http.StatusNotModified:\n\t\treturn cache.Copy(), nil\n\tdefault:\n\t}\n\treturn nil, fmt.Errorf(\"%v: unexpected status: %s\", req.URL.Path, res.Status)\n}\n\n// UpdateDiff reports the diff of two update operations, identified by the\n// provided refs.\n//\n// \"Prev\" may be passed uuid.Nil if the client's last known state has been\n// forgotten by the server.\nfunc (c *HTTP) UpdateDiff(ctx context.Context, prev, cur uuid.UUID) (*driver.UpdateDiff, error) {\n\tu, err := c.addr.Parse(httptransport.UpdateDiffAPIPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tv := req.URL.Query()\n\tif prev != uuid.Nil {\n\t\tv.Set(\"prev\", prev.String())\n\t}\n\tv.Set(\"cur\", cur.String())\n\treq.URL.RawQuery = v.Encode()\n\tif err := c.sign(ctx, req); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to create request: %v\", err)\n\t}\n\n\tres, err := c.c.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer res.Body.Close()\n\tif res.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"%v: unexpected status: %s\", u.Path, res.Status)\n\t}\n\td := driver.UpdateDiff{}\n\tdec := codec.GetDecoder(res.Body)\n\tdefer codec.PutDecoder(dec)\n\tif err := dec.Decode(&d); err != nil {\n\t\treturn nil, err\n\t}\n\treturn &d, nil\n}\n\n// Initialized is present to fulfill the interface, but isn't exposed as part of\n// the HTTP API. This method is stubbed out.\nfunc (c *HTTP) Initialized(_ context.Context) (bool, error) {\n\treturn true, nil\n}\n"
},
{
"path": "httptransport/client/matcher_test.go",
"content": "package client_test\n\nimport (\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"path\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\n\t\"github.com/quay/clair/v4/httptransport\"\n\t\"github.com/quay/clair/v4/httptransport/client\"\n)\n\n// TestDiffer puts the Differ methods of the client through its paces.\nfunc TestDiffer(t *testing.T) {\n\tctx := t.Context()\n\n\tt.Run(\"OK\", func(t *testing.T) {\n\t\tt.Run(\"Delete\", func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t// Generate a set of refs.\n\t\t\trefs := make([]uuid.UUID, 10)\n\t\t\texpected := make(map[string]struct{}, 10)\n\t\t\tfor i := range refs {\n\t\t\t\tid := uuid.New()\n\t\t\t\trefs[i] = id\n\t\t\t\texpected[id.String()] = struct{}{}\n\t\t\t}\n\n\t\t\t// Spin up a server that mocks a delete call.\n\t\t\tsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tif r.Method != http.MethodDelete {\n\t\t\t\t\tw.WriteHeader(http.StatusMethodNotAllowed)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif !strings.HasPrefix(r.URL.Path, httptransport.UpdateOperationAPIPath) {\n\t\t\t\t\tw.WriteHeader(http.StatusNotFound)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tgot := path.Base(r.URL.Path)\n\t\t\t\tt.Logf(\"got: %s\", got)\n\t\t\t\tif _, ok := expected[got]; !ok {\n\t\t\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tw.WriteHeader(http.StatusOK)\n\t\t\t}))\n\t\t\tdefer srv.Close()\n\n\t\t\t// Create a client.\n\t\t\tc, err := client.NewHTTP(ctx, client.WithAddr(srv.URL))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\n\t\t\t// Do the call.\n\t\t\tdeleted, err := c.DeleteUpdateOperations(ctx, refs...)\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif deleted != int64(len(refs)) {\n\t\t\t\tt.Errorf(\"got: %v, want: %v\", deleted, len(refs))\n\t\t\t}\n\t\t})\n\n\t\tt.Run(\"Latest\", func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t// Generate a set of names and refs.\n\t\t\twant := make(map[string][]driver.UpdateOperation)\n\t\t\tfor i := 0; i < 10; i++ {\n\t\t\t\twant[strconv.Itoa(i)] = []driver.UpdateOperation{\n\t\t\t\t\t{\n\t\t\t\t\t\tRef: uuid.New(),\n\t\t\t\t\t\tDate: time.Now(),\n\t\t\t\t\t\tFingerprint: \"xyz\",\n\t\t\t\t\t\tUpdater: \"test-updater\",\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t}\n\t\t\tvalidator := `\"validator\"`\n\n\t\t\t// Spin up a server that mocks a latest call.\n\t\t\tsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tif r.Method != http.MethodGet {\n\t\t\t\t\tw.WriteHeader(http.StatusMethodNotAllowed)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif !strings.HasPrefix(r.URL.Path, httptransport.UpdateOperationAPIPath) {\n\t\t\t\t\tw.WriteHeader(http.StatusNotFound)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif v := r.Header.Get(\"If-None-Match\"); v != \"\" && v == validator {\n\t\t\t\t\tw.WriteHeader(http.StatusNotModified)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tw.Header().Set(\"etag\", validator)\n\n\t\t\t\tif err := json.NewEncoder(w).Encode(want); err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t}\n\t\t\t}))\n\t\t\tdefer srv.Close()\n\n\t\t\t// Create a client.\n\t\t\tc, err := client.NewHTTP(ctx, client.WithAddr(srv.URL))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\n\t\t\tt.Run(\"Initial\", func(t *testing.T) {\n\t\t\t\t// Do the call.\n\t\t\t\tgot, err := c.LatestUpdateOperations(ctx, driver.VulnerabilityKind)\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t}\n\t\t\t\tif !cmp.Equal(got, want) {\n\t\t\t\t\tt.Error(cmp.Diff(got, want))\n\t\t\t\t}\n\t\t\t})\n\t\t\t// second attempt will be served from cache\n\t\t\tt.Run(\"Second\", func(t *testing.T) {\n\t\t\t\t// Do the call.\n\t\t\t\tgot, err := c.LatestUpdateOperations(ctx, driver.VulnerabilityKind)\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t}\n\t\t\t\tif !cmp.Equal(got, want) {\n\t\t\t\t\tt.Error(cmp.Diff(got, want))\n\t\t\t\t}\n\t\t\t})\n\t\t})\n\n\t\tt.Run(\"Diff\", func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t// Create two refs and a delta between them.\n\t\t\tprev, cur := uuid.New(), uuid.New()\n\t\t\twant := &driver.UpdateDiff{\n\t\t\t\tPrev: driver.UpdateOperation{Ref: prev},\n\t\t\t\tCur: driver.UpdateOperation{Ref: cur},\n\t\t\t\tAdded: nil,\n\t\t\t\tRemoved: nil,\n\t\t\t}\n\n\t\t\t// Spin up a server that mocks the diff call.\n\t\t\tsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tif r.Method != http.MethodGet {\n\t\t\t\t\tw.WriteHeader(http.StatusMethodNotAllowed)\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tprevStr, curStr := r.FormValue(\"prev\"), r.FormValue(\"cur\")\n\t\t\t\tif got, want := prevStr, prev.String(); got != want {\n\t\t\t\t\tt.Errorf(\"got: %q, want: %q\", got, want)\n\t\t\t\t}\n\t\t\t\tif got, want := curStr, cur.String(); got != want {\n\t\t\t\t\tt.Errorf(\"got: %q, want: %q\", got, want)\n\t\t\t\t}\n\t\t\t\tif t.Failed() {\n\t\t\t\t\tw.WriteHeader(http.StatusBadRequest)\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tif err := json.NewEncoder(w).Encode(want); err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t}\n\t\t\t}))\n\t\t\tdefer srv.Close()\n\n\t\t\t// Create a client.\n\t\t\tc, err := client.NewHTTP(ctx, client.WithAddr(srv.URL))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\n\t\t\t// Do the call.\n\t\t\tgot, err := c.UpdateDiff(ctx, prev, cur)\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif !cmp.Equal(got, want) {\n\t\t\t\tt.Error(cmp.Diff(got, want))\n\t\t\t}\n\t\t})\n\t})\n}\n"
},
{
"path": "httptransport/common.go",
"content": "package httptransport\n\nimport (\n\tcrand \"crypto/rand\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"mime\"\n\t\"net/http\"\n\t\"path\"\n\t\"runtime/pprof\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/toolkit/log\"\n\t\"go.opentelemetry.io/otel/trace\"\n)\n\n// GetDigest removes the last path element and parses it as a digest.\nfunc getDigest(_ http.ResponseWriter, r *http.Request) (d claircore.Digest, err error) {\n\tdStr := path.Base(r.URL.Path)\n\tif dStr == \"\" {\n\t\treturn d, errors.New(\"provide a single manifest hash\")\n\t}\n\treturn claircore.ParseDigest(dStr)\n}\n\n// PickContentType sets the response's \"Content-Type\" header.\n//\n// If \"Accept\" headers are not present in the request, the first element of the\n// \"allow\" slice is used.\n//\n// If \"Accept\" headers are present, the first (ordered by \"q\" value) media type\n// in the \"allow\" slice is chosen. If there are no common media types, \"415\n// Unsupported Media Type\" is written and ErrMediaType is reported.\nfunc pickContentType(w http.ResponseWriter, r *http.Request, allow []string) error {\n\t// There's no canonical algorithm for this, it's all server-dependent\n\t// behavior. Our algorithm is:\n\t//\n\t//\t- Parse the Accept header(s) as MIME media types joined by commas.\n\t//\t- Stable sort according to the \"q\" parameter, defaulting to 1.0 if\n\t//\t omitted (as specified)\n\t//\t- Pick the first match.\n\t//\n\t// BUG(hank) Content type negotiation does an O(n*m) comparison driven on\n\t// user input, which may be a DoS issue.\n\tas, ok := r.Header[\"Accept\"]\n\tif !ok {\n\t\tw.Header().Set(\"content-type\", allow[0])\n\t\treturn nil\n\t}\n\tvar acceptable []accept\n\tfor _, part := range as {\n\t\tfor _, s := range strings.Split(part, \",\") {\n\t\t\ta := accept{}\n\t\t\tmt, p, err := mime.ParseMediaType(strings.TrimSpace(s))\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\ta.Q = 1.0\n\t\t\tif qs, ok := p[\"q\"]; ok {\n\t\t\t\ta.Q, _ = strconv.ParseFloat(qs, 64)\n\t\t\t}\n\t\t\ttyp := strings.Split(mt, \"/\")\n\t\t\ta.Type = typ[0]\n\t\t\ta.Subtype = typ[1]\n\t\t\tacceptable = append(acceptable, a)\n\t\t}\n\t}\n\tif len(acceptable) == 0 {\n\t\tw.Header().Set(\"content-type\", allow[0])\n\t\treturn nil\n\t}\n\tsort.SliceStable(acceptable, func(i, j int) bool { return acceptable[i].Q > acceptable[j].Q })\n\tfor _, l := range acceptable {\n\t\tfor _, a := range allow {\n\t\t\tif l.Match(a) {\n\t\t\t\tw.Header().Set(\"content-type\", a)\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\tw.WriteHeader(http.StatusUnsupportedMediaType)\n\treturn ErrMediaType\n}\n\n// ErrMediaType is returned if no common media types can be found for a given\n// request.\nvar ErrMediaType = errors.New(\"no common media type\")\n\ntype accept struct {\n\tType, Subtype string\n\tQ float64\n}\n\n// Match reports whether the type in the \"accept\" struct matches the provided\n// media type, honoring wildcards.\n//\n// Match panics if the provided media type is not well-formed.\nfunc (a *accept) Match(mt string) bool {\n\tif a.Type == \"*\" && a.Subtype == \"*\" {\n\t\treturn true\n\t}\n\ti := strings.IndexByte(mt, '/')\n\tif i == -1 {\n\t\t// Programmer error -- inputs to this function should be static strings.\n\t\tpanic(fmt.Sprintf(\"bad media type: %q\", mt))\n\t}\n\tt, s := mt[:i], mt[i+1:]\n\treturn a.Type == t && (a.Subtype == s || a.Subtype == \"*\")\n}\n\nvar idPool = sync.Pool{\n\tNew: func() interface{} {\n\t\tb := make([]byte, 8)\n\t\tif _, err := crand.Read(b); err != nil {\n\t\t\tpanic(err) // ???\n\t\t}\n\t\ts := binary.LittleEndian.Uint64(b)\n\t\tsrc := rand.NewSource(int64(s))\n\t\treturn rand.New(src)\n\t},\n}\n\n// WithRequestID sets up a per-request ID and annotates the logging context and\n// profile labels.\nfunc withRequestID(r *http.Request) *http.Request {\n\tconst key = `request_id`\n\tconst profile = `profile_id`\n\tctx := r.Context()\n\tsctx := trace.SpanContextFromContext(ctx)\n\tvar tid string\n\tif sctx.HasTraceID() {\n\t\ttid = sctx.TraceID().String()\n\t} else {\n\t\trng := idPool.Get().(*rand.Rand)\n\t\tdefer idPool.Put(rng)\n\t\ttid = fmt.Sprintf(\"%016x\", rng.Uint64())\n\t}\n\tctx = log.With(ctx, key, tid)\n\tctx = pprof.WithLabels(ctx, pprof.Labels(profile, tid))\n\treturn r.WithContext(ctx)\n}\n"
},
{
"path": "httptransport/concurrentlimit.go",
"content": "package httptransport\n\nimport (\n\t\"log/slog\"\n\t\"net/http\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n\t\"golang.org/x/sync/semaphore\"\n)\n\nvar concurrentLimitedCounter = promauto.NewCounterVec(\n\tprometheus.CounterOpts{\n\t\tNamespace: metricNamespace,\n\t\tSubsystem: metricSubsystem,\n\t\tName: \"concurrencylimited_total\",\n\t\tHelp: \"Total number of requests that have been concurrency limited.\",\n\t},\n\t[]string{\"endpoint\", \"method\"},\n)\n\n// LimitHandler is a wrapper to help with concurrency limiting. This is slightly\n// more complicated than the naive approach to allow for filtering on multiple\n// aspects of the request.\n//\n// \"Check\" and \"Next\" need to be populated.\ntype limitHandler struct {\n\t// The Check func inspects the request, and returns the semaphore to use and\n\t// the endpoint to use in metrics. If a nil is returned, the request is\n\t// allowed.\n\tCheck func(*http.Request) (*semaphore.Weighted, string)\n\t// Next is the Handler to forward requests to, if allowed.\n\tNext http.Handler\n}\n\nfunc (l *limitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tsem, endpt := l.Check(r)\n\tif sem != nil {\n\t\tif !sem.TryAcquire(1) {\n\t\t\tconcurrentLimitedCounter.WithLabelValues(endpt, r.Method).Add(1)\n\t\t\tctx := r.Context()\n\t\t\tslog.InfoContext(ctx, \"rate limited HTTP request\",\n\t\t\t\t\"remote_addr\", r.RemoteAddr,\n\t\t\t\t\"method\", r.Method,\n\t\t\t\t\"request_uri\", r.RequestURI,\n\t\t\t\t\"status\", http.StatusTooManyRequests)\n\n\t\t\tapiError(ctx, w, http.StatusTooManyRequests, \"server handling too many requests\")\n\t\t}\n\t\tdefer sem.Release(1)\n\t}\n\tl.Next.ServeHTTP(w, r)\n}\n"
},
{
"path": "httptransport/concurrentlimit_test.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"testing\"\n\n\t\"github.com/quay/claircore/test\"\n\t\"golang.org/x/sync/semaphore\"\n\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\nfunc TestConcurrentRequests(t *testing.T) {\n\tctx := test.Logging(t)\n\tsem := semaphore.NewWeighted(1)\n\t// Ret controls when the http server returns.\n\t// Ready is strobed once the first request is seen.\n\tret, ready := make(chan struct{}), make(chan struct{})\n\tct := new(int64)\n\tvar once sync.Once\n\tsrv := httptest.NewUnstartedServer(&limitHandler{\n\t\tCheck: func(_ *http.Request) (*semaphore.Weighted, string) {\n\t\t\treturn sem, \"\"\n\t\t},\n\t\tNext: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {\n\t\t\tatomic.AddInt64(ct, 1)\n\t\t\tonce.Do(func() { close(ready) })\n\t\t\t<-ret\n\t\t\tw.WriteHeader(http.StatusNoContent)\n\t\t}),\n\t})\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\tc := srv.Client()\n\n\tdone := make(chan struct{})\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\t// Long-poll goroutine.\n\tgo func() {\n\t\tdefer close(done)\n\t\tres, err := c.Do(req)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t\treturn\n\t\t}\n\t\tdefer res.Body.Close()\n\t\tif got, want := res.StatusCode, http.StatusNoContent; got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t}()\n\n\t// Wait for the above goroutine to hit the handler.\n\t<-ready\n\tfor i := 0; i < 10; i++ {\n\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%d: %v\", i, err)\n\t\t}\n\t\tres, err := c.Do(req)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%d: %v\", i, err)\n\t\t}\n\t\tres.Body.Close()\n\t\tif got, want := res.StatusCode, http.StatusTooManyRequests; got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t}\n\tclose(ret)\n\t<-done\n\tif got, want := *ct, int64(1); got != want {\n\t\tt.Errorf(\"got: %d requests, want: %d requests\", got, want)\n\t}\n}\n"
},
{
"path": "httptransport/discoveryhandler.go",
"content": "package httptransport\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t_ \"embed\" // for json and etag\n\t\"encoding/json\"\n\t\"errors\"\n\t\"io\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/middleware/compress\"\n)\n\n//go:generate env -C api zsh ./openapi.zsh\n\nvar (\n\t//go:embed api/v1/openapi.json\n\topenapiJSON []byte\n\t//go:embed api/v1/openapi.yaml\n\topenapiYAML []byte\n\t//go:embed api/v1/openapi.etag\n\topenapiEtag string\n\n\t// Compacted version of [openapiJSON] for the wire.\n\t//\n\t// Doing this means we can keep a nicer-diffing version checked in.\n\tcompactOpenapiJSON = sync.OnceValue(func() []byte {\n\t\tvar buf bytes.Buffer\n\t\tbuf.Grow(len(openapiJSON))\n\t\tif err := json.Compact(&buf, openapiJSON); err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\tb := buf.Bytes()\n\t\treturn slices.Clip(b)\n\t})\n)\n\n// DiscoveryHandler serves the embedded OpenAPI spec.\nfunc DiscoveryHandler(_ context.Context, prefix string, topt otelhttp.Option) http.Handler {\n\tallow := []string{\n\t\t`application/openapi+json`, `application/openapi+yaml`, // New types: https://datatracker.ietf.org/doc/draft-ietf-httpapi-rest-api-mediatypes/\n\t\t`application/json`, `application/yaml`, // Format types.\n\t\t`application/vnd.oai.openapi+json`, `application/vnd.oai.openapi+yaml`, // Older vendor-tree types.\n\t}\n\t// These functions are written back-to-front.\n\tvar inner http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tctx := r.Context()\n\t\tif r.Method != http.MethodGet {\n\t\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"endpoint only allows GET\")\n\t\t}\n\t\tswitch err := pickContentType(w, r, allow); {\n\t\tcase errors.Is(err, nil):\n\t\tcase errors.Is(err, ErrMediaType):\n\t\t\tapiError(ctx, w, http.StatusUnsupportedMediaType, \"unable to negotiate common media type for %v\", allow)\n\t\tdefault:\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"unexpected error: %v\", err)\n\t\t}\n\t\th := w.Header()\n\t\tkind := h.Get(`Content-Type`)\n\t\tvar src *bytes.Reader\n\t\tswitch kind[len(kind)-4:] {\n\t\tcase \"json\":\n\t\t\tsrc = bytes.NewReader(compactOpenapiJSON())\n\t\tcase \"yaml\":\n\t\t\tsrc = bytes.NewReader(openapiYAML)\n\t\tdefault:\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"unexpected error: unknown content-type kind: %q\", kind)\n\t\t}\n\t\th.Set(\"Etag\", openapiEtag)\n\t\tvar err error\n\t\tdefer writerError(w, &err)()\n\t\t_, err = io.Copy(w, src)\n\t})\n\tinner = otelhttp.NewHandler(\n\t\tcompress.Handler(discoverywrapper.wrap(prefix, inner)),\n\t\t\"discovery\",\n\t\totelhttp.WithMessageEvents(otelhttp.ReadEvents, otelhttp.WriteEvents),\n\t\ttopt,\n\t)\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tstart := time.Now()\n\t\tr = withRequestID(r)\n\t\tctx := r.Context()\n\t\tvar status int\n\t\tvar length int64\n\t\tw = httputil.ResponseRecorder(&status, &length, w)\n\t\tdefer func() {\n\t\t\tswitch err := http.NewResponseController(w).Flush(); {\n\t\t\tcase errors.Is(err, nil):\n\t\t\tcase errors.Is(err, http.ErrNotSupported):\n\t\t\t\t// Skip\n\t\t\tdefault:\n\t\t\t\tslog.WarnContext(ctx, \"unable to flush http response\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t}\n\t\t\tslog.InfoContext(ctx, \"handled HTTP request\",\n\t\t\t\t\"remote_addr\", r.RemoteAddr,\n\t\t\t\t\"method\", r.Method,\n\t\t\t\t\"request_uri\", r.RequestURI,\n\t\t\t\t\"status\", status,\n\t\t\t\t\"written\", length,\n\t\t\t\t\"duration\", time.Since(start))\n\t\t}()\n\t\tinner.ServeHTTP(w, r)\n\t})\n}\n\nfunc init() {\n\tdiscoverywrapper.init(\"discovery\")\n}\n\nvar discoverywrapper wrapper\n"
},
{
"path": "httptransport/discoveryhandler_test.go",
"content": "package httptransport\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/quay/claircore/test\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\t\"go.opentelemetry.io/otel/trace/noop\"\n)\n\nfunc TestDiscovery(t *testing.T) {\n\tt.Run(\"Endpoint\", func(t *testing.T) {\n\t\tctx := test.Logging(t)\n\t\th := DiscoveryHandler(ctx, OpenAPIV1Path, otelhttp.WithTracerProvider(noop.NewTracerProvider()))\n\n\t\tr := httptest.NewRecorder()\n\t\treq := httptest.NewRequest(\"GET\", OpenAPIV1Path, nil).WithContext(ctx)\n\t\treq.Header.Set(\"Accept\", \"application/yaml; q=0.4, application/json; q=0.4, application/vnd.oai.openapi+json; q=0.6, application/openapi+json\")\n\t\th.ServeHTTP(r, req)\n\n\t\tresp := r.Result()\n\t\tif resp.StatusCode != http.StatusOK {\n\t\t\tt.Fatalf(\"got status code: %v want status code: %v\", resp.StatusCode, http.StatusOK)\n\t\t}\n\t\tif got, want := resp.Header.Get(\"content-type\"), \"application/openapi+json\"; got != want {\n\t\t\tt.Errorf(\"got: %q, want: %q\", got, want)\n\t\t}\n\n\t\tbuf, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to ready response body: %v\", err)\n\t\t}\n\n\t\tm := make(map[string]any)\n\t\terr = json.Unmarshal(buf, &m)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to json parse returned bytes: %v\", err)\n\t\t}\n\n\t\tif _, ok := m[\"openapi\"]; !ok {\n\t\t\tt.Fatalf(\"returned json did not container openapi key at the root\")\n\t\t}\n\t\tt.Logf(\"openapi verion: %v\", m[\"openapi\"])\n\t})\n\n\tt.Run(\"Failure\", func(t *testing.T) {\n\t\tctx := test.Logging(t)\n\t\th := DiscoveryHandler(ctx, OpenAPIV1Path, otelhttp.WithTracerProvider(noop.NewTracerProvider()))\n\n\t\tr := httptest.NewRecorder()\n\t\t// Needed because handlers exit the goroutine.\n\t\tdone := make(chan struct{})\n\t\tgo func() {\n\t\t\tdefer close(done)\n\t\t\treq := httptest.NewRequest(\"GET\", OpenAPIV1Path, nil).WithContext(ctx)\n\t\t\treq.Header.Set(\"Accept\", \"application/xml\")\n\t\t\th.ServeHTTP(r, req)\n\t\t}()\n\t\t<-done\n\n\t\tresp := r.Result()\n\t\tt.Log(resp.Status)\n\t\tif got, want := resp.StatusCode, http.StatusUnsupportedMediaType; got != want {\n\t\t\tt.Errorf(\"got status code: %v want status code: %v\", got, want)\n\t\t}\n\t})\n}\n"
},
{
"path": "httptransport/error.go",
"content": "package httptransport\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net/http\"\n)\n\n// StatusClientClosedRequest is a nonstandard HTTP status code used when the\n// client has gone away.\n//\n// This convention is cribbed from Nginx.\nconst statusClientClosedRequest = 499\n\n// ApiError writes an untyped (that is, \"application/json\") error with the\n// provided HTTP status code and message.\n//\n// ApiError does not return, but instead causes the goroutine to exit.\nfunc apiError(ctx context.Context, w http.ResponseWriter, code int, f string, v ...interface{}) {\n\tconst errheader = `Clair-Error`\n\tdisconnect := false\n\tselect {\n\tcase <-ctx.Done():\n\t\tdisconnect = true\n\tdefault:\n\t}\n\tif l := slog.Default(); l.Enabled(ctx, slog.LevelDebug) {\n\t\tl.DebugContext(ctx, \"http error response\",\n\t\t\t\"disconnect\", disconnect,\n\t\t\t\"code\", code,\n\t\t\t\"message\", fmt.Sprintf(f, v...))\n\t}\n\tif disconnect {\n\t\t// Exit immediately if there's no client to read the response, anyway.\n\t\tw.WriteHeader(statusClientClosedRequest)\n\t\tpanic(http.ErrAbortHandler)\n\t}\n\n\th := w.Header()\n\th.Del(\"link\")\n\th.Set(\"content-type\", \"application/json\")\n\th.Set(\"x-content-type-options\", \"nosniff\")\n\th.Set(\"trailer\", errheader)\n\tw.WriteHeader(code)\n\n\tvar buf bytes.Buffer\n\tbuf.WriteString(`{\"code\":\"`)\n\tswitch code {\n\tcase http.StatusBadRequest:\n\t\tbuf.WriteString(\"bad-request\")\n\tcase http.StatusMethodNotAllowed:\n\t\tbuf.WriteString(\"method-not-allowed\")\n\tcase http.StatusNotFound:\n\t\tbuf.WriteString(\"not-found\")\n\tcase http.StatusTooManyRequests:\n\t\tbuf.WriteString(\"too-many-requests\")\n\tdefault:\n\t\tbuf.WriteString(\"internal-error\")\n\t}\n\tbuf.WriteByte('\"')\n\tif f != \"\" {\n\t\tbuf.WriteString(`,\"message\":`)\n\t\tb, _ := json.Marshal(fmt.Sprintf(f, v...)) // OK use of encoding/json.\n\t\tbuf.Write(b)\n\t}\n\tbuf.WriteByte('}')\n\n\tif _, err := buf.WriteTo(w); err != nil {\n\t\th.Set(errheader, err.Error())\n\t}\n\tswitch err := http.NewResponseController(w).Flush(); {\n\tcase errors.Is(err, nil):\n\tcase errors.Is(err, http.ErrNotSupported):\n\t\t// Skip\n\tdefault:\n\t\tslog.WarnContext(ctx, \"unable to flush http response\",\n\t\t\t\"reason\", err)\n\t}\n\tpanic(http.ErrAbortHandler)\n}\n"
},
{
"path": "httptransport/error_test.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/quay/claircore/test\"\n\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\nfunc TestClientDisconnect(t *testing.T) {\n\tvar status int\n\t// Bunch of sequencing events:\n\treqStart := make(chan struct{})\n\treqDone := make(chan struct{})\n\thandlerDone := make(chan struct{})\n\n\t// Server side:\n\t//\t- Emit reqStart once the request is received.\n\t//\t- Emit handlerDone once the request is done and \"status\" should be populated.\n\tsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tdefer func() { close(handlerDone) }()\n\t\tw = httputil.ResponseRecorder(&status, nil, w)\n\t\tctx := test.Logging(t, r.Context()) // The error handler emits logs.\n\t\tclose(reqStart)\n\t\t<-ctx.Done()\n\t\tapiError(ctx, w, http.StatusOK, \"hello from the handler\")\n\t}))\n\tt.Cleanup(srv.Close)\n\n\tctx, done := context.WithCancel(context.Background())\n\t// Closing \"done\" will cancel the client connection.\n\treq, err := http.NewRequestWithContext(ctx, \"GET\", srv.URL+\"/\", nil)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\t// Emit reqDone when the client connection is done.\n\tgo func() {\n\t\t_, err = srv.Client().Do(req)\n\t\tclose(reqDone)\n\t}()\n\n\t<-reqStart\n\tdone()\n\t<-reqDone\n\tt.Logf(\"got request error: %v\", err)\n\tif err == nil {\n\t\tt.Error(\"expected non-nil error\")\n\t}\n\n\t<-handlerDone\n\tif got, want := status, statusClientClosedRequest; got != want {\n\t\tt.Errorf(\"bad status code recorded: got: %d, want: %d\", got, want)\n\t}\n}\n"
},
{
"path": "httptransport/gone.go",
"content": "package httptransport\n\nimport \"net/http\"\n\nvar gone = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\tconst msg = `{\"code\":\"gone\",\"message\":\"endpoint removed\"}`\n\thttp.Error(w, msg, http.StatusGone)\n})\n"
},
{
"path": "httptransport/indexer_v1.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"path\"\n\t\"time\"\n\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/pkg/tarfs\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/internal/codec\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/middleware/compress\"\n)\n\n// NewIndexerV1 returns an http.Handler serving the Indexer V1 API rooted at\n// \"prefix\".\nfunc NewIndexerV1(_ context.Context, prefix string, srv indexer.Service, topt otelhttp.Option) (*IndexerV1, error) {\n\tprefix = path.Join(\"/\", prefix) // Ensure the prefix is rooted and cleaned.\n\tm := http.NewServeMux()\n\th := IndexerV1{\n\t\tinner: otelhttp.NewHandler(\n\t\t\tcompress.Handler(m),\n\t\t\t\"indexerv1\",\n\t\t\totelhttp.WithMessageEvents(otelhttp.ReadEvents, otelhttp.WriteEvents),\n\t\t\ttopt,\n\t\t),\n\t\tsrv: srv,\n\t}\n\tp := path.Join(prefix, \"index_report\")\n\tm.Handle(p, indexerv1wrapper.wrapFunc(p, h.indexReport))\n\tp += \"/\"\n\tm.Handle(p, indexerv1wrapper.wrapFunc(path.Join(p, \":digest\"), h.indexReportOne))\n\tp = path.Join(prefix, \"index_state\")\n\tm.Handle(p, indexerv1wrapper.wrapFunc(p, h.indexState))\n\tp = path.Join(prefix, \"internal\", \"affected_manifest\") + \"/\"\n\tm.Handle(p, indexerv1wrapper.wrapFunc(p, h.affectedManifests))\n\n\treturn &h, nil\n}\n\n// IndexerV1 is a consolidated Indexer endpoint.\ntype IndexerV1 struct {\n\tinner http.Handler\n\tsrv indexer.Service\n}\n\nvar _ http.Handler = (*IndexerV1)(nil)\n\n// ServeHTTP implements http.Handler.\nfunc (h *IndexerV1) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tstart := time.Now()\n\tr = withRequestID(r)\n\tctx := r.Context()\n\tvar status int\n\tvar length int64\n\tw = httputil.ResponseRecorder(&status, &length, w)\n\tdefer func() {\n\t\tswitch err := http.NewResponseController(w).Flush(); {\n\t\tcase errors.Is(err, nil):\n\t\tcase errors.Is(err, http.ErrNotSupported): // Skip\n\t\tdefault:\n\t\t\tslog.WarnContext(ctx, \"unable to flush http response\",\n\t\t\t\t\"reason\", err)\n\t\t}\n\t\tslog.InfoContext(ctx, \"handled HTTP request\",\n\t\t\t\"remote_addr\", r.RemoteAddr,\n\t\t\t\"method\", r.Method,\n\t\t\t\"request_uri\", r.RequestURI,\n\t\t\t\"status\", status,\n\t\t\t\"written\", length,\n\t\t\t\"duration\", time.Since(start))\n\t}()\n\th.inner.ServeHTTP(w, r)\n}\n\nfunc (h *IndexerV1) indexReport(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tswitch r.Method {\n\tcase http.MethodPost:\n\tcase http.MethodDelete:\n\tdefault:\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"method disallowed: %s\", r.Method)\n\t}\n\tdefer r.Body.Close()\n\tdec := codec.GetDecoder(r.Body)\n\tdefer codec.PutDecoder(dec)\n\tswitch r.Method {\n\tcase http.MethodPost:\n\t\tstate, err := h.srv.State(ctx)\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not retrieve indexer state: %v\", err)\n\t\t}\n\t\tvar m claircore.Manifest\n\t\tif err := dec.Decode(&m); err != nil {\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"failed to deserialize manifest: %v\", err)\n\t\t}\n\t\tif m.Hash.String() == \"\" || len(m.Layers) == 0 {\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"bogus manifest\")\n\t\t}\n\t\tnext := path.Join(r.URL.Path, m.Hash.String())\n\n\t\tw.Header().Add(\"link\", fmt.Sprintf(linkIndex, next))\n\t\tw.Header().Add(\"link\", fmt.Sprintf(linkReport, path.Join(VulnerabilityReportPath, m.Hash.String())))\n\t\tvalidator := `\"` + state + `\"`\n\t\tif unmodified(r, validator) {\n\t\t\tw.WriteHeader(http.StatusPreconditionFailed)\n\t\t\treturn\n\t\t}\n\n\t\t// TODO Do we need some sort of background context embedded in the HTTP\n\t\t// struct?\n\t\treport, err := h.srv.Index(ctx, &m)\n\t\tswitch {\n\t\tcase errors.Is(err, nil):\n\t\tcase errors.Is(err, tarfs.ErrFormat):\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"failed to start scan: %v\", err)\n\t\tdefault:\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"failed to start scan: %v\", err)\n\t\t}\n\n\t\tw.Header().Set(\"etag\", validator)\n\t\tw.Header().Set(\"location\", next)\n\t\tdefer writerError(w, &err)()\n\t\tw.WriteHeader(http.StatusCreated)\n\t\tenc := codec.GetEncoder(w)\n\t\tdefer codec.PutEncoder(enc)\n\t\terr = enc.Encode(report)\n\tcase http.MethodDelete:\n\t\tvar ds []claircore.Digest\n\t\tif err := dec.Decode(&ds); err != nil {\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"failed to deserialize bulk delete: %v\", err)\n\t\t}\n\t\tds, err := h.srv.DeleteManifests(ctx, ds...)\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not delete manifests: %v\", err)\n\t\t}\n\t\tslog.DebugContext(ctx, \"manifests deleted\",\n\t\t\t\"count\", len(ds))\n\t\tdefer writerError(w, &err)()\n\t\tw.WriteHeader(http.StatusOK)\n\t\tenc := codec.GetEncoder(w)\n\t\tdefer codec.PutEncoder(enc)\n\t\terr = enc.Encode(ds)\n\t}\n}\n\nconst (\n\tlinkIndex = `<%s>; rel=\"https://projectquay.io/clair/v1/index_report\"`\n\tlinkReport = `<%s>; rel=\"https://projectquay.io/clair/v1/vulnerability_report\"`\n)\n\nfunc (h *IndexerV1) indexReportOne(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tswitch r.Method {\n\tcase http.MethodGet:\n\tcase http.MethodDelete:\n\tdefault:\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"method disallowed: %s\", r.Method)\n\t}\n\td, err := getDigest(w, r)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed path: %v\", err)\n\t}\n\tswitch r.Method {\n\tcase http.MethodGet:\n\t\tallow := []string{\"application/vnd.clair.index_report.v1+json\", \"application/json\"}\n\t\tswitch err := pickContentType(w, r, allow); {\n\t\tcase errors.Is(err, nil): // OK\n\t\tcase errors.Is(err, ErrMediaType):\n\t\t\tapiError(ctx, w, http.StatusUnsupportedMediaType, \"unable to negotiate common media type for %v\", allow)\n\t\tdefault:\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed request: %v\", err)\n\t\t}\n\n\t\tstate, err := h.srv.State(ctx)\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not retrieve indexer state: %v\", err)\n\t\t}\n\t\tvalidator := `\"` + state + `\"`\n\t\tif unmodified(r, validator) {\n\t\t\tw.WriteHeader(http.StatusNotModified)\n\t\t\treturn\n\t\t}\n\n\t\treport, ok, err := h.srv.IndexReport(ctx, d)\n\t\tif !ok {\n\t\t\tapiError(ctx, w, http.StatusNotFound, \"index report not found\")\n\t\t}\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not retrieve index report: %v\", err)\n\t\t}\n\n\t\tw.Header().Add(\"etag\", validator)\n\t\tdefer writerError(w, &err)()\n\t\tenc := codec.GetEncoder(w)\n\t\tdefer codec.PutEncoder(enc)\n\t\terr = enc.Encode(report)\n\tcase http.MethodDelete:\n\t\tif _, err := h.srv.DeleteManifests(ctx, d); err != nil {\n\t\t\tapiError(ctx, w, http.StatusInternalServerError, \"unable to delete manifest: %v\", err)\n\t\t}\n\t\tw.WriteHeader(http.StatusNoContent)\n\t}\n}\n\nfunc (h *IndexerV1) indexState(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tif r.Method != http.MethodGet {\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"method disallowed: %s\", r.Method)\n\t}\n\tallow := []string{\"application/vnd.clair.index_state.v1+json\", \"application/json\"}\n\tswitch err := pickContentType(w, r, allow); {\n\tcase errors.Is(err, nil): // OK\n\tcase errors.Is(err, ErrMediaType):\n\t\tapiError(ctx, w, http.StatusUnsupportedMediaType, \"unable to negotiate common media type for %v\", allow)\n\tdefault:\n\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed request: %v\", err)\n\t}\n\ts, err := h.srv.State(ctx)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not retrieve indexer state: %v\", err)\n\t}\n\n\ttag := `\"` + s + `\"`\n\tw.Header().Add(\"etag\", tag)\n\n\tif unmodified(r, tag) {\n\t\tw.WriteHeader(http.StatusNotModified)\n\t\treturn\n\t}\n\n\tdefer writerError(w, &err)()\n\t// TODO(hank) Don't use an encoder to write out like 40 bytes of json.\n\tenc := codec.GetEncoder(w)\n\tdefer codec.PutEncoder(enc)\n\terr = enc.Encode(struct {\n\t\tState string `json:\"state\"`\n\t}{\n\t\tState: s,\n\t})\n}\n\nfunc (h *IndexerV1) affectedManifests(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tif r.Method != http.MethodPost {\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"method disallowed: %s\", r.Method)\n\t}\n\tallow := []string{\"application/vnd.clair.affected_manifests.v1+json\", \"application/json\"}\n\tswitch err := pickContentType(w, r, allow); {\n\tcase errors.Is(err, nil): // OK\n\tcase errors.Is(err, ErrMediaType):\n\t\tapiError(ctx, w, http.StatusUnsupportedMediaType, \"unable to negotiate common media type for %v\", allow)\n\tdefault:\n\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed request: %v\", err)\n\t}\n\n\tvar vulnerabilities struct {\n\t\tV []claircore.Vulnerability `json:\"vulnerabilities\"`\n\t}\n\tdec := codec.GetDecoder(r.Body)\n\tdefer codec.PutDecoder(dec)\n\tif err := dec.Decode(&vulnerabilities); err != nil {\n\t\tapiError(ctx, w, http.StatusBadRequest, \"failed to deserialize vulnerabilities: %v\", err)\n\t}\n\n\taffected, err := h.srv.AffectedManifests(ctx, vulnerabilities.V)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not retrieve affected manifests: %v\", err)\n\t}\n\n\tdefer writerError(w, &err)\n\tenc := codec.GetEncoder(w)\n\tdefer codec.PutEncoder(enc)\n\terr = enc.Encode(affected)\n}\n\nfunc init() {\n\tindexerv1wrapper.init(\"indexerv1\")\n}\n\nvar indexerv1wrapper wrapper\n"
},
{
"path": "httptransport/indexer_v1_test.go",
"content": "package httptransport\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/pkg/tarfs\"\n\t\"github.com/quay/claircore/test\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\t\"go.opentelemetry.io/otel/trace\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\nfunc TestIndexReportBadLayer(t *testing.T) {\n\tctx := test.Logging(t)\n\n\ti := &indexer.Mock{\n\t\tState_: func(ctx context.Context) (string, error) {\n\t\t\treturn `deadbeef`, nil\n\t\t},\n\t\tIndex_: func(ctx context.Context, m *claircore.Manifest) (*claircore.IndexReport, error) {\n\t\t\treturn nil, tarfs.ErrFormat\n\t\t},\n\t}\n\tv1, err := NewIndexerV1(ctx, \"\", i, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tsrv := httptest.NewUnstartedServer(v1)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\tt.Run(\"Report\", func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\tconst path = `/index_report`\n\t\tt.Run(\"POST\", func(t *testing.T) {\n\t\t\tconst body = `{\"hash\":\"sha256:0000000000000000000000000000000000000000000000000000000000000000\",` +\n\t\t\t\t`\"layers\":[{}]}`\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, srv.URL+path, strings.NewReader(body))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusBadRequest\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t})\n}\n\nfunc TestIndexerV1(t *testing.T) {\n\tctx := test.Logging(t)\n\n\tdigest := claircore.MustParseDigest(\"sha256:0000000000000000000000000000000000000000000000000000000000000000\")\n\ti := &indexer.Mock{\n\t\tState_: func(ctx context.Context) (string, error) {\n\t\t\treturn `deadbeef`, nil\n\t\t},\n\t\tDeleteManifests_: func(_ context.Context, ds ...claircore.Digest) ([]claircore.Digest, error) {\n\t\t\tfor _, d := range ds {\n\t\t\t\tif got, want := d.String(), digest.String(); got != want {\n\t\t\t\t\treturn nil, fmt.Errorf(\"unexpected digest: %v\", d)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn ds, nil\n\t\t},\n\t\tIndex_: func(ctx context.Context, m *claircore.Manifest) (*claircore.IndexReport, error) {\n\t\t\treturn new(claircore.IndexReport), nil\n\t\t},\n\t\tIndexReport_: func(_ context.Context, d claircore.Digest) (*claircore.IndexReport, bool, error) {\n\t\t\tif got, want := d.String(), digest.String(); got != want {\n\t\t\t\treturn nil, false, fmt.Errorf(\"unexpected digest: %v\", d)\n\t\t\t}\n\t\t\treturn new(claircore.IndexReport), true, nil\n\t\t},\n\t\tAffectedManifests_: func(_ context.Context, _ []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\treturn new(claircore.AffectedManifests), nil\n\t\t},\n\t}\n\n\tv1, err := NewIndexerV1(ctx, \"\", i, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tsrv := httptest.NewUnstartedServer(v1)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\n\tt.Run(\"State\", func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\tconst path = `/index_state`\n\t\tt.Run(\"GET\", func(t *testing.T) {\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL+path, nil)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusOK\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t})\n\tt.Run(\"Report\", func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\tconst path = `/index_report`\n\t\tt.Run(\"POST\", func(t *testing.T) {\n\t\t\tconst body = `{\"hash\":\"sha256:0000000000000000000000000000000000000000000000000000000000000000\",` +\n\t\t\t\t`\"layers\":[{}]}`\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, srv.URL+path, strings.NewReader(body))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusCreated\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t\tt.Run(\"DELETE\", func(t *testing.T) {\n\t\t\tconst body = `[\"sha256:0000000000000000000000000000000000000000000000000000000000000000\"]`\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodDelete, srv.URL+path, strings.NewReader(body))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tdefer res.Body.Close()\n\t\t\tvar buf bytes.Buffer\n\t\t\tgot, want := res.StatusCode, http.StatusOK\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t\tif _, err := io.Copy(&buf, res.Body); err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\t// Should get back what we put in, so this is a little hack.\n\t\t\tif got, want := buf.String(), body; got != want {\n\t\t\t\tt.Errorf(\"got: %q, want: %q\", got, want)\n\t\t\t}\n\t\t})\n\t\tt.Run(\"GET\", func(t *testing.T) {\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL+path, nil)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusMethodNotAllowed\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t})\n\tt.Run(\"ReportOne\", func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\tconst path = `/index_report/sha256:0000000000000000000000000000000000000000000000000000000000000000`\n\t\tt.Run(\"DELETE\", func(t *testing.T) {\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodDelete, srv.URL+path, nil)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusNoContent\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t\tt.Run(\"GET\", func(t *testing.T) {\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL+path, nil)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusOK\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t})\n\tt.Run(\"AffectedManifests\", func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\tconst path = `/internal/affected_manifest/`\n\t\tt.Run(\"POST\", func(t *testing.T) {\n\t\t\tconst body = `{\"vulnerabilities\":[]}`\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, srv.URL+path, strings.NewReader(body))\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tres, err := srv.Client().Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatal(err)\n\t\t\t}\n\t\t\tgot, want := res.StatusCode, http.StatusOK\n\t\t\tt.Logf(\"got: %d, want: %d\", got, want)\n\t\t\tif got != want {\n\t\t\t\tt.Error()\n\t\t\t}\n\t\t})\n\t})\n}\n"
},
{
"path": "httptransport/instrumentation.go",
"content": "package httptransport\n\nimport (\n\t\"errors\"\n\t\"log/slog\"\n\t\"net/http\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promhttp\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n)\n\nconst (\n\tmetricNamespace = `clair`\n\tmetricSubsystem = `http`\n)\n\ntype wrapper struct {\n\tRequestCount *prometheus.CounterVec\n\tRequestSize *prometheus.HistogramVec\n\tResponseSize *prometheus.HistogramVec\n\tRequestDuration *prometheus.HistogramVec\n\tInFlight *prometheus.GaugeVec\n}\n\n// InitRegisterer registers with the provided [prometheus.Registerer].\n//\n// The [*wrapper.init] method is short for\n//\n//\t(*wrapper).initRegisterer(name, prometheus.DefaultRegisterer)\nfunc (m *wrapper) initRegisterer(name string, reg prometheus.Registerer) {\n\tif m.RequestCount == nil {\n\t\tm.RequestCount = prometheus.NewCounterVec(\n\t\t\tprometheus.CounterOpts{\n\t\t\t\tNamespace: metricNamespace,\n\t\t\t\tSubsystem: metricSubsystem,\n\t\t\t\tName: name + \"_request_total\",\n\t\t\t\tHelp: \"A total count of http requests for the given path\",\n\t\t\t},\n\t\t\t[]string{\"handler\", \"code\", \"method\"},\n\t\t)\n\t}\n\tif m.RequestSize == nil {\n\t\tm.RequestSize = prometheus.NewHistogramVec(\n\t\t\tprometheus.HistogramOpts{\n\t\t\t\tNamespace: metricNamespace,\n\t\t\t\tSubsystem: metricSubsystem,\n\t\t\t\tName: name + \"_request_size_bytes\",\n\t\t\t\tHelp: \"Distribution of request sizes for the given path\",\n\t\t\t},\n\t\t\t[]string{\"handler\", \"code\", \"method\"},\n\t\t)\n\t}\n\tif m.ResponseSize == nil {\n\t\tm.ResponseSize = prometheus.NewHistogramVec(\n\t\t\tprometheus.HistogramOpts{\n\t\t\t\tNamespace: metricNamespace,\n\t\t\t\tSubsystem: metricSubsystem,\n\t\t\t\tName: name + \"_response_size_bytes\",\n\t\t\t\tHelp: \"Distribution of response sizes for the given path\",\n\t\t\t}, []string{\"handler\", \"code\", \"method\"},\n\t\t)\n\t}\n\tif m.RequestDuration == nil {\n\t\tm.RequestDuration = prometheus.NewHistogramVec(\n\t\t\tprometheus.HistogramOpts{\n\t\t\t\tNamespace: metricNamespace,\n\t\t\t\tSubsystem: metricSubsystem,\n\t\t\t\tName: name + \"_request_duration_seconds\",\n\t\t\t\tHelp: \"Distribution of request durations for the given path\",\n\t\t\t\t// These are roughly exponential from 0.5 to 300 seconds\n\t\t\t\tBuckets: []float64{0.5, 0.7, 1.1, 1.7, 2.7, 4.2, 6.5, 10, 15, 23, 36, 54, 83, 128, 196, 300},\n\t\t\t}, []string{\"handler\", \"code\", \"method\"},\n\t\t)\n\t}\n\tif m.InFlight == nil {\n\t\tm.InFlight = prometheus.NewGaugeVec(\n\t\t\tprometheus.GaugeOpts{\n\t\t\t\tNamespace: metricNamespace,\n\t\t\t\tSubsystem: metricSubsystem,\n\t\t\t\tName: name + \"_in_flight_requests\",\n\t\t\t\tHelp: \"Gauge of requests in flight\",\n\t\t\t},\n\t\t\t[]string{\"handler\"},\n\t\t)\n\t}\n\treg.MustRegister(m.RequestCount, m.RequestSize, m.ResponseSize, m.RequestDuration, m.InFlight)\n}\n\nfunc (m *wrapper) init(name string) {\n\tm.initRegisterer(name, prometheus.DefaultRegisterer)\n}\n\nfunc (m *wrapper) wrap(tag string, h http.Handler) http.Handler {\n\t// Stack all these metrics handlers.\n\th = promhttp.InstrumentHandlerCounter(m.RequestCount.MustCurryWith(prometheus.Labels{\"handler\": tag}),\n\t\tpromhttp.InstrumentHandlerRequestSize(m.RequestSize.MustCurryWith(prometheus.Labels{\"handler\": tag}),\n\t\t\tpromhttp.InstrumentHandlerResponseSize(m.ResponseSize.MustCurryWith(prometheus.Labels{\"handler\": tag}),\n\t\t\t\tpromhttp.InstrumentHandlerDuration(m.RequestDuration.MustCurryWith(prometheus.Labels{\"handler\": tag}),\n\t\t\t\t\tpromhttp.InstrumentHandlerInFlight(m.InFlight.WithLabelValues(tag),\n\t\t\t\t\t\tcatchAbort(h))))))\n\treturn otelhttp.NewHandler(h, tag)\n}\n\nfunc (m *wrapper) wrapFunc(tag string, h http.HandlerFunc) http.Handler {\n\treturn m.wrap(tag, h)\n}\n\n// Make sure the prom instrumentation works.\n// This can get reworked when the metrics are reworked to be otel native.\nfunc catchAbort(h http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tdefer func() {\n\t\t\trec := recover()\n\t\t\tif rec == nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif err, ok := rec.(error); ok && errors.Is(err, http.ErrAbortHandler) {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t\tslog.WarnContext(r.Context(), \"handler panicked; please file a bug\",\n\t\t\t\t\"panic\", rec)\n\t\t}()\n\t\th.ServeHTTP(w, r)\n\t})\n}\n"
},
{
"path": "httptransport/instrumentation_test.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/testutil\"\n\t\"github.com/quay/claircore/test\"\n)\n\nfunc TestMetric(t *testing.T) {\n\tctx := test.Logging(t)\n\twant := strings.NewReader(`\n# HELP clair_http_test_request_total A total count of http requests for the given path\n# TYPE clair_http_test_request_total counter\nclair_http_test_request_total{code=\"200\",handler=\"ok\",method=\"get\"} 1\nclair_http_test_request_total{code=\"504\",handler=\"err\",method=\"get\"} 1\nclair_http_test_request_total{code=\"500\",handler=\"err\",method=\"get\"} 1\n`)\n\n\treg := prometheus.NewRegistry()\n\tvar wr wrapper\n\twr.initRegisterer(\"test\", reg)\n\tm := http.NewServeMux()\n\tm.Handle(\"/ok\",\n\t\twr.wrapFunc(\"ok\", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tfmt.Fprintln(w, \"ok\")\n\t\t})))\n\tm.Handle(\"/err\",\n\t\twr.wrapFunc(\"err\", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tif err := r.ParseForm(); err != nil {\n\t\t\t\tpanic(err)\n\t\t\t}\n\t\t\tif r.Form.Has(\"panic\") {\n\t\t\t\tpanic(\"we're just normal men\")\n\t\t\t}\n\t\t\tapiError(r.Context(), w, http.StatusGatewayTimeout, \"expected error\")\n\t\t})))\n\n\tsrv := httptest.NewUnstartedServer(m)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\n\t// Create a scope for doing the actual requests.\n\t//\n\t// Doing this and having the server teardown run synchronously should be\n\t// enough time to ensure the metrics are actually collected.\n\tfunc() {\n\t\tsrv.Start()\n\t\tdefer srv.Close()\n\n\t\tc := srv.Client()\n\t\tfor _, p := range []string{\"ok\", \"err\", \"err?panic=1\"} {\n\t\t\tu := srv.URL + \"/\" + p\n\t\t\tt.Logf(\"making request: %q\", u)\n\t\t\tres, err := c.Get(u)\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tt.Logf(\"got status: %q\", res.Status)\n\t\t}\n\t}()\n\n\tif err := testutil.GatherAndCompare(reg, want, \"clair_http_test_request_total\"); err != nil {\n\t\tt.Error(err)\n\t} else {\n\t\tt.Log(\"metrics OK\")\n\t}\n}\n"
},
{
"path": "httptransport/matcher_v1.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"net/http/httptrace\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\tindexerController \"github.com/quay/claircore/indexer/controller\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\toteltrace \"go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/internal/codec\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/matcher\"\n\t\"github.com/quay/clair/v4/middleware/compress\"\n)\n\n// NewMatcherV1 returns an http.Handler serving the Matcher V1 API rooted at\n// \"prefix\".\nfunc NewMatcherV1(_ context.Context, prefix string, srv matcher.Service, indexerSrv indexer.Service, cacheAge time.Duration, topt otelhttp.Option) *MatcherV1 {\n\tprefix = path.Join(\"/\", prefix) // Ensure the prefix is rooted and cleaned.\n\tm := http.NewServeMux()\n\th := MatcherV1{\n\t\tinner: otelhttp.NewHandler(\n\t\t\tcompress.Handler(m),\n\t\t\t\"matcherv1\",\n\t\t\totelhttp.WithMessageEvents(otelhttp.ReadEvents, otelhttp.WriteEvents),\n\t\t\ttopt,\n\t\t),\n\t\tsrv: srv,\n\t\tindexerSrv: indexerSrv,\n\t\tCache: cacheAge,\n\t}\n\tp := path.Join(prefix, \"vulnerability_report\") + \"/\"\n\tm.Handle(p, matcherv1wrapper.wrapFunc(p, h.vulnerabilityReport))\n\tp = path.Join(prefix, \"internal\", \"update_operation\")\n\tm.Handle(p, matcherv1wrapper.wrapFunc(p, h.updateOperationHandlerGet))\n\tp = path.Join(prefix, \"internal\", \"update_operation\") + \"/\"\n\tm.Handle(p, matcherv1wrapper.wrapFunc(p, h.updateOperationHandlerDelete))\n\tp = path.Join(prefix, \"internal\", \"update_diff\")\n\tm.Handle(p, matcherv1wrapper.wrapFunc(p, h.updateDiffHandler))\n\n\treturn &h\n}\n\n// MatcherV1 is a consolidated Matcher endpoint.\ntype MatcherV1 struct {\n\tinner http.Handler\n\tsrv matcher.Service\n\tindexerSrv indexer.Service\n\tCache time.Duration\n}\n\nvar _ http.Handler = (*MatcherV1)(nil)\n\n// ServeHTTP implements http.Handler.\nfunc (h *MatcherV1) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tstart := time.Now()\n\tr = withRequestID(r)\n\tctx := r.Context()\n\tvar status int\n\tvar length int64\n\tw = httputil.ResponseRecorder(&status, &length, w)\n\tdefer func() {\n\t\tswitch err := http.NewResponseController(w).Flush(); {\n\t\tcase errors.Is(err, nil):\n\t\tcase errors.Is(err, http.ErrNotSupported): // Skip\n\t\tdefault:\n\t\t\tslog.WarnContext(ctx, \"unable to flush http response\",\n\t\t\t\t\"reason\", err)\n\t\t}\n\t\tslog.InfoContext(ctx, \"handled HTTP request\",\n\t\t\t\"remote_addr\", r.RemoteAddr,\n\t\t\t\"method\", r.Method,\n\t\t\t\"request_uri\", r.RequestURI,\n\t\t\t\"status\", status,\n\t\t\t\"written\", length,\n\t\t\t\"duration\", time.Since(start))\n\t}()\n\th.inner.ServeHTTP(w, r)\n}\n\n// TODO(hank) All of these handlers need to do content negotiation.\n\nfunc (h *MatcherV1) vulnerabilityReport(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tif r.Method != http.MethodGet {\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"endpoint only allows GET\")\n\t}\n\tctx, done := context.WithCancel(ctx)\n\tdefer done()\n\tctx = httptrace.WithClientTrace(ctx, oteltrace.NewClientTrace(ctx))\n\n\tmanifestStr := path.Base(r.URL.Path)\n\tif manifestStr == \"\" {\n\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed path. provide a single manifest hash\")\n\t}\n\tmanifest, err := claircore.ParseDigest(manifestStr)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed path: %v\", err)\n\t}\n\n\tinitd, err := h.srv.Initialized(ctx)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"initialization error: %v\", err)\n\t}\n\tif !initd {\n\t\tw.WriteHeader(http.StatusAccepted)\n\t\treturn\n\t}\n\n\tindexReport, ok, err := h.indexerSrv.IndexReport(ctx, manifest)\n\t// check err first\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"experienced a server side error: %v\", err)\n\t}\n\t// now check present and finished only after confirming no err\n\tif !ok || indexReport.State != indexerController.IndexFinished.String() {\n\t\tapiError(ctx, w, http.StatusNotFound, \"index report for manifest %q not found\", manifest.String())\n\t\treturn\n\t}\n\n\tvulnReport, err := h.srv.Scan(ctx, indexReport)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"failed to start scan: %v\", err)\n\t}\n\n\tw.Header().Set(\"content-type\", \"application/vnd.clair.index_report.v1+json\")\n\tsetCacheControl(w, h.Cache)\n\n\tdefer writerError(w, &err)()\n\tenc := codec.GetEncoder(w)\n\tdefer codec.PutEncoder(enc)\n\terr = enc.Encode(vulnReport)\n}\n\nfunc (h *MatcherV1) updateDiffHandler(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tif r.Method != http.MethodGet {\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"endpoint only allows GET\")\n\t}\n\t// prev param is optional.\n\tvar prev uuid.UUID\n\tvar err error\n\tif param := r.URL.Query().Get(\"prev\"); param != \"\" {\n\t\tprev, err = uuid.Parse(param)\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"could not parse \\\"prev\\\" query param into uuid\")\n\t\t}\n\t}\n\n\t// cur param is required\n\tvar cur uuid.UUID\n\tvar param string\n\tif param = r.URL.Query().Get(\"cur\"); param == \"\" {\n\t\tapiError(ctx, w, http.StatusBadRequest, \"\\\"cur\\\" query param is required\")\n\t}\n\tif cur, err = uuid.Parse(param); err != nil {\n\t\tapiError(ctx, w, http.StatusBadRequest, \"could not parse \\\"cur\\\" query param into uuid\")\n\t}\n\n\tdiff, err := h.srv.UpdateDiff(ctx, prev, cur)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not get update operations: %v\", err)\n\t}\n\n\tdefer writerError(w, &err)()\n\tenc := codec.GetEncoder(w)\n\tdefer codec.PutEncoder(enc)\n\terr = enc.Encode(&diff)\n}\n\nfunc (h *MatcherV1) updateOperationHandlerGet(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tswitch r.Method {\n\tcase http.MethodGet:\n\tdefault:\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"method disallowed: %s\", r.Method)\n\t}\n\n\tkind := driver.VulnerabilityKind\n\tswitch k := r.URL.Query().Get(\"kind\"); k {\n\tcase \"enrichment\":\n\t\tkind = driver.EnrichmentKind\n\tcase \"\", \"vulnerability\":\n\t\t// Leave as default\n\tdefault:\n\t\tapiError(ctx, w, http.StatusBadRequest, \"unknown kind: %q\", k)\n\t}\n\n\t// handle conditional request. this is an optimization\n\tif ref, err := h.srv.LatestUpdateOperation(ctx, kind); err == nil {\n\t\tvalidator := `\"` + ref.String() + `\"`\n\t\tif unmodified(r, validator) {\n\t\t\tw.WriteHeader(http.StatusNotModified)\n\t\t\treturn\n\t\t}\n\t\tw.Header().Set(\"etag\", validator)\n\t}\n\n\tlatest := r.URL.Query().Get(\"latest\")\n\n\tvar uos map[string][]driver.UpdateOperation\n\tvar err error\n\tif b, _ := strconv.ParseBool(latest); b {\n\t\tuos, err = h.srv.LatestUpdateOperations(ctx, kind)\n\t} else {\n\t\tuos, err = h.srv.UpdateOperations(ctx, kind)\n\t}\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not get update operations: %v\", err)\n\t}\n\n\tdefer writerError(w, &err)()\n\tenc := codec.GetEncoder(w)\n\tdefer codec.PutEncoder(enc)\n\terr = enc.Encode(&uos)\n}\n\nfunc (h *MatcherV1) updateOperationHandlerDelete(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tswitch r.Method {\n\tcase http.MethodDelete:\n\tdefault:\n\t\tapiError(ctx, w, http.StatusMethodNotAllowed, \"method disallowed: %s\", r.Method)\n\t}\n\n\tpath := r.URL.Path\n\tid := filepath.Base(path)\n\tuuid, err := uuid.Parse(id)\n\tif err != nil {\n\t\tslog.WarnContext(ctx, \"could not deserialize manifest\", \"reason\", err)\n\t\tapiError(ctx, w, http.StatusBadRequest, \"could not deserialize manifest: %v\", err)\n\t}\n\n\t_, err = h.srv.DeleteUpdateOperations(ctx, uuid)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not get update operations: %v\", err)\n\t}\n\t// TODO(hank) This should return HTTP 204.\n}\n\nfunc init() {\n\tmatcherv1wrapper.init(\"matcherv1\")\n}\n\nvar matcherv1wrapper wrapper\n"
},
{
"path": "httptransport/matcher_v1_test.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"path\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"github.com/quay/claircore/test\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\t\"go.opentelemetry.io/otel/trace\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\n// TestUpdateDiffHandler is a parallel harness for testing a UpdateDiff handler.\nfunc TestUpdateDiffHandler(t *testing.T) {\n\tt.Run(\"Matcher\", testUpdateDiffMatcher)\n\tt.Run(\"Params\", testUpdateDiffHandlerParams)\n\tt.Run(\"Methods\", testUpdateDiffHandlerMethods)\n}\n\n// TestUpdateDiffMatcher confirms the UpdateDiff handler provides\n// the correct status codes when a matcher returns an error or success\nfunc testUpdateDiffMatcher(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Parallel()\n\tmOK := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn nil, nil\n\t\t},\n\t}\n\thOK := NewMatcherV1(ctx, \"\", mOK, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tmErr := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn nil, fmt.Errorf(\"expected error\")\n\t\t},\n\t}\n\thErr := NewMatcherV1(ctx, \"\", mErr, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\n\tsrvOK := httptest.NewUnstartedServer(hOK)\n\tsrvOK.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrvOK.Start()\n\tdefer srvOK.Close()\n\n\tsrvErr := httptest.NewUnstartedServer(hErr)\n\tsrvErr.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrvErr.Start()\n\tdefer srvErr.Close()\n\n\t// test matcher returns nil error\n\turl, err := url.Parse(srvOK.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test server URL into *net/URL\")\n\t}\n\turl.Path = path.Join(\"/\", \"internal\", \"update_diff\")\n\tq := url.Query()\n\tq.Set(\"cur\", \"892737b2-a616-4113-a7a9-137139c8f91e\")\n\turl.RawQuery = q.Encode()\n\tt.Log(url)\n\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, url.String(), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to construct request: %v\", err)\n\t}\n\tresp, err := srvOK.Client().Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to do request: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\tgot, want := resp.StatusCode, http.StatusOK\n\tif got != want {\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\tt.Log(\"could not read body of unexpected response\")\n\t\t}\n\t\tt.Logf(\"unexpected response body: %s\", string(body))\n\t\tt.Fatalf(\"got: %v, want: %v\", got, want)\n\t}\n\n\t// test matcher returns error\n\turl, err = url.Parse(srvErr.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test server URL into *net/URL\")\n\t}\n\turl.Path = path.Join(\"/\", \"internal\", \"update_diff\")\n\tq = url.Query()\n\tq.Set(\"cur\", \"892737b2-a616-4113-a7a9-137139c8f91e\")\n\turl.RawQuery = q.Encode()\n\tt.Log(url)\n\n\treq, err = httputil.NewRequestWithContext(ctx, http.MethodGet, url.String(), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to construct request: %v\", err)\n\t}\n\tresp, err = srvErr.Client().Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to do request: %v\", err)\n\t}\n\tgot, want = resp.StatusCode, http.StatusInternalServerError\n\tif got != want {\n\t\tt.Fatalf(\"got: %v, want: %v\", got, want)\n\t}\n}\n\n// TestUpdateDiffHandlerParams confirms the UpdateDiff handler\n// returns correct status codes given a set or url parameters\nfunc testUpdateDiffHandlerParams(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Parallel()\n\ttable := []struct {\n\t\tname string\n\t\tcur string\n\t\tprev string\n\t\tstatusCode int\n\t}{\n\t\t{\n\t\t\tname: \"no params\",\n\t\t\tcur: \"\",\n\t\t\tprev: \"\",\n\t\t\tstatusCode: http.StatusBadRequest,\n\t\t},\n\t\t{\n\t\t\tname: \"missing prev\",\n\t\t\tcur: \"892737b2-a616-4113-a7a9-137139c8f91e\",\n\t\t\tprev: \"\",\n\t\t\tstatusCode: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tname: \"missing cur\",\n\t\t\tcur: \"\",\n\t\t\tprev: \"892737b2-a616-4113-a7a9-137139c8f91e\",\n\t\t\tstatusCode: http.StatusBadRequest,\n\t\t},\n\t\t{\n\t\t\tname: \"all params\",\n\t\t\tcur: \"6ea97b35-d886-4845-8ba2-5a4b0a074bfe\",\n\t\t\tprev: \"892737b2-a616-4113-a7a9-137139c8f91e\",\n\t\t\tstatusCode: http.StatusOK,\n\t\t},\n\t}\n\n\tmOK := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn nil, nil\n\t\t},\n\t}\n\th := NewMatcherV1(ctx, \"\", mOK, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tsrv := httptest.NewUnstartedServer(h)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\n\tc := srv.Client()\n\tu, err := url.Parse(srv.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test server URL into *net/URL\")\n\t}\n\tu.Path = path.Join(\"/\", \"internal\", \"update_diff\")\n\n\tfor _, test := range table {\n\t\tt.Run(test.name, func(t *testing.T) {\n\t\t\tq := u.Query()\n\t\t\tq.Set(\"cur\", test.cur)\n\t\t\tq.Set(\"prev\", test.cur)\n\t\t\tu.RawQuery = q.Encode()\n\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to construct request: %v\", err)\n\t\t\t}\n\t\t\tresp, err := c.Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to do request: %v\", err)\n\t\t\t}\n\t\t\tgot, want := resp.StatusCode, test.statusCode\n\t\t\tif got != want {\n\t\t\t\tt.Fatalf(\"got: %v, want: %v\", got, want)\n\t\t\t}\n\t\t})\n\t}\n}\n\n// TestUpdateDiffHandlerMethods confirms the UpdateDiffHandler responds correctly\n// to unaccepted HTTP methods.\nfunc testUpdateDiffHandlerMethods(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Parallel()\n\tmOK := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn nil, nil\n\t\t},\n\t}\n\th := NewMatcherV1(ctx, \"\", mOK, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tsrv := httptest.NewUnstartedServer(h)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\n\tc := srv.Client()\n\n\tu, err := url.Parse(srv.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test server URL into *net/URL\")\n\t}\n\tu.Path = path.Join(\"/\", \"internal\", \"update_diff\")\n\n\tfor _, m := range []string{\n\t\thttp.MethodConnect,\n\t\thttp.MethodHead,\n\t\thttp.MethodOptions,\n\t\thttp.MethodPatch,\n\t\thttp.MethodPost,\n\t\thttp.MethodPut,\n\t\thttp.MethodTrace,\n\t} {\n\t\treq, err := httputil.NewRequestWithContext(ctx, m, u.String(), nil)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t\t}\n\t\tresp, err := c.Do(req)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t\t}\n\t\tif resp.StatusCode != http.StatusMethodNotAllowed {\n\t\t\tt.Fatalf(\"method: %v got: %v want: %v\", m, resp.Status, http.StatusMethodNotAllowed)\n\t\t}\n\t}\n}\n\n// TestUpdateOperationHandler is a parallel harness for testing a UpdateOperation handler.\nfunc TestUpdateOperationHandler(t *testing.T) {\n\tt.Run(\"Methods\", testUpdateOperationHandlerMethods)\n\tt.Run(\"GetAndDelete\", testUpdateOperationHandlerGet)\n\tt.Run(\"Errors\", testUpdateOperationHandlerErrors)\n}\n\n// testUpdateOperationHandlerErrors confirms the handler perfoms the correct\n// actions when a matcher.Differ is failing.\nfunc testUpdateOperationHandlerErrors(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Parallel()\n\n\tid := uuid.New().String()\n\tErrExpected := fmt.Errorf(\"expected error\")\n\tm := &matcher.Mock{\n\t\tDeleteUpdateOperations_: func(context.Context, ...uuid.UUID) (int64, error) { return 0, ErrExpected },\n\t\t// this will not immediately fail the handler\n\t\tLatestUpdateOperation_: func(context.Context, driver.UpdateKind) (uuid.UUID, error) {\n\t\t\treturn uuid.Nil, ErrExpected\n\t\t},\n\t\tLatestUpdateOperations_: func(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn nil, ErrExpected\n\t\t},\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn nil, ErrExpected\n\t\t},\n\t}\n\th := NewMatcherV1(ctx, \"\", m, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tsrv := httptest.NewUnstartedServer(h)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\tc := srv.Client()\n\n\t// perform get with failing differ\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL+path.Join(\"/\", \"internal\", \"update_operation\"), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t}\n\tresp, err := c.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusInternalServerError {\n\t\tt.Fatalf(\"got: %v, want: %v\", resp.StatusCode, http.StatusInternalServerError)\n\t}\n\n\t// perform delete with failing differ\n\tu := srv.URL + path.Join(\"/\", \"internal\", \"update_operation\") + \"/\" + id\n\treq, err = httputil.NewRequestWithContext(ctx, http.MethodDelete, u, nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t}\n\tresp, err = c.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusInternalServerError {\n\t\tt.Fatalf(\"got: %v, want: %v\", resp.StatusCode, http.StatusInternalServerError)\n\t}\n}\n\n// testUpdateOperationHandlerMethods confirms the handler only responds\n// to the desired methods.\nfunc testUpdateOperationHandlerMethods(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Parallel()\n\th := NewMatcherV1(ctx, \"\", &matcher.Mock{}, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tsrv := httptest.NewUnstartedServer(h)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\tc := srv.Client()\n\n\tfor _, m := range []string{\n\t\thttp.MethodConnect,\n\t\thttp.MethodHead,\n\t\thttp.MethodOptions,\n\t\thttp.MethodPatch,\n\t\thttp.MethodPost,\n\t\thttp.MethodPut,\n\t\thttp.MethodTrace,\n\t} {\n\t\treq, err := httputil.NewRequestWithContext(ctx, m, srv.URL+path.Join(\"/\", \"internal\", \"update_operation\"), nil)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t\t}\n\t\tresp, err := c.Do(req)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t\t}\n\t\tif resp.StatusCode != http.StatusMethodNotAllowed {\n\t\t\tt.Fatalf(\"method: %v got: %v want: %v\", m, resp.Status, http.StatusMethodNotAllowed)\n\t\t}\n\t}\n}\n\n// testUpdateOperationHandlerGet confirms the handler performs the correct\n// actions on GET.\nfunc testUpdateOperationHandlerGet(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Parallel()\n\n\tid := uuid.New()\n\tidStr := \"\\\"\" + id.String() + \"\\\"\"\n\tvar called bool\n\tvar latestCalled bool\n\tm := &matcher.Mock{\n\t\tLatestUpdateOperation_: func(context.Context, driver.UpdateKind) (uuid.UUID, error) {\n\t\t\treturn id, nil\n\t\t},\n\t\tLatestUpdateOperations_: func(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error) {\n\t\t\tlatestCalled = true\n\t\t\treturn nil, nil\n\t\t},\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\tcalled = true\n\t\t\treturn nil, nil\n\t\t},\n\t}\n\th := NewMatcherV1(ctx, \"\", m, &indexer.Mock{}, time.Second*10, otelhttp.WithTracerProvider(trace.NewNoopTracerProvider()))\n\tsrv := httptest.NewUnstartedServer(h)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\tsrv.Start()\n\tdefer srv.Close()\n\tc := srv.Client()\n\n\t// get without latest param\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL+path.Join(\"/\", \"internal\", \"update_operation\"), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t}\n\tresp, err := c.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusOK {\n\t\tt.Fatalf(\"got: %v, want: %v\", resp.StatusCode, http.StatusOK)\n\t}\n\tif !called {\n\t\tt.Fatalf(\"got: %v, want: %v\", called, true)\n\t}\n\tetag := resp.Header.Get(\"etag\")\n\tif etag != idStr {\n\t\tt.Fatalf(\"got: %v, want: %v\", etag, id.String())\n\t}\n\n\t// get with latest param\n\tu, _ := url.Parse(srv.URL)\n\tu.Path = path.Join(\"/\", \"internal\", \"update_operation\")\n\tq := u.Query()\n\tq.Add(\"latest\", \"true\")\n\tu.RawQuery = q.Encode()\n\n\treq, err = httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t}\n\tresp, err = c.Do(req)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t}\n\tif resp.StatusCode != http.StatusOK {\n\t\tt.Fatalf(\"got: %v, want: %v\", resp.StatusCode, http.StatusOK)\n\t}\n\tif !latestCalled {\n\t\tt.Fatalf(\"got: %v, want: %v\", latestCalled, true)\n\t}\n\tetag = resp.Header.Get(\"etag\")\n\tif etag != idStr {\n\t\tt.Fatalf(\"got: %v, want: %v\", etag, id.String())\n\t}\n}\n"
},
{
"path": "httptransport/notification_v1.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\n\t\"github.com/quay/clair/v4/internal/codec\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/middleware/compress\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nconst defaultPageSize = 500\n\ntype notificationResponse struct {\n\tPage notifier.Page `json:\"page\"`\n\tNotifications []notifier.Notification `json:\"notifications\"`\n}\n\n// NotificationV1 is a Notification endpoint.\ntype NotificationV1 struct {\n\tinner http.Handler\n\tserv notifier.Service\n}\n\nvar _ http.Handler = (*NotificationV1)(nil)\n\n// NewNotificationV1 returns an http.Handler serving the Notification V1 API rooted at\n// \"prefix\".\nfunc NewNotificationV1(_ context.Context, prefix string, srv notifier.Service, topt otelhttp.Option) (*NotificationV1, error) {\n\tprefix = path.Join(\"/\", prefix) // Ensure the prefix is rooted and cleaned.\n\tm := http.NewServeMux()\n\th := NotificationV1{\n\t\tinner: otelhttp.NewHandler(\n\t\t\tcompress.Handler(m),\n\t\t\t\"notificationv1\",\n\t\t\totelhttp.WithMessageEvents(otelhttp.ReadEvents, otelhttp.WriteEvents),\n\t\t\ttopt,\n\t\t),\n\t\tserv: srv,\n\t}\n\tp := path.Join(prefix, \"notification\") + \"/\"\n\tm.Handle(p, notificationv1wrapper.wrapFunc(path.Join(p, \":id\"), h.serveHTTP))\n\treturn &h, nil\n}\n\n// ServeHTTP implements http.Handler.\nfunc (h *NotificationV1) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tstart := time.Now()\n\tr = withRequestID(r)\n\tctx := r.Context()\n\tvar status int\n\tvar length int64\n\tw = httputil.ResponseRecorder(&status, &length, w)\n\tdefer func() {\n\t\tswitch err := http.NewResponseController(w).Flush(); {\n\t\tcase errors.Is(err, nil):\n\t\tcase errors.Is(err, http.ErrNotSupported): // Skip\n\t\tdefault:\n\t\t\tslog.WarnContext(ctx, \"unable to flush http response\", \"reason\", err)\n\t\t}\n\t\tslog.InfoContext(ctx, \"handled HTTP request\",\n\t\t\t\"remote_addr\", r.RemoteAddr,\n\t\t\t\"method\", r.Method,\n\t\t\t\"request_uri\", r.RequestURI,\n\t\t\t\"status\", status,\n\t\t\t\"written\", length,\n\t\t\t\"duration\", time.Since(start))\n\t}()\n\th.inner.ServeHTTP(w, r)\n}\n\nfunc (h *NotificationV1) serveHTTP(w http.ResponseWriter, r *http.Request) {\n\tswitch r.Method {\n\tcase http.MethodGet:\n\t\th.get(w, r)\n\tcase http.MethodDelete:\n\t\th.delete(w, r)\n\tdefault:\n\t\tapiError(r.Context(), w, http.StatusMethodNotAllowed, \"endpoint only allows GET or DELETE\")\n\t}\n}\n\nfunc (h *NotificationV1) delete(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tpath := r.URL.Path\n\tid := filepath.Base(path)\n\tnotificationID, err := uuid.Parse(id)\n\tif err != nil {\n\t\tslog.WarnContext(ctx, \"could not parse notification id\", \"reason\", err)\n\t\tapiError(ctx, w, http.StatusBadRequest, \"could not parse notification id: %v\", err)\n\t}\n\n\terr = h.serv.DeleteNotifications(ctx, notificationID)\n\tif err != nil {\n\t\tslog.WarnContext(ctx, \"could not delete notification\", \"reason\", err)\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"could not delete notification: %v\", err)\n\t}\n\t// TODO(hank) This should return HTTP 204.\n}\n\n// Get will return paginated notifications to the caller.\nfunc (h *NotificationV1) get(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\tpath := r.URL.Path\n\tid := filepath.Base(path)\n\tnotificationID, err := uuid.Parse(id)\n\tif err != nil {\n\t\tslog.WarnContext(ctx, \"could not parse notification id\", \"reason\", err)\n\t\tapiError(ctx, w, http.StatusBadRequest, \"could not parse notification id: %v\", err)\n\t}\n\n\t// optional page_size parameter\n\tvar pageSize int\n\tif param := r.URL.Query().Get(\"page_size\"); param != \"\" {\n\t\tp, err := strconv.ParseInt(param, 10, 64)\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"could not parse %q query param into integer\", \"page_size\")\n\t\t}\n\t\tpageSize = int(p)\n\t}\n\tif pageSize == 0 {\n\t\tpageSize = defaultPageSize\n\t}\n\n\t// optional page parameter\n\tvar next *uuid.UUID\n\tif param := r.URL.Query().Get(\"next\"); param != \"\" {\n\t\tn, err := uuid.Parse(param)\n\t\tif err != nil {\n\t\t\tapiError(ctx, w, http.StatusBadRequest, \"could not parse %q query param into integer\", \"next\")\n\t\t}\n\t\tif n != uuid.Nil {\n\t\t\tnext = &n\n\t\t}\n\t}\n\n\tallow := []string{\"application/vnd.clair.notification_page.v1+json\", \"application/json\"}\n\tswitch err := pickContentType(w, r, allow); {\n\tcase errors.Is(err, nil): // OK\n\tcase errors.Is(err, ErrMediaType):\n\t\tapiError(ctx, w, http.StatusUnsupportedMediaType, \"unable to negotiate common media type for %v\", allow)\n\tdefault:\n\t\tapiError(ctx, w, http.StatusBadRequest, \"malformed request: %v\", err)\n\t}\n\n\tinP := ¬ifier.Page{\n\t\tSize: pageSize,\n\t\tNext: next,\n\t}\n\tnotifications, outP, err := h.serv.Notifications(ctx, notificationID, inP)\n\tif err != nil {\n\t\tapiError(ctx, w, http.StatusInternalServerError, \"failed to retrieve notifications: %v\", err)\n\t}\n\n\tresponse := notificationResponse{\n\t\tPage: outP,\n\t\tNotifications: notifications,\n\t}\n\n\tdefer writerError(w, &err)()\n\tenc := codec.GetEncoder(w)\n\tdefer codec.PutEncoder(enc)\n\terr = enc.Encode(&response)\n}\n\nfunc init() {\n\tnotificationv1wrapper.init(\"notificationv1\")\n}\n\nvar notificationv1wrapper wrapper\n"
},
{
"path": "httptransport/notification_v1_test.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore/test\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\t\"go.opentelemetry.io/otel/trace\"\n\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/notifier\"\n\t\"github.com/quay/clair/v4/notifier/service\"\n)\n\n// TestUpdateOperationHandler is a parallel harness for testing a UpdateOperation handler.\nfunc TestNotificationsHandler(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Run(\"Methods\", testNotificationsHandlerMethods(ctx))\n\tt.Run(\"Get\", testNotificationHandlerGet(ctx))\n\tt.Run(\"GetParams\", testNotificationHandlerGetParams(ctx))\n\tt.Run(\"Delete\", testNotificationHandlerDelete(ctx))\n}\n\nvar notifierTraceOpt = otelhttp.WithTracerProvider(trace.NewNoopTracerProvider())\n\n// testNotificationHandlerDelete confirms the handler performs a delete\n// correctly\nfunc testNotificationHandlerDelete(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tt.Parallel()\n\t\tctx := test.Logging(t, ctx)\n\t\tnoteID := uuid.New()\n\n\t\tnm := &service.Mock{\n\t\t\tDeleteNotifications_: func(ctx context.Context, id uuid.UUID) error {\n\t\t\t\tif !cmp.Equal(id, noteID) {\n\t\t\t\t\tt.Fatalf(\"got: %v, want: %v\", id, noteID)\n\t\t\t\t}\n\t\t\t\treturn nil\n\t\t\t},\n\t\t}\n\n\t\th, err := NewNotificationV1(ctx, `/notifier/api/v1/`, nm, notifierTraceOpt)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trr := httptest.NewRecorder()\n\t\tu, _ := url.Parse(\"http://clair-notifier/notifier/api/v1/notification/\" + noteID.String())\n\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\th.delete(rr, req)\n\t\tres := rr.Result()\n\t\tif res.StatusCode != http.StatusOK {\n\t\t\tt.Fatalf(\"got: %v, wanted: %v\", res.StatusCode, http.StatusOK)\n\t\t}\n\t}\n}\n\n// testNotificationHandlerGet confirms the Get handler works correctly\nfunc testNotificationHandlerGet(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tt.Parallel()\n\t\tctx := test.Logging(t, ctx)\n\t\tvar (\n\t\t\tnextID = uuid.New()\n\t\t\tinPageWant = notifier.Page{\n\t\t\t\tSize: 500,\n\t\t\t}\n\t\t\tnoteID = uuid.New()\n\t\t\toutPageWant = notifier.Page{\n\t\t\t\tSize: 500,\n\t\t\t\tNext: &nextID,\n\t\t\t}\n\t\t)\n\n\t\tnm := &service.Mock{\n\t\t\tNotifications_: func(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error) {\n\t\t\t\tif !cmp.Equal(id, noteID) {\n\t\t\t\t\tt.Fatalf(\"got: %v, wanted: %v\", id, noteID)\n\t\t\t\t}\n\t\t\t\tif !cmp.Equal(page, &inPageWant) {\n\t\t\t\t\tt.Fatalf(\"got: %v, wanted: %v\", page, inPageWant)\n\t\t\t\t}\n\t\t\t\treturn []notifier.Notification{}, notifier.Page{\n\t\t\t\t\tSize: inPageWant.Size,\n\t\t\t\t\tNext: &nextID,\n\t\t\t\t}, nil\n\t\t\t},\n\t\t}\n\n\t\th, err := NewNotificationV1(ctx, `/notifier/api/v1/`, nm, notifierTraceOpt)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trr := httptest.NewRecorder()\n\t\tu, _ := url.Parse(\"http://clair-notifier/notifier/api/v1/notification/\" + noteID.String())\n\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\th.get(rr, req)\n\t\tres := rr.Result()\n\t\tif res.StatusCode != http.StatusOK {\n\t\t\tt.Errorf(\"got: %v, wanted: %v\", res.StatusCode, http.StatusOK)\n\t\t}\n\t\tvar noteResp notificationResponse\n\t\tif err := json.NewDecoder(res.Body).Decode(¬eResp); err != nil {\n\t\t\tt.Errorf(\"failed to deserialize notification response: %v\", err)\n\t\t}\n\t\tif !cmp.Equal(noteResp.Page, outPageWant) {\n\t\t\tt.Errorf(\"got: %v, want: %v\", noteResp.Page, outPageWant)\n\t\t}\n\t}\n}\n\n// testNotificationHandlerGetParams confirms the Get handler works correctly\n// when parameters are present\nfunc testNotificationHandlerGetParams(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tt.Parallel()\n\t\tctx := test.Logging(t, ctx)\n\t\tconst (\n\t\t\tpageSizeParam = \"100\"\n\t\t\tpageParam = \"10\"\n\t\t)\n\t\tvar (\n\t\t\tnextID = uuid.New()\n\t\t\tinPageWant = notifier.Page{\n\t\t\t\tSize: 100,\n\t\t\t}\n\t\t\tnoteID = uuid.New()\n\t\t\toutPageWant = notifier.Page{\n\t\t\t\tSize: 100,\n\t\t\t\tNext: &nextID,\n\t\t\t}\n\t\t)\n\n\t\tnm := &service.Mock{\n\t\t\tNotifications_: func(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error) {\n\t\t\t\tif !cmp.Equal(id, noteID) {\n\t\t\t\t\tt.Fatalf(\"got: %v, wanted: %v\", id, noteID)\n\t\t\t\t}\n\t\t\t\tif !cmp.Equal(page, &inPageWant) {\n\t\t\t\t\tt.Fatalf(\"got: %v, wanted: %v\", page, inPageWant)\n\t\t\t\t}\n\t\t\t\treturn []notifier.Notification{}, notifier.Page{\n\t\t\t\t\tSize: inPageWant.Size,\n\t\t\t\t\tNext: &nextID,\n\t\t\t\t}, nil\n\t\t\t},\n\t\t}\n\n\t\th, err := NewNotificationV1(ctx, `/notifier/api/v1/`, nm, notifierTraceOpt)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\trr := httptest.NewRecorder()\n\t\tu, _ := url.Parse(\"http://clair-notifier/notifier/api/v1/notification/\" + noteID.String())\n\t\tv := url.Values{}\n\t\tv.Set(\"page_size\", pageSizeParam)\n\t\tv.Set(\"page\", pageParam)\n\t\tu.RawQuery = v.Encode()\n\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\th.get(rr, req)\n\t\tres := rr.Result()\n\t\tif res.StatusCode != http.StatusOK {\n\t\t\tt.Errorf(\"got: %v, wanted: %v\", res.StatusCode, http.StatusOK)\n\t\t}\n\t\tvar noteResp notificationResponse\n\t\tif err := json.NewDecoder(res.Body).Decode(¬eResp); err != nil {\n\t\t\tt.Errorf(\"failed to deserialize notification response: %v\", err)\n\t\t}\n\t\tif !cmp.Equal(noteResp.Page, outPageWant) {\n\t\t\tt.Errorf(\"got: %v, want: %v\", noteResp.Page, outPageWant)\n\t\t}\n\t}\n}\n\nfunc testNotificationsHandlerMethods(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tt.Parallel()\n\t\tctx := test.Logging(t, ctx)\n\t\th, err := NewNotificationV1(ctx, `/notifier/api/v1/`, &service.Mock{}, notifierTraceOpt)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tsrv := httptest.NewUnstartedServer(h)\n\t\tsrv.Config.BaseContext = func(_ net.Listener) context.Context { return ctx }\n\t\tsrv.Start()\n\t\tdefer srv.Close()\n\t\tc := srv.Client()\n\t\tu := srv.URL + `/notifier/api/v1/notification/` + uuid.Nil.String()\n\n\t\tfor _, m := range []string{\n\t\t\thttp.MethodConnect,\n\t\t\thttp.MethodHead,\n\t\t\thttp.MethodOptions,\n\t\t\thttp.MethodPatch,\n\t\t\thttp.MethodPost,\n\t\t\thttp.MethodPut,\n\t\t\thttp.MethodTrace,\n\t\t} {\n\t\t\treq, err := httputil.NewRequestWithContext(ctx, m, u, nil)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to create request: %v\", err)\n\t\t\t}\n\t\t\tresp, err := c.Do(req)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to make request: %v\", err)\n\t\t\t}\n\t\t\tif resp.StatusCode != http.StatusMethodNotAllowed {\n\t\t\t\tt.Errorf(\"method: %v got: %v want: %v\", m, resp.Status, http.StatusMethodNotAllowed)\n\t\t\t}\n\t\t}\n\t}\n}\n"
},
{
"path": "httptransport/robotshandler.go",
"content": "package httptransport\n\nimport (\n\t\"net/http\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/quay/clair/v4/cmd\"\n)\n\nvar startup = time.Now()\n\nconst robotstxt = \"User-agent: *\\nDisallow: /\\n\"\n\n// RobotsHandler provides a \"robots.txt\" endpoint.\nvar robotsHandler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\th := w.Header()\n\th.Set(\"X-Content-Type-Options\", \"nosniff\")\n\th.Set(\"Content-Type\", \"text/plain; charset=utf-8\")\n\th.Set(\"Cache-Control\", \"no-store\")\n\td := cmd.CommitDate\n\tif d.IsZero() {\n\t\td = startup\n\t}\n\thttp.ServeContent(w, r, \"robots.txt\", d, strings.NewReader(robotstxt))\n})\n"
},
{
"path": "httptransport/robotshandler_test.go",
"content": "package httptransport\n\nimport (\n\t\"bytes\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/http/httputil\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n)\n\nfunc TestRobotsTXT(t *testing.T) {\n\tr := httptest.NewRequest(http.MethodGet, \"/robots.txt\", nil)\n\tw := httptest.NewRecorder()\n\trobotsHandler.ServeHTTP(w, r)\n\tres, err := httputil.DumpResponse(w.Result(), false)\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tt.Logf(\"response:\\n%s\", string(res))\n\n\tif got, want := w.Body.Bytes(), []byte(robotstxt); !bytes.Equal(got, want) {\n\t\tt.Error(cmp.Diff(string(got), string(want)))\n\t}\n}\n"
},
{
"path": "httptransport/server.go",
"content": "// Package httptransport contains the HTTP logic for implementing the Clair(v4)\n// HTTP API v1.\npackage httptransport\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/quay/clair/config\"\n\t\"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\"\n\t\"go.opentelemetry.io/otel\"\n\t\"golang.org/x/sync/semaphore\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// These are the various endpoints of the v1 API.\nconst (\n\tapiRoot = \"/api/v1/\"\n\tindexerRoot = \"/indexer\"\n\tmatcherRoot = \"/matcher\"\n\tnotifierRoot = \"/notifier\"\n\tinternalRoot = apiRoot + \"internal/\"\n\tIndexAPIPath = indexerRoot + apiRoot + \"index_report\"\n\tIndexReportAPIPath = indexerRoot + apiRoot + \"index_report/\"\n\tIndexStateAPIPath = indexerRoot + apiRoot + \"index_state\"\n\tAffectedManifestAPIPath = indexerRoot + internalRoot + \"affected_manifest/\"\n\tVulnerabilityReportPath = matcherRoot + apiRoot + \"vulnerability_report/\"\n\tUpdateOperationAPIPath = matcherRoot + internalRoot + \"update_operation\"\n\tUpdateOperationDeleteAPIPath = matcherRoot + internalRoot + \"update_operation/\"\n\tUpdateDiffAPIPath = matcherRoot + internalRoot + \"update_diff\"\n\tNotificationAPIPath = notifierRoot + apiRoot + \"notification/\"\n\tKeysAPIPath = notifierRoot + apiRoot + \"services/notifier/keys\"\n\tKeyByIDAPIPath = notifierRoot + apiRoot + \"services/notifier/keys/\"\n\tOpenAPIV1Path = \"/openapi/v1\"\n\t// TODO(hank) These are not actually used anymore. Is it worth keeping them\n\t// just to keep API compatibility/documentation?\n)\n\n// New configures an http.Handler serving the v1 API or a portion of it,\n// according to the passed Config object.\nfunc New(ctx context.Context, conf *config.Config, indexer indexer.Service, matcher matcher.Service, notifier notifier.Service) (http.Handler, error) {\n\tmux := http.NewServeMux()\n\ttraceOpt := otelhttp.WithTracerProvider(otel.GetTracerProvider())\n\n\tmux.Handle(OpenAPIV1Path, DiscoveryHandler(ctx, OpenAPIV1Path, traceOpt))\n\tslog.InfoContext(ctx, \"openapi discovery configured\", \"path\", OpenAPIV1Path)\n\n\t// NOTE(hank) My brain always wants to rewrite constructions like the\n\t// following as a switch, but this is actually cleaner as an \"if\" sequence.\n\n\tif conf.Mode == config.IndexerMode || conf.Mode == config.ComboMode {\n\t\tif indexer == nil {\n\t\t\treturn nil, fmt.Errorf(\"mode %q requires an indexer service\", conf.Mode)\n\t\t}\n\t\tprefix := indexerRoot + apiRoot\n\n\t\tv1, err := NewIndexerV1(ctx, prefix, indexer, traceOpt)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"indexer configuration: %w\", err)\n\t\t}\n\t\tvar sem *semaphore.Weighted\n\t\tif ct := conf.Indexer.IndexReportRequestConcurrency; ct > 0 {\n\t\t\tsem = semaphore.NewWeighted(int64(ct))\n\t\t}\n\t\trl := &limitHandler{\n\t\t\tCheck: func(r *http.Request) (*semaphore.Weighted, string) {\n\t\t\t\tif r.Method != http.MethodPost && r.URL.Path != IndexAPIPath {\n\t\t\t\t\treturn nil, \"\"\n\t\t\t\t}\n\t\t\t\t// Nil if the relevant config option isn't set.\n\t\t\t\treturn sem, IndexAPIPath\n\t\t\t},\n\t\t\tNext: v1,\n\t\t}\n\t\tmux.Handle(prefix, rl)\n\t}\n\tif conf.Mode == config.MatcherMode || conf.Mode == config.ComboMode {\n\t\tif indexer == nil || matcher == nil {\n\t\t\treturn nil, fmt.Errorf(\"mode %q requires both an indexer service and a matcher service\", conf.Mode)\n\t\t}\n\t\tprefix := matcherRoot + apiRoot\n\t\tv1 := NewMatcherV1(ctx, prefix, matcher, indexer, time.Duration(conf.Matcher.CacheAge), traceOpt)\n\t\tmux.Handle(prefix, v1)\n\t}\n\tif conf.Mode == config.NotifierMode || (conf.Mode == config.ComboMode && notifier != nil) {\n\t\tif notifier == nil {\n\t\t\treturn nil, fmt.Errorf(\"mode %q requires a notifier service\", conf.Mode)\n\t\t}\n\t\tprefix := notifierRoot + apiRoot\n\t\tv1, err := NewNotificationV1(ctx, prefix, notifier, traceOpt)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"notifier configuration: %w\", err)\n\t\t}\n\t\tmux.Handle(prefix, v1)\n\t}\n\tif conf.Mode == config.ComboMode && notifier == nil {\n\t\tslog.DebugContext(ctx, \"skipping unconfigured notifier\")\n\t}\n\t// Add endpoint authentication if configured to add auth. Must happen after\n\t// mux was configured for given mode.\n\tif conf.Auth.Any() {\n\t\th, err := authHandler(conf, mux)\n\t\tif err != nil {\n\t\t\tslog.WarnContext(ctx, \"received error configuring auth middleware\", \"reason\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tfinal := http.NewServeMux()\n\t\tfinal.Handle(\"/robots.txt\", robotsHandler)\n\t\tfinal.Handle(\"/\", h)\n\t\treturn final, nil\n\t}\n\tmux.Handle(\"/robots.txt\", robotsHandler)\n\treturn mux, nil\n}\n\n// IntraserviceIssuer is the issuer that will be used if Clair is configured to\n// mint its own JWTs.\nconst IntraserviceIssuer = `clair-intraservice`\n\n// Unmodified determines whether to return a conditional response.\nfunc unmodified(r *http.Request, v string) bool {\n\tif vs, ok := r.Header[\"If-None-Match\"]; ok {\n\t\tfor _, rv := range vs {\n\t\t\tif rv == v {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// WriterError is a helper that closes over an error that may be returned after\n// writing a response body starts.\n//\n// The normal error flow can't be used, because the HTTP status code will have\n// been sent and some amount of body data may have been written.\n//\n// To use this, make sure an error variable is predeclared and the returned\n// function is deferred:\n//\n//\tvar err error\n//\tdefer writerError(w, &err)()\n//\t_, err = fallibleWrite(w)\nfunc writerError(w http.ResponseWriter, e *error) func() {\n\tconst errHeader = `Clair-Error`\n\tw.Header().Add(\"trailer\", errHeader)\n\treturn func() {\n\t\tif *e == nil {\n\t\t\treturn\n\t\t}\n\t\tw.Header().Add(errHeader, (*e).Error())\n\t}\n}\n\n// SetCacheControl sets the \"Cache-Control\" header on the response.\nfunc setCacheControl(w http.ResponseWriter, age time.Duration) {\n\t// The odd format string means \"print float as wide as needed and to 0\n\t// precision.\"\n\tconst f = `max-age=%.f`\n\tw.Header().Set(\"cache-control\", fmt.Sprintf(f, age.Seconds()))\n}\n"
},
{
"path": "httptransport/server_test.go",
"content": "package httptransport\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"path\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"github.com/quay/claircore/test\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\n// TestUpdateEndpoints registers the handlers and tests that they're registered\n// at the correct endpoint.\nfunc TestUpdateEndpoints(t *testing.T) {\n\tm := &matcher.Mock{\n\t\tDeleteUpdateOperations_: func(context.Context, ...uuid.UUID) (int64, error) { return 0, nil },\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn nil, nil\n\t\t},\n\t\tLatestUpdateOperation_: func(context.Context, driver.UpdateKind) (uuid.UUID, error) { return uuid.Nil, nil },\n\t\tLatestUpdateOperations_: func(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error) { return nil, nil },\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) { return nil, nil },\n\t\tScan_: func(context.Context, *claircore.IndexReport) (*claircore.VulnerabilityReport, error) { return nil, nil },\n\t}\n\ti := &indexer.Mock{\n\t\tIndex_: func(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error) {\n\t\t\treturn nil, nil\n\t\t},\n\t\tIndexReport_: func(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error) {\n\t\t\treturn nil, true, nil\n\t\t},\n\t\tState_: func(ctx context.Context) (string, error) { return \"\", nil },\n\t\tAffectedManifests_: func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\treturn nil, nil\n\t\t},\n\t}\n\tctx := test.Logging(t)\n\th, err := New(ctx, &config.Config{Mode: config.MatcherMode}, i, m, nil)\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tsrv := httptest.NewUnstartedServer(h)\n\tsrv.Config.BaseContext = func(_ net.Listener) context.Context {\n\t\treturn ctx\n\t}\n\tsrv.Start()\n\tdefer srv.Close()\n\tu, err := url.Parse(srv.URL)\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tu.Path = path.Join(u.Path, UpdateOperationAPIPath, \"\")\n\tt.Log(u)\n\n\tres, err := srv.Client().Get(u.String())\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tif got, want := res.StatusCode, http.StatusOK; got != want {\n\t\tt.Errorf(\"got: %v, want: %v\", got, want)\n\t}\n}\n"
},
{
"path": "httptransport/types/v1/affected_manifests.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/affected_manifests.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Affected Manifests\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nManifests affected by the specified vulnerability objects.\",\n \"properties\": {\n \"vulnerabilities\": {\n \"type\": \"object\",\n \"description\": \"Vulnerability objects.\",\n \"additionalProperties\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n },\n \"vulnerable_manifests\": {\n \"type\": \"object\",\n \"description\": \"Mapping of manifest digests to vulnerability identifiers.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\",\n \"description\": \"An identifier to be used in the \\\"vulnerabilities\\\" object.\"\n }\n }\n }\n },\n \"required\": [\n \"vulnerabilities\",\n \"vulnerable_manifests\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/bulk_delete.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/bulk_delete.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Bulk Delete\",\n \"type\": \"array\",\n \"description\": \"Array of manifest digests to delete from the system.\",\n \"items\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"Manifest digest to delete from the system.\"\n }\n}\n"
},
{
"path": "httptransport/types/v1/cpe.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/cpe.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Common Platform Enumeration Name\",\n \"description\": \"This is a CPE Name in either v2.2 \\\"URI\\\" form or v2.3 \\\"Formatted String\\\" form.\",\n \"$comment\": \"Clair only produces v2.3 CPE Names. Any v2.2 Names will be normalized into v2.3 form.\",\n \"type\": \"string\",\n \"oneOf\": [\n {\n \"description\": \"This is the CPE 2.2 regexp: https://cpe.mitre.org/specification/2.2/cpe-language_2.2.xsd\",\n \"type\": \"string\",\n \"pattern\": \"^[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\\\._\\\\-~%]*){0,6}$\"\n },\n {\n \"description\": \"This is the CPE 2.3 regexp: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd\",\n \"type\": \"string\",\n \"pattern\": \"^cpe:2\\\\.3:[aho\\\\*\\\\-](:(((\\\\?*|\\\\*?)([a-zA-Z0-9\\\\-\\\\._]|(\\\\\\\\[\\\\\\\\\\\\*\\\\?!\\\"#$$%&'\\\\(\\\\)\\\\+,/:;<=>@\\\\[\\\\]\\\\^`\\\\{\\\\|}~]))+(\\\\?*|\\\\*?))|[\\\\*\\\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\\\*\\\\-]))(:(((\\\\?*|\\\\*?)([a-zA-Z0-9\\\\-\\\\._]|(\\\\\\\\[\\\\\\\\\\\\*\\\\?!\\\"#$$%&'\\\\(\\\\)\\\\+,/:;<=>@\\\\[\\\\]\\\\^`\\\\{\\\\|}~]))+(\\\\?*|\\\\*?))|[\\\\*\\\\-])){4}$\"\n }\n ]\n}\n"
},
{
"path": "httptransport/types/v1/digest.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/digest.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Digest\",\n \"description\": \"A digest acts as a content identifier, enabling content addressability.\",\n \"type\": \"string\",\n \"anyOf\": [\n {\n \"$comment\": \"SHA256: MUST be implemented\",\n \"description\": \"SHA256\",\n \"type\": \"string\",\n \"pattern\": \"^sha256:[a-f0-9]{64}$\"\n },\n {\n \"$comment\": \"SHA512: MAY be implemented\",\n \"description\": \"SHA512\",\n \"type\": \"string\",\n \"pattern\": \"^sha512:[a-f0-9]{128}$\"\n },\n {\n \"$comment\": \"BLAKE3: MAY be implemented\",\n \"description\": \"BLAKE3\\n\\n**Currently not implemented.**\",\n \"type\": \"string\",\n \"pattern\": \"^blake3:[a-f0-9]{64}$\"\n }\n ]\n}\n"
},
{
"path": "httptransport/types/v1/distribution.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/distribution.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Distribution\",\n \"type\": \"object\",\n \"description\": \"Distribution is the accompanying system context of a Package.\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Distribution. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"did\": {\n \"description\": \"A lower-case string (no spaces or other characters outside of 0–9, a–z, \\\".\\\", \\\"_\\\", and \\\"-\\\") identifying the operating system, excluding any version information and suitable for processing by scripts or usage in generated filenames.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"A string identifying the operating system.\",\n \"type\": \"string\"\n },\n \"version\": {\n \"description\": \"A string identifying the operating system version, excluding any OS name information, possibly including a release code name, and suitable for presentation to the user.\",\n \"type\": \"string\"\n },\n \"version_code_name\": {\n \"description\": \"A lower-case string (no spaces or other characters outside of 0–9, a–z, \\\".\\\", \\\"_\\\", and \\\"-\\\") identifying the operating system release code name, excluding any OS name information or release version, and suitable for processing by scripts or usage in generated filenames.\",\n \"type\": \"string\"\n },\n \"version_id\": {\n \"description\": \"A lower-case string (mostly numeric, no spaces or other characters outside of 0–9, a–z, \\\".\\\", \\\"_\\\", and \\\"-\\\") identifying the operating system version, excluding any OS name information or release code name.\",\n \"type\": \"string\"\n },\n \"arch\": {\n \"description\": \"A string identifying the OS architecture.\",\n \"type\": \"string\"\n },\n \"cpe\": {\n \"description\": \"Common Platform Enumeration name.\",\n \"$ref\": \"cpe.schema.json\"\n },\n \"pretty_name\": {\n \"description\": \"A pretty operating system name in a format suitable for presentation to the user.\",\n \"type\": \"string\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"id\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/environment.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/environment.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Environment\",\n \"type\": \"object\",\n \"description\": \"Environment describes the surrounding environment a package was discovered in.\",\n \"properties\": {\n \"package_db\": {\n \"description\": \"The database the associated Package was discovered in.\",\n \"type\": \"string\"\n },\n \"distribution_id\": {\n \"description\": \"The ID of the Distribution of the associated Package.\",\n \"type\": \"string\"\n },\n \"introduced_in\": {\n \"description\": \"The Layer the associated Package was introduced in.\",\n \"$ref\": \"digest.schema.json\"\n },\n \"repository_ids\": {\n \"description\": \"The IDs of the Repositories of the associated Package.\",\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n }\n },\n \"additionalProperties\": false\n}\n"
},
{
"path": "httptransport/types/v1/error.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/error.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Error\",\n \"type\": \"object\",\n \"description\": \"A general error response.\",\n \"properties\": {\n \"code\": {\n \"type\": \"string\",\n \"description\": \"a code for this particular error\"\n },\n \"message\": {\n \"type\": \"string\",\n \"description\": \"a message with further detail\"\n }\n },\n \"required\": [\n \"message\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/index_report.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/index_report.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Index Report\",\n \"type\": \"object\",\n \"description\": \"An index of the contents of a Manifest.\",\n \"properties\": {\n \"manifest_hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The Manifest's digest.\"\n },\n \"state\": {\n \"type\": \"string\",\n \"description\": \"The current state of the index operation\"\n },\n \"err\": {\n \"type\": \"string\",\n \"description\": \"An error message on event of unsuccessful index\"\n },\n \"success\": {\n \"type\": \"boolean\",\n \"description\": \"A bool indicating succcessful index\"\n },\n \"packages\": {\n \"type\": \"object\",\n \"description\": \"A map of Package objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"package.schema.json\"\n }\n },\n \"distributions\": {\n \"type\": \"object\",\n \"description\": \"A map of Distribution objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"distribution.schema.json\"\n }\n },\n \"repository\": {\n \"type\": \"object\",\n \"description\": \"A map of Repository objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"repository.schema.json\"\n }\n },\n \"environments\": {\n \"type\": \"object\",\n \"description\": \"A map of Environment arrays indexed by a Package's identifier.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"environment.schema.json\"\n }\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"manifest_hash\",\n \"state\",\n \"success\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/index_state.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/index_state.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Index State\",\n \"type\": \"object\",\n \"description\": \"Information on the state of the indexer system.\",\n \"properties\": {\n \"state\": {\n \"type\": \"string\",\n \"description\": \"an opaque token\"\n }\n },\n \"required\": [\n \"state\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/layer.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/layer.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Layer\",\n \"type\": \"object\",\n \"description\": \"Layer is a description of a container layer. It should contain enough information to fetch the layer.\",\n \"properties\": {\n \"hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"Digest of the layer blob.\"\n },\n \"uri\": {\n \"type\": \"string\",\n \"format\": \"uri\",\n \"description\": \"A URI indicating where the layer blob can be downloaded from.\"\n },\n \"headers\": {\n \"description\": \"Any additional HTTP-style headers needed for requesting layers.\",\n \"type\": \"object\",\n \"patternProperties\": {\n \"^[a-zA-Z0-9\\\\-_]+$\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n }\n }\n },\n \"media_type\": {\n \"description\": \"The OCI Layer media type for this layer.\",\n \"type\": \"string\",\n \"pattern\": \"^application/vnd\\\\.oci\\\\.image\\\\.layer\\\\.v1\\\\.tar(\\\\+(gzip|zstd))?$\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"hash\",\n \"uri\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/manifest.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/manifest.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Manifest\",\n \"type\": \"object\",\n \"description\": \"A description of an OCI Image Manifest.\",\n \"properties\": {\n \"hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The OCI Image Manifest's digest.\\n\\nThis is used as an identifier throughout the system. This **SHOULD** be the same as the OCI Image Manifest's digest, but this is not enforced.\"\n },\n \"layers\": {\n \"type\": \"array\",\n \"description\": \"The OCI Layers making up the Image, in order.\",\n \"items\": {\n \"$ref\": \"layer.schema.json\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"hash\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/normalized_severity.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/normalized_severity.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Normalized Severity\",\n \"description\": \"Standardized severity values.\",\n \"enum\": [\n \"Unknown\",\n \"Negligible\",\n \"Low\",\n \"Medium\",\n \"High\",\n \"Critical\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/notification.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/notification.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Notification\",\n \"type\": \"object\",\n \"description\": \"A change in a manifest affected by a vulnerability.\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique identifier for this notification.\",\n \"type\": \"string\"\n },\n \"manifest\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The digest of the manifest affected by the provided vulnerability.\"\n },\n \"reason\": {\n \"description\": \"The reason for the notifcation.\",\n \"enum\": [\n \"added\",\n \"removed\"\n ]\n },\n \"vulnerability\": {\n \"$ref\": \"vulnerability_summary.schema.json\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"id\",\n \"manifest\",\n \"reason\",\n \"vulnerability\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/notification_page.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/notification_page.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Notification Page\",\n \"type\": \"object\",\n \"description\": \"A page description and list of notifications.\",\n \"properties\": {\n \"page\": {\n \"description\": \"An object informing the client the next page to retrieve.\",\n \"type\": \"object\",\n \"properties\": {\n \"size\": {\n \"description\": \"The number of notifications contained in this page.\",\n \"type\": \"integer\"\n },\n \"next\": {\n \"description\": \"The identififer to pass into the \\\"next\\\" parameter of a future GetNotification request.\\n\\nIf not present, there are no additional pages.\",\n \"type\": \"string\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"size\"\n ]\n },\n \"notifications\": {\n \"description\": \"Notifications within this page.\",\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"notification.schema.json\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"page\",\n \"notifications\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/notification_webhook.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/notification_webhook.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Notification Webhook\",\n \"type\": \"object\",\n \"description\": \"Webhook sent to a configured service to begin retrieving notifications.\",\n \"properties\": {\n \"notification_id\": {\n \"description\": \"Unique identifier for this notification.\",\n \"type\": \"string\"\n },\n \"callback\": {\n \"description\": \"A URL to retrieve paginated Notification objects.\",\n \"type\": \"string\",\n \"format\": \"uri\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"notification_id\",\n \"callback\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/package.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/package.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Package\",\n \"type\": \"object\",\n \"description\": \"Description of installed software.\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Package. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Identifier of this Package.\\n\\nThe uniqueness and scoping of this name depends on the packaging system.\",\n \"type\": \"string\"\n },\n \"version\": {\n \"description\": \"Version of this Package, as reported by the packaging system.\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"The \\\"kind\\\" of this Package.\",\n \"enum\": [\n \"BINARY\",\n \"SOURCE\"\n ],\n \"default\": \"BINARY\"\n },\n \"source\": {\n \"$ref\": \"#\",\n \"description\": \"Source Package that produced the current binary Package, if known.\"\n },\n \"normalized_version\": {\n \"description\": \"Normalized representation of the discoverd version.\\n\\nThe format is not specific, but is guarenteed to be forward compatible.\",\n \"type\": \"string\"\n },\n \"module\": {\n \"description\": \"An identifier for intra-Repository grouping of packages.\\n\\nLikely only relevant on rpm-based systems.\",\n \"type\": \"string\"\n },\n \"arch\": {\n \"description\": \"Native architecture for the Package.\",\n \"type\": \"string\",\n \"$comment\": \"This should become and enum in the future.\"\n },\n \"cpe\": {\n \"$ref\": \"cpe.schema.json\",\n \"description\": \"CPE Name for the Package.\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"name\",\n \"version\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/range.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/range.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Range\",\n \"type\": \"object\",\n \"description\": \"A range of versions.\",\n \"properties\": {\n \"[\": {\n \"type\": \"string\",\n \"description\": \"Lower bound, inclusive.\"\n },\n \")\": {\n \"type\": \"string\",\n \"description\": \"Upper bound, exclusive.\"\n }\n },\n \"minProperties\": 1,\n \"additionalProperties\": false\n}\n"
},
{
"path": "httptransport/types/v1/repository.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/repository.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Repository\",\n \"type\": \"object\",\n \"description\": \"Description of a software repository\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Repository. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Human-relevant name for the Repository.\",\n \"type\": \"string\"\n },\n \"key\": {\n \"description\": \"Machine-relevant name for the Repository.\",\n \"type\": \"string\"\n },\n \"uri\": {\n \"description\": \"URI describing the Repository.\",\n \"type\": \"string\",\n \"format\": \"uri\"\n },\n \"cpe\": {\n \"description\": \"CPE name for the Repository.\",\n \"$ref\": \"cpe.schema.json\"\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"id\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/types.go",
"content": "// Package types provides JSON Schemas for the HTTP API.\npackage types\n\nimport (\n\t\"embed\"\n)\n\n//go:generate sh -euc \"for f in *.json; do <$DOLLAR{f} >$DOLLAR{f}_ jq -e .; mv $DOLLAR{f}_ $DOLLAR{f}; done\"\n\n//go:embed *.schema.json\nvar Schema embed.FS\n"
},
{
"path": "httptransport/types/v1/update_diff.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/update_diff.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Update Difference\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nAn update difference describes changes between two Update Operations.\",\n \"properties\": {\n \"prev\": {\n \"description\": \"The previous Update Operation.\",\n \"$ref\": \"update_operation.schema.json\"\n },\n \"cur\": {\n \"description\": \"The current Update Operation.\",\n \"$ref\": \"update_operation.schema.json\"\n },\n \"added\": {\n \"description\": \"Vulnerabilities present in \\\"cur\\\", but not \\\"prev\\\".\",\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n },\n \"removed\": {\n \"description\": \"Vulnerabilities present in \\\"prev\\\", but not \\\"cur\\\".\",\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"cur\",\n \"added\",\n \"removed\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/update_operation.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/update_operation.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Update Operation\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nAn update operations describes an update of the internal vulnerability database.\",\n \"properties\": {\n \"ref\": {\n \"type\": \"string\",\n \"description\": \"A unique identifier for this update operation.\"\n },\n \"updater\": {\n \"description\": \"The \\\"updater\\\" component that was run.\",\n \"$comment\": \"This is not as useful as it could be: an end user needs to know too much about Clair(core)'s internals to make sense of it.\",\n \"type\": \"string\"\n },\n \"fingerprint\": {\n \"description\": \"The stored \\\"fingerprint\\\" of this run.\",\n \"type\": \"string\"\n },\n \"date\": {\n \"type\": \"string\",\n \"description\": \"When this operation was run.\",\n \"format\": \"date-time\"\n },\n \"kind\": {\n \"description\": \"The kind of data this operation updated.\",\n \"enum\": [\n \"vulnerability\",\n \"enrichment\"\n ]\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"ref\",\n \"updater\",\n \"fingerprint\",\n \"date\",\n \"kind\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/update_operations.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/update_operations.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Update Operations\",\n \"type\": \"object\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nA mapping of updater id to Update Operation(s).\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"update_operation.schema.json\"\n }\n }\n}\n"
},
{
"path": "httptransport/types/v1/vulnerability.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability\",\n \"type\": \"object\",\n \"description\": \"Description of a software flaw.\",\n \"$ref\": \"vulnerability_core.schema.json\",\n \"properties\": {\n \"id\": {\n \"description\": \"Unique ID for this Vulnerabiltity. May be unique to the response document, not the whole system.\",\n \"type\": \"string\"\n },\n \"updater\": {\n \"description\": \"The updater component this Vulnerability came from.\",\n \"type\": \"string\"\n },\n \"description\": {\n \"description\": \"A human-readable description of the vulnerability.\",\n \"type\": \"string\"\n },\n \"issued\": {\n \"description\": \"The datetime this Vulnerability was issued, if known.\",\n \"type\": \"string\",\n \"format\": \"date-time\"\n },\n \"links\": {\n \"description\": \"Space-separated URIs to more information.\",\n \"type\": \"string\"\n }\n },\n \"unevaluatedProperties\": false,\n \"required\": [\n \"id\",\n \"updater\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/vulnerability_core.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_core.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Core\",\n \"type\": \"object\",\n \"description\": \"The core elements of vulnerabilities in the Clair system.\",\n \"properties\": {\n \"name\": {\n \"type\": \"string\",\n \"description\": \"Human-readable name, as presented in the vendor data.\"\n },\n \"fixed_in_version\": {\n \"type\": \"string\",\n \"description\": \"Version string, as presented in the vendor data.\"\n },\n \"severity\": {\n \"type\": \"string\",\n \"description\": \"Severity, as presented in the vendor data.\"\n },\n \"normalized_severity\": {\n \"$ref\": \"normalized_severity.schema.json\",\n \"description\": \"A well defined set of severity strings guaranteed to be present.\"\n },\n \"range\": {\n \"$ref\": \"range.schema.json\",\n \"description\": \"Range of versions the vulnerability applies to.\"\n },\n \"arch_op\": {\n \"description\": \"Flag indicating how the referenced package's \\\"arch\\\" member should be interpreted.\",\n \"enum\": [\n \"equals\",\n \"not equals\",\n \"pattern match\"\n ]\n },\n \"package\": {\n \"$ref\": \"package.schema.json\",\n \"description\": \"A package description\"\n },\n \"distribution\": {\n \"$ref\": \"distribution.schema.json\",\n \"description\": \"A distribution description\"\n },\n \"repository\": {\n \"$ref\": \"repository.schema.json\",\n \"description\": \"A repository description\"\n }\n },\n \"required\": [\n \"name\",\n \"normalized_severity\"\n ],\n \"dependentRequired\": {\n \"package\": [\n \"arch_op\"\n ]\n },\n \"anyOf\": [\n {\n \"required\": [\n \"package\"\n ]\n },\n {\n \"required\": [\n \"repository\"\n ]\n },\n {\n \"required\": [\n \"distribution\"\n ]\n }\n ]\n}\n"
},
{
"path": "httptransport/types/v1/vulnerability_report.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_report.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Report\",\n \"type\": \"object\",\n \"description\": \"A report with discovered packages, package environments, and package vulnerabilities within a Manifest.\",\n \"properties\": {\n \"manifest_hash\": {\n \"$ref\": \"digest.schema.json\",\n \"description\": \"The Manifest's digest.\"\n },\n \"packages\": {\n \"type\": \"object\",\n \"description\": \"A map of Package objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"package.schema.json\"\n }\n },\n \"distributions\": {\n \"type\": \"object\",\n \"description\": \"A map of Distribution objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"distribution.schema.json\"\n }\n },\n \"repository\": {\n \"type\": \"object\",\n \"description\": \"A map of Repository objects indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"repository.schema.json\"\n }\n },\n \"environments\": {\n \"type\": \"object\",\n \"description\": \"A map of Environment arrays indexed by a Package's identifier.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"$ref\": \"environment.schema.json\"\n }\n }\n },\n \"vulnerabilities\": {\n \"type\": \"object\",\n \"description\": \"A map of Vulnerabilities indexed by a document-local identifier.\",\n \"additionalProperties\": {\n \"$ref\": \"vulnerability.schema.json\"\n }\n },\n \"package_vulnerabilities\": {\n \"type\": \"object\",\n \"description\": \"A mapping of Vulnerability identifier lists indexed by Package identifier.\",\n \"additionalProperties\": {\n \"type\": \"array\",\n \"items\": {\n \"type\": \"string\"\n }\n }\n },\n \"enrichments\": {\n \"type\": \"object\",\n \"description\": \"A mapping of extra \\\"enrichment\\\" data by type\",\n \"additionalProperties\": {\n \"type\": \"array\"\n }\n }\n },\n \"additionalProperties\": false,\n \"required\": [\n \"distributions\",\n \"environments\",\n \"manifest_hash\",\n \"packages\",\n \"package_vulnerabilities\",\n \"vulnerabilities\"\n ]\n}\n"
},
{
"path": "httptransport/types/v1/vulnerability_summaries.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_summaries.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Summaries\",\n \"type\": \"array\",\n \"description\": \"**This is an internal type, documented for completeness.**\\n\\nThis is an array of pseudo-Vulnerability objects used for reverse-lookup.\",\n \"items\": {\n \"description\": \"Summary vulnerability objects.\",\n \"$ref\": \"vulnerability_summary.schema.json\"\n }\n}\n"
},
{
"path": "httptransport/types/v1/vulnerability_summary.schema.json",
"content": "{\n \"$id\": \"https://clairproject.org/api/http/v1/vulnerability_summary.schema.json\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"title\": \"Vulnerability Summary\",\n \"type\": \"object\",\n \"description\": \"A summary of a vulnerability.\",\n \"$ref\": \"vulnerability_core.schema.json\",\n \"unevaluatedProperties\": false\n}\n"
},
{
"path": "indexer/mock.go",
"content": "package indexer\n\nimport (\n\t\"context\"\n\n\t\"github.com/quay/claircore\"\n)\n\nvar _ Service = (*Mock)(nil)\n\n// Mock implements a mock indexer Service\n//\n// If a particular method is not provided an implementation to a constructed Mock\n// an \"unexpected call\" panic will occur.\ntype Mock struct {\n\tIndex_ func(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error)\n\tIndexReport_ func(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error)\n\tState_ func(ctx context.Context) (string, error)\n\tAffectedManifests_ func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error)\n\tDeleteManifests_ func(context.Context, ...claircore.Digest) ([]claircore.Digest, error)\n}\n\nfunc (i *Mock) Index(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error) {\n\tif i.Index_ == nil {\n\t\tpanic(\"mock indexer: unexpected call to Index\")\n\t}\n\treturn i.Index_(ctx, manifest)\n}\n\nfunc (i *Mock) IndexReport(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error) {\n\tif i.IndexReport_ == nil {\n\t\tpanic(\"mock indexer: unexpected call to IndexReport\")\n\t}\n\treturn i.IndexReport_(ctx, digest)\n}\n\nfunc (i *Mock) State(ctx context.Context) (string, error) {\n\tif i.State_ == nil {\n\t\tpanic(\"mock indexer: unexpected call to State\")\n\t}\n\treturn i.State_(ctx)\n}\n\nfunc (i *Mock) AffectedManifests(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\tif i.AffectedManifests_ == nil {\n\t\tpanic(\"mock indexer: unexpected call to AffectedManifests\")\n\t}\n\treturn i.AffectedManifests_(ctx, vulns)\n}\n\nfunc (i *Mock) DeleteManifests(ctx context.Context, d ...claircore.Digest) ([]claircore.Digest, error) {\n\tif i.DeleteManifests_ == nil {\n\t\tpanic(\"mock indexer: unexpected call to DeleteManifests\")\n\t}\n\treturn i.DeleteManifests_(ctx, d...)\n}\n"
},
{
"path": "indexer/service.go",
"content": "package indexer\n\nimport (\n\t\"context\"\n\n\t\"github.com/quay/claircore\"\n)\n\n// Service is an aggregate interface wrapping claircore.Libindex functionality.\n//\n// Implementation may use a local instance of claircore.Libindex or a remote\n// instance via http or grpc client.\ntype Service interface {\n\tIndexer\n\tReporter\n\tStater\n\tAffected\n}\n\n// StateReporter is an aggregate interface providing both a Reporter and\n// a Stater method set\ntype StateReporter interface {\n\tReporter\n\tStater\n}\n\n// StateIndexer is an aggregate interface providing both a Indexer\n// and a Stater method set\ntype StateIndexer interface {\n\tIndexer\n\tStater\n}\n\n// Indexer is an interface for computing a IndexReport given a Manifest.\ntype Indexer interface {\n\tIndex(ctx context.Context, manifest *claircore.Manifest) (*claircore.IndexReport, error)\n\tDeleteManifests(context.Context, ...claircore.Digest) ([]claircore.Digest, error)\n}\n\n// Reporter is an interface for retreiving an IndexReport given a manifest digest.\ntype Reporter interface {\n\tIndexReport(ctx context.Context, digest claircore.Digest) (*claircore.IndexReport, bool, error)\n}\n\n// Stater is an interface which provides a unique token symbolizing a Clair's state.\ntype Stater interface {\n\tState(ctx context.Context) (string, error)\n}\n\n// Affected is an interface for reporting the manifests affected by a set of vulnerabilities.\ntype Affected interface {\n\tAffectedManifests(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error)\n}\n"
},
{
"path": "initialize/auto/auto.go",
"content": "// Package auto does automatic detection and runtime configuration for certain\n// environments.\n//\n// All top-level functions are not safe to call concurrently.\npackage auto\n\nimport (\n\t\"context\"\n\t\"log/slog\"\n)\n\nvar msgs = []func(context.Context){}\n\nfunc init() {\n\tCPU()\n\tMemory()\n\tProfiling()\n}\n\n// PrintLogs uses slog to report any messages queued up from the runs of\n// functions since the last call to PrintLogs.\nfunc PrintLogs(ctx context.Context) {\n\tfor _, f := range msgs {\n\t\tf(ctx)\n\t}\n\tmsgs = msgs[:0]\n}\n\n// DebugLog is a helper to log static strings.\nfunc debugLog(m string) {\n\tmsgs = append(msgs, func(ctx context.Context) {\n\t\tslog.DebugContext(ctx, m)\n\t})\n}\n\n// InfoLog is a helper to log static strings.\nfunc infoLog(m string) {\n\tmsgs = append(msgs, func(ctx context.Context) {\n\t\tslog.InfoContext(ctx, m)\n\t})\n}\n"
},
{
"path": "initialize/auto/auto_test.go",
"content": "package auto\n\nimport (\n\t\"os\"\n\t\"testing\"\n)\n\nfunc TestMain(m *testing.M) {\n\t// Reset the logging slice, as the init function will have triggered and\n\t// written things into it.\n\tmsgs = msgs[:0]\n\tos.Exit(m.Run())\n}\n"
},
{
"path": "initialize/auto/cpu.go",
"content": "//go:build !linux\n// +build !linux\n\npackage auto\n\n// CPU is a no-op on this platform.\nfunc CPU() {}\n"
},
{
"path": "initialize/auto/cpu_linux.go",
"content": "package auto\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"io/fs\"\n\t\"log/slog\"\n\t\"os\"\n\t\"path\"\n\t\"runtime\"\n\t\"strconv\"\n)\n\n// CPU guesses a good number for GOMAXPROCS based on information gleaned from\n// the current process's cgroup.\nfunc CPU() {\n\tif os.Getenv(\"GOMAXPROCS\") != \"\" {\n\t\tinfoLog(\"GOMAXPROCS set in the environment, skipping auto detection\")\n\t\treturn\n\t}\n\troot := os.DirFS(\"/\")\n\tgmp, err := cgLookup(root)\n\tif err != nil {\n\t\tmsgs = append(msgs, func(ctx context.Context) {\n\t\t\tslog.ErrorContext(ctx, \"unable to guess GOMAXPROCS value\",\n\t\t\t\t\"reason\", err)\n\t\t})\n\t\treturn\n\t}\n\tprev := runtime.GOMAXPROCS(gmp)\n\tmsgs = append(msgs, func(ctx context.Context) {\n\t\tslog.InfoContext(ctx, \"set GOMAXPROCS value\",\n\t\t\t\"cur\", gmp,\n\t\t\t\"prev\", prev)\n\t})\n}\n\nfunc cgLookup(r fs.FS) (int, error) {\n\tconst usingDefault = \"no CPU quota set, using default\"\n\tvar gmp int\n\tb, err := fs.ReadFile(r, \"proc/self/cgroup\")\n\tswitch {\n\tcase err == nil:\n\tcase errors.Is(err, fs.ErrNotExist):\n\t\tdebugLog(\"cgroups seemingly not enabled\")\n\t\tinfoLog(usingDefault)\n\t\treturn gmp, nil\n\tdefault:\n\t\treturn gmp, err\n\t}\n\tvar q, p uint64 = 0, 1\n\ts := bufio.NewScanner(bytes.NewReader(b))\n\ts.Split(bufio.ScanLines)\n\tfor s.Scan() {\n\t\tsl := bytes.SplitN(s.Bytes(), []byte(\":\"), 3)\n\t\thid, ctls, pb := sl[0], sl[1], sl[2]\n\t\tif bytes.Equal(hid, []byte(\"0\")) && len(ctls) == 0 { // If cgroupsv2:\n\t\t\tdebugLog(\"found cgroups v2\")\n\t\t\tn := path.Join(\"sys/fs/cgroup\", string(pb), \"cpu.max\")\n\t\t\tb, err := fs.ReadFile(r, n)\n\t\t\tswitch {\n\t\t\tcase err == nil:\n\t\t\tcase errors.Is(err, fs.ErrNotExist):\n\t\t\t\tinfoLog(usingDefault)\n\t\t\t\treturn gmp, nil\n\t\t\tdefault:\n\t\t\t\treturn gmp, err\n\t\t\t}\n\t\t\tl := bytes.Fields(b)\n\t\t\tqt, per := string(l[0]), string(l[1])\n\t\t\tif qt == \"max\" {\n\t\t\t\t// No quota, so bail.\n\t\t\t\tinfoLog(usingDefault)\n\t\t\t\treturn gmp, nil\n\t\t\t}\n\t\t\tq, err = strconv.ParseUint(qt, 10, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn gmp, err\n\t\t\t}\n\t\t\tp, err = strconv.ParseUint(per, 10, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn gmp, err\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t\t// If here, we're doing cgroups v1.\n\t\tisCPU := false\n\t\tfor _, b := range bytes.Split(ctls, []byte(\",\")) {\n\t\t\tif bytes.Equal(b, []byte(\"cpu\")) {\n\t\t\t\tisCPU = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !isCPU {\n\t\t\t// This line is not the cpu group.\n\t\t\tcontinue\n\t\t}\n\t\tdebugLog(\"found cgroups v1 and cpu controller\")\n\t\tprefix := path.Join(\"sys/fs/cgroup\", string(ctls), string(pb))\n\t\t// Check for the existence of the named cgroup. If it doesn't exist,\n\t\t// look at the root of the controller. The named group not existing\n\t\t// probably means the process is in a container and is having remounting\n\t\t// tricks done. If, for some reason this is actually the root cgroup,\n\t\t// it'll be unlimited and fall back to the default.\n\t\tif _, err := fs.Stat(r, prefix); errors.Is(err, fs.ErrNotExist) {\n\t\t\tdebugLog(\"falling back to root hierarchy\")\n\t\t\tprefix = path.Join(\"sys/fs/cgroup\", string(ctls))\n\t\t}\n\n\t\tb, err = fs.ReadFile(r, path.Join(prefix, \"cpu.cfs_quota_us\"))\n\t\tif err != nil {\n\t\t\treturn gmp, err\n\t\t}\n\t\tqi, err := strconv.ParseInt(string(bytes.TrimSpace(b)), 10, 64)\n\t\tif err != nil {\n\t\t\treturn gmp, err\n\t\t}\n\t\tif qi == -1 {\n\t\t\t// No quota, so bail.\n\t\t\tinfoLog(usingDefault)\n\t\t\treturn gmp, nil\n\t\t}\n\t\tq = uint64(qi)\n\t\tb, err = fs.ReadFile(r, path.Join(prefix, \"cpu.cfs_period_us\"))\n\t\tif err != nil {\n\t\t\treturn gmp, err\n\t\t}\n\t\tp, err = strconv.ParseUint(string(bytes.TrimSpace(b)), 10, 64)\n\t\tif err != nil {\n\t\t\treturn gmp, err\n\t\t}\n\t\tbreak\n\t}\n\tif err := s.Err(); err != nil {\n\t\treturn gmp, err\n\t}\n\tgmp = int(q / p)\n\treturn gmp, nil\n}\n"
},
{
"path": "initialize/auto/cpu_linux_test.go",
"content": "//go:build linux\n// +build linux\n\npackage auto\n\nimport (\n\t\"context\"\n\t\"testing\"\n\t\"testing/fstest\"\n\n\t\"github.com/quay/claircore/test\"\n)\n\nvar (\n\tcgv1 = &fstest.MapFile{\n\t\tData: []byte(`11:pids:/user.slice/user-1000.slice/session-4.scope\n10:cpuset:/\n9:blkio:/user.slice\n8:hugetlb:/\n7:perf_event:/\n6:devices:/user.slice\n5:net_cls,net_prio:/\n4:cpu,cpuacct:/user.slice\n3:freezer:/\n2:memory:/user.slice/user-1000.slice/session-4.scope\n1:name=systemd:/user.slice/user-1000.slice/session-4.scope\n0::/user.slice/user-1000.slice/session-4.scope\n`),\n\t}\n\tcgv2 = &fstest.MapFile{\n\t\tData: []byte(\"0::/\\n\"),\n\t}\n)\n\ntype cgTestcase struct {\n\tIn fstest.MapFS\n\tErr error\n\tName string\n\tWant int\n}\n\nfunc (tc cgTestcase) Run(ctx context.Context, t *testing.T) {\n\tt.Run(tc.Name, func(t *testing.T) {\n\t\tctx := test.Logging(t)\n\t\tgmp, err := cgLookup(tc.In)\n\t\tif err != tc.Err {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := gmp, tc.Want; tc.Err == nil && got != want {\n\t\t\tt.Errorf(\"got: %v, want: %v\", got, want)\n\t\t}\n\t\tPrintLogs(ctx)\n\t})\n}\n\nfunc TestCPUDetection(t *testing.T) {\n\tctx := test.Logging(t)\n\tt.Run(\"V1\", func(t *testing.T) {\n\t\ttt := []cgTestcase{\n\t\t\t{\n\t\t\t\tName: \"NoLimit\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv1,\n\t\t\t\t\t\"sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"-1\\n\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tWant: 0,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"Limit1\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv1,\n\t\t\t\t\t\"sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"100000\\n\"),\n\t\t\t\t\t},\n\t\t\t\t\t\"sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"100000\\n\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tWant: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"RootFallback\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv1,\n\t\t\t\t\t\"sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"100000\\n\"),\n\t\t\t\t\t},\n\t\t\t\t\t\"sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"100000\\n\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tWant: 1,\n\t\t\t},\n\t\t}\n\t\tctx := test.Logging(t, ctx)\n\t\tfor _, tc := range tt {\n\t\t\ttc.Run(ctx, t)\n\t\t}\n\t})\n\tt.Run(\"V2\", func(t *testing.T) {\n\t\ttt := []cgTestcase{\n\t\t\t{\n\t\t\t\tName: \"NoLimit\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv2,\n\t\t\t\t\t\"sys/fs/cgroup/cpu.max\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"max 100000\\n\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tWant: 0,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"Limit4\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv2,\n\t\t\t\t\t\"sys/fs/cgroup/cpu.max\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"400000 100000\\n\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tWant: 4,\n\t\t\t},\n\t\t}\n\t\tctx := test.Logging(t, ctx)\n\t\tfor _, tc := range tt {\n\t\t\ttc.Run(ctx, t)\n\t\t}\n\t})\n}\n"
},
{
"path": "initialize/auto/memory.go",
"content": "//go:build !linux || (linux && !go1.19)\n\npackage auto\n\n// Memory is a no-op on this platform.\nfunc Memory() {}\n"
},
{
"path": "initialize/auto/memory_linux.go",
"content": "package auto\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"io/fs\"\n\t\"log/slog\"\n\t\"os\"\n\t\"path\"\n\t\"runtime/debug\"\n\t\"strconv\"\n)\n\n// Memory sets the runtime's memory limit based on information gleaned from the\n// current process's cgroup. See [debug.SetMemoryLimit] for details on the effects\n// of setting the limit. This does mean that attempting to run Clair in an aggressively\n// constrained environment may cause excessive CPU time spent in garbage\n// collection. Excessive GC can be prevented by increasing the resources allowed or\n// pacing Clair as a whole by reducing the CPU allocation or limiting the number of\n// concurrent requests.\n//\n// The process' \"memory.max\" limit (for cgroups v2) or\n// \"memory.limit_in_bytes\" (for cgroups v1) are the values consulted.\nfunc Memory() {\n\troot := os.DirFS(\"/\")\n\tlim, err := memLookup(root)\n\tswitch {\n\tcase err != nil:\n\t\tmsgs = append(msgs, func(ctx context.Context) {\n\t\t\tslog.ErrorContext(ctx, \"unable to guess memory limit\",\n\t\t\t\t\"reason\", err)\n\t\t})\n\t\treturn\n\tcase lim == doNothing:\n\t\tinfoLog(\"no memory limit configured\")\n\t\treturn\n\tcase lim == setMax:\n\t\tinfoLog(\"memory limit unset\")\n\t\treturn\n\t}\n\t// Following the GC guide and taking a haircut: https://tip.golang.org/doc/gc-guide#Suggested_uses\n\ttgt := lim - (lim / 20)\n\tdebug.SetMemoryLimit(tgt)\n\tmsgs = append(msgs, func(ctx context.Context) {\n\t\tslog.InfoContext(ctx, \"set memory limit\",\n\t\t\t\"lim\", lim,\n\t\t\t\"target\", tgt)\n\t})\n}\n\nconst (\n\tdoNothing = -1\n\tsetMax = -2\n)\n\nfunc memLookup(r fs.FS) (int64, error) {\n\tb, err := fs.ReadFile(r, \"proc/self/cgroup\")\n\tswitch {\n\tcase err == nil:\n\tcase errors.Is(err, fs.ErrNotExist):\n\t\tdebugLog(\"cgroups seemingly not enabled\")\n\t\treturn doNothing, nil\n\tdefault:\n\t\treturn 0, err\n\t}\n\ts := bufio.NewScanner(bytes.NewReader(b))\n\ts.Split(bufio.ScanLines)\n\tfor s.Scan() {\n\t\tsl := bytes.SplitN(s.Bytes(), []byte(\":\"), 3)\n\t\thid, ctls, pb := sl[0], sl[1], sl[2]\n\t\tif bytes.Equal(hid, []byte(\"0\")) && len(ctls) == 0 { // If cgroupsv2:\n\t\t\tdebugLog(\"found cgroups v2\")\n\t\t\tn := path.Join(\"sys/fs/cgroup\", string(pb), \"memory.max\")\n\t\t\tb, err := fs.ReadFile(r, n)\n\t\t\tswitch {\n\t\t\tcase errors.Is(err, nil):\n\t\t\tcase errors.Is(err, fs.ErrNotExist):\n\t\t\t\tdebugLog(`no \"memory.max\" file`)\n\t\t\t\treturn doNothing, nil\n\t\t\tdefault:\n\t\t\t\treturn 0, err\n\t\t\t}\n\t\t\tv := string(bytes.TrimSpace(b))\n\t\t\tif v == \"max\" { // No quota, so bail.\n\t\t\t\treturn setMax, nil\n\t\t\t}\n\t\t\treturn strconv.ParseInt(v, 10, 64)\n\t\t}\n\t\t// If here, we're doing cgroups v1.\n\t\tisMem := false\n\t\tfor _, b := range bytes.Split(ctls, []byte(\",\")) {\n\t\t\tif bytes.Equal(b, []byte(\"memory\")) {\n\t\t\t\tisMem = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !isMem { // This line is not the memory group.\n\t\t\tcontinue\n\t\t}\n\t\tdebugLog(\"found cgroups v1 and memory controller\")\n\t\tprefix := path.Join(\"sys/fs/cgroup\", string(ctls), string(pb))\n\t\t// Check for the existence of the named cgroup. If it doesn't exist,\n\t\t// look at the root of the controller. The named group not existing\n\t\t// probably means the process is in a container and is having remounting\n\t\t// tricks done. If, for some reason this is actually the root cgroup,\n\t\t// it'll be unlimited and fall back to the default.\n\t\tif _, err := fs.Stat(r, prefix); errors.Is(err, fs.ErrNotExist) {\n\t\t\tdebugLog(\"falling back to root hierarchy\")\n\t\t\tprefix = path.Join(\"sys/fs/cgroup\", string(ctls))\n\t\t}\n\n\t\tb, err = fs.ReadFile(r, path.Join(prefix, \"memory.limit_in_bytes\"))\n\t\tswitch {\n\t\tcase errors.Is(err, nil):\n\t\tcase errors.Is(err, fs.ErrNotExist):\n\t\t\tdebugLog(`no \"memory.limit_in_bytes\" file`)\n\t\t\treturn doNothing, nil\n\t\tdefault:\n\t\t\treturn 0, err\n\t\t}\n\t\tv := string(bytes.TrimSpace(b))\n\t\treturn strconv.ParseInt(v, 10, 64)\n\t}\n\tif err := s.Err(); err != nil {\n\t\treturn 0, err\n\t}\n\treturn 0, nil\n}\n"
},
{
"path": "initialize/auto/memory_linux_test.go",
"content": "//go:build linux && go1.19\n\npackage auto\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"testing\"\n\t\"testing/fstest\"\n\n\t\"github.com/quay/claircore/test\"\n)\n\ntype memTestcase struct {\n\tIn fstest.MapFS\n\tErr error\n\tName string\n\tWant int64\n}\n\nfunc (tc memTestcase) Run(ctx context.Context, t *testing.T) {\n\tt.Helper()\n\tt.Run(tc.Name, func(t *testing.T) {\n\t\tt.Helper()\n\t\tctx := test.Logging(t)\n\t\tlim, err := memLookup(tc.In)\n\t\tif err != tc.Err {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := lim, tc.Want; tc.Err == nil && got != want {\n\t\t\tt.Errorf(\"got: %v, want: %v\", got, want)\n\t\t}\n\t\tPrintLogs(ctx)\n\t})\n}\n\nfunc TestMemoryDetection(t *testing.T) {\n\tconst (\n\t\tlimInt = 268435456\n\t\tnoLimInt = -1\n\t)\n\tvar (\n\t\tlim = &fstest.MapFile{Data: []byte(fmt.Sprintln(limInt))}\n\t\tnoLim = &fstest.MapFile{Data: []byte(fmt.Sprintln(noLimInt))}\n\t)\n\tctx := test.Logging(t)\n\tt.Run(\"V1\", func(t *testing.T) {\n\t\ttt := []memTestcase{\n\t\t\t{\n\t\t\t\tName: \"NoLimit\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv1,\n\t\t\t\t\t\"sys/fs/cgroup/memory/user.slice/user-1000.slice/session-4.scope/memory.limit_in_bytes\": noLim,\n\t\t\t\t},\n\t\t\t\tWant: noLimInt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"RootFallback\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv1,\n\t\t\t\t\t\"sys/fs/cgroup/memory/memory.limit_in_bytes\": noLim,\n\t\t\t\t},\n\t\t\t\tWant: noLimInt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"256MiB\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv1,\n\t\t\t\t\t\"sys/fs/cgroup/memory/user.slice/user-1000.slice/session-4.scope/memory.limit_in_bytes\": lim,\n\t\t\t\t},\n\t\t\t\tWant: limInt,\n\t\t\t},\n\t\t}\n\t\tctx := test.Logging(t, ctx)\n\t\tfor _, tc := range tt {\n\t\t\ttc.Run(ctx, t)\n\t\t}\n\t})\n\tt.Run(\"V2\", func(t *testing.T) {\n\t\ttt := []memTestcase{\n\t\t\t{\n\t\t\t\tName: \"NoLimit\",\n\t\t\t\tIn: fstest.MapFS{\"proc/self/cgroup\": cgv2},\n\t\t\t\tWant: noLimInt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"LimitMax\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv2,\n\t\t\t\t\t\"sys/fs/cgroup/memory.max\": &fstest.MapFile{\n\t\t\t\t\t\tData: []byte(\"max\\n\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tWant: setMax,\n\t\t\t},\n\t\t\t{\n\t\t\t\tName: \"256MiB\",\n\t\t\t\tIn: fstest.MapFS{\n\t\t\t\t\t\"proc/self/cgroup\": cgv2,\n\t\t\t\t\t\"sys/fs/cgroup/memory.max\": lim,\n\t\t\t\t},\n\t\t\t\tWant: limInt,\n\t\t\t},\n\t\t}\n\t\tctx := test.Logging(t, ctx)\n\t\tfor _, tc := range tt {\n\t\t\ttc.Run(ctx, t)\n\t\t}\n\t})\n}\n"
},
{
"path": "initialize/auto/profiling.go",
"content": "package auto\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"os\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n)\n\n// Profiling enables block and mutex profiling.\n//\n// This function uses the magic environment variable \"CLAIRDEBUG\" to control the\n// values used. This escape hatch will go away in the future.\nfunc Profiling() {\n\t// Catch contention at a granularity of 1 microsecond.\n\tblockCur := 1000\n\t// Catch 1/10 mutex contention events.\n\tmutexCur := 10\n\tfromEnv := false\n\tif s, ok := os.LookupEnv(`CLAIRDEBUG`); ok {\n\t\tvar err error\n\t\tfor _, kv := range strings.Split(s, \",\") {\n\t\t\tk, v, ok := strings.Cut(kv, \"=\")\n\t\t\tif !ok {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tswitch k {\n\t\t\tcase \"blockprofile\":\n\t\t\t\tfromEnv = true\n\t\t\t\tblockCur, err = strconv.Atoi(v)\n\t\t\tcase \"mutexprofile\":\n\t\t\t\tfromEnv = true\n\t\t\t\tmutexCur, err = strconv.Atoi(v)\n\t\t\tdefault:\n\t\t\t}\n\t\t\tif err != nil {\n\t\t\t\tpanic(err)\n\t\t\t}\n\t\t}\n\t}\n\n\truntime.SetBlockProfileRate(blockCur)\n\tmutexPrev := runtime.SetMutexProfileFraction(mutexCur)\n\tmsgs = append(msgs, func(ctx context.Context) {\n\t\tslog.InfoContext(ctx, \"profiling rates configured\",\n\t\t\t\"from_env\", fromEnv,\n\t\t\t\"block_rate\", time.Duration(blockCur)*time.Nanosecond,\n\t\t\t\"prev_mutex_frac\", fmt.Sprintf(\"1/%d\", mutexPrev),\n\t\t\t\"cur_mutex_frac\", fmt.Sprintf(\"1/%d\", mutexCur))\n\t})\n}\n"
},
{
"path": "initialize/logging.go",
"content": "package initialize\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log/slog\"\n\n\t\"github.com/quay/clair/config\"\n\n\t\"github.com/quay/clair/v4/internal/logging\"\n)\n\n// Logging configures slog according to the provided configuration.\nfunc Logging(ctx context.Context, cfg *config.Config) error {\n\tswitch cfg.LogLevel {\n\tcase config.DebugColorLog:\n\t\topts := logging.DefaultOptions()\n\t\topts.ProseFormat = true\n\t\tlogging.SetLogger(opts)\n\t\tfallthrough\n\tcase config.DebugLog:\n\t\tlogging.Level.Set(slog.LevelDebug)\n\tcase config.InfoLog:\n\t\tlogging.Level.Set(slog.LevelInfo)\n\tcase config.WarnLog:\n\t\tlogging.Level.Set(slog.LevelWarn)\n\tcase config.ErrorLog:\n\t\tlogging.Level.Set(slog.LevelError)\n\tcase config.FatalLog:\n\t\tlogging.Level.Set(slog.LevelError + 4)\n\tcase config.PanicLog:\n\t\tlogging.Level.Set(slog.LevelError + 8)\n\tdefault:\n\t\treturn fmt.Errorf(\"unknown log level: %v\", cfg.LogLevel)\n\t}\n\n\tslog.DebugContext(ctx, \"logging configured\")\n\treturn nil\n}\n"
},
{
"path": "initialize/services.go",
"content": "package initialize\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"net/http/cookiejar\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore/datastore/postgres\"\n\t\"github.com/quay/claircore/enricher/cvss\"\n\t\"github.com/quay/claircore/libindex\"\n\t\"github.com/quay/claircore/libvuln\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"github.com/quay/claircore/pkg/ctxlock/v2\"\n\t\"golang.org/x/net/publicsuffix\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/httptransport\"\n\t\"github.com/quay/clair/v4/httptransport/client\"\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/matcher\"\n\t\"github.com/quay/clair/v4/notifier\"\n\tnotifierpg \"github.com/quay/clair/v4/notifier/postgres\"\n\t\"github.com/quay/clair/v4/notifier/service\"\n)\n\nconst (\n\t// NotifierIssuer is the value used for the issuer claim of any outgoing\n\t// HTTP requests the notifier makes, if PSK auth is configured.\n\tNotifierIssuer = `clair-notifier`\n)\n\nvar (\n\tintraserviceClaim = jwt.Claims{Issuer: httptransport.IntraserviceIssuer}\n\tnotifierClaim = jwt.Claims{Issuer: NotifierIssuer}\n)\n\n// Srv is a bundle of configured Services.\n//\n// The members are populated according to the configuration that was passed to\n// Services.\ntype Srv struct {\n\tIndexer indexer.Service\n\tMatcher matcher.Service\n\tNotifier notifier.Service\n}\n\n// Services configures the services needed for a given mode according to the\n// provided configuration.\nfunc Services(ctx context.Context, cfg *config.Config) (*Srv, error) {\n\tslog.InfoContext(ctx, \"begin service initialization\")\n\tdefer slog.InfoContext(ctx, \"end service initialization\")\n\n\tvar srv Srv\n\tvar err error\n\tswitch cfg.Mode {\n\tcase config.ComboMode:\n\t\tsrv.Indexer, err = localIndexer(ctx, cfg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsrv.Matcher, err = localMatcher(ctx, cfg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsrv.Notifier, err = localNotifier(ctx, cfg, srv.Indexer, srv.Matcher)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tcase config.IndexerMode:\n\t\tsrv.Indexer, err = localIndexer(ctx, cfg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tcase config.MatcherMode:\n\t\tsrv.Matcher, err = localMatcher(ctx, cfg)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsrv.Indexer, err = remoteIndexer(ctx, cfg, cfg.Matcher.IndexerAddr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tcase config.NotifierMode:\n\t\tsrv.Indexer, err = remoteIndexer(ctx, cfg, cfg.Notifier.IndexerAddr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsrv.Matcher, err = remoteMatcher(ctx, cfg, cfg.Notifier.MatcherAddr)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tsrv.Notifier, err = localNotifier(ctx, cfg, srv.Indexer, srv.Matcher)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"could not determine passed in mode: %v\", cfg.Mode)\n\t}\n\n\treturn &srv, nil\n}\n\n// BUG(hank) The various resources (database connections, lock services)\n// constructed in some internal functions are not properly cleaned up.\n\nfunc localIndexer(ctx context.Context, cfg *config.Config) (indexer.Service, error) {\n\tconst msg = \"failed to initialize indexer: \"\n\tmkErr := func(err error) *clairerror.ErrNotInitialized {\n\t\treturn &clairerror.ErrNotInitialized{Msg: msg + err.Error()}\n\t}\n\n\tpool, err := postgres.Connect(ctx, cfg.Indexer.ConnString, \"libindex\")\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tstore, err := postgres.InitPostgresIndexerStore(ctx, pool, cfg.Indexer.Migrations)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tlocker, err := ctxlock.New(ctx, pool)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\n\topts := libindex.Options{\n\t\tStore: store,\n\t\tLocker: locker,\n\t\tScanLockRetry: time.Duration(cfg.Indexer.ScanLockRetry) * time.Second,\n\t\tLayerScanConcurrency: cfg.Indexer.LayerScanConcurrency,\n\t}\n\tif cfg.Indexer.Scanner.Package != nil {\n\t\topts.ScannerConfig.Package = make(map[string]func(interface{}) error, len(cfg.Indexer.Scanner.Package))\n\t\tfor name, node := range cfg.Indexer.Scanner.Package {\n\t\t\tnode := node\n\t\t\topts.ScannerConfig.Package[name] = func(v interface{}) error {\n\t\t\t\tb, err := json.Marshal(node)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\treturn json.Unmarshal(b, v)\n\t\t\t}\n\t\t}\n\t}\n\tif cfg.Indexer.Scanner.Dist != nil {\n\t\topts.ScannerConfig.Dist = make(map[string]func(interface{}) error, len(cfg.Indexer.Scanner.Dist))\n\t\tfor name, node := range cfg.Indexer.Scanner.Dist {\n\t\t\tnode := node\n\t\t\topts.ScannerConfig.Dist[name] = func(v interface{}) error {\n\t\t\t\tb, err := json.Marshal(node)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\treturn json.Unmarshal(b, v)\n\t\t\t}\n\t\t}\n\t}\n\tif cfg.Indexer.Scanner.Repo != nil {\n\t\topts.ScannerConfig.Repo = make(map[string]func(interface{}) error, len(cfg.Indexer.Scanner.Repo))\n\t\tfor name, node := range cfg.Indexer.Scanner.Repo {\n\t\t\tnode := node\n\t\t\topts.ScannerConfig.Repo[name] = func(v interface{}) error {\n\t\t\t\tb, err := json.Marshal(node)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\treturn json.Unmarshal(b, v)\n\t\t\t}\n\t\t}\n\t}\n\tc, err := httputil.NewClient(ctx, cfg.Indexer.Airgap)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\n\topts.FetchArena = libindex.NewRemoteFetchArena(c, \"\")\n\n\ts, err := libindex.New(ctx, &opts, c)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\treturn s, nil\n}\n\nfunc remoteIndexer(ctx context.Context, cfg *config.Config, addr string) (indexer.Service, error) {\n\tconst msg = \"failed to initialize indexer client: \"\n\tmkErr := func(err error) *clairerror.ErrNotInitialized {\n\t\treturn &clairerror.ErrNotInitialized{Msg: msg + err.Error()}\n\t}\n\trc, err := remoteClient(ctx, cfg, intraserviceClaim, addr)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\treturn rc, nil\n}\n\nfunc remoteClient(ctx context.Context, cfg *config.Config, claim jwt.Claims, addr string) (*client.HTTP, error) {\n\tc, err := httputil.NewClient(ctx, false) // ???\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\topts := []client.Option{client.WithAddr(addr), client.WithClient(c)}\n\tif cfg.Auth.Any() {\n\t\ts, err := httputil.NewSigner(ctx, cfg, claim)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\topts = append(opts, client.WithSigner(s))\n\t}\n\treturn client.NewHTTP(ctx, opts...)\n}\n\nfunc localMatcher(ctx context.Context, cfg *config.Config) (matcher.Service, error) {\n\tconst msg = \"failed to initialize matcher: \"\n\tmkErr := func(err error) *clairerror.ErrNotInitialized {\n\t\treturn &clairerror.ErrNotInitialized{\n\t\t\tMsg: msg + err.Error(),\n\t\t}\n\t}\n\n\ttr := http.DefaultTransport.(*http.Transport).Clone()\n\t// Some servers return weak validators when the Content-Encoding is not\n\t// \"identity\". Setting this prevents automatically negotiating up to \"gzip\".\n\ttr.DisableCompression = true\n\tjar, err := cookiejar.New(&cookiejar.Options{\n\t\tPublicSuffixList: publicsuffix.List,\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcl := &http.Client{\n\t\tJar: jar,\n\t\tTransport: httputil.RateLimiter(tr),\n\t}\n\tupdaterConfigs := make(map[string]driver.ConfigUnmarshaler)\n\tfor name, node := range cfg.Updaters.Config {\n\t\tnode := node\n\t\tupdaterConfigs[name] = func(v interface{}) error {\n\t\t\tb, err := json.Marshal(node)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn json.Unmarshal(b, v)\n\t\t}\n\t}\n\tmatcherConfigs := make(map[string]driver.MatcherConfigUnmarshaler)\n\tfor name, node := range cfg.Matchers.Config {\n\t\tnode := node\n\t\tmatcherConfigs[name] = func(v interface{}) error {\n\t\t\tb, err := json.Marshal(node)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn json.Unmarshal(b, v)\n\t\t}\n\t}\n\tpool, err := postgres.Connect(ctx, cfg.Matcher.ConnString, \"libvuln\")\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tstore, err := postgres.InitPostgresMatcherStore(ctx, pool, cfg.Matcher.Migrations)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tlocker, err := ctxlock.New(ctx, pool)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\n\ters := []driver.Enricher{}\n\tif !cfg.Matcher.DisableEnrichment {\n\t\tslog.InfoContext(ctx, \"enrichment enabled\")\n\t\ters = append(ers, &cvss.Enricher{})\n\t}\n\n\ts, err := libvuln.New(ctx, &libvuln.Options{\n\t\tStore: store,\n\t\tLocker: locker,\n\t\tUpdaterSets: cfg.Updaters.Sets,\n\t\tUpdateInterval: time.Duration(cfg.Matcher.Period),\n\t\tUpdaterConfigs: updaterConfigs,\n\t\tUpdateRetention: cfg.Matcher.UpdateRetention,\n\t\tMatcherNames: cfg.Matchers.Names,\n\t\tMatcherConfigs: matcherConfigs,\n\t\tClient: cl,\n\t\tEnrichers: ers,\n\t})\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\treturn s, nil\n}\n\nfunc remoteMatcher(ctx context.Context, cfg *config.Config, addr string) (matcher.Service, error) {\n\tconst msg = \"failed to initialize matcher client: \"\n\tmkErr := func(err error) *clairerror.ErrNotInitialized {\n\t\treturn &clairerror.ErrNotInitialized{Msg: msg + err.Error()}\n\t}\n\trc, err := remoteClient(ctx, cfg, intraserviceClaim, addr)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\treturn rc, nil\n}\n\nfunc localNotifier(ctx context.Context, cfg *config.Config, i indexer.Service, m matcher.Service) (notifier.Service, error) {\n\tconst msg = \"failed to initialize notifier: \"\n\tmkErr := func(err error) *clairerror.ErrNotInitialized {\n\t\treturn &clairerror.ErrNotInitialized{\n\t\t\tMsg: msg + err.Error(),\n\t\t}\n\t}\n\n\tc, err := httputil.NewClient(ctx, false) // No airgap flag.\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tsigner, err := httputil.NewSigner(ctx, cfg, notifierClaim)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\n\tncfg := &cfg.Notifier\n\tpoolcfg, err := pgxpool.ParseConfig(ncfg.ConnString)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tif cfg.Notifier.Migrations {\n\t\tif err := notifierpg.Init(ctx, poolcfg.ConnConfig); err != nil {\n\t\t\treturn nil, mkErr(err)\n\t\t}\n\t}\n\tpool, err := pgxpool.NewWithConfig(ctx, poolcfg)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\tstore := notifierpg.NewStore(pool)\n\tlocks, err := ctxlock.New(ctx, pool)\n\tif err != nil {\n\t\treturn nil, mkErr(err)\n\t}\n\n\ts, err := service.New(ctx, store, locks, service.Opts{\n\t\tDeliveryInterval: time.Duration(cfg.Notifier.DeliveryInterval),\n\t\tIndexer: i,\n\t\tMatcher: m,\n\t\tClient: c,\n\t\tSigner: signer,\n\t\tPollInterval: time.Duration(cfg.Notifier.PollInterval),\n\t\tDisableSummary: cfg.Notifier.DisableSummary,\n\t\tWebhook: cfg.Notifier.Webhook,\n\t\tAMQP: cfg.Notifier.AMQP,\n\t\tSTOMP: cfg.Notifier.STOMP,\n\t})\n\tswitch {\n\tcase err == nil:\n\tcase errors.Is(err, service.ErrNoDelivery):\n\t\tslog.InfoContext(ctx, \"notifier disabled\", \"reason\", err)\n\t\treturn nil, nil\n\tdefault:\n\t\treturn nil, mkErr(err)\n\t}\n\tgo func() {\n\t\tif err := s.Run(ctx); err != context.Canceled {\n\t\t\tslog.ErrorContext(ctx, \"unexpected notifier error\", \"reason\", err)\n\t\t}\n\t}()\n\treturn s, nil\n}\n"
},
{
"path": "internal/codec/codec.go",
"content": "// Package codec is a unified place for configuring and allocating JSON encoders\n// and decoders.\npackage codec\n\nimport (\n\t\"io\"\n\t\"sync\"\n\n\t\"github.com/ugorji/go/codec\"\n)\n\nvar jsonHandle codec.JsonHandle\n\nfunc init() {\n\t// This is documented to cause \"smart buffering\".\n\tjsonHandle.WriterBufferSize = 4096\n\tjsonHandle.ReaderBufferSize = 4096\n\t// Force calling time.Time's Marshal function. This causes an allocation on\n\t// every time.Time value, but is the same behavior as the stdlib json\n\t// encoder. If we decide nulls are OK, this should get removed.\n\tjsonHandle.TimeNotBuiltin = true\n}\n\n// Encoder and decoder pools, to reuse if possible.\nvar (\n\tencPool = sync.Pool{\n\t\tNew: func() interface{} {\n\t\t\treturn codec.NewEncoder(nil, &jsonHandle)\n\t\t},\n\t}\n\tdecPool = sync.Pool{\n\t\tNew: func() interface{} {\n\t\t\treturn codec.NewDecoder(nil, &jsonHandle)\n\t\t},\n\t}\n)\n\n// Encoder encodes.\ntype Encoder = codec.Encoder\n\n// GetEncoder returns an encoder configured to write to w.\nfunc GetEncoder(w io.Writer) *Encoder {\n\te := encPool.Get().(*Encoder)\n\te.Reset(w)\n\treturn e\n}\n\n// PutEncoder returns an encoder to the pool.\nfunc PutEncoder(e *Encoder) {\n\te.Reset(nil)\n\tencPool.Put(e)\n}\n\n// Decoder decodes.\ntype Decoder = codec.Decoder\n\n// GetDecoder returns a decoder configured to read from r.\nfunc GetDecoder(r io.Reader) *Decoder {\n\td := decPool.Get().(*Decoder)\n\td.Reset(r)\n\treturn d\n}\n\n// PutDecoder returns a decoder to the pool.\nfunc PutDecoder(d *Decoder) {\n\td.Reset(nil)\n\tdecPool.Put(d)\n}\n"
},
{
"path": "internal/codec/codec_test.go",
"content": "package codec\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/go-cmp/cmp\"\n)\n\nfunc Example() {\n\tenc := GetEncoder(os.Stdout)\n\tdefer PutEncoder(enc)\n\tenc.MustEncode([]string{\"a\", \"slice\", \"of\", \"strings\"})\n\tfmt.Fprintln(os.Stdout)\n\tenc.MustEncode(nil)\n\tfmt.Fprintln(os.Stdout)\n\tenc.MustEncode(map[string]string{})\n\tfmt.Fprintln(os.Stdout)\n\t// Output: [\"a\",\"slice\",\"of\",\"strings\"]\n\t// null\n\t// {}\n}\n\nfunc BenchmarkDecode(b *testing.B) {\n\tb.ReportAllocs()\n\twant := map[string]string{\n\t\t\"a\": strings.Repeat(`A`, 2048),\n\t\t\"b\": strings.Repeat(`B`, 2048),\n\t\t\"c\": strings.Repeat(`C`, 2048),\n\t\t\"d\": strings.Repeat(`D`, 2048),\n\t}\n\tgot := make(map[string]string, len(want))\n\tb.ResetTimer()\n\n\tfor i := 0; i < b.N; i++ {\n\t\tdec := GetDecoder(JSONReader(want))\n\t\terr := dec.Decode(&got)\n\t\tPutDecoder(dec)\n\t\tif err != nil {\n\t\t\tb.Error(err)\n\t\t}\n\t\tif !cmp.Equal(got, want) {\n\t\t\tb.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\nfunc BenchmarkDecodeStdlib(b *testing.B) {\n\tb.ReportAllocs()\n\twant := map[string]string{\n\t\t\"a\": strings.Repeat(`A`, 2048),\n\t\t\"b\": strings.Repeat(`B`, 2048),\n\t\t\"c\": strings.Repeat(`C`, 2048),\n\t\t\"d\": strings.Repeat(`D`, 2048),\n\t}\n\tgot := make(map[string]string, len(want))\n\tb.ResetTimer()\n\n\tfor i := 0; i < b.N; i++ {\n\t\tx, err := json.Marshal(want)\n\t\tif err != nil {\n\t\t\tb.Error(err)\n\t\t}\n\t\tif err := json.Unmarshal(x, &got); err != nil {\n\t\t\tb.Error(err)\n\t\t}\n\t\tif !cmp.Equal(got, want) {\n\t\t\tb.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\nfunc TestTimeNotNull(t *testing.T) {\n\ttype s struct {\n\t\tTime time.Time\n\t}\n\tvar b bytes.Buffer\n\tenc := GetEncoder(&b)\n\tdefer PutEncoder(enc)\n\n\t// Example encoding of a populated time:\n\tif err := enc.Encode(s{Time: time.Unix(0, 0).UTC()}); err != nil {\n\t\tt.Error(err)\n\t}\n\tt.Log(b.String())\n\tb.Reset()\n\n\t// Now encode a zero time and make sure it's a string.\n\tif err := enc.Encode(s{}); err != nil {\n\t\tt.Error(err)\n\t}\n\tt.Log(b.String())\n\tif strings.Contains(b.String(), \"null\") {\n\t\tt.Error(\"wanted non-null encoding\")\n\t}\n}\n"
},
{
"path": "internal/codec/reader.go",
"content": "package codec\n\nimport \"io\"\n\n// JSONReader returns an io.ReadCloser backed by a pipe being fed by a JSON\n// encoder.\nfunc JSONReader(v interface{}) io.ReadCloser {\n\tr, w := io.Pipe()\n\t// This unsupervised goroutine should be fine, because the writer will error\n\t// once the reader is closed.\n\tgo func() {\n\t\tenc := GetEncoder(w)\n\t\tdefer PutEncoder(enc)\n\t\tdefer w.Close()\n\t\tif err := enc.Encode(v); err != nil {\n\t\t\tw.CloseWithError(err)\n\t\t}\n\t}()\n\treturn r\n}\n"
},
{
"path": "internal/httputil/client.go",
"content": "package httputil\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/cookiejar\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"syscall\"\n\n\t\"golang.org/x/net/publicsuffix\"\n\n\t\"github.com/quay/clair/v4/cmd\"\n)\n\n// NewClient constructs an [http.Client] that disallows access to public\n// networks, controlled by the localOnly flag.\n//\n// If disallowed, the reported error will be a [*net.AddrError] with the \"Err\"\n// value of \"disallowed by policy\".\nfunc NewClient(ctx context.Context, localOnly bool) (*http.Client, error) {\n\ttr := http.DefaultTransport.(*http.Transport).Clone()\n\tdialer := &net.Dialer{}\n\t// Set a control function if we're restricting subnets.\n\tif localOnly {\n\t\tdialer.Control = ctlLocalOnly\n\t}\n\ttr.DialContext = dialer.DialContext\n\n\tjar, err := cookiejar.New(&cookiejar.Options{\n\t\tPublicSuffixList: publicsuffix.List,\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &http.Client{\n\t\tTransport: tr,\n\t\tJar: jar,\n\t}, nil\n}\n\nfunc ctlLocalOnly(network, address string, _ syscall.RawConn) error {\n\t// Future-proof for QUIC by allowing UDP here.\n\tif !strings.HasPrefix(network, \"tcp\") && !strings.HasPrefix(network, \"udp\") {\n\t\treturn &net.AddrError{\n\t\t\tAddr: network + \"!\" + address,\n\t\t\tErr: \"disallowed by policy\",\n\t\t}\n\t}\n\thost, _, err := net.SplitHostPort(address)\n\tif err != nil {\n\t\treturn &net.AddrError{\n\t\t\tAddr: network + \"!\" + address,\n\t\t\tErr: \"martian address\",\n\t\t}\n\t}\n\taddr := net.ParseIP(host)\n\tif addr == nil {\n\t\treturn &net.AddrError{\n\t\t\tAddr: network + \"!\" + address,\n\t\t\tErr: \"martian address\",\n\t\t}\n\t}\n\tif !addr.IsPrivate() &&\n\t\t!addr.IsLoopback() &&\n\t\t!addr.IsLinkLocalUnicast() {\n\t\treturn &net.AddrError{\n\t\t\tAddr: network + \"!\" + address,\n\t\t\tErr: \"disallowed by policy\",\n\t\t}\n\t}\n\treturn nil\n}\n\n// NewRequestWithContext is a wrapper around [http.NewRequestWithContext] that\n// sets some defaults in the returned request.\nfunc NewRequestWithContext(ctx context.Context, method, url string, body io.Reader) (*http.Request, error) {\n\t// The one OK use of the normal function.\n\treq, err := http.NewRequestWithContext(ctx, method, url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tp, err := os.Executable()\n\tif err != nil {\n\t\tp = `clair?`\n\t} else {\n\t\tp = filepath.Base(p)\n\t}\n\treq.Header.Set(\"user-agent\", fmt.Sprintf(\"%s/%s\", p, cmd.Version))\n\treturn req, nil\n}\n"
},
{
"path": "internal/httputil/client_test.go",
"content": "package httputil\n\nimport (\n\t\"errors\"\n\t\"net\"\n\t\"testing\"\n)\n\nfunc TestLocalOnly(t *testing.T) {\n\ttt := []struct {\n\t\tNetwork string\n\t\tAddr string\n\t\tErr *net.AddrError\n\t}{\n\t\t{\n\t\t\tNetwork: \"tcp4\",\n\t\t\tAddr: \"192.168.0.1:443\",\n\t\t\tErr: nil,\n\t\t},\n\t\t{\n\t\t\tNetwork: \"tcp4\",\n\t\t\tAddr: \"127.0.0.1:443\",\n\t\t\tErr: nil,\n\t\t},\n\t\t{\n\t\t\tNetwork: \"tcp6\",\n\t\t\tAddr: \"[fe80::]:443\",\n\t\t\tErr: nil,\n\t\t},\n\t\t{\n\t\t\tNetwork: \"tcp4\",\n\t\t\tAddr: \"8.8.8.8:443\",\n\t\t\tErr: &net.AddrError{\n\t\t\t\tAddr: \"tcp4!8.8.8.8:443\",\n\t\t\t\tErr: \"disallowed by policy\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tNetwork: \"tcp6\",\n\t\t\tAddr: \"[2000::]:443\",\n\t\t\tErr: &net.AddrError{\n\t\t\t\tAddr: \"tcp6![2000::]:443\",\n\t\t\t\tErr: \"disallowed by policy\",\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tc := range tt {\n\t\tt.Logf(\"%s!%s\", tc.Network, tc.Addr)\n\t\tvar nErr *net.AddrError\n\t\tgot := ctlLocalOnly(tc.Network, tc.Addr, nil)\n\t\tif errors.As(got, &nErr) {\n\t\t\tif tc.Err.Err != nErr.Err || tc.Err.Addr != nErr.Addr {\n\t\t\t\tt.Errorf(\"got: %v, want: %v\", got, tc.Err)\n\t\t\t}\n\t\t}\n\t}\n}\n"
},
{
"path": "internal/httputil/ratelimiter.go",
"content": "package httputil\n\nimport (\n\t\"net/http\"\n\t\"sync\"\n\n\t\"golang.org/x/time/rate\"\n)\n\n// RateLimiter wraps the provided RoundTripper with a limiter allowing 10\n// requests/second/host.\n//\n// It responds to HTTP 429 responses by automatically decreasing the rate.\nfunc RateLimiter(next http.RoundTripper) http.RoundTripper {\n\treturn &ratelimiter{\n\t\trt: next,\n\t\tlm: sync.Map{},\n\t}\n}\n\n// Ratelimiter implements the limiting by using a concurrent map and Limiter\n// structs.\ntype ratelimiter struct {\n\tlm sync.Map\n\trt http.RoundTripper\n}\n\nconst rateCap = 10\n\n// RoundTrip implements http.RoundTripper.\nfunc (r *ratelimiter) RoundTrip(req *http.Request) (*http.Response, error) {\n\tkey := req.URL.Host\n\tli, ok := r.lm.Load(key)\n\tif !ok {\n\t\t// Limiter allows \"rateCap\" per sec, one at a time.\n\t\tl := rate.NewLimiter(rate.Limit(rateCap), 1)\n\t\tli, _ = r.lm.LoadOrStore(key, l)\n\t}\n\tl := li.(*rate.Limiter)\n\tif err := l.Wait(req.Context()); err != nil {\n\t\treturn nil, err\n\t}\n\tres, err := r.rt.RoundTrip(req)\n\t// This seems to be the contract that http.Transport implements.\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tswitch res.StatusCode {\n\tcase http.StatusOK:\n\t\t// Try increasing on OK.\n\t\tif lim := l.Limit(); lim < rateCap {\n\t\t\tl.SetLimit(lim + 1)\n\t\t}\n\tcase http.StatusTooManyRequests:\n\t\t// Try to allow some requests, eventually.\n\t\tl.SetLimit(detune(l.Limit()))\n\t}\n\treturn res, nil\n}\n\n// Detune reduces the rate.\nfunc detune(in rate.Limit) rate.Limit {\n\tif in <= 1 {\n\t\treturn in / 2\n\t}\n\treturn in - 1\n}\n"
},
{
"path": "internal/httputil/ratelimiter_test.go",
"content": "package httputil\n\nimport (\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n)\n\nfunc TestRate(t *testing.T) {\n\tconst nReq = 20\n\n\tvar wg sync.WaitGroup\n\twg.Add(nReq)\n\tbegin := make(chan struct{})\n\tvar last struct {\n\t\tsync.Mutex\n\t\tt time.Time\n\t}\n\tsrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {\n\t\tlast.Lock()\n\t\tlast.t = time.Now()\n\t\tlast.Unlock()\n\t\tw.WriteHeader(http.StatusOK)\n\t}))\n\tdefer srv.Close()\n\tcl := srv.Client()\n\tcl.Transport = RateLimiter(cl.Transport)\n\n\tfor i := 0; i < nReq; i++ {\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\t\t\t<-begin\n\t\t\tres, err := cl.Get(srv.URL)\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tres.Body.Close()\n\t\t}()\n\t}\n\n\tfirst := time.Now()\n\tclose(begin)\n\twg.Wait()\n\n\tt.Logf(\"begin: %v\", first)\n\tt.Logf(\"end: %v\", last.t)\n\trate := nReq / last.t.Sub(first).Seconds()\n\tt.Logf(\"rate: %v\", rate)\n\n\tif rate < (rateCap-1) || rate > (rateCap+1) {\n\t\tt.Error(\"rate outside acceptable bounds\")\n\t}\n}\n"
},
{
"path": "internal/httputil/responserecorder.go",
"content": "package httputil\n\nimport \"net/http\"\n\n// ResponseRecorder returns a ResponseWriter that records the HTTP status and\n// body length into the provided pointers, and returns another response writer\n// that understand the go 1.20 http `Unwrap` scheme.\nfunc ResponseRecorder(status *int, length *int64, w http.ResponseWriter) http.ResponseWriter {\n\t// Handle nils being passed, just to be nice.\n\tif length == nil {\n\t\tlength = new(int64)\n\t}\n\tif status == nil {\n\t\tstatus = new(int)\n\t}\n\treturn &responseRecord{\n\t\tResponseWriter: w,\n\t\tstatus: status,\n\t\tlength: length,\n\t}\n}\n\nvar _ http.ResponseWriter = (*responseRecord)(nil)\n\ntype responseRecord struct {\n\thttp.ResponseWriter\n\tstatus *int\n\tlength *int64\n\twritecall bool\n}\n\nfunc (r *responseRecord) Unwrap() http.ResponseWriter {\n\treturn r.ResponseWriter\n}\n\nfunc (r *responseRecord) WriteHeader(c int) {\n\tif r.writecall {\n\t\treturn\n\t}\n\t*r.status = c\n\tr.ResponseWriter.WriteHeader(c)\n\tr.writecall = true\n}\n\nfunc (r *responseRecord) Write(b []byte) (int, error) {\n\tr.WriteHeader(http.StatusOK)\n\tn, err := r.ResponseWriter.Write(b)\n\t*r.length += int64(n)\n\treturn n, err\n}\n"
},
{
"path": "internal/httputil/responserecorder_test.go",
"content": "package httputil\n\nimport (\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n)\n\nfunc TestResponseRecorder(t *testing.T) {\n\tt.Run(\"OK\", func(t *testing.T) {\n\t\tvar status int\n\t\tvar length int64\n\n\t\trec := httptest.NewRecorder()\n\t\tw := ResponseRecorder(&status, &length, rec)\n\n\t\tsz := 512\n\t\tif n, err := w.Write(make([]byte, sz)); err != nil || n != sz {\n\t\t\tt.Errorf(\"unexpected Write return: (%v, %v)\", n, err)\n\t\t}\n\t\tt.Logf(\"wrote %d bytes, status %q\", length, http.StatusText(status))\n\t\tif got, want := status, http.StatusOK; got != want {\n\t\t\tt.Errorf(\"bad status; got: %d, want: %d\", got, want)\n\t\t}\n\t\tif got, want := length, int64(sz); got != want {\n\t\t\tt.Errorf(\"bad length; got: %d, want: %d\", got, want)\n\t\t}\n\t})\n\n\tt.Run(\"Error\", func(t *testing.T) {\n\t\tvar status int\n\t\tvar length int64\n\t\tsc := http.StatusInternalServerError\n\n\t\trec := httptest.NewRecorder()\n\t\tw := ResponseRecorder(&status, &length, rec)\n\n\t\tsz := 512\n\t\tw.WriteHeader(sc)\n\t\tif n, err := w.Write(make([]byte, sz)); err != nil || n != sz {\n\t\t\tt.Errorf(\"unexpected Write return: (%v, %v)\", n, err)\n\t\t}\n\t\tt.Logf(\"wrote %d bytes, status %q\", length, http.StatusText(status))\n\t\tif got, want := status, sc; got != want {\n\t\t\tt.Errorf(\"bad status; got: %d, want: %d\", got, want)\n\t\t}\n\t\tif got, want := length, int64(sz); got != want {\n\t\t\tt.Errorf(\"bad length; got: %d, want: %d\", got, want)\n\t\t}\n\t})\n}\n"
},
{
"path": "internal/httputil/signer.go",
"content": "package httputil\n\nimport (\n\t\"context\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v3\"\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n\t\"github.com/quay/clair/config\"\n)\n\n// NewSigner constructs a signer according to the provided Config and claim.\n//\n// The returned Signer only adds headers for the hosts specified in the\n// following spots:\n//\n// - $.notifier.webhook.target\n// - $.notifier.indexer_addr\n// - $.notifier.matcher_addr\n// - $.matcher.indexer_addr\nfunc NewSigner(ctx context.Context, cfg *config.Config, cl jwt.Claims) (*Signer, error) {\n\ts := Signer{\n\t\tuse: make(map[string]struct{}),\n\t\tclaim: cl,\n\t}\n\tif cfg.Auth.PSK == nil {\n\t\tslog.DebugContext(ctx, \"authentication disabled\")\n\t\treturn &s, nil\n\t}\n\tif cfg.Notifier.Webhook != nil {\n\t\tif err := s.Add(ctx, cfg.Notifier.Webhook.Target); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tif err := s.Add(ctx, cfg.Notifier.IndexerAddr); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := s.Add(ctx, cfg.Notifier.MatcherAddr); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := s.Add(ctx, cfg.Matcher.IndexerAddr); err != nil {\n\t\treturn nil, err\n\t}\n\n\tsk := jose.SigningKey{\n\t\tAlgorithm: jose.HS256,\n\t\tKey: []byte(cfg.Auth.PSK.Key),\n\t}\n\tsigner, err := jose.NewSigner(sk, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ts.signer = signer\n\tif l := slog.Default(); l.Enabled(ctx, slog.LevelDebug) {\n\t\tas := make([]string, 0, len(s.use))\n\t\tfor a := range s.use {\n\t\t\tas = append(as, a)\n\t\t}\n\t\tl.DebugContext(ctx, \"enabling signing for authorities\",\n\t\t\t\"authorities\", as)\n\t}\n\treturn &s, nil\n}\n\n// Add marks the authority in \"uri\" as one that expects signed requests.\nfunc (s *Signer) Add(ctx context.Context, uri string) error {\n\tif uri == \"\" {\n\t\treturn nil\n\t}\n\tu, err := url.Parse(uri)\n\tif err != nil {\n\t\treturn err\n\t}\n\ta := u.Host\n\ts.use[a] = struct{}{}\n\treturn nil\n}\n\n// Signer signs requests.\ntype Signer struct {\n\tsigner jose.Signer\n\tuse map[string]struct{}\n\tclaim jwt.Claims\n}\n\n// Sign modifies the passed [http.Request] as needed.\nfunc (s *Signer) Sign(ctx context.Context, req *http.Request) error {\n\tif s == nil || s.signer == nil {\n\t\treturn nil\n\t}\n\thost := req.Host\n\tif host == \"\" {\n\t\thost = req.URL.Host\n\t}\n\tif _, ok := s.use[host]; !ok {\n\t\treturn nil\n\t}\n\tcl := s.claim\n\tnow := time.Now()\n\tcl.IssuedAt = jwt.NewNumericDate(now)\n\tcl.NotBefore = jwt.NewNumericDate(now.Add(-jwt.DefaultLeeway))\n\tcl.Expiry = jwt.NewNumericDate(now.Add(jwt.DefaultLeeway))\n\th, err := jwt.Signed(s.signer).Claims(&cl).CompactSerialize()\n\tif err != nil {\n\t\treturn err\n\t}\n\treq.Header.Add(\"authorization\", \"Bearer \"+h)\n\treturn nil\n}\n"
},
{
"path": "internal/logging/logging.go",
"content": "// Package logging holds the logging singletons for Clair.\n//\n// An init function sets the [slog] default Logger.\npackage logging\n\nimport (\n\t\"log/slog\"\n\t\"os\"\n\n\t\"github.com/quay/claircore/toolkit/log\"\n\t\"github.com/quay/zlog/v2\"\n)\n\nfunc init() {\n\tslog.SetLogLoggerLevel(slog.LevelDebug)\n\tSetLogger(DefaultOptions())\n}\n\n// Level is the [slog.Leveler] that the [zlog.Options] returned by\n// [DefaultOptions] points to.\nvar Level slog.LevelVar\n\n// DefaultOptions returns a default set of options for a zlog/v2 [slog.Handler].\nfunc DefaultOptions() *zlog.Options {\n\treturn &zlog.Options{\n\t\tLevel: &Level,\n\t\tContextKey: log.AttrsKey,\n\t\tLevelKey: log.LevelKey,\n\t}\n}\n\n// SetLogger configures the default [slog.Logger] to use a zlog-backed\n// [slog.Handler] writing to [os.Stderr] using the passed [zlog.Options].\nfunc SetLogger(opts *zlog.Options) {\n\tslog.SetDefault(slog.New(zlog.NewHandler(os.Stderr, opts)))\n}\n"
},
{
"path": "introspection/otlp.go",
"content": "package introspection\n\nimport (\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"time\"\n\n\t\"github.com/quay/clair/config\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp\"\n\t\"google.golang.org/grpc/credentials\"\n)\n\n// This file holds all the OTLP weirdness.\n//\n// Most of the options are the same internally, but have a bunch of type ceremony around them to obfuscate this.\n\n// OtlpHooks is a hook structure for using the correct types with the various OTLP exporters.\n// The declared variables are largely duplicates, with the real logic living in [otlpHooks.Options].\n//\n// The type parameter \"O\" should really be a sum type, but that's currently inexpressible.\ntype otlpHooks[O any] struct {\n\tWithCompressor func(config.OTLPCompressor) O\n\tWithEndpoint func(string) O\n\tWithHeaders func(map[string]string) O\n\tWithInsecure func() O\n\tWithTimeout func(time.Duration) O\n\tWithTLSClientConfig func(*tls.Config) O\n\n\tWithURLPath func(string) O\n\n\tWithReconnectionPeriod func(time.Duration) O\n\tWithServiceConfig func(string) O\n}\n\n// Options returns the correct Options to pass into the constructor based on the receiver type.\n//\n// This function will panic if called in unexpected ways. To be safe:\n//\n// - Only use the provided instances ([omhHooks], [omgHooks], [othHooks], [otgHooks]).\n// - Read the implementation.\nfunc (h *otlpHooks[O]) Options(v any) (opts []O, err error) {\n\tswitch cfg := v.(type) {\n\t// Signal-specific options.\n\t//\n\t// Currently, none; recurse to the transport options.\n\tcase *config.MetricOTLPHTTP:\n\t\topts, err = h.Options(&cfg.OTLPHTTPCommon)\n\tcase *config.TraceOTLPHTTP:\n\t\topts, err = h.Options(&cfg.OTLPHTTPCommon)\n\tcase *config.MetricOTLPgRPC:\n\t\topts, err = h.Options(&cfg.OTLPgRPCCommon)\n\tcase *config.TraceOTLPgRPC:\n\t\topts, err = h.Options(&cfg.OTLPgRPCCommon)\n\n\t// Transport-specific options.\n\t//\n\t// Recurse to the common options then return the transport options, in case of some ordering oddness.\n\t// Will panic if called on the wrong receiver, as some of the members will (purposefully!) be nil.\n\tcase *config.OTLPHTTPCommon:\n\t\topts, err = h.Options(&cfg.OTLPCommon)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif p := cfg.URLPath; p != \"\" {\n\t\t\topts = append(opts, h.WithURLPath(p))\n\t\t}\n\tcase *config.OTLPgRPCCommon:\n\t\topts, err = h.Options(&cfg.OTLPCommon)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif r := cfg.Reconnect; r != nil {\n\t\t\topts = append(opts, h.WithReconnectionPeriod(time.Duration(*r)))\n\t\t}\n\t\tif srv := cfg.ServiceConfig; srv != \"\" {\n\t\t\topts = append(opts, h.WithServiceConfig(srv))\n\t\t}\n\n\t// Common options.\n\tcase *config.OTLPCommon:\n\t\tif e := cfg.Endpoint; e != \"\" {\n\t\t\topts = append(opts, h.WithEndpoint(e))\n\t\t}\n\t\topts = append(opts, h.WithCompressor(cfg.Compression))\n\t\tif len(cfg.Headers) != 0 {\n\t\t\topts = append(opts, h.WithHeaders(cfg.Headers))\n\t\t}\n\t\tif cfg.Insecure {\n\t\t\topts = append(opts, h.WithInsecure())\n\t\t}\n\t\tif t := cfg.Timeout; t != nil {\n\t\t\topts = append(opts, h.WithTimeout(time.Duration(*t)))\n\t\t}\n\t\tif tc := cfg.ClientTLS; tc != nil {\n\t\t\ttlscfg, err := tc.Config()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"TLS client configuration error: %w\", err)\n\t\t\t}\n\t\t\topts = append(opts, h.WithTLSClientConfig(tlscfg))\n\t\t}\n\n\t// Make the switch exhaustive.\n\tdefault:\n\t\tpanic(fmt.Sprintf(\"programmer error: unexpected type: %T\", v))\n\t}\n\treturn opts, nil\n}\n\n// In order, these instances are for:\n//\n// - Metrics HTTP\n// - Metrics gRPC\n// - Traces HTTP\n// - Traces gRPC\nvar (\n\tomhHooks = otlpHooks[otlpmetrichttp.Option]{\n\t\tWithCompressor: otlpCompressorHook(\n\t\t\totlpmetrichttp.WithCompression(otlpmetrichttp.NoCompression),\n\t\t\totlpmetrichttp.WithCompression(otlpmetrichttp.GzipCompression),\n\t\t),\n\t\tWithEndpoint: otlpmetrichttp.WithEndpoint,\n\t\tWithHeaders: otlpmetrichttp.WithHeaders,\n\t\tWithInsecure: otlpmetrichttp.WithInsecure,\n\t\tWithTimeout: otlpmetrichttp.WithTimeout,\n\t\tWithTLSClientConfig: otlpmetrichttp.WithTLSClientConfig,\n\t\tWithURLPath: otlpmetrichttp.WithURLPath,\n\t}\n\tomgHooks = otlpHooks[otlpmetricgrpc.Option]{\n\t\tWithCompressor: otlpCompressorHook(\n\t\t\totlpmetricgrpc.WithCompressor(\"none\"),\n\t\t\totlpmetricgrpc.WithCompressor(\"gzip\"),\n\t\t),\n\t\tWithEndpoint: otlpmetricgrpc.WithEndpoint,\n\t\tWithHeaders: otlpmetricgrpc.WithHeaders,\n\t\tWithInsecure: otlpmetricgrpc.WithInsecure,\n\t\tWithTimeout: otlpmetricgrpc.WithTimeout,\n\t\tWithTLSClientConfig: grpcTLSHook(otlpmetricgrpc.WithTLSCredentials),\n\t\tWithReconnectionPeriod: otlpmetricgrpc.WithReconnectionPeriod,\n\t\tWithServiceConfig: otlpmetricgrpc.WithServiceConfig,\n\t}\n\tothHooks = otlpHooks[otlptracehttp.Option]{\n\t\tWithCompressor: otlpCompressorHook(\n\t\t\totlptracehttp.WithCompression(otlptracehttp.NoCompression),\n\t\t\totlptracehttp.WithCompression(otlptracehttp.GzipCompression),\n\t\t),\n\t\tWithEndpoint: otlptracehttp.WithEndpoint,\n\t\tWithHeaders: otlptracehttp.WithHeaders,\n\t\tWithInsecure: otlptracehttp.WithInsecure,\n\t\tWithTimeout: otlptracehttp.WithTimeout,\n\t\tWithTLSClientConfig: otlptracehttp.WithTLSClientConfig,\n\t\tWithURLPath: otlptracehttp.WithURLPath,\n\t}\n\totgHooks = otlpHooks[otlptracegrpc.Option]{\n\t\tWithCompressor: otlpCompressorHook(\n\t\t\totlptracegrpc.WithCompressor(\"none\"),\n\t\t\totlptracegrpc.WithCompressor(\"gzip\"),\n\t\t),\n\t\tWithEndpoint: otlptracegrpc.WithEndpoint,\n\t\tWithHeaders: otlptracegrpc.WithHeaders,\n\t\tWithInsecure: otlptracegrpc.WithInsecure,\n\t\tWithTimeout: otlptracegrpc.WithTimeout,\n\t\tWithTLSClientConfig: grpcTLSHook(otlptracegrpc.WithTLSCredentials),\n\t\tWithReconnectionPeriod: otlptracegrpc.WithReconnectionPeriod,\n\t\tWithServiceConfig: otlptracegrpc.WithServiceConfig,\n\t}\n)\n\n// OtlpCompressorHook maps from the [config.OTLPCompressor] type to the correct option.\n//\n// The type parameter is too broad, see also [otlpHooks].\n// This function causes some extra garbage to be created.\n// Inlining and simplifying at use sites would prevent the options from being constructed until needed,\n// but consolidates the precedence and default logic.\nfunc otlpCompressorHook[O any](none, gzip O) func(config.OTLPCompressor) O {\n\treturn func(z config.OTLPCompressor) O {\n\t\tswitch z {\n\t\tcase config.OTLPCompressUnset: // Actual default:\n\t\t\tfallthrough\n\t\tcase config.OTLPCompressNone:\n\t\t\treturn none\n\t\tcase config.OTLPCompressGzip:\n\t\t\treturn gzip\n\t\tdefault:\n\t\t\tpanic(\"unreachable: exhaustive switch\")\n\t\t}\n\t}\n}\n\n// GrpcTLSHook maps a [tls.Config] to a correctly typed option.\n//\n// The type parameter is too broad, see also [otlpHooks].\nfunc grpcTLSHook[O any](f func(credentials.TransportCredentials) O) func(*tls.Config) O {\n\treturn func(c *tls.Config) O { return f(credentials.NewTLS(c)) }\n}\n"
},
{
"path": "introspection/server.go",
"content": "// Package introspection holds the implementation details for the\n// \"introspection\" HTTP server that Clair hosts.\npackage introspection\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/pprof\"\n\t\"time\"\n\n\tdeltapprof \"github.com/grafana/pyroscope-go/godeltaprof/http/pprof\"\n\t\"github.com/prometheus/client_golang/prometheus/promhttp\"\n\t\"github.com/quay/clair/config\"\n\t\"go.opentelemetry.io/otel\"\n\t\"go.opentelemetry.io/otel/exporters/jaeger\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc\"\n\t\"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp\"\n\t\"go.opentelemetry.io/otel/exporters/prometheus\"\n\t\"go.opentelemetry.io/otel/exporters/stdout/stdoutmetric\"\n\t\"go.opentelemetry.io/otel/exporters/stdout/stdouttrace\"\n\t\"go.opentelemetry.io/otel/sdk/metric\"\n\t\"go.opentelemetry.io/otel/sdk/resource\"\n\tsdktrace \"go.opentelemetry.io/otel/sdk/trace\"\n\tsemconv \"go.opentelemetry.io/otel/semconv/v1.27.0\"\n\n\t\"github.com/quay/clair/v4/health\"\n)\n\n// Valid backends for both metrics and traces.\nconst (\n\tStdout = \"stdout\"\n\tOTLP = \"otlp\"\n)\n\n// Valid backends for metrics.\nconst (\n\tProm = \"prometheus\"\n)\n\n// Valid backends for traces.\nconst (\n\tJaeger = \"jaeger\"\n)\n\n// Endpoints on the introspection HTTP server.\nconst (\n\tDefaultPromEndpoint = \"/metrics\"\n\tHealthEndpoint = \"/healthz\"\n\tReadyEndpoint = \"/readyz\"\n)\n\n// DefaultIntrospectionAddr is the default address if not provided in the configuration.\nconst DefaultIntrospectionAddr = \":8089\"\n\n// Server provides an HTTP server exposing Clair metrics and debugging information.\ntype Server struct {\n\t// configuration provided when starting Clair\n\tconf *config.Config\n\t// Server embeds a http.Server and http.ServeMux.\n\t// The http.Server will be configured with the ServeMux on successful\n\t// initialization.\n\t*http.Server\n\t*http.ServeMux\n\t// a health check function\n\thealth func() bool\n}\n\n// New constructs a [*Server], which has an embedded [*http.Server].\nfunc New(ctx context.Context, conf *config.Config, health func() bool) (*Server, error) {\n\tvar err error\n\tvar addr string\n\tif conf.IntrospectionAddr == \"\" {\n\t\taddr = DefaultIntrospectionAddr\n\t\tslog.InfoContext(ctx, \"no introspection address provided; using default\",\n\t\t\t\"address\", addr)\n\t} else {\n\t\taddr = conf.IntrospectionAddr\n\t}\n\n\ti := &Server{\n\t\tconf: conf,\n\t\tServer: &http.Server{\n\t\t\tAddr: addr,\n\t\t\tBaseContext: func(_ net.Listener) context.Context { return ctx },\n\t\t},\n\t\tServeMux: http.NewServeMux(),\n\t}\n\n\t// check for health\n\tif health == nil {\n\t\tslog.WarnContext(ctx, \"no health check configured; unconditionally reporting OK\")\n\t\ti.health = func() bool { return true }\n\t} else {\n\t\ti.health = health\n\t}\n\n\t// Configure metrics\n\tvar mr metric.Reader\n\tswitch conf.Metrics.Name {\n\tcase Stdout:\n\t\tvar ex metric.Exporter\n\t\tex, err = stdoutmetric.New()\n\t\tif err != nil {\n\t\t\tbreak\n\t\t}\n\t\tmr = metric.NewPeriodicReader(ex)\n\tcase Prom, \"\":\n\t\tendpoint := DefaultPromEndpoint\n\t\tif p := conf.Metrics.Prometheus.Endpoint; p != nil {\n\t\t\tendpoint = *p\n\t\t}\n\t\tslog.InfoContext(ctx, \"configuring prometheus\",\n\t\t\t\"endpoint\", endpoint,\n\t\t\t\"server\", i.Addr)\n\n\t\ti.Handle(endpoint, promhttp.Handler())\n\n\t\tmr, err = prometheus.New()\n\tcase OTLP:\n\t\tconf := i.conf.Trace.OTLP\n\t\tif conf.GRPC == nil && conf.HTTP == nil {\n\t\t\treturn nil, fmt.Errorf(`must define either \"grpc\" or \"http\" transport for otlp traces`)\n\t\t}\n\n\t\tvar ex metric.Exporter\n\t\tswitch {\n\t\tcase conf.GRPC != nil:\n\t\t\tvar opts []otlpmetricgrpc.Option\n\t\t\topts, err = omgHooks.Options(conf.GRPC)\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tex, err = otlpmetricgrpc.New(ctx, opts...)\n\t\tcase conf.HTTP != nil:\n\t\t\tvar opts []otlpmetrichttp.Option\n\t\t\topts, err = omhHooks.Options(conf.HTTP)\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tex, err = otlpmetrichttp.New(ctx, opts...)\n\t\tdefault:\n\t\t\tpanic(\"programmer error: exhaustive switch\")\n\t\t}\n\t\tif err != nil {\n\t\t\tbreak\n\t\t}\n\n\t\t// Print a warning as long as direct prometheus metrics exist in \"our\" packages.\n\t\tslog.WarnContext(ctx, \"OTLP metrics should be considered beta; metrics may be missing\")\n\t\tmr = metric.NewPeriodicReader(ex)\n\tdefault:\n\t\tslog.InfoContext(ctx, \"no metrics enabled\")\n\t}\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error configuring metrics: %w\", err)\n\t}\n\tif mr != nil {\n\t\tmp := metric.NewMeterProvider(\n\t\t\tmetric.WithReader(mr),\n\t\t\tmetric.WithResource(resource.NewWithAttributes(\n\t\t\t\tsemconv.SchemaURL,\n\t\t\t\tsemconv.ServiceNameKey.String(fmt.Sprintf(\"clairv4/%v\", i.conf.Mode)),\n\t\t\t)),\n\t\t)\n\t\totel.SetMeterProvider(mp)\n\t\ti.Server.RegisterOnShutdown(func() {\n\t\t\tctx, cancel := context.WithTimeout(ctx, 5*time.Second)\n\t\t\tdefer cancel()\n\t\t\tif err := mp.Shutdown(ctx); err != nil {\n\t\t\t\tslog.ErrorContext(ctx, \"error shutting down metric provider\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t}\n\t\t})\n\t}\n\n\t// configure tracing\n\t// sampler\n\tvar sampler sdktrace.Sampler\n\tswitch {\n\tcase i.conf.LogLevel == config.DebugLog || i.conf.LogLevel == config.DebugColorLog:\n\t\tsampler = sdktrace.AlwaysSample()\n\tcase i.conf.Trace.Probability != nil:\n\t\tp := *i.conf.Trace.Probability\n\t\tsampler = sdktrace.ParentBased(\n\t\t\tsdktrace.TraceIDRatioBased(p),\n\t\t)\n\tdefault:\n\t\tsampler = sdktrace.ParentBased(sdktrace.NeverSample())\n\t}\n\n\t// trace exporter\n\tvar exporter sdktrace.SpanExporter\n\tswitch conf.Trace.Name {\n\tcase Stdout:\n\t\texporter, err = stdouttrace.New()\n\tcase Jaeger:\n\t\tconf := i.conf.Trace.Jaeger\n\t\tvar mode string\n\t\tvar endpoint string\n\n\t\t// configure whether jaeger exporter pushes to an agent\n\t\t// or a collector\n\t\tswitch {\n\t\tcase conf.Agent.Endpoint != \"\":\n\t\t\tmode = \"agent\"\n\t\t\tendpoint = conf.Agent.Endpoint\n\t\tcase conf.Collector.Endpoint != \"\":\n\t\t\tmode = \"collector\"\n\t\t\tendpoint = conf.Collector.Endpoint\n\t\tdefault:\n\t\t\tmode = \"agent\"\n\t\t}\n\n\t\tvar e jaeger.EndpointOption\n\t\tswitch mode {\n\t\tcase \"agent\":\n\t\t\tslog.InfoContext(ctx, \"configuring jaeger exporter to push to agent\")\n\t\t\tvar opt []jaeger.AgentEndpointOption\n\t\t\tif endpoint != \"\" {\n\t\t\t\thost, port, err := net.SplitHostPort(endpoint)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, fmt.Errorf(\"error configuring jaeger tracing: %w\", err)\n\t\t\t\t}\n\t\t\t\tif host != \"\" {\n\t\t\t\t\topt = append(opt, jaeger.WithAgentHost(host))\n\t\t\t\t}\n\t\t\t\tif port != \"\" {\n\t\t\t\t\topt = append(opt, jaeger.WithAgentPort(port))\n\t\t\t\t}\n\t\t\t}\n\t\t\te = jaeger.WithAgentEndpoint(opt...)\n\t\tcase \"collector\":\n\t\t\tslog.InfoContext(ctx, \"configuring jaeger exporter to push to collector\")\n\t\t\tvar opt []jaeger.CollectorEndpointOption\n\t\t\tif endpoint != \"\" {\n\t\t\t\topt = append(opt, jaeger.WithEndpoint(endpoint))\n\t\t\t}\n\t\t\tu, p := conf.Collector.Username, conf.Collector.Password\n\t\t\tif u != nil {\n\t\t\t\topt = append(opt, jaeger.WithUsername(*u))\n\t\t\t}\n\t\t\tif p != nil {\n\t\t\t\topt = append(opt, jaeger.WithPassword(*p))\n\t\t\t}\n\t\t\te = jaeger.WithCollectorEndpoint(opt...)\n\t\t}\n\n\t\t// configure the exporter\n\t\texporter, err = jaeger.New(e)\n\tcase OTLP:\n\t\tconf := i.conf.Trace.OTLP\n\t\tif conf.GRPC == nil && conf.HTTP == nil {\n\t\t\treturn nil, fmt.Errorf(`must define either \"grpc\" or \"http\" transport for otlp traces`)\n\t\t}\n\n\t\tvar c otlptrace.Client\n\t\tswitch {\n\t\tcase conf.GRPC != nil:\n\t\t\tvar opts []otlptracegrpc.Option\n\t\t\topts, err = otgHooks.Options(conf.GRPC)\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tc = otlptracegrpc.NewClient(opts...)\n\t\tcase conf.HTTP != nil:\n\t\t\tvar opts []otlptracehttp.Option\n\t\t\topts, err = othHooks.Options(conf.HTTP)\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tc = otlptracehttp.NewClient(opts...)\n\t\tdefault:\n\t\t\tpanic(\"programmer error: exhaustive switch\")\n\t\t}\n\t\tif err != nil {\n\t\t\tbreak\n\t\t}\n\n\t\texporter, err = otlptrace.New(ctx, c)\n\tdefault:\n\t\tslog.InfoContext(ctx, \"no distributed tracing enabled\")\n\t}\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error configuring tracing: %w\", err)\n\t}\n\tif exporter != nil {\n\t\ttp := sdktrace.NewTracerProvider(\n\t\t\tsdktrace.WithSampler(sampler),\n\t\t\tsdktrace.WithBatcher(exporter),\n\t\t\tsdktrace.WithResource(resource.NewWithAttributes(\n\t\t\t\tsemconv.SchemaURL,\n\t\t\t\tsemconv.ServiceNameKey.String(fmt.Sprintf(\"clairv4/%v\", i.conf.Mode)),\n\t\t\t)),\n\t\t)\n\t\totel.SetTracerProvider(tp)\n\t\ti.Server.RegisterOnShutdown(func() {\n\t\t\tslog.InfoContext(ctx, \"shutting down trace provider\")\n\t\t\tctx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 5*time.Second)\n\t\t\tdefer cancel()\n\t\t\tif err := tp.Shutdown(ctx); err != nil {\n\t\t\t\tslog.ErrorContext(ctx, \"error shutting down trace provider\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t}\n\t\t})\n\t\tslog.InfoContext(ctx, \"distributed tracing configured\")\n\t}\n\n\t// configure diagnostics\n\terr = i.withDiagnostics(ctx)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error configuring diagnostics: %v\", err)\n\t}\n\tif err := i.withReady(ctx); err != nil {\n\t\treturn nil, fmt.Errorf(\"error configuring ready: %v\", err)\n\t}\n\n\t// attach Introspection to server, this works because we embed http.ServeMux\n\ti.Server.Handler = i\n\n\treturn i, nil\n}\n\n// WithDiagnostics enables healthz and pprof endpoints.\nfunc (i *Server) withDiagnostics(_ context.Context) error {\n\thealth := i.health\n\ti.HandleFunc(HealthEndpoint, func(w http.ResponseWriter, r *http.Request) {\n\t\tw.Header().Set(\"X-Content-Type-Options\", \"nosniff\")\n\t\tw.Header().Set(\"Content-Type\", \"text/plain; charset=utf-8\")\n\t\tif !health() {\n\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t\treturn\n\t\t}\n\t\tfmt.Fprint(w, `ok`)\n\t})\n\ti.HandleFunc(\"/debug/pprof/\", pprof.Index)\n\ti.HandleFunc(\"/debug/pprof/cmdline\", pprof.Cmdline)\n\ti.HandleFunc(\"/debug/pprof/profile\", pprof.Profile)\n\ti.HandleFunc(\"/debug/pprof/symbol\", pprof.Symbol)\n\ti.HandleFunc(\"/debug/pprof/trace\", pprof.Trace)\n\ti.HandleFunc(\"/debug/pprof/delta_heap\", deltapprof.Heap)\n\ti.HandleFunc(\"/debug/pprof/delta_block\", deltapprof.Block)\n\ti.HandleFunc(\"/debug/pprof/delta_mutex\", deltapprof.Mutex)\n\treturn nil\n}\n\nfunc (i *Server) withReady(_ context.Context) error {\n\ti.ServeMux.Handle(ReadyEndpoint, health.ReadinessHandler())\n\treturn nil\n}\n"
},
{
"path": "local-dev/clair/.gitignore",
"content": "quay.yaml\n"
},
{
"path": "local-dev/clair/config.yaml",
"content": "---\nlog_level: debug-color\nintrospection_addr: \":8089\"\nhttp_listen_addr: \":6060\"\nupdaters:\n sets:\n - ubuntu\n - debian\n - rhel-vex\n - alpine\n - osv\nauth:\n psk:\n key: 'c2VjcmV0'\n iss:\n - quay\n - clairctl\nindexer:\n connstring: host=clair-database user=clair dbname=indexer sslmode=disable\n scanlock_retry: 10\n layer_scan_concurrency: 5\n migrations: true\nmatcher:\n indexer_addr: http://clair-indexer:6060/\n connstring: host=clair-database user=clair dbname=matcher sslmode=disable\n max_conn_pool: 100\n migrations: true\nmatchers: {}\nnotifier:\n indexer_addr: http://clair-indexer:6060/\n matcher_addr: http://clair-matcher:6060/\n connstring: host=clair-database user=clair dbname=notifier sslmode=disable\n migrations: true\n delivery_interval: 1m\n poll_interval: 1m\n webhook:\n target: \"http://webhook-target/\"\n callback: \"http://clair-notifier:6060/notifier/api/v1/notification/\"\n # amqp:\n # direct: true\n # exchange:\n # name: \"\"\n # type: \"direct\"\n # durable: true\n # auto_delete: false\n # uris: [\"amqp://guest:guest@clair-rabbitmq:5672/\"]\n # routing_key: \"notifications\"\n # callback: \"http://clair-notifier/notifier/api/v1/notification\"\n# tracing and metrics config\ntrace:\n name: \"otlp\"\n# probability: 1\n otlp:\n http:\n endpoint: \"clair-jaeger:4318\"\n insecure: true\nmetrics:\n name: \"prometheus\"\n"
},
{
"path": "local-dev/clair/config.yaml.d/.gitignore",
"content": "*\n!.gitignore\n"
},
{
"path": "local-dev/clair/init.sql",
"content": "CREATE USER clair WITH PASSWORD 'clair';\nCREATE USER quay WITH PASSWORD 'quay';\nCREATE DATABASE indexer WITH OWNER clair;\nCREATE DATABASE matcher WITH OWNER clair;\nCREATE DATABASE notifier WITH OWNER clair;\nCREATE DATABASE quay WITH OWNER quay;\n\\connect matcher\nCREATE EXTENSION \"uuid-ossp\";\n\\connect notifier\nCREATE EXTENSION \"uuid-ossp\";\n\\connect quay\nCREATE EXTENSION \"pg_trgm\";\n"
},
{
"path": "local-dev/clair/quay.yaml.d/.gitignore",
"content": "*\n!.gitignore\n"
},
{
"path": "local-dev/grafana/provisioning/dashboards/clair.json",
"content": "{\n \"annotations\": {\n \"list\": [\n {\n \"builtIn\": 1,\n \"datasource\": \"-- Grafana --\",\n \"enable\": true,\n \"hide\": true,\n \"iconColor\": \"rgba(0, 211, 255, 1)\",\n \"name\": \"Annotations & Alerts\",\n \"target\": {\n \"limit\": 100,\n \"matchAny\": false,\n \"tags\": [],\n \"type\": \"dashboard\"\n },\n \"type\": \"dashboard\"\n }\n ]\n },\n \"editable\": true,\n \"gnetId\": null,\n \"graphTooltip\": 1,\n \"iteration\": 1694452951165,\n \"links\": [],\n \"panels\": [\n {\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 0\n },\n \"id\": 24,\n \"title\": \"Runtime metrics\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 1\n },\n \"id\": 26,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (scanned_before) (rate(claircore_indexer_scanned_manifests[$rate]))\",\n \"interval\": \"\",\n \"legendFormat\": \"{{scanned_before}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Previously scanned manifests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n }\n },\n \"mappings\": []\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 1\n },\n \"id\": 32,\n \"options\": {\n \"legend\": {\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"pieType\": \"pie\",\n \"reduceOptions\": {\n \"calcs\": [\n \"lastNotNull\"\n ],\n \"fields\": \"\",\n \"values\": false\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (scanned_before) (rate(claircore_indexer_scanned_manifests[$rate]))\",\n \"interval\": \"\",\n \"legendFormat\": \"{{scanned_before}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Previously scanned rate\",\n \"type\": \"piechart\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 9\n },\n \"id\": 35,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum (clair_cmd_version_info) by (job, goversion)\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{job}} - {{goversion}}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum (clair_cmd_version_info) by(job, version)\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{job}} clair - {{version}}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum (clair_cmd_version_info) by(job, claircore_version)\",\n \"interval\": \"\",\n \"legendFormat\": \"{{job}} claircore - {{claircore_version}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Versions\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 9\n },\n \"id\": 45,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_http_concurrencylimited_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"Endpoint: {{ endpoint }} Method: {{ method }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Ratelimiting / s\",\n \"type\": \"timeseries\"\n },\n {\n \"collapsed\": false,\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 17\n },\n \"id\": 18,\n \"panels\": [],\n \"title\": \"Database Indexer\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 7,\n \"w\": 24,\n \"x\": 0,\n \"y\": 18\n },\n \"id\": 20,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_setindexreport_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"IndexReport: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_layerscanned_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"LayerScanned: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_manifestscanned_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"ManifestScanned: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_persistmanifest_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"PersistManifest: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_registerscanners_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"RegisterScanners: {{instance }}: {{ query }}\",\n \"refId\": \"E\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_indexer_setindexreport_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"SetIndexReport: {{instance }}: {{ query }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"Database query count (indexer)\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 0,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 22,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"repeat\": null,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_setindexreport_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Set index_report query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 4,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 48,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_layerscanned_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"B\"\n }\n ],\n \"title\": \"Layer scanned query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 8,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 51,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_persistmanifest_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Persist manifest query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 12,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 52,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_manifestscanned_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"C\"\n }\n ],\n \"title\": \"Manifest scanned query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 16,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 53,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_registerscanners_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Register scanners query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 20,\n \"y\": 25\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 54,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_indexer_setindexfinished_duration_seconds_bucket[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"Set index finished query duration\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"transformations\": [\n {\n \"id\": \"groupBy\",\n \"options\": {\n \"fields\": {\n \"IndexReport\": {\n \"aggregations\": [\n \"lastNotNull\"\n ],\n \"operation\": null\n },\n \"LayerScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"ManifestScanned\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"PersistManifest\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"RegisterScanners\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"SetIndexReport\": {\n \"aggregations\": [],\n \"operation\": null\n },\n \"Time\": {\n \"aggregations\": [\n \"sum\"\n ],\n \"operation\": null\n }\n }\n }\n }\n ],\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 24,\n \"x\": 0,\n \"y\": 33\n },\n \"id\": 63,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_idle_conns{application_name=\\\"libindex\\\"})\",\n \"interval\": \"\",\n \"legendFormat\": \"idle\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_max_conns{application_name=\\\"libindex\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"max\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_total_conns{application_name=\\\"libindex\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"total\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_acquired_conns{application_name=\\\"libindex\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"acquired\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Connections (Indexer)\",\n \"type\": \"timeseries\"\n },\n {\n \"collapsed\": false,\n \"datasource\": null,\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 41\n },\n \"id\": 50,\n \"panels\": [],\n \"title\": \"Database matcher\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 7,\n \"w\": 24,\n \"x\": 0,\n \"y\": 42\n },\n \"id\": 21,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getvulnerabilities_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"VulnStoreGet: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getlatestrefs_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GetLatestRefs: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getlatestupdateref_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GetLatestUpdateRef: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_getupdateoperations_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GetUpdateOperations: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_updatevulnerabilities_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"UpdateVulnerabilities: {{instance }}: {{ query }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Database query count (matcher)\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 0,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 33,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getvulnerabilities_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Get vulnerabilities latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 4,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 55,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getlatestrefs_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"B\"\n }\n ],\n \"title\": \"Get latest refs latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 8,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 56,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getlatestupdateref_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"C\"\n }\n ],\n \"title\": \"Get latest update refs latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 12,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 57,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_getupdateoperations_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Get update operations latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 4,\n \"x\": 16,\n \"y\": 49\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 58,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_updatevulnerabilities_duration_seconds_bucket[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Update vulnerabilities latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 7,\n \"w\": 24,\n \"x\": 0,\n \"y\": 57\n },\n \"id\": 43,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(claircore_vulnstore_gc_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"GarbageCollection: {{instance }}: {{ query }}\",\n \"refId\": \"E\"\n }\n ],\n \"title\": \"Database query count GC\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 24,\n \"x\": 0,\n \"y\": 64\n },\n \"id\": 64,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_idle_conns{application_name=\\\"libvuln\\\"})\",\n \"interval\": \"\",\n \"legendFormat\": \"idle\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_max_conns{application_name=\\\"libvuln\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"max\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_total_conns{application_name=\\\"libvuln\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"total\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"sum by (application_name) (pgxpool_acquired_conns{application_name=\\\"libvuln\\\"})\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"acquired\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Connections (Matcher)\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 72\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 44,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_gc_duration_seconds_bucket{query=\\\"updateOps\\\"}[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"GC - updateOps latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 72\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 59,\n \"legend\": {\n \"show\": false\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(claircore_vulnstore_gc_duration_seconds_bucket{query=\\\"deleteVulns\\\"}[$rate])) by (le)\",\n \"format\": \"heatmap\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"F\"\n }\n ],\n \"title\": \"GC - deleteVulns latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": 0,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"collapsed\": true,\n \"datasource\": null,\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 80\n },\n \"id\": 61,\n \"panels\": [\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 20\n },\n \"id\": 36,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_created_total[$rate])\",\n \"interval\": \"\",\n \"legendFormat\": \"CreatedTotal: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_failed_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierFailed: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_putreceipt_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierPutReceipt: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"rate(clair_notifier_receiptbyuoid_total[$rate])\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierReceiptByUOID: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Database query count (notifier)\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 30,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 20\n },\n \"id\": 38,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_created_duration_seconds_bucket[$rate]))\",\n \"interval\": \"\",\n \"legendFormat\": \"CreatedTotal: {{instance }}: {{ query }}\",\n \"refId\": \"A\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_failed_duration_seconds_bucket[$rate]))\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierFailed: {{instance }}: {{ query }}\",\n \"refId\": \"B\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_putreceipt_duration_seconds_bucket[$rate]))\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierPutReceipt: {{instance }}: {{ query }}\",\n \"refId\": \"C\"\n },\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($dbquantile, rate(clair_notifier_receiptbyuoid_duration_seconds_bucket[$rate]))\",\n \"hide\": false,\n \"interval\": \"\",\n \"legendFormat\": \"NotifierReceiptByUOID: {{instance }}: {{ query }}\",\n \"refId\": \"D\"\n }\n ],\n \"title\": \"Database query duration (notifier) (p$dbquantile)\",\n \"type\": \"timeseries\"\n }\n ],\n \"title\": \"Database - Notifier\",\n \"type\": \"row\"\n },\n {\n \"collapsed\": false,\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 81\n },\n \"id\": 2,\n \"panels\": [],\n \"title\": \"API Requests\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 82\n },\n \"id\": 4,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_matcherv1_request_total{handler=\\\"/matcher/api/v1/vulnerability_report/\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Vulnerability Report Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateOranges\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 82\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 15,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"repeat\": null,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(rate(clair_http_matcherv1_request_duration_seconds_bucket{handler=\\\"/matcher/api/v1/vulnerability_report/\\\"}[5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"\",\n \"intervalFactor\": 1,\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Vulnerability Report Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"middle\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 90\n },\n \"id\": 7,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{handler=\\\"/indexer/api/v1/index_report\\\", method=\\\"post\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Create Index Report Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 90\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 14,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"post\\\", handler=\\\"/indexer/api/v1/index_report\\\", code=\\\"201\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Create Index Report Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"stepBefore\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 98\n },\n \"id\": 6,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{handler=\\\"/indexer/api/v1/index_state\\\", method=\\\"get\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"\",\n \"legendFormat\": \"Status {{code}}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Indexer State Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 98\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 47,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"get\\\", handler=\\\"/indexer/api/v1/index_state\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Indexer State Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 106\n },\n \"id\": 5,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{method=\\\"get\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 106\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 46,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"get\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 114\n },\n \"id\": 66,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report\\\"}[$rate]))\",\n \"hide\": false,\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"B\"\n }\n ],\n \"title\": \"Index Report Bulk Deletion Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 114\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 67,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Bulk Deletion Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 122\n },\n \"id\": 68,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_indexerv1_request_total{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Deletion Requests / s\",\n \"type\": \"timeseries\"\n },\n {\n \"cards\": {\n \"cardPadding\": null,\n \"cardRound\": null\n },\n \"color\": {\n \"cardColor\": \"#b4ff00\",\n \"colorScale\": \"linear\",\n \"colorScheme\": \"interpolateGreys\",\n \"exponent\": 0.5,\n \"mode\": \"opacity\"\n },\n \"dataFormat\": \"tsbuckets\",\n \"datasource\": \"$datasource\",\n \"description\": \"\",\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 122\n },\n \"heatmap\": {},\n \"hideZeroBuckets\": true,\n \"highlightCards\": true,\n \"id\": 69,\n \"legend\": {\n \"show\": true\n },\n \"maxDataPoints\": 50,\n \"reverseYBuckets\": false,\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum(increase(clair_http_indexerv1_request_duration_seconds_bucket{method=\\\"delete\\\", handler=\\\"/indexer/api/v1/index_report/:digest\\\"} [5m])) by (le)\",\n \"format\": \"heatmap\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"{{ le }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Index Report Deletion Request Latency\",\n \"tooltip\": {\n \"show\": true,\n \"showHistogram\": false\n },\n \"type\": \"heatmap\",\n \"xAxis\": {\n \"show\": true\n },\n \"xBucketNumber\": null,\n \"xBucketSize\": null,\n \"yAxis\": {\n \"decimals\": null,\n \"format\": \"s\",\n \"logBase\": 1,\n \"max\": null,\n \"min\": null,\n \"show\": true,\n \"splitFactor\": null\n },\n \"yBucketBound\": \"auto\",\n \"yBucketNumber\": null,\n \"yBucketSize\": null\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 130\n },\n \"id\": 41,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_notifier_api_v1_notification_request_total{method=\\\"get\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }} \",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Get Notifications Requests\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"Seconds\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 30,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 130\n },\n \"id\": 40,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($apiquantile, rate(clair_http_notifier_api_v1_notification_request_duration_seconds_bucket[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Get Notification Request Latency (p$apiquantile)\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 138\n },\n \"id\": 39,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (code) (rate(clair_http_notifier_api_v1_notification_request_total{method=\\\"delete\\\"}[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"Status {{ code }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Delete Notification Requests\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"Seconds\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 30,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 138\n },\n \"id\": 42,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"histogram_quantile($apiquantile, rate(clair_http_notifier_api_v1_notification_request_duration_seconds_bucket[$rate]))\",\n \"instant\": false,\n \"interval\": \"1\",\n \"legendFormat\": \"\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Delete Notification Request Latency (p$apiquantile)\",\n \"type\": \"timeseries\"\n },\n {\n \"collapsed\": false,\n \"datasource\": \"$datasource\",\n \"gridPos\": {\n \"h\": 1,\n \"w\": 24,\n \"x\": 0,\n \"y\": 146\n },\n \"id\": 9,\n \"panels\": [],\n \"title\": \"Memory metrics\",\n \"type\": \"row\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 0,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n }\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 0,\n \"y\": 147\n },\n \"id\": 11,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (job)(go_goroutines)\",\n \"interval\": \"\",\n \"legendFormat\": \"{{ job }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Goroutine count\",\n \"type\": \"timeseries\"\n },\n {\n \"datasource\": \"$datasource\",\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"custom\": {\n \"axisLabel\": \"\",\n \"axisPlacement\": \"auto\",\n \"barAlignment\": 0,\n \"drawStyle\": \"line\",\n \"fillOpacity\": 10,\n \"gradientMode\": \"none\",\n \"hideFrom\": {\n \"legend\": false,\n \"tooltip\": false,\n \"viz\": false\n },\n \"lineInterpolation\": \"linear\",\n \"lineWidth\": 1,\n \"pointSize\": 5,\n \"scaleDistribution\": {\n \"type\": \"linear\"\n },\n \"showPoints\": \"auto\",\n \"spanNulls\": false,\n \"stacking\": {\n \"group\": \"A\",\n \"mode\": \"none\"\n },\n \"thresholdsStyle\": {\n \"mode\": \"off\"\n }\n },\n \"mappings\": [],\n \"thresholds\": {\n \"mode\": \"absolute\",\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": null\n },\n {\n \"color\": \"red\",\n \"value\": 80\n }\n ]\n },\n \"unit\": \"bytes\"\n },\n \"overrides\": []\n },\n \"gridPos\": {\n \"h\": 8,\n \"w\": 12,\n \"x\": 12,\n \"y\": 147\n },\n \"id\": 12,\n \"options\": {\n \"legend\": {\n \"calcs\": [],\n \"displayMode\": \"list\",\n \"placement\": \"bottom\"\n },\n \"tooltip\": {\n \"mode\": \"single\"\n }\n },\n \"targets\": [\n {\n \"exemplar\": true,\n \"expr\": \"sum by (job)(go_memstats_heap_inuse_bytes)\",\n \"interval\": \"\",\n \"legendFormat\": \"{{ job }}\",\n \"refId\": \"A\"\n }\n ],\n \"title\": \"Memory\",\n \"type\": \"timeseries\"\n }\n ],\n \"refresh\": false,\n \"schemaVersion\": 30,\n \"style\": \"dark\",\n \"tags\": [],\n \"templating\": {\n \"list\": [\n {\n \"auto\": false,\n \"auto_count\": 30,\n \"auto_min\": \"10s\",\n \"current\": {\n \"selected\": false,\n \"text\": \"1m\",\n \"value\": \"1m\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"label\": null,\n \"name\": \"rate\",\n \"options\": [\n {\n \"selected\": true,\n \"text\": \"1m\",\n \"value\": \"1m\"\n },\n {\n \"selected\": false,\n \"text\": \"5m\",\n \"value\": \"5m\"\n },\n {\n \"selected\": false,\n \"text\": \"10m\",\n \"value\": \"10m\"\n },\n {\n \"selected\": false,\n \"text\": \"30m\",\n \"value\": \"30m\"\n },\n {\n \"selected\": false,\n \"text\": \"1h\",\n \"value\": \"1h\"\n },\n {\n \"selected\": false,\n \"text\": \"6h\",\n \"value\": \"6h\"\n },\n {\n \"selected\": false,\n \"text\": \"12h\",\n \"value\": \"12h\"\n },\n {\n \"selected\": false,\n \"text\": \"1d\",\n \"value\": \"1d\"\n },\n {\n \"selected\": false,\n \"text\": \"7d\",\n \"value\": \"7d\"\n },\n {\n \"selected\": false,\n \"text\": \"14d\",\n \"value\": \"14d\"\n },\n {\n \"selected\": false,\n \"text\": \"30d\",\n \"value\": \"30d\"\n }\n ],\n \"query\": \"1m,5m,10m,30m,1h,6h,12h,1d,7d,14d,30d\",\n \"refresh\": 2,\n \"skipUrlSync\": false,\n \"type\": \"interval\"\n },\n {\n \"allValue\": null,\n \"current\": {\n \"selected\": false,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"includeAll\": false,\n \"label\": \"Database Latency Quantile\",\n \"multi\": false,\n \"name\": \"dbquantile\",\n \"options\": [\n {\n \"selected\": true,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n {\n \"selected\": false,\n \"text\": \"0.90\",\n \"value\": \"0.90\"\n },\n {\n \"selected\": false,\n \"text\": \"0.5\",\n \"value\": \"0.5\"\n },\n {\n \"selected\": false,\n \"text\": \"0.20\",\n \"value\": \"0.20\"\n },\n {\n \"selected\": false,\n \"text\": \"0\",\n \"value\": \"0\"\n }\n ],\n \"query\": \"0.95,0.90,0.5,0.20,0\",\n \"queryValue\": \"\",\n \"skipUrlSync\": false,\n \"type\": \"custom\"\n },\n {\n \"allValue\": null,\n \"current\": {\n \"selected\": true,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"includeAll\": false,\n \"label\": \"API Latency Quantile\",\n \"multi\": false,\n \"name\": \"apiquantile\",\n \"options\": [\n {\n \"selected\": true,\n \"text\": \"0.95\",\n \"value\": \"0.95\"\n },\n {\n \"selected\": false,\n \"text\": \"0.90\",\n \"value\": \"0.90\"\n },\n {\n \"selected\": false,\n \"text\": \"0.5\",\n \"value\": \"0.5\"\n },\n {\n \"selected\": false,\n \"text\": \"0.20\",\n \"value\": \"0.20\"\n },\n {\n \"selected\": false,\n \"text\": \"0\",\n \"value\": \"0\"\n }\n ],\n \"query\": \"0.95,0.90,0.5,0.20,0\",\n \"queryValue\": \"\",\n \"skipUrlSync\": false,\n \"type\": \"custom\"\n },\n {\n \"current\": {\n \"selected\": true,\n \"text\": \"Prometheus\",\n \"value\": \"Prometheus\"\n },\n \"description\": null,\n \"error\": null,\n \"hide\": 0,\n \"includeAll\": false,\n \"label\": null,\n \"multi\": false,\n \"name\": \"datasource\",\n \"options\": [],\n \"query\": \"prometheus\",\n \"queryValue\": \"\",\n \"refresh\": 1,\n \"regex\": \"/(^clair|^app-sre-stage-01|^Prometheus$|^appsre)(?!.*cluster)/\",\n \"skipUrlSync\": false,\n \"type\": \"datasource\"\n }\n ]\n },\n \"time\": {\n \"from\": \"now-1h\",\n \"to\": \"now\"\n },\n \"timepicker\": {},\n \"timezone\": \"\",\n \"title\": \"Clair V4\",\n \"uid\": \"I1JBFlRnz\",\n \"version\": 4\n}\n"
},
{
"path": "local-dev/grafana/provisioning/dashboards/dashboard.yml",
"content": "apiVersion: 1\n\nproviders:\n- name: 'Prometheus'\n orgId: 1\n folder: ''\n type: file\n disableDeletion: false\n editable: true\n options:\n path: /etc/grafana/provisioning/dashboards"
},
{
"path": "local-dev/grafana/provisioning/dashboards/database.json",
"content": "{\n \"id\": null,\n \"title\": \"PostgreSQL Performance Dashboard\",\n \"uid\": \"postgres-performance-dashboard4\",\n \"tags\": [\"postgres\", \"database\", \"performance\", \"new\"],\n \"timezone\": \"browser\",\n \"schemaVersion\": 30,\n \"version\": 1,\n \"refresh\": \"30s\",\n \"time\": {\n \"from\": \"now-1h\",\n \"to\": \"now\"\n },\n \"templating\": {\n \"list\": [\n {\n \"name\": \"datasource\",\n \"type\": \"datasource\",\n \"query\": \"prometheus\",\n \"current\": {\n \"selected\": false,\n \"text\": \"Prometheus\",\n \"value\": \"Prometheus\"\n },\n \"hide\": 0,\n \"includeAll\": false,\n \"multi\": false,\n \"refresh\": 1\n },\n {\n \"name\": \"instance\",\n \"type\": \"query\",\n \"query\": \"label_values(pg_up, instance)\",\n \"current\": {\n \"selected\": true,\n \"text\": \"All\",\n \"value\": \"$__all\"\n },\n \"hide\": 0,\n \"includeAll\": true,\n \"multi\": true,\n \"refresh\": 1,\n \"allValue\": \".*\",\n \"datasource\": \"$datasource\"\n }\n ]\n },\n \"graphTooltip\": 2,\n \"panels\": [\n {\n \"title\": \"Overview\",\n \"type\": \"row\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 0,\n \"w\": 24,\n \"h\": 1\n },\n \"id\": 100\n },\n {\n \"title\": \"Database Status\",\n \"type\": \"stat\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 1,\n \"w\": 4,\n \"h\": 4\n },\n \"id\": 101,\n \"targets\": [\n {\n \"expr\": \"pg_up{instance=~\\\"$instance\\\"}\",\n \"legendFormat\": \"Database Status\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"thresholds\"\n },\n \"thresholds\": {\n \"steps\": [\n {\n \"color\": \"red\",\n \"value\": 0\n },\n {\n \"color\": \"green\",\n \"value\": 1\n }\n ]\n },\n \"mappings\": [\n {\n \"options\": {\n \"0\": {\n \"text\": \"DOWN\"\n },\n \"1\": {\n \"text\": \"UP\"\n }\n },\n \"type\": \"value\"\n }\n ]\n }\n },\n \"options\": {\n \"reduceOptions\": {\n \"values\": false,\n \"calcs\": [\"lastNotNull\"],\n \"fields\": \"\"\n },\n \"orientation\": \"auto\",\n \"textMode\": \"auto\",\n \"colorMode\": \"background\"\n }\n },\n {\n \"title\": \"Total Databases\",\n \"type\": \"stat\",\n \"gridPos\": {\n \"x\": 4,\n \"y\": 1,\n \"w\": 4,\n \"h\": 4\n },\n \"id\": 102,\n \"targets\": [\n {\n \"expr\": \"count(pg_stat_database_numbackends{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"})\",\n \"legendFormat\": \"Databases\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n }\n }\n }\n },\n {\n \"title\": \"Total Connections\",\n \"type\": \"stat\",\n \"gridPos\": {\n \"x\": 8,\n \"y\": 1,\n \"w\": 4,\n \"h\": 4\n },\n \"id\": 103,\n \"targets\": [\n {\n \"expr\": \"sum(pg_stat_database_numbackends{instance=~\\\"$instance\\\"})\",\n \"legendFormat\": \"Connections\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n }\n }\n }\n },\n {\n \"title\": \"Queries Per Second\",\n \"type\": \"stat\",\n \"gridPos\": {\n \"x\": 12,\n \"y\": 1,\n \"w\": 4,\n \"h\": 4\n },\n \"id\": 104,\n \"targets\": [\n {\n \"expr\": \"sum(rate(pg_stat_database_xact_commit{instance=~\\\"$instance\\\"}[5m]) + rate(pg_stat_database_xact_rollback{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"QPS\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"palette-classic\"\n },\n \"unit\": \"ops\"\n }\n }\n },\n {\n \"title\": \"Active Queries\",\n \"type\": \"stat\",\n \"gridPos\": {\n \"x\": 16,\n \"y\": 1,\n \"w\": 8,\n \"h\": 4\n },\n \"id\": 105,\n \"targets\": [\n {\n \"expr\": \"sum by (datname) (pg_stat_activity_count{instance=~\\\"$instance\\\", state=\\\"active\\\"})\",\n \"legendFormat\": \"{{datname}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"color\": {\n \"mode\": \"thresholds\"\n },\n \"thresholds\": {\n \"steps\": [\n {\n \"color\": \"green\",\n \"value\": 0\n },\n {\n \"color\": \"yellow\",\n \"value\": 10\n },\n {\n \"color\": \"red\",\n \"value\": 25\n }\n ]\n },\n \"unit\": \"short\"\n }\n }\n },\n {\n \"title\": \"Connections & Activity\",\n \"type\": \"row\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 5,\n \"w\": 24,\n \"h\": 1\n },\n \"id\": 200\n },\n {\n \"title\": \"Active Connections by Database\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 6,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 201,\n \"targets\": [\n {\n \"expr\": \"pg_stat_database_numbackends{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}\",\n \"legendFormat\": \"{{datname}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"custom\": {\n \"drawStyle\": \"line\",\n \"lineInterpolation\": \"linear\",\n \"fillOpacity\": 10,\n \"stacking\": {\n \"mode\": \"none\"\n }\n }\n }\n }\n },\n {\n \"title\": \"Connection States\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 12,\n \"y\": 6,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 202,\n \"targets\": [\n {\n \"expr\": \"sum by (state) (pg_stat_activity_count{instance=~\\\"$instance\\\"})\",\n \"legendFormat\": \"{{state}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"custom\": {\n \"drawStyle\": \"line\",\n \"lineInterpolation\": \"linear\",\n \"fillOpacity\": 10,\n \"stacking\": {\n \"mode\": \"normal\"\n }\n }\n }\n }\n },\n {\n \"title\": \"Max Connections vs Current\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 14,\n \"w\": 24,\n \"h\": 6\n },\n \"id\": 203,\n \"targets\": [\n {\n \"expr\": \"pg_settings_max_connections{instance=~\\\"$instance\\\"}\",\n \"legendFormat\": \"Max Connections\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"sum(pg_stat_database_numbackends{instance=~\\\"$instance\\\"})\",\n \"legendFormat\": \"Current Connections\",\n \"refId\": \"B\"\n }\n ]\n },\n \n \n {\n \"title\": \"Transaction Activity\",\n \"type\": \"row\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 20,\n \"w\": 24,\n \"h\": 1\n },\n \"id\": 300\n },\n {\n \"title\": \"Transactions per Second\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 21,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 301,\n \"targets\": [\n {\n \"expr\": \"sum(rate(pg_stat_database_xact_commit{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Commits/sec\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_database_xact_rollback{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Rollbacks/sec\",\n \"refId\": \"B\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"unit\": \"reqps\"\n }\n }\n },\n {\n \"title\": \"Transaction Activity by Database\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 12,\n \"y\": 21,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 302,\n \"targets\": [\n {\n \"expr\": \"rate(pg_stat_database_xact_commit{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}[5m])\",\n \"legendFormat\": \"{{datname}} commits\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"rate(pg_stat_database_xact_rollback{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}[5m])\",\n \"legendFormat\": \"{{datname}} rollbacks\",\n \"refId\": \"B\"\n }\n ]\n },\n {\n \"title\": \"Deadlocks\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 29,\n \"w\": 8,\n \"h\": 6\n },\n \"id\": 303,\n \"targets\": [\n {\n \"expr\": \"rate(pg_stat_database_deadlocks{instance=~\\\"$instance\\\"}[5m])\",\n \"legendFormat\": \"{{datname}}\",\n \"refId\": \"A\"\n }\n ]\n },\n {\n \"title\": \"Conflicts\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 8,\n \"y\": 29,\n \"w\": 8,\n \"h\": 6\n },\n \"id\": 304,\n \"targets\": [\n {\n \"expr\": \"rate(pg_stat_database_conflicts{instance=~\\\"$instance\\\"}[5m])\",\n \"legendFormat\": \"{{datname}}\",\n \"refId\": \"A\"\n }\n ]\n },\n {\n \"title\": \"Temporary Files\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 16,\n \"y\": 29,\n \"w\": 8,\n \"h\": 6\n },\n \"id\": 305,\n \"targets\": [\n {\n \"expr\": \"rate(pg_stat_database_temp_files{instance=~\\\"$instance\\\"}[5m])\",\n \"legendFormat\": \"{{datname}} Files\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"rate(pg_stat_database_temp_bytes{instance=~\\\"$instance\\\"}[5m])\",\n \"legendFormat\": \"{{datname}} Bytes\",\n \"refId\": \"B\"\n }\n ]\n },\n {\n \"title\": \"I/O & Performance\",\n \"type\": \"row\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 35,\n \"w\": 24,\n \"h\": 1\n },\n \"id\": 400\n },\n {\n \"title\": \"Disk I/O - Blocks Read vs Hit\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 36,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 401,\n \"targets\": [\n {\n \"expr\": \"sum(rate(pg_stat_database_blks_read{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Blocks Read from Disk\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_database_blks_hit{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Blocks Hit from Cache\",\n \"refId\": \"B\"\n }\n ]\n },\n {\n \"title\": \"Buffer Cache Hit Ratio by Database\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 12,\n \"y\": 36,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 402,\n \"targets\": [\n {\n \"expr\": \"rate(pg_stat_database_blks_hit{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}[5m]) / (rate(pg_stat_database_blks_hit{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}[5m]) + rate(pg_stat_database_blks_read{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}[5m])) * 100\",\n \"legendFormat\": \"{{datname}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"unit\": \"percent\",\n \"min\": 0,\n \"max\": 100\n }\n }\n },\n {\n \"title\": \"Tuple Activity\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 44,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 403,\n \"targets\": [\n {\n \"expr\": \"sum(rate(pg_stat_database_tup_returned{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Rows Returned\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_database_tup_fetched{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Rows Fetched\",\n \"refId\": \"B\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_database_tup_inserted{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Rows Inserted\",\n \"refId\": \"C\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_database_tup_updated{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Rows Updated\",\n \"refId\": \"D\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_database_tup_deleted{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Rows Deleted\",\n \"refId\": \"E\"\n }\n ]\n },\n {\n \"title\": \"Sequential vs Index Scans\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 12,\n \"y\": 44,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 404,\n \"targets\": [\n {\n \"expr\": \"sum(rate(pg_stat_user_tables_seq_scan{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Sequential Scans\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"sum(rate(pg_stat_user_tables_idx_scan{instance=~\\\"$instance\\\"}[5m]))\",\n \"legendFormat\": \"Index Scans\",\n \"refId\": \"B\"\n }\n ]\n },\n {\n \"title\": \"Locks & Blocking\",\n \"type\": \"row\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 52,\n \"w\": 24,\n \"h\": 1\n },\n \"id\": 500\n },\n {\n \"title\": \"Lock Types\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 53,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 501,\n \"targets\": [\n {\n \"expr\": \"pg_locks_count{instance=~\\\"$instance\\\"}\",\n \"legendFormat\": \"{{mode}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"custom\": {\n \"stacking\": {\n \"mode\": \"normal\"\n }\n }\n }\n }\n },\n {\n \"title\": \"Lock Waits\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 12,\n \"y\": 53,\n \"w\": 12,\n \"h\": 8\n },\n \"id\": 502,\n \"targets\": [\n {\n \"expr\": \"pg_stat_activity_count{instance=~\\\"$instance\\\", state=\\\"active\\\", wait_event_type=\\\"Lock\\\"}\",\n \"legendFormat\": \"Waiting for Locks\",\n \"refId\": \"A\"\n }\n ]\n },\n {\n \"title\": \"System Resources\",\n \"type\": \"row\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 61,\n \"w\": 24,\n \"h\": 1\n },\n \"id\": 600\n },\n {\n \"title\": \"Memory Usage\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 0,\n \"y\": 62,\n \"w\": 8,\n \"h\": 8\n },\n \"id\": 601,\n \"targets\": [\n {\n \"expr\": \"process_resident_memory_bytes{instance=~\\\"$instance\\\"}\",\n \"legendFormat\": \"Resident Memory\",\n \"refId\": \"A\"\n },\n {\n \"expr\": \"process_virtual_memory_bytes{instance=~\\\"$instance\\\"}\",\n \"legendFormat\": \"Virtual Memory\",\n \"refId\": \"B\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"unit\": \"bytes\"\n }\n }\n },\n {\n \"title\": \"CPU Usage\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 8,\n \"y\": 62,\n \"w\": 8,\n \"h\": 8\n },\n \"id\": 602,\n \"targets\": [\n {\n \"expr\": \"rate(process_cpu_seconds_total{instance=~\\\"$instance\\\"}[5m]) * 100\",\n \"legendFormat\": \"{{job}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"unit\": \"percent\",\n \"min\": 0,\n \"max\": 100\n }\n }\n },\n {\n \"title\": \"Database Size\",\n \"type\": \"timeseries\",\n \"gridPos\": {\n \"x\": 16,\n \"y\": 62,\n \"w\": 8,\n \"h\": 8\n },\n \"id\": 603,\n \"targets\": [\n {\n \"expr\": \"pg_database_size_bytes{instance=~\\\"$instance\\\", datname!=\\\"template0\\\", datname!=\\\"template1\\\"}\",\n \"legendFormat\": \"{{datname}}\",\n \"refId\": \"A\"\n }\n ],\n \"fieldConfig\": {\n \"defaults\": {\n \"unit\": \"bytes\"\n }\n }\n }\n ]\n }\n"
},
{
"path": "local-dev/grafana/provisioning/datasources/datasource.yml",
"content": "---\n# config file version\napiVersion: 1\n\n# list of datasources that should be deleted from the database\ndeleteDatasources:\n - name: Prometheus\n orgId: 1\n\n# list of datasources to insert/update depending\n# whats available in the database\ndatasources:\n # name of the datasource. Required\n- name: Prometheus\n # datasource type. Required\n type: prometheus\n # access mode. direct or proxy. Required\n access: proxy\n # org id. will default to orgId 1 if not specified\n orgId: 1\n # url\n url: http://clair-prometheus:9090/prom/\n # mark as default datasource. Max one per org\n isDefault: true\n version: 1\n editable: false\n- name: Pyroscope\n type: pyroscope-datasource\n access: proxy\n orgId: 1\n url: http://clair-pyroscope:4040/\n jsonData:\n path: http://clair-pyroscope:4040/\n editable: false\n- name: Jaeger\n type: jaeger\n access: proxy\n orgId: 1\n url: http://clair-jaeger:16686/jaeger/\n editable: false\n"
},
{
"path": "local-dev/pgadmin/passfile.txt",
"content": "# hostname:port:database:username:password\nclair-database:5432:notifier:clair:clair\nclair-database:5432:matcher:clair:clair\nclair-database:5432:indexer:clair:clair\n"
},
{
"path": "local-dev/pgadmin/servers.json",
"content": "{\n \"Servers\": {\n \"1\": {\n \"Name\": \"clair\",\n \"Group\": \"Servers\",\n \"Port\": 5432,\n \"Username\": \"postgres\",\n \"Host\": \"clair-database\",\n \"SSLMode\": \"disable\",\n \"MaintenanceDB\": \"postgres\",\n \"PassFile\": \"/pgadmin4/config/passfile.txt\"\n }\n }\n}\n"
},
{
"path": "local-dev/prometheus/prometheus.yml",
"content": "# global config\n---\nglobal:\n scrape_interval: 4s\n evaluation_interval: 30s\n # scrape_timeout is set to the global default (10s).\nscrape_configs:\n - job_name: indexer\n metrics_path: \"/metrics\"\n static_configs:\n - targets: ['clair-indexer:8089']\n\n - job_name: matcher\n metrics_path: \"/metrics\"\n static_configs:\n - targets: ['clair-matcher:8089']\n\n - job_name: clair-notifier\n metrics_path: \"/metrics\"\n static_configs:\n - targets: ['clair-notifier:8089']\n\n - job_name: notifier\n metrics_path: \"/metrics\"\n static_configs:\n - targets: ['notifier:8089']\n\n - job_name: indexer-quay\n metrics_path: \"/metrics\"\n static_configs:\n - targets: ['indexer-quay:8089']\n\n - job_name: postgres\n metrics_path: \"/metrics\"\n static_configs:\n - targets: ['clair-postgres-exporter:9187']\n\n"
},
{
"path": "local-dev/pyroscope/server.yml",
"content": "---\nanalytics-opt-out: 'true'\nbase-url: /pyroscope\ndisable-pprof-endpoint: 'true'\nscrape-configs:\n- job-name: pyroscope\n scrape-interval: 10s\n scrape-timeout: 15s\n enabled-profiles: [cpu, mem, goroutines, mutex, block]\n use-delta-profiles: true\n static-configs:\n - application: clair-indexer\n spy-name: gospy\n targets:\n - clair-indexer:8089\n - application: clair-matcher\n spy-name: gospy\n targets:\n - clair-matcher:8089\n"
},
{
"path": "local-dev/quay/config.yaml",
"content": "SUPER_USERS:\n- admin\nAUTHENTICATION_TYPE: Database\nBUILDLOGS_REDIS:\n host: clair-redis\n port: 6379\nDATABASE_SECRET_KEY: '30060361640793187613697366923211113205676925445650250274752125083971638376224'\nDB_URI: postgresql://quay@clair-database/quay\nDEFAULT_TAG_EXPIRATION: 2w\nDISTRIBUTED_STORAGE_CONFIG:\n default:\n - LocalStorage\n - storage_path: /datastorage/registry\nDISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []\nDISTRIBUTED_STORAGE_PREFERENCE:\n- default\nENTERPRISE_LOGO_URL: /static/img/quay-horizontal-color.svg\nEXTERNAL_TLS_TERMINATION: true\nFEATURE_ACI_CONVERSION: false\nFEATURE_ANONYMOUS_ACCESS: true\nFEATURE_APP_REGISTRY: false\nFEATURE_APP_SPECIFIC_TOKENS: true\nFEATURE_BUILD_SUPPORT: false\nFEATURE_CHANGE_TAG_EXPIRATION: true\nFEATURE_DIRECT_LOGIN: true\nFEATURE_MAILING: false\nFEATURE_PARTIAL_USER_AUTOCOMPLETE: true\nFEATURE_REPO_MIRROR: false\nFEATURE_REQUIRE_TEAM_INVITE: true\nFEATURE_RESTRICTED_V1_PUSH: false\nFEATURE_SECURITY_NOTIFICATIONS: true\nFEATURE_SECURITY_SCANNER: true\nFEATURE_USERNAME_CONFIRMATION: true\nFEATURE_USER_CREATION: true\nFEATURE_USER_LOG_ACCESS: true\nGITHUB_LOGIN_CONFIG: {}\nGITHUB_TRIGGER_CONFIG: {}\nGITLAB_TRIGGER_KIND: {}\nGPG2_PRIVATE_KEY_FILENAME: signing-private.gpg\nGPG2_PUBLIC_KEY_FILENAME: signing-public.gpg\nLOG_ARCHIVE_LOCATION: default\nMAIL_DEFAULT_SENDER: support@quay.io\nMAIL_PORT: 587\nMAIL_USE_TLS: true\nPREFERRED_URL_SCHEME: http\nREGISTRY_TITLE: Local Testing Quay\nREGISTRY_TITLE_SHORT: Test Quay\nREPO_MIRROR_SERVER_HOSTNAME: null\nREPO_MIRROR_TLS_VERIFY: true\nSECURITY_SCANNER_V4_ENDPOINT: http://clair-traefik:6060\nSECURITY_SCANNER_ISSUER_NAME: quay\nSECURITY_SCANNER_V4_PSK: 'c2VjcmV0'\nSERVER_HOSTNAME: clair-quay:8080\nSETUP_COMPLETE: true\nSIGNING_ENGINE: gpg2\nTAG_EXPIRATION_OPTIONS:\n- 0s\n- 1d\n- 1w\n- 2w\n- 4w\nTEAM_RESYNC_STALE_TIME: 60m\nTESTING: false\nUSERFILES_LOCATION: default\nUSERFILES_PATH: userfiles/\nUSER_EVENTS_REDIS:\n host: quay-redis\n port: 6379\nUSE_CDN: false\n"
},
{
"path": "local-dev/traefik/config/clair.yaml",
"content": "---\nhttp:\n routers:\n indexer:\n entryPoints: [clair]\n rule: 'PathPrefix(`/indexer`)'\n service: indexer\n matcher:\n entryPoints: [clair]\n rule: 'PathPrefix(`/matcher`)'\n service: matcher\n notifier:\n entryPoints: [clair]\n rule: 'PathPrefix(`/notifier`)'\n service: notifier\n services:\n indexer:\n loadBalancer:\n servers:\n - url: \"http://clair-indexer:6060/\"\n healthCheck:\n path: /healthz\n port: 8089\n matcher:\n loadBalancer:\n servers:\n - url: \"http://clair-matcher:6060/\"\n healthCheck:\n path: /healthz\n port: 8089\n notifier:\n loadBalancer:\n servers:\n - url: \"http://clair-notifier:6060/\"\n healthCheck:\n path: /healthz\n port: 8089\n"
},
{
"path": "local-dev/traefik/config/dashboard.yaml",
"content": "---\nhttp:\n routers:\n api:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/api`) || PathPrefix(`/dashboard`)'\n service: 'api@internal'\n dashboard-redirect:\n entryPoints: [traefik]\n rule: 'Path(`/`)'\n middlewares: [dashboard-redirect]\n service: 'api@internal'\n middlewares:\n dashboard-redirect:\n redirectRegex:\n regex: '.*'\n replacement: '${1}/dashboard/'\n"
},
{
"path": "local-dev/traefik/config/grafana.yaml",
"content": "---\nhttp:\n routers:\n grafana:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/grafana`)'\n service: grafana\n services:\n grafana:\n loadBalancer:\n servers:\n - url: \"http://clair-grafana:3000/\"\n healthCheck:\n path: /grafana/api/health\n"
},
{
"path": "local-dev/traefik/config/jaeger.yaml",
"content": "---\nhttp:\n routers:\n jaeger:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/jaeger`)'\n service: jaeger\n services:\n jaeger:\n loadBalancer:\n servers:\n - url: \"http://clair-jaeger:16686/\"\n healthCheck:\n path: /\n"
},
{
"path": "local-dev/traefik/config/pgadmin.yaml",
"content": "---\nhttp:\n routers:\n pgadmin:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/pgadmin`)'\n service: pgadmin\n services:\n pgadmin:\n loadBalancer:\n servers:\n - url: \"http://clair-pgadmin/\"\n healthCheck:\n path: /pgadmin\n"
},
{
"path": "local-dev/traefik/config/postgresql.yaml",
"content": "---\ntcp:\n routers:\n postgresql:\n entryPoints: [postgresql]\n service: postgresql\n # Traefik docs say this hack is needed if not using TLS.\n rule: 'HostSNI(`*`)'\n services:\n postgresql:\n loadBalancer:\n servers:\n - address: 'clair-database:5432'\n"
},
{
"path": "local-dev/traefik/config/prom.yaml",
"content": "---\nhttp:\n routers:\n prom:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/prom`)'\n service: prom\n services:\n prom:\n loadBalancer:\n servers:\n - url: \"http://clair-prometheus:9090/\"\n healthCheck:\n path: /prom/-/healthy\n"
},
{
"path": "local-dev/traefik/config/pyroscope.yaml",
"content": "---\nhttp:\n routers:\n pyroscope:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/pyroscope`)'\n service: pyroscope\n middlewares:\n - pyroscope-stripprefix\n middlewares:\n pyroscope-stripprefix:\n stripPrefix:\n prefixes:\n - /pyroscope\n services:\n pyroscope:\n loadBalancer:\n servers:\n - url: \"http://clair-pyroscope:4040/\"\n healthCheck:\n path: /\n"
},
{
"path": "local-dev/traefik/config/quay.yaml",
"content": "---\nhttp:\n routers:\n quay:\n entryPoints: [quay]\n rule: 'PathPrefix(`/`)'\n service: quay\n quay-api:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/v2`)'\n service: quay\n services:\n quay:\n loadBalancer:\n passHostHeader: false\n servers:\n - url: \"http://clair-quay:8080/\"\n healthCheck:\n path: /health\n port: 8080\n"
},
{
"path": "local-dev/traefik/config/rabbitmq.yaml",
"content": "---\nhttp:\n routers:\n rabbitmq:\n entryPoints: [traefik]\n rule: 'PathPrefix(`/rabbitmq`)'\n middlewares:\n - rewrite-api\n - rewrite\n service: rabbitmq\n services:\n rabbitmq:\n loadBalancer:\n servers:\n - url: \"http://clair-rabbitmq:15672/\"\n healthCheck:\n path: /\n middlewares:\n rewrite-api:\n replacePathRegex:\n regex: '^/rabbitmq/api/(.*?)/(.*)'\n replacement: '/api/%2F/$2'\n rewrite:\n replacePathRegex:\n regex: '^/rabbitmq/(.*)$'\n replacement: '/$1'\n"
},
{
"path": "local-dev/traefik/traefik.yaml",
"content": "---\nglobal:\n sendAnonymousUsage: false\napi:\n insecure: false\n dashboard: true\nentryPoints:\n traefik:\n address: ':8080'\n quay:\n address: ':8443'\n clair:\n address: ':6060'\n postgresql:\n address: ':5432'\nproviders:\n file:\n directory: /etc/traefik/config\nmetrics:\n prometheus:\n addServicesLabels: true\ntracing:\n otlp:\n http:\n endpoint: http://clair-jaeger:4318/v1/traces\naccessLog: {}\n"
},
{
"path": "matcher/mock.go",
"content": "package matcher\n\nimport (\n\t\"context\"\n\t\"sync\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n)\n\nvar _ Service = (*Mock)(nil)\n\n// Mock implements a mock matcher service\n//\n// If a method is not provided to a constructed Mock a panic\n// will occur on call.\ntype Mock struct {\n\tDeleteUpdateOperations_ func(context.Context, ...uuid.UUID) (int64, error)\n\tUpdateOperations_ func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error)\n\tLatestUpdateOperation_ func(context.Context, driver.UpdateKind) (uuid.UUID, error)\n\tLatestUpdateOperations_ func(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error)\n\tUpdateDiff_ func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error)\n\tScan_ func(context.Context, *claircore.IndexReport) (*claircore.VulnerabilityReport, error)\n\tInitialized_ func(context.Context) (bool, error)\n\t// TestUOs provide memory for the mock.\n\t// usage of this field can be dictated by the test case's needs.\n\tsync.Mutex\n\tTestUOs map[string][]driver.UpdateOperation\n}\n\n// DeleteUpdateOperations marks the provided refs as seen and processed.\nfunc (d *Mock) DeleteUpdateOperations(ctx context.Context, refs ...uuid.UUID) (int64, error) {\n\tif d.DeleteUpdateOperations_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to DeleteUpdateOperations\")\n\t}\n\treturn d.DeleteUpdateOperations_(ctx, refs...)\n}\n\n// UpdateDiff reports the differences between the provided refs.\n//\n// \"Prev\" can be `uuid.Nil` to indicate \"earliest known ref.\"\nfunc (d *Mock) UpdateDiff(ctx context.Context, prev uuid.UUID, cur uuid.UUID) (*driver.UpdateDiff, error) {\n\tif d.UpdateDiff_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to UpdateDiff\")\n\t}\n\treturn d.UpdateDiff_(ctx, prev, cur)\n}\n\n// UpdateOperations returns all the known UpdateOperations per updater.\nfunc (d *Mock) UpdateOperations(ctx context.Context, k driver.UpdateKind, updaters ...string) (map[string][]driver.UpdateOperation, error) {\n\tif d.UpdateOperations_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to UpdateOperations\")\n\t}\n\treturn d.UpdateOperations_(ctx, k, updaters...)\n}\n\n// LatestUpdateOperations returns the most recent UpdateOperation per updater.\nfunc (d *Mock) LatestUpdateOperations(ctx context.Context, k driver.UpdateKind) (map[string][]driver.UpdateOperation, error) {\n\tif d.LatestUpdateOperations_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to LatestUpdateOperations\")\n\t}\n\treturn d.LatestUpdateOperations_(ctx, k)\n}\n\n// LatestUpdateOperation returns a ref for the most recent update operation\n// across all updaters.\nfunc (d *Mock) LatestUpdateOperation(ctx context.Context, k driver.UpdateKind) (uuid.UUID, error) {\n\tif d.LatestUpdateOperation_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to LatestUpdateOperation\")\n\t}\n\treturn d.LatestUpdateOperation_(ctx, k)\n}\n\nfunc (d *Mock) Scan(ctx context.Context, ir *claircore.IndexReport) (*claircore.VulnerabilityReport, error) {\n\tif d.Scan_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to Scan\")\n\t}\n\treturn d.Scan_(ctx, ir)\n}\n\nfunc (d *Mock) Initialized(ctx context.Context) (bool, error) {\n\tif d.Initialized_ == nil {\n\t\tpanic(\"mock matcher: unexpected call to Initialized\")\n\t}\n\treturn d.Initialized_(ctx)\n}\n"
},
{
"path": "matcher/service.go",
"content": "package matcher\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n)\n\n// Service is an aggregate interface wrapping claircore.Libvuln functionality.\n//\n// Implementation may use a local instance of claircore.Libindex or a remote\n// instance via http or grpc client.\ntype Service interface {\n\tScanner\n\tDiffer\n}\n\n// Scanner is an interface providing a claircore.VulnerabilityReport given a claircore.IndexReport\ntype Scanner interface {\n\tInitialized(context.Context) (bool, error)\n\tScan(ctx context.Context, ir *claircore.IndexReport) (*claircore.VulnerabilityReport, error)\n}\n\n// Differ is an interface providing information on update operations.\ntype Differ interface {\n\t// DeleteUpdateOperations marks the provided refs as seen and processed.\n\tDeleteUpdateOperations(context.Context, ...uuid.UUID) (int64, error)\n\t// UpdateDiff reports the differences between the provided refs.\n\t//\n\t// \"Prev\" can be `uuid.Nil` to indicate \"earliest known ref.\"\n\tUpdateDiff(_ context.Context, prev, cur uuid.UUID) (*driver.UpdateDiff, error)\n\t// UpdateOperations returns all the known UpdateOperations per updater.\n\tUpdateOperations(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error)\n\t// LatestUpdateOperations returns the most recent UpdateOperation per updater.\n\tLatestUpdateOperations(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error)\n\t// LatestUpdateOperation returns a ref for the most recent update operation\n\t// across all updaters.\n\tLatestUpdateOperation(context.Context, driver.UpdateKind) (uuid.UUID, error)\n}\n"
},
{
"path": "middleware/auth/handler.go",
"content": "package auth\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"strings\"\n)\n\n// Checker is an interface that reports whether the passed request should be\n// allowed to continue.\ntype Checker interface {\n\tCheck(context.Context, *http.Request) bool\n}\n\ntype handler struct {\n\tauth Checker\n\tnext http.Handler\n}\n\nfunc (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tif !h.auth.Check(r.Context(), r) {\n\t\tw.WriteHeader(http.StatusUnauthorized)\n\t\treturn\n\t}\n\th.next.ServeHTTP(w, r)\n}\n\n// Handler returns a http.Handler that gates access to the passed Handler behind\n// the passed Checker.\nfunc Handler(h http.Handler, f ...Checker) http.Handler {\n\tr := &handler{\n\t\tauth: fail{},\n\t\tnext: h,\n\t}\n\tif len(f) == 1 {\n\t\tr.auth = f[0]\n\t} else {\n\t\tr.auth = any(f)\n\t}\n\treturn r\n}\n\n// Any attempts all Checkers in order and reports true if any succeeds.\ntype any []Checker\n\n// Check implements Checker.\nfunc (a any) Check(ctx context.Context, r *http.Request) bool {\n\tfor _, c := range a {\n\t\tif ok := c.Check(ctx, r); ok {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// Fail is a Checker that always fails.\ntype fail struct{}\n\n// Check implements Checker.\nfunc (fail) Check(_ context.Context, _ *http.Request) bool { return false }\n\nfunc fromHeader(r *http.Request) (string, bool) {\n\ths, ok := r.Header[\"Authorization\"]\n\tif !ok {\n\t\treturn \"\", false\n\t}\n\tfor _, h := range hs {\n\t\tif strings.HasPrefix(h, \"Bearer \") {\n\t\t\treturn strings.TrimPrefix(h, \"Bearer \"), true\n\t\t}\n\t}\n\treturn \"\", false\n}\n"
},
{
"path": "middleware/auth/httpauth_psk.go",
"content": "package auth\n\nimport (\n\t\"context\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n)\n\n// PSK implements the AuthCheck interface.\n//\n// When Check is called the JWT on the incoming http request\n// will be validated against a pre-shared-key.\ntype PSK struct {\n\tkey []byte\n\tiss []string\n}\n\n// NewPSK returns an instance of a PSK\nfunc NewPSK(key []byte, issuer []string) (*PSK, error) {\n\treturn &PSK{\n\t\tkey: key,\n\t\tiss: issuer,\n\t}, nil\n}\n\n// Check implements AuthCheck\nfunc (p *PSK) Check(ctx context.Context, r *http.Request) bool {\n\twt, ok := fromHeader(r)\n\tif !ok {\n\t\tslog.DebugContext(ctx, \"failed to retrieve jwt from header\")\n\t\treturn false\n\t}\n\ttok, err := jwt.ParseSigned(wt)\n\tif err != nil {\n\t\tslog.DebugContext(ctx, \"failed to parse jwt\", \"reason\", err)\n\t\treturn false\n\t}\n\tcl := jwt.Claims{}\n\tif err := tok.Claims(p.key, &cl); err != nil {\n\t\tslog.DebugContext(ctx, \"failed to parse jwt\", \"reason\", err)\n\t\treturn false\n\t}\n\n\tlog := slog.With(\"iss\", cl.Issuer)\n\tif err := cl.ValidateWithLeeway(jwt.Expected{\n\t\tTime: time.Now(),\n\t}, 15*time.Second); err != nil {\n\t\tlog.DebugContext(ctx, \"could not validate claims\", \"reason\", err)\n\t\treturn false\n\t}\n\n\tfor i, iss := range p.iss {\n\t\tif iss == cl.Issuer {\n\t\t\tbreak\n\t\t}\n\t\tif i == len(p.iss)-1 {\n\t\t\tslog.DebugContext(ctx, \"could not verify issuer\", \"reason\", err)\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n"
},
{
"path": "middleware/auth/httpauth_psk_test.go",
"content": "package auth\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"reflect\"\n\t\"strings\"\n\t\"testing\"\n\t\"testing/quick\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v3\"\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n\n\t\"github.com/quay/clair/v4/internal/httputil\"\n)\n\ntype pskTestcase struct {\n\tkey []byte\n\tissuer []string\n\tnonce string\n\talg jose.SignatureAlgorithm\n}\n\nfunc (tc *pskTestcase) String() string {\n\treturn fmt.Sprintf(\"\\nalg:\\t%s\\nkey:\\t%x\\nissuer:\\t%s\\nnonce:\\t%s\",\n\t\ttc.alg, tc.key, tc.issuer, tc.nonce)\n}\n\nvar signAlgo = []jose.SignatureAlgorithm{\n\tjose.HS256,\n\tjose.HS384,\n\tjose.HS512,\n}\n\n// implements the Generate interface from testing/quick package.\nfunc (tc *pskTestcase) Generate(rand *rand.Rand, sz int) reflect.Value {\n\tb := make([]byte, sz)\n\tt := &pskTestcase{\n\t\tkey: make([]byte, sz),\n\t\talg: signAlgo[rand.Intn(len(signAlgo))],\n\t\tissuer: make([]string, 0),\n\t}\n\tswitch n, err := rand.Read(t.key); {\n\tcase n != sz:\n\t\tpanic(fmt.Errorf(\"read %d, expected %d\", n, sz))\n\tcase err != nil:\n\t\tpanic(err)\n\t}\n\n\tswitch n, err := rand.Read(b); {\n\tcase n != sz:\n\t\tpanic(fmt.Errorf(\"read %d, expected %d\", n, sz))\n\tcase err != nil:\n\t\tpanic(err)\n\tdefault:\n\t\tt.issuer = append(t.issuer, base64.StdEncoding.EncodeToString(b))\n\t}\n\n\tswitch n, err := rand.Read(b); {\n\tcase n != sz:\n\t\tpanic(fmt.Errorf(\"read %d, expected %d\", n, sz))\n\tcase err != nil:\n\t\tpanic(err)\n\tdefault:\n\t\tt.nonce = base64.StdEncoding.EncodeToString(b)\n\t}\n\n\treturn reflect.ValueOf(t)\n}\n\nfunc (tc *pskTestcase) Handler(t *testing.T) http.Handler {\n\taf, err := NewPSK(tc.key, tc.issuer)\n\tif err != nil {\n\t\tt.Error(err)\n\t\treturn nil\n\t}\n\th := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tah := strings.TrimPrefix(r.Header.Get(\"authorization\"), \"Bearer \")\n\t\tt.Logf(\"got jwt: %s\", ah)\n\t\tfmt.Fprint(w, tc.nonce)\n\t})\n\treturn Handler(h, af)\n}\n\n// Roundtrips returns a function suitable for passing to quick.Check.\nfunc roundtrips(t *testing.T) func(*pskTestcase) bool {\n\treturn func(tc *pskTestcase) bool {\n\t\tctx := context.Background()\n\t\tt.Log(tc)\n\t\t// Set up the jwt signer.\n\t\tsk := jose.SigningKey{\n\t\t\tAlgorithm: tc.alg,\n\t\t\tKey: tc.key,\n\t\t}\n\t\ts, err := jose.NewSigner(sk, nil)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t\treturn false\n\t\t}\n\t\tnow := time.Now()\n\n\t\t// Mint the jwt.\n\t\ttok, err := jwt.Signed(s).Claims(&jwt.Claims{\n\t\t\tIssuer: tc.issuer[0],\n\t\t\tExpiry: jwt.NewNumericDate(now.Add(time.Minute)),\n\t\t\tIssuedAt: jwt.NewNumericDate(now),\n\t\t\tNotBefore: jwt.NewNumericDate(now),\n\t\t}).CompactSerialize()\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t\treturn false\n\t\t}\n\n\t\t// Set up the http server.\n\t\th := tc.Handler(t)\n\t\tif t.Failed() {\n\t\t\treturn false\n\t\t}\n\t\tsrv := httptest.NewServer(h)\n\t\tdefer srv.Close()\n\n\t\t// Mint a request.\n\t\treq, err := httputil.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t\treturn false\n\t\t}\n\t\treq.Header.Set(\"authorization\", \"Bearer \"+tok)\n\n\t\t// Execute the request and read back the body.\n\t\tres, err := srv.Client().Do(req)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t\treturn false\n\t\t}\n\t\tdefer res.Body.Close()\n\t\tif res.StatusCode != http.StatusOK {\n\t\t\tt.Error(fmt.Errorf(\"unexpected response: %d %s\", res.StatusCode, res.Status))\n\t\t\treturn false\n\t\t}\n\t\tbuf := &bytes.Buffer{}\n\t\tif _, err := buf.ReadFrom(res.Body); err != nil {\n\t\t\tt.Error(err)\n\t\t\treturn false\n\t\t}\n\n\t\t// Compare the body read to the nonce we were expecting.\n\t\tt.Logf(\"\\nread:\\t%s\", buf.String())\n\t\tif got, want := buf.String(), tc.nonce; got != want {\n\t\t\tt.Error(fmt.Errorf(\"got: %q, want: %q\", got, want))\n\t\t\treturn false\n\t\t}\n\t\treturn true\n\t}\n}\n\n// TestPSKAuth generates random keys and checks signing with it.\nfunc TestPSKAuth(t *testing.T) {\n\tt.Parallel()\n\t// Generate random keys and check them via the roundtrips function.\n\tcfg := quick.Config{}\n\tif err := quick.Check(roundtrips(t), &cfg); err != nil {\n\t\tt.Fatal(err)\n\t}\n}\n"
},
{
"path": "middleware/compress/handler.go",
"content": "// Package compress implements an RFC9110 compliant handler for the\n// \"Accept-Encoding\" header.\n//\n// This package supports \"identity\", \"gzip\", \"deflate\", and \"zstd\".\npackage compress\n\nimport (\n\t\"errors\"\n\t\"io\"\n\t\"mime\"\n\t\"net/http\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/klauspost/compress/flate\"\n\t\"github.com/klauspost/compress/gzip\"\n\t\"github.com/klauspost/compress/zstd\"\n)\n\n// Handler wraps the provided http.Handler and provides transparent body\n// compression based on a Request's \"Accept-Encoding\" header.\n//\n// Each handler instance pools its own compressors.\nfunc Handler(next http.Handler) http.Handler {\n\th := handler{\n\t\tnext: next,\n\t}\n\th.zstd.New = func() interface{} {\n\t\tw, err := zstd.NewWriter(nil, zstd.WithEncoderLevel(zstd.SpeedFastest))\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\treturn w\n\t}\n\th.gzip.New = func() interface{} {\n\t\tw, err := gzip.NewWriterLevel(nil, gzip.BestSpeed)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\treturn w\n\t}\n\th.flate.New = func() interface{} {\n\t\tw, err := flate.NewWriter(nil, flate.BestSpeed)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\treturn w\n\t}\n\n\treturn &h\n}\n\nvar _ http.Handler = (*handler)(nil)\n\n// Handler performs transparent HTTP body compression.\ntype handler struct {\n\tzstd, gzip, flate sync.Pool\n\tnext http.Handler\n}\n\n// ParseAccept parses an \"Accept-Encoding\" header.\n//\n// Reports a sorted list of encodings and a map of disallowed encodings.\n// Reports nil if no selections were present.\nfunc parseAccept(h string) ([]accept, map[string]struct{}) {\n\tsegs := strings.Split(h, \",\")\n\tret := make([]accept, 0, len(segs))\n\tnok := make(map[string]struct{})\n\tfor _, s := range segs {\n\t\ta := accept{}\n\t\tt, param, err := mime.ParseMediaType(s)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\ta.Type = t\n\t\tif q, ok := param[\"q\"]; ok {\n\t\t\tif q == \"0\" {\n\t\t\t\tnok[t] = struct{}{}\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tqv, err := strconv.ParseFloat(param[\"q\"], 64)\n\t\t\tif err != nil {\n\t\t\t\tnok[t] = struct{}{}\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\ta.Q = qv\n\t\t}\n\t\tret = append(ret, a)\n\t}\n\n\tsort.SliceStable(ret, func(i, j int) bool {\n\t\treturn ret[i].Q > ret[j].Q\n\t})\n\treturn ret, nok\n}\n\ntype accept struct {\n\tType string\n\tQ float64\n}\n\n// ServeHTTP implements http.Handler.\nfunc (c *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tv, ok := r.Header[\"Accept-Encoding\"]\n\tif !ok { // No header, use \"identity\".\n\t\tc.next.ServeHTTP(w, r)\n\t\treturn\n\t}\n\tae, nok := parseAccept(v[0])\n\tvar zw zwriter\n\t// Find the first accept-encoding we support. See\n\t// https://www.rfc-editor.org/rfc/rfc9110.html#section-12.5.3 for all the\n\t// semantics.\n\t//\n\t// NB The \"identity\" encoding shouldn't show up in the Content-Encoding\n\t// response header.\n\tfor _, a := range ae {\n\t\tswitch a.Type {\n\t\tcase \"gzip\", \"x-gzip\":\n\t\t\tw.Header().Set(\"content-encoding\", \"gzip\")\n\t\t\tgz := c.gzip.Get().(*gzip.Writer)\n\t\t\tgz.Reset(w)\n\t\t\tdefer c.gzip.Put(gz)\n\t\t\tzw = gz\n\t\tcase \"deflate\":\n\t\t\tw.Header().Set(\"content-encoding\", \"deflate\")\n\t\t\tz := c.flate.Get().(*flate.Writer)\n\t\t\tz.Reset(w)\n\t\t\tdefer c.flate.Put(z)\n\t\t\tzw = z\n\t\tcase \"zstd\":\n\t\t\tw.Header().Set(\"content-encoding\", \"zstd\")\n\t\t\ts := c.zstd.Get().(*zstd.Encoder)\n\t\t\ts.Reset(w)\n\t\t\tdefer c.zstd.Put(s)\n\t\t\tzw = s\n\t\tcase \"identity\":\n\t\t\tw.Header().Set(\"accept-encoding\", acceptable)\n\t\tcase \"*\":\n\t\t\t// If we hit a star, it's technically OK to return any encoding not\n\t\t\t// already specified. So, attempt to use gzip and then identity and\n\t\t\t// give up.\n\t\t\t// Clients that do extremely weird things like\n\t\t\t//\t*;q=1.0, gzip;q=0.1, identity;q=0.1\"\n\t\t\t// deserve extremely weird replies.\n\t\t\t_, gznok := nok[\"gzip\"]\n\t\t\t_, idnok := nok[\"identity\"]\n\t\t\tswitch {\n\t\t\tcase !gznok:\n\t\t\t\tw.Header().Set(\"content-encoding\", \"gzip\")\n\t\t\t\tgz := c.gzip.Get().(*gzip.Writer)\n\t\t\t\tgz.Reset(w)\n\t\t\t\tdefer c.gzip.Put(gz)\n\t\t\t\tzw = gz\n\t\t\tcase !idnok:\n\t\t\t\t// \"Identity\" isn't not OK, so fallthrough.\n\t\t\tdefault:\n\t\t\t\tw.Header().Set(\"accept-encoding\", acceptable)\n\t\t\t\tw.WriteHeader(http.StatusUnsupportedMediaType)\n\t\t\t\treturn\n\t\t\t}\n\t\tdefault:\n\t\t\tcontinue\n\t\t}\n\t\tbreak\n\t}\n\t// Now \"zw\" should be populated if it can be.\n\tif zw == nil {\n\t\tw.Header().Set(\"accept-encoding\", acceptable)\n\t\t// If it's not, we need to make sure identity or \"any\" aren't\n\t\t// disallowed.\n\t\t_, idnok := nok[\"identity\"]\n\t\t_, anynok := nok[\"*\"]\n\t\tif idnok || anynok {\n\t\t\tw.WriteHeader(http.StatusUnsupportedMediaType)\n\t\t\treturn\n\t\t}\n\t\t// Couldn't pick something, fall back to identity.\n\t\tc.next.ServeHTTP(w, r)\n\t\treturn\n\t}\n\t// Do some setup so we can see the error, albeit as a trailer.\n\tconst errHeader = `Clair-Error`\n\tw.Header().Add(\"trailer\", errHeader)\n\tdefer func() {\n\t\tif err := zw.Close(); err != nil {\n\t\t\tw.Header().Add(errHeader, err.Error())\n\t\t}\n\t}()\n\tnext := compressWriter{\n\t\tResponseWriter: w,\n\t\tzwriter: zw,\n\t}\n\tc.next.ServeHTTP(&next, r)\n}\n\n// Acceptable is a preformatted list of acceptable encodings.\nconst acceptable = `zstd, gzip, deflate`\n\n// CompressWriter is compressing http.ResponseWriter that understands the go1.20\n// ResponseController scheme.\ntype compressWriter struct {\n\thttp.ResponseWriter\n\tzwriter\n}\n\ntype zwriter interface {\n\tio.WriteCloser\n\tFlush() error\n}\n\nvar _ http.ResponseWriter = (*compressWriter)(nil)\n\nfunc (c *compressWriter) Unwrap() http.ResponseWriter {\n\treturn c.ResponseWriter\n}\nfunc (c *compressWriter) Write(b []byte) (int, error) {\n\treturn c.zwriter.Write(b)\n}\nfunc (c *compressWriter) FlushError() error {\n\tzFlush := c.zwriter.Flush()\n\thttpFlush := http.NewResponseController(c.ResponseWriter).Flush()\n\tif errors.Is(httpFlush, http.ErrNotSupported) {\n\t\thttpFlush = nil\n\t}\n\treturn errors.Join(zFlush, httpFlush)\n}\n"
},
{
"path": "middleware/compress/handler_test.go",
"content": "package compress\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"sync\"\n\t\"testing\"\n\n\t\"github.com/klauspost/compress/flate\"\n\t\"github.com/klauspost/compress/gzip\"\n\t\"github.com/klauspost/compress/zstd\"\n)\n\nvar (\n\tsetupOnce sync.Once\n\tsetupErr error\n\ttesthandler http.Handler\n\tbody []byte\n)\n\nfunc setupHandler(t *testing.T) {\n\tconst writeSz = 1024 * 1024\n\tsetupOnce.Do(func() {\n\t\tbody = make([]byte, writeSz)\n\t\tif _, err := io.ReadFull(rand.Reader, body); err != nil {\n\t\t\tsetupErr = err\n\t\t\treturn\n\t\t}\n\t\ttesthandler = Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\trd := bytes.NewReader(body)\n\t\t\tif _, err := io.Copy(w, rd); err != nil {\n\t\t\t\tpanic(err)\n\t\t\t}\n\t\t}))\n\t})\n\tif setupErr != nil {\n\t\tt.Fatal(setupErr)\n\t}\n}\n\ntype mkFunc func(io.Reader) (io.ReadCloser, error)\n\nfunc testencoding(t *testing.T, enc string, status int, mk mkFunc) {\n\tt.Helper()\n\tsetupHandler(t)\n\tsrv := httptest.NewServer(testhandler)\n\tt.Cleanup(srv.Close)\n\treq, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL+`/`+enc, nil)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\treq.Header.Set(\"accept-encoding\", enc)\n\tt.Logf(\"Accept-Encoding: %q\", enc)\n\tres, err := srv.Client().Do(req)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tt.Cleanup(func() {\n\t\tif err := res.Body.Close(); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t})\n\tif ce := res.Header.Get(\"content-encoding\"); ce != \"\" {\n\t\tt.Logf(\"Content-Encoding: %q\", ce)\n\t}\n\tif ae := res.Header.Get(\"accept-encoding\"); ae != \"\" {\n\t\tt.Logf(\"Accept-Encoding: %q\", ae)\n\t}\n\tt.Logf(\"got: %s, want: %d %s\", res.Status, status, http.StatusText(status))\n\tif got, want := res.StatusCode, status; got != want {\n\t\tt.Fail()\n\t}\n\tif status != http.StatusOK {\n\t\tt.Log(\"non-200 status expected, skipping body check\")\n\t\treturn\n\t}\n\tz, err := mk(res.Body)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tt.Cleanup(func() {\n\t\tif err := z.Close(); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t})\n\tvar got bytes.Buffer\n\tif _, err := got.ReadFrom(z); err != nil {\n\t\tt.Error(err)\n\t}\n\tif !bytes.Equal(got.Bytes(), body) {\n\t\tt.Error(\"body not correct\")\n\t}\n\tt.Log(\"body OK\")\n}\n\nfunc TestCompressor(t *testing.T) {\n\ttt := []struct {\n\t\tName string\n\t\tEnc string\n\t\tMk mkFunc\n\t\tStatus int\n\t}{\n\t\t{\n\t\t\tName: \"Empty\",\n\t\t\tEnc: ``,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return io.NopCloser(r), nil },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"Identity\",\n\t\t\tEnc: `identity`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return io.NopCloser(r), nil },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"Gzip\",\n\t\t\tEnc: `gzip`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"Deflate\",\n\t\t\tEnc: `deflate`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return flate.NewReader(r), nil },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"Zstd\",\n\t\t\tEnc: `zstd`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) {\n\t\t\t\tz, err := zstd.NewReader(r)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t\treturn z.IOReadCloser(), nil\n\t\t\t},\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t// The examples in the RFC:\n\t\t{\n\t\t\tName: \"RFC9110\",\n\t\t\tEnc: `compress, gzip`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"RFC9110\",\n\t\t\tEnc: ``,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return io.NopCloser(r), nil },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"RFC9110\",\n\t\t\tEnc: `*`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"RFC9110\",\n\t\t\tEnc: `compress;q=0.5, gzip;q=1.0`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"RFC9110\",\n\t\t\tEnc: `gzip;q=1.0, identity; q=0.5, *;q=0`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"OldGzip\",\n\t\t\tEnc: `x-gzip, *;q=0`,\n\t\t\tMk: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },\n\t\t\tStatus: http.StatusOK,\n\t\t},\n\t\t{\n\t\t\tName: \"Unacceptable\",\n\t\t\tEnc: `test, *;q=0`,\n\t\t\tStatus: http.StatusUnsupportedMediaType,\n\t\t},\n\t}\n\n\tfor _, tc := range tt {\n\t\tt.Run(tc.Name, func(t *testing.T) {\n\t\t\ttestencoding(t, tc.Enc, tc.Status, tc.Mk)\n\t\t})\n\t}\n}\n"
},
{
"path": "notifier/amqp/deliverer.go",
"content": "package amqp\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"path\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\tamqp \"github.com/rabbitmq/amqp091-go\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// Deliverer is an AMQP deliverer which publishes a notifier.Callback to the\n// the broker.\n//\n// It's an error to configure this deliverer with an Exchange that does not exist.\n// Administrators should configure the Exchange, Queue, and Bindings before starting\n// this deliverer.\ntype Deliverer struct {\n\tcallback *url.URL\n\tfo failOver\n\troutingKey string\n\texchange config.Exchange\n\trollup int\n\tdirect bool\n}\n\nfunc New(conf *config.AMQP) (*Deliverer, error) {\n\tvar d Deliverer\n\tif err := d.load(conf); err != nil {\n\t\treturn nil, err\n\t}\n\treturn &d, nil\n}\n\nfunc (d *Deliverer) load(conf *config.AMQP) error {\n\tvar err error\n\tif !conf.Direct {\n\t\td.callback, err = url.Parse(conf.Callback)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif conf.TLS != nil {\n\t\td.fo.tls, err = conf.TLS.Config()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// Copy everything else out of the config:\n\td.direct = conf.Direct\n\td.rollup = conf.Rollup\n\td.exchange = conf.Exchange\n\td.routingKey = conf.RoutingKey\n\td.fo.uris = make([]*url.URL, len(conf.URIs))\n\tfor i, u := range conf.URIs {\n\t\td.fo.uris[i], err = url.Parse(u)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\td.fo.exchange = &d.exchange\n\treturn nil\n}\n\nfunc (d *Deliverer) Name() string {\n\treturn fmt.Sprintf(\"amqp-%s\", d.exchange.Name)\n}\n\nfunc (d *Deliverer) Deliver(ctx context.Context, nID uuid.UUID) error {\n\tconn, err := d.fo.Connection(ctx)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\tdefer conn.Close()\n\n\tch, err := conn.Channel()\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\tdefer ch.Close()\n\n\tcallback := *d.callback\n\tcallback.Path = path.Join(callback.Path, nID.String())\n\n\tcb := notifier.Callback{\n\t\tNotificationID: nID,\n\t\tCallback: callback,\n\t}\n\tb, err := json.Marshal(&cb)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\tmsg := amqp.Publishing{\n\t\tContentType: \"application/json\",\n\t\tAppId: \"clairV4-notifier\",\n\t\tBody: b,\n\t}\n\terr = ch.Publish(\n\t\td.exchange.Name,\n\t\td.routingKey,\n\t\tfalse,\n\t\tfalse,\n\t\tmsg,\n\t)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/amqp/deliverer_integration_test.go",
"content": "package amqp\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore/test\"\n\t\"github.com/quay/claircore/test/integration\"\n\tamqp \"github.com/rabbitmq/amqp091-go\"\n\t\"golang.org/x/sync/errgroup\"\n)\n\nconst (\n\tdefaultRabbitMQURI = \"amqp://guest:guest@localhost:5672/\"\n)\n\n// TestDeliverer delivery confirms a notification\n// callback is successfully delivered to the amqp broker.\nfunc TestDeliverer(t *testing.T) {\n\tintegration.Skip(t)\n\tctx := test.Logging(t)\n\tconst (\n\t\tcallback = \"http://clair-notifier/notifier/api/v1/notification\"\n\t)\n\tvar (\n\t\turi = os.Getenv(\"RABBITMQ_CONNECTION_STRING\")\n\t\tqueueAndKey = uuid.New().String()\n\t\t// our test assumes a default exchange\n\t\tconf = config.AMQP{\n\t\t\tCallback: callback,\n\t\t\tExchange: config.Exchange{\n\t\t\t\tName: \"\",\n\t\t\t\tType: \"direct\",\n\t\t\t\tDurable: true,\n\t\t\t\tAutoDelete: false,\n\t\t\t},\n\t\t\tRoutingKey: queueAndKey,\n\t\t}\n\t)\n\tif uri == \"\" {\n\t\turi = defaultRabbitMQURI\n\t}\n\tt.Logf(\"using uri: %q\", uri)\n\n\tconf.URIs = []string{\n\t\t// give a few bogus URIs to confirm failover mechanisms are working\n\t\t\"amqp://guest:guest@nohost1:5672/\",\n\t\t\"amqp://guest:guest@nohost2:5672/\",\n\t\t\"amqp://guest:guest@nohost3:5672/\",\n\t\turi,\n\t}\n\n\tconn, err := amqp.Dial(uri)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to connect to broker at %v: %v\", uri, err)\n\t}\n\tdefer conn.Close()\n\n\tch, err := conn.Channel()\n\tif err != nil {\n\t\tt.Fatalf(\"failed to obtain channel from broker %v: %v\", uri, err)\n\t}\n\tdefer ch.Close()\n\n\t// this queue will autobind to the default \"direct\" exchange\n\t// and the queue name may be used as the routing key.\n\t_, err = ch.QueueDeclare(\n\t\tqueueAndKey,\n\t\ttrue,\n\t\tfalse,\n\t\tfalse,\n\t\tfalse,\n\t\tnil,\n\t)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to declare queue: %v\", err)\n\t}\n\n\t// test parallel usage\n\tg := errgroup.Group{}\n\tfor i := 0; i < 4; i++ {\n\t\tg.Go(func() error {\n\t\t\tnoteID := uuid.New()\n\t\t\td, err := New(&conf)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"could not create deliverer: %v\", err)\n\t\t\t}\n\t\t\t// we simply need to check for an error. amqp\n\t\t\t// will error if message cannot be delivered to broker\n\t\t\terr = d.Deliver(ctx, noteID)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to deliver message: %v\", err)\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t}\n\tif err := g.Wait(); err != nil {\n\t\tt.Fatalf(\"test failed: %v\", err)\n\t}\n\n\t// create consumer\n\tconsumerConn, err := amqp.Dial(uri)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create consumer connection: %v\", err)\n\t}\n\tdefer consumerConn.Close()\n\n\tconsumerCh, err := consumerConn.Channel()\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create consumer channel: %v\", err)\n\t}\n\tdefer consumerCh.Close()\n\n\tmsgs, err := consumerCh.Consume(\n\t\tqueueAndKey,\n\t\t\"test\",\n\t\tfalse,\n\t\tfalse,\n\t\tfalse,\n\t\tfalse,\n\t\tnil,\n\t)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to start consuming messages: %v\", err)\n\t}\n\n\t// read messages\n\tfor i := 0; i < 4; i++ {\n\t\tm := <-msgs\n\t\tif m.ContentType != \"application/json\" {\n\t\t\tt.Errorf(\"msg content type mismatch: expected %s, got %s\", \"application/json\", m.ContentType)\n\t\t}\n\t\tif m.AppId != \"clairV4-notifier\" {\n\t\t\tt.Errorf(\"msg app ID mismatch: expected %s, got %s\", \"clairV4-notifier\", m.AppId)\n\t\t}\n\t\tvar msgBody map[string]string\n\t\tif err = json.Unmarshal(m.Body, &msgBody); err != nil {\n\t\t\tt.Errorf(\"cannot unmarshall msg body into map: %v\", err)\n\t\t}\n\t\tnid, ok := msgBody[\"notification_id\"]\n\t\tif !ok {\n\t\t\tt.Errorf(\"cannot find \\\"notification_id\\\" key in msg body\")\n\t\t}\n\t\tcb, ok := msgBody[\"callback\"]\n\t\tif !ok {\n\t\t\tt.Errorf(\"cannot find \\\"callback\\\" key in msg body\")\n\t\t}\n\t\tif cb != fmt.Sprintf(\"%s/%s\", callback, nid) {\n\t\t\tt.Errorf(\"callback mismatch: expected: %s, got %s\", fmt.Sprintf(\"%s/%s\", callback, nid), cb)\n\t\t}\n\t\tm.Ack(false)\n\t}\n\n\t// check if msgs channel is empty\n\tselect {\n\tcase m := <-msgs:\n\t\tt.Fatalf(\"there is still msg in msgs channel: %#v\", m)\n\tcase <-time.After(1 * time.Millisecond): // no msg found, as expected\n\t}\n}\n"
},
{
"path": "notifier/amqp/directdeliverer.go",
"content": "package amqp\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\tamqp \"github.com/rabbitmq/amqp091-go\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// DirectDeliverer is an AMQP deliverer which publishes notifications\n// directly to the broker.\n//\n// It's an error to configure this deliverer with an exchange that does not exist.\n// Administrators should configure the Exchange, Queue, and Bindings before starting\n// this deliverer.\ntype DirectDeliverer struct {\n\tn []notifier.Notification\n\tDeliverer\n}\n\nfunc NewDirectDeliverer(conf *config.AMQP) (*DirectDeliverer, error) {\n\tvar d DirectDeliverer\n\tif err := d.load(conf); err != nil {\n\t\treturn nil, err\n\t}\n\td.n = make([]notifier.Notification, 0, 1024)\n\treturn &d, nil\n}\n\nfunc (d *DirectDeliverer) Name() string {\n\treturn fmt.Sprintf(\"amqp-direct-%s\", d.exchange.Name)\n}\n\n// Notifications will copy the provided notifications into a buffer for AMQP\n// delivery.\nfunc (d *DirectDeliverer) Notifications(ctx context.Context, n []notifier.Notification) error {\n\t// if we can reslice instead of allocate do so.\n\tif len(n) <= len(d.n) {\n\t\td.n = d.n[:len(n)]\n\t\tcopy(d.n, n)\n\t\treturn nil\n\t}\n\ttmp := make([]notifier.Notification, len(n))\n\tcopy(tmp, n)\n\td.n = tmp\n\treturn nil\n}\n\nfunc (d *DirectDeliverer) Deliver(ctx context.Context, _ uuid.UUID) error {\n\tconn, err := d.fo.Connection(ctx)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\tdefer conn.Close()\n\n\tch, err := conn.Channel()\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\tdefer ch.Close()\n\n\terr = ch.Tx()\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\t// TODO: can tx.Rollback be safely defered?\n\n\t// block loop publishing smaller blocks of max(rollup) length via reslicing.\n\trollup := d.rollup\n\tif rollup == 0 {\n\t\trollup++\n\t}\n\n\tvar buf bytes.Buffer\n\tenc := json.NewEncoder(&buf)\n\tvar currentBlock []notifier.Notification\n\tfor bs, be := 0, rollup; bs < len(d.n); bs, be = be, be+rollup {\n\t\tbuf.Reset()\n\t\t// if block-end exceeds array bounds, slice block underflow.\n\t\t// next block-start will cause loop to exit.\n\t\tif be > len(d.n) {\n\t\t\tbe = len(d.n)\n\t\t}\n\n\t\tcurrentBlock = d.n[bs:be]\n\t\terr := enc.Encode(¤tBlock)\n\t\tif err != nil {\n\t\t\tch.TxRollback()\n\t\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t\t}\n\t\tmsg := amqp.Publishing{\n\t\t\tContentType: \"application/json\",\n\t\t\tAppId: \"clairV4-notifier\",\n\t\t\tBody: buf.Bytes(),\n\t\t}\n\t\terr = ch.Publish(\n\t\t\td.exchange.Name,\n\t\t\td.routingKey,\n\t\t\tfalse,\n\t\t\tfalse,\n\t\t\tmsg,\n\t\t)\n\t\tif err != nil {\n\t\t\tch.TxRollback()\n\t\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t\t}\n\t}\n\n\terr = ch.TxCommit()\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/amqp/directdeliverer_integration_test.go",
"content": "package amqp\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/test\"\n\t\"github.com/quay/claircore/test/integration\"\n\tamqp \"github.com/rabbitmq/amqp091-go\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// TestDirectDeliverer confirms delivery of notifications directly\n// to the AMQP queue with rollup works correctly.\nfunc TestDirectDeliverer(t *testing.T) {\n\tintegration.Skip(t)\n\tctx := test.Logging(t)\n\t// test start\n\ttable := []struct {\n\t\tname string\n\t\trollup int\n\t\tnotes int\n\t\texpectedMsgs int\n\t}{\n\t\t{\n\t\t\tname: \"0\",\n\t\t\trollup: 0,\n\t\t\tnotes: 1,\n\t\t\texpectedMsgs: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"1\",\n\t\t\trollup: 1,\n\t\t\tnotes: 5,\n\t\t\texpectedMsgs: 5,\n\t\t},\n\t\t{\n\t\t\tname: \"RollupOverflow\",\n\t\t\trollup: 10,\n\t\t\tnotes: 5,\n\t\t\texpectedMsgs: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"Odds\",\n\t\t\trollup: 3,\n\t\t\tnotes: 7,\n\t\t\texpectedMsgs: 3,\n\t\t},\n\t\t{\n\t\t\tname: \"OddsRollup\",\n\t\t\trollup: 3,\n\t\t\tnotes: 8,\n\t\t\texpectedMsgs: 3,\n\t\t},\n\t\t{\n\t\t\tname: \"OddsNotes\",\n\t\t\trollup: 4,\n\t\t\tnotes: 7,\n\t\t\texpectedMsgs: 2,\n\t\t},\n\t\t{\n\t\t\tname: \"Large\",\n\t\t\trollup: 100,\n\t\t\tnotes: 1000,\n\t\t\texpectedMsgs: 10,\n\t\t},\n\t}\n\n\turi := os.Getenv(\"RABBITMQ_CONNECTION_STRING\")\n\tif uri == \"\" {\n\t\turi = defaultRabbitMQURI\n\t}\n\tt.Logf(\"using uri: %q\", uri)\n\tconn, err := amqp.Dial(uri)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to connect to broker at %v: %v\", uri, err)\n\t}\n\tdefer conn.Close()\n\t// our test assumes a default exchange\n\texchange := config.Exchange{\n\t\tName: \"\",\n\t\tType: \"direct\",\n\t\tDurable: true,\n\t\tAutoDelete: false,\n\t}\n\tfor _, tt := range table {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tctx := test.Logging(t, ctx)\n\t\t\t// rabbitmq queue declare\n\n\t\t\tqueueAndKey := tt.name + \"-\" + uuid.New().String()\n\n\t\t\tch, err := conn.Channel()\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to obtain channel from broker %v: %v\", uri, err)\n\t\t\t}\n\t\t\tdefer ch.Close()\n\t\t\t// this queue will autobind to the default \"direct\" exchange\n\t\t\t// and the queue name may be used as the routing key.\n\t\t\t_, err = ch.QueueDeclare(\n\t\t\t\tqueueAndKey,\n\t\t\t\ttrue,\n\t\t\t\tfalse,\n\t\t\t\tfalse,\n\t\t\t\tfalse,\n\t\t\t\tnil,\n\t\t\t)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to declare queue: %v\", err)\n\t\t\t}\n\n\t\t\t// deliverer test\n\t\t\tconf := config.AMQP{\n\t\t\t\tDirect: true,\n\t\t\t\tRollup: tt.rollup,\n\t\t\t\t// values come from rabbitmq setup\n\t\t\t\tRoutingKey: queueAndKey,\n\t\t\t\tExchange: exchange,\n\t\t\t\tURIs: []string{\n\t\t\t\t\t// give a few bogus URIs to confirm failover mechanisms are working\n\t\t\t\t\t\"amqp://guest:guest@nohost1:5672/\",\n\t\t\t\t\t\"amqp://guest:guest@nohost2:5672/\",\n\t\t\t\t\t\"amqp://guest:guest@nohost3:5672/\",\n\t\t\t\t\turi,\n\t\t\t\t},\n\t\t\t}\n\n\t\t\tnoteID := uuid.New()\n\t\t\tnotes := make([]notifier.Notification, 0, tt.notes)\n\t\t\tfor i := 0; i < tt.notes; i++ {\n\t\t\t\tnotes = append(notes, notifier.Notification{\n\t\t\t\t\tID: uuid.New(),\n\t\t\t\t\tManifest: claircore.MustParseDigest(\"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\"),\n\t\t\t\t\tReason: notifier.Added,\n\t\t\t\t\tVulnerability: notifier.VulnSummary{\n\t\t\t\t\t\tDescription: fmt.Sprintf(\"test-vuln-%d\", i),\n\t\t\t\t\t},\n\t\t\t\t})\n\t\t\t}\n\n\t\t\t// test parallel usage\n\t\t\tg := errgroup.Group{}\n\t\t\tfor i := 0; i < 4; i++ {\n\t\t\t\tg.Go(func() error {\n\t\t\t\t\td, err := NewDirectDeliverer(&conf)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"could not create deliverer: %v\", err)\n\t\t\t\t\t}\n\t\t\t\t\terr = d.Notifications(ctx, notes)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to provide notifications to direct deliverer: %v\", err)\n\t\t\t\t\t}\n\t\t\t\t\t// we simply need to check for an error. rabbitmq\n\t\t\t\t\t// will error if message cannot be delivered to broker\n\t\t\t\t\terr = d.Deliver(ctx, noteID)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to deliver message: %v\", err)\n\t\t\t\t\t}\n\t\t\t\t\treturn nil\n\t\t\t\t})\n\t\t\t}\n\t\t\tif err := g.Wait(); err != nil {\n\t\t\t\tt.Fatalf(\"test failed: %v\", err)\n\t\t\t}\n\n\t\t\t// create consumer\n\t\t\tconsumerConn, err := amqp.Dial(uri)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to create consumer connection: %v\", err)\n\t\t\t}\n\t\t\tdefer consumerConn.Close()\n\n\t\t\tconsumerCh, err := consumerConn.Channel()\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to create consumer channel: %v\", err)\n\t\t\t}\n\t\t\tdefer consumerCh.Close()\n\n\t\t\tmsgs, err := consumerCh.Consume(\n\t\t\t\tqueueAndKey,\n\t\t\t\t\"test\",\n\t\t\t\tfalse,\n\t\t\t\tfalse,\n\t\t\t\tfalse,\n\t\t\t\tfalse,\n\t\t\t\tnil,\n\t\t\t)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to start consuming messages: %v\", err)\n\t\t\t}\n\n\t\t\t// read messages\n\t\t\ttotalExpectedMsgs := tt.expectedMsgs * 4\n\t\t\tfor i := 0; i < totalExpectedMsgs; i++ {\n\t\t\t\tm := <-msgs\n\t\t\t\tif m.ContentType != \"application/json\" {\n\t\t\t\t\tt.Errorf(\"msg content type mismatch: expected %s, got %s\", \"application/json\", m.ContentType)\n\t\t\t\t}\n\t\t\t\tif m.AppId != \"clairV4-notifier\" {\n\t\t\t\t\tt.Errorf(\"msg app ID mismatch: expected %s, got %s\", \"clairV4-notifier\", m.AppId)\n\t\t\t\t}\n\t\t\t\tvar msgBody []notifier.Notification\n\t\t\t\tif err = json.Unmarshal(m.Body, &msgBody); err != nil {\n\t\t\t\t\tt.Errorf(\"cannot unmarshall msg body into slice of notifications: %v\", err)\n\t\t\t\t}\n\t\t\t\trollup := tt.rollup\n\t\t\t\tif tt.rollup == 0 {\n\t\t\t\t\trollup++\n\t\t\t\t}\n\t\t\t\tif len(msgBody) > rollup {\n\t\t\t\t\tt.Errorf(\"found more notifications in msg than expected: rollup %d, got %d\", rollup, len(msgBody))\n\t\t\t\t}\n\t\t\t\tm.Ack(false)\n\t\t\t}\n\n\t\t\t// check if msgs channel is empty\n\t\t\tselect {\n\t\t\tcase <-msgs:\n\t\t\t\tt.Fatal(\"there is still msg in msgs channel\")\n\t\t\tcase <-time.After(1 * time.Millisecond): // no msg found, as expected\n\t\t\t}\n\t\t})\n\t}\n}\n"
},
{
"path": "notifier/amqp/doc.go",
"content": "// Package amqp implements a [Deliverer] over the AMQP protocol.\n//\n// Deprecated: This package will be removed in a future version. Users should\n// write a webhook to AMQP transducer.\npackage amqp\n"
},
{
"path": "notifier/amqp/failover.go",
"content": "package amqp\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net/url\"\n\t\"sync\"\n\n\t\"github.com/quay/clair/config\"\n\tamqp \"github.com/rabbitmq/amqp091-go\"\n)\n\n// failOver will return the first successful connection made against the provided\n// brokers, or an existing connection if not closed.\n//\n// failOver is safe for concurrent usage.\ntype failOver struct {\n\tsync.RWMutex\n\tconn *amqp.Connection\n\ttls *tls.Config\n\texchange *config.Exchange\n\turis []*url.URL\n}\n\n// Connection returns an AMQP connection to the first broker which successfully\n// handshakes.\nfunc (f *failOver) Connection(ctx context.Context) (*amqp.Connection, error) {\n\tf.RLock()\n\tif f.conn != nil && !f.conn.IsClosed() {\n\t\tslog.DebugContext(ctx, \"reusing connection\", \"address\", f.conn.LocalAddr())\n\t\tf.RUnlock()\n\t\treturn f.conn, nil\n\t}\n\tf.RUnlock()\n\n\tfor _, uri := range f.uris {\n\t\tlog := slog.With(\"broker\", uri)\n\t\t// safe to always call DialTLS per docs:\n\t\t// 'DialTLS will use the provided tls.Config when it encounters an amqps:// scheme and will dial a plain connection when it encounters an amqp:// scheme.'\n\t\tconn, err := amqp.DialTLS(uri.String(), f.tls)\n\t\tif err != nil {\n\t\t\tif conn != nil {\n\t\t\t\tconn.Close()\n\t\t\t}\n\t\t\tlog.InfoContext(ctx, \"failed to connect to AMQP broker; attempting next broker\",\n\t\t\t\t\"reason\", err)\n\t\t\tcontinue\n\t\t}\n\t\tch, err := conn.Channel()\n\t\tif err != nil {\n\t\t\tif conn != nil {\n\t\t\t\tconn.Close()\n\t\t\t}\n\t\t\tlog.InfoContext(ctx, \"could not obtain initial AMQP channel; attempting next broker\",\n\t\t\t\t\"reason\", err)\n\t\t\tcontinue\n\t\t}\n\t\t// if the name is \"\" it's the default exchange which\n\t\t// cannot be declared.\n\t\tif f.exchange.Name != \"\" {\n\t\t\terr = ch.ExchangeDeclarePassive(\n\t\t\t\tf.exchange.Name,\n\t\t\t\tf.exchange.Type,\n\t\t\t\tf.exchange.Durable,\n\t\t\t\tf.exchange.AutoDelete,\n\t\t\t\t// these will not be considered in a passive declare\n\t\t\t\tfalse,\n\t\t\t\tfalse,\n\t\t\t\tnil,\n\t\t\t)\n\t\t\tif err != nil {\n\t\t\t\tif conn != nil {\n\t\t\t\t\tconn.Close()\n\t\t\t\t}\n\t\t\t\tlog.InfoContext(ctx, \"could not declare AMQP exchange; attempting next broker\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tch.Close()\n\n\t\tf.Lock()\n\t\tdefer f.Unlock()\n\t\t// only set our connection if its necessary still\n\t\t// if not close the conn to ensure no leak occurs\n\t\tif f.conn == nil || f.conn.IsClosed() {\n\t\t\tf.conn = conn\n\t\t} else {\n\t\t\tconn.Close()\n\t\t}\n\t\treturn f.conn, nil\n\t}\n\treturn nil, fmt.Errorf(\"all failover URIs failed to connect\")\n}\n"
},
{
"path": "notifier/callback.go",
"content": "package notifier\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/url\"\n\n\t\"github.com/google/uuid\"\n)\n\n// Callback holds the details for clients to call back the Notifier\n// and receive notifications.\ntype Callback struct {\n\tNotificationID uuid.UUID `json:\"notification_id\"`\n\tCallback url.URL `json:\"callback\"`\n}\n\nfunc (cb Callback) MarshalJSON() ([]byte, error) {\n\tvar m = map[string]string{\n\t\t\"notification_id\": cb.NotificationID.String(),\n\t\t\"callback\": cb.Callback.String(),\n\t}\n\treturn json.Marshal(m)\n}\n\nfunc (cb *Callback) UnmarshalJSON(b []byte) error {\n\tvar m = make(map[string]string, 2)\n\terr := json.Unmarshal(b, &m)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, ok := m[\"notification_id\"]; !ok {\n\t\treturn fmt.Errorf(\"json unmarshal failed. webhook requires a \\\"notification_id\\\" field\")\n\t}\n\tif _, ok := m[\"callback\"]; !ok {\n\t\treturn fmt.Errorf(\"json unmarshal failed. webhook requires a \\\"callback\\\" field\")\n\t}\n\n\tuid, err := uuid.Parse(m[\"notification_id\"])\n\tif err != nil {\n\t\treturn fmt.Errorf(\"json unmarshal failed. malformed notification uuid: %v\", err)\n\t}\n\tcbURL, err := url.Parse(m[\"callback\"])\n\tif err != nil {\n\t\treturn fmt.Errorf(\"json unmarshal failed. malformed callback url: %v\", err)\n\t}\n\n\t(*cb).NotificationID = uid\n\t(*cb).Callback = *cbURL\n\treturn nil\n}\n"
},
{
"path": "notifier/callback_test.go",
"content": "package notifier\n\nimport (\n\t\"encoding/json\"\n\t\"net/url\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/uuid\"\n)\n\nfunc TestCallbackSerializtion(t *testing.T) {\n\tvar want = []byte(`{\"callback\":\"https://example.com\",\"notification_id\":\"00000000-0000-0000-0000-000000000000\"}`)\n\tcb := Callback{\n\t\tNotificationID: uuid.Nil,\n\t}\n\tu, err := url.Parse(\"https://example.com\")\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tcb.Callback = *u\n\tgot, err := json.Marshal(&cb)\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tif !cmp.Equal(got, want) {\n\t\tt.Error(cmp.Diff(got, want))\n\t}\n\n\tvar rt Callback\n\tif err := json.Unmarshal(want, &rt); err != nil {\n\t\tt.Error(err)\n\t}\n\tgot, err = json.Marshal(&rt)\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tif !cmp.Equal(got, want) {\n\t\tt.Error(cmp.Diff(got, want))\n\t}\n}\n"
},
{
"path": "notifier/deliverer.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n)\n\n// Deliverer provides the method set for delivering notifications\ntype Deliverer interface {\n\t// A unique name for the deliverer implementation\n\tName() string\n\t// Deliver will push the notification ID to subscribed clients.\n\t//\n\t// If delivery fails a clairerror.ErrDeliveryFailed error must be returned.\n\tDeliver(ctx context.Context, nID uuid.UUID) error\n}\n\n// DirectDeliverer implementations are used in coordination with the Deliverer interface.\n//\n// DirectDeliverer(s) expect this method to be called prior to their Deliverer methods.\n// Implementations must still implement both Deliverer and DirectDeliverer methods for correct use.\n//\n// Implementations will be provided a list of notifications in which they can directly deliver to subscribed\n// clients.\ntype DirectDeliverer interface {\n\tNotifications(ctx context.Context, n []Notification) error\n}\n"
},
{
"path": "notifier/delivery.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"log/slog\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n)\n\n// Delivery handles the business logic of delivering\n// notifications.\ntype Delivery struct {\n\t// a Deliverer implementation to invoke.\n\tDeliverer Deliverer\n\t// a store to retrieve notifications and update their receipts\n\tstore Store\n\t// distributed lock used for mutual exclusion\n\tlocks Locker\n\t// the interval at which we will attempt delivery of notifications.\n\tinterval time.Duration\n}\n\nfunc NewDelivery(store Store, l Locker, d Deliverer, interval time.Duration) *Delivery {\n\treturn &Delivery{\n\t\tDeliverer: d,\n\t\tinterval: interval,\n\t\tstore: store,\n\t\tlocks: l,\n\t}\n}\n\n// Deliver begins delivering notifications.\n//\n// Canceling the ctx will end delivery.\nfunc (d *Delivery) Deliver(ctx context.Context) error {\n\tslog.InfoContext(ctx, \"delivering notifications\")\n\n\tticker := time.NewTicker(d.interval)\n\tdefer ticker.Stop()\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn ctx.Err()\n\t\tcase <-ticker.C:\n\t\t\tslog.DebugContext(ctx, \"delivery tick\")\n\t\t\tif err := d.RunDelivery(ctx); err != nil {\n\t\t\t\tslog.WarnContext(ctx, \"encountered error on tick\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t}\n\t\t}\n\t}\n}\n\n// RunDelivery determines notifications to deliver and\n// calls the implemented Deliverer to perform the actions.\nfunc (d *Delivery) RunDelivery(ctx context.Context) error {\n\ttoDeliver := []uuid.UUID{}\n\t// get created\n\tcreated, err := d.store.Created(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif sz := len(created); sz != 0 {\n\t\tslog.InfoContext(ctx, \"notification ids in created status\",\n\t\t\t\"created\", sz)\n\t\ttoDeliver = append(toDeliver, created...)\n\t}\n\n\t// get failed\n\tfailed, err := d.store.Failed(ctx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif sz := len(failed); sz != 0 {\n\t\tslog.InfoContext(ctx, \"notification ids in failed status\",\n\t\t\t\"failed\", sz)\n\t\ttoDeliver = append(toDeliver, failed...)\n\t}\n\n\tfor _, nID := range toDeliver {\n\t\tvar err error\n\t\tctx, done := d.locks.TryLock(ctx, nID.String())\n\t\tif ok := ctx.Err(); !errors.Is(ok, nil) {\n\t\t\tslog.DebugContext(ctx, \"unable to get lock\",\n\t\t\t\t\"reason\", ok,\n\t\t\t\t\"notification_id\", nID)\n\t\t} else {\n\t\t\terr = d.do(ctx, nID)\n\t\t}\n\t\tdone()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// do performs the delivery of notifications via the composed\n// deliverer\n//\n// do's actions should be performed under a distributed lock.\nfunc (d *Delivery) do(ctx context.Context, nID uuid.UUID) error {\n\t// if we have a direct deliverer provide the notifications to it.\n\tif dd, ok := d.Deliverer.(DirectDeliverer); ok {\n\t\tslog.DebugContext(ctx, \"providing direct deliverer notifications\")\n\t\tnotifications, _, err := d.store.Notifications(ctx, nID, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = dd.Notifications(ctx, notifications)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// deliver the notification\n\terr := d.Deliverer.Deliver(ctx, nID)\n\tif err != nil {\n\t\tvar dErr clairerror.ErrDeliveryFailed\n\t\tif errors.As(err, &dErr) {\n\t\t\t// OK for this to fail, notification will stay in Created status.\n\t\t\t// store is failing, lets back off it tho until next tick.\n\t\t\tslog.InfoContext(ctx, \"failed to deliver notifications\")\n\t\t\terr := d.store.SetDeliveryFailed(ctx, nID)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\treturn err\n\t}\n\terr = d.store.SetDelivered(ctx, nID)\n\tif err != nil {\n\t\t// the message was delivered, but we can't ack this in our db\n\t\t// it will be delivered again unless deleted before next interval\n\t\treturn err\n\t}\n\n\t// if we successfully performed direct delivery\n\t// we can delete notification id\n\tif _, ok := d.Deliverer.(DirectDeliverer); ok {\n\t\terr := d.store.SetDeleted(ctx, nID)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tslog.InfoContext(ctx, \"successfully delivered notifications\")\n\treturn nil\n}\n"
},
{
"path": "notifier/locker.go",
"content": "package notifier\n\nimport \"context\"\n\n// Locker is any context-based locking API.\ntype Locker interface {\n\tTryLock(context.Context, string) (context.Context, context.CancelFunc)\n\tLock(context.Context, string) (context.Context, context.CancelFunc)\n\tClose(context.Context) error\n}\n"
},
{
"path": "notifier/migrations/01-init.sql",
"content": "--- an identity table for notifications\nCREATE TABLE IF NOT EXISTS notification (\n id uuid PRIMARY KEY\n);\n\n--- a relation expressing the latest update operation\n--- processed for a given updater name\nCREATE TABLE IF NOT EXISTS notifier_update_operation (\n uo_id uuid PRIMARY KEY,\n updater text,\n ts timestamptz\n);\n\n--- a relation mapping notifications to their serialized json bodies\nCREATE TABLE IF NOT EXISTS notification_body (\n id uuid PRIMARY KEY,\n notification_id uuid REFERENCES notification,\n body jsonb NOT NULL -- serialized json body of notification\n);\n\nCREATE INDEX notification_body_idx ON notification_body (notification_id, id);\n\n--- an enumeration identifying the possible status a receipt may be in\nCREATE TYPE receiptstatus AS ENUM (\n 'created',\n 'delivered',\n 'delivery_failed',\n 'deleted'\n);\n\n--- a relation expressing the current status of a notification\n--- this acts as a trigger for application business logic\nCREATE TABLE IF NOT EXISTS receipt (\n notification_id uuid PRIMARY KEY REFERENCES notification,\n uo_id uuid REFERENCES notifier_update_operation (uo_id),\n status receiptstatus NOT NULL,\n ts timestamptz,\n details jsonb -- any additional details specific to the delivery mechanism\n);\n\nCREATE INDEX receipt_idx ON receipt (notification_id, uo_id);\n\n--- a relation holding a pub_key in PKIX, ASN.1 DER form\n--- expiration is application defined and not associated with the public key\nCREATE TABLE IF NOT EXISTS key (\n id uuid PRIMARY KEY,\n expiration timestamptz,\n pub_key bytea\n);\n\n"
},
{
"path": "notifier/migrations/02-constraints.sql",
"content": "ALTER TABLE notification_body\n DROP CONSTRAINT notification_body_notification_id_fkey,\n ADD CONSTRAINT notification_body_notification_id_fkey FOREIGN KEY (notification_id) REFERENCES notification (id) ON DELETE CASCADE;\n\n"
},
{
"path": "notifier/migrations/03-constraints.sql",
"content": "ALTER TABLE receipt\n DROP CONSTRAINT receipt_notification_id_fkey,\n DROP CONSTRAINT receipt_uo_id_fkey,\n ADD CONSTRAINT receipt_notification_id_fkey FOREIGN KEY (notification_id) REFERENCES notification (id) ON DELETE CASCADE,\n ADD CONSTRAINT receipt_uo_id_fkey FOREIGN KEY (uo_id) REFERENCES notifier_update_operation (uo_id) ON DELETE CASCADE;\n\n"
},
{
"path": "notifier/migrations/04-drop-key.sql",
"content": "-- Drop the key table, as all of its users have been removed.\nDROP TABLE key;\n\n"
},
{
"path": "notifier/migrations/migrations.go",
"content": "package migrations\n\nimport (\n\t\"database/sql\"\n\t\"embed\"\n\n\t\"github.com/remind101/migrate\"\n)\n\n//go:embed *.sql\nvar fs embed.FS\n\nfunc runFile(n string) func(*sql.Tx) error {\n\tb, err := fs.ReadFile(n)\n\treturn func(tx *sql.Tx) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif _, err := tx.Exec(string(b)); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t}\n}\n\nconst MigrationTable = \"notifier_migrations\"\n\nvar Migrations = []migrate.Migration{\n\t{\n\t\tID: 1,\n\t\tUp: runFile(\"01-init.sql\"),\n\t},\n\t{\n\t\tID: 2,\n\t\tUp: runFile(\"02-constraints.sql\"),\n\t},\n\t{\n\t\tID: 3,\n\t\tUp: runFile(\"03-constraints.sql\"),\n\t},\n\t// This can be uncommented once 4.4 is released and 4.1 is gone.\n\t/*\n\t\t{\n\t\t\tID: 4,\n\t\t\tUp: runFile(\"04-drop-key.sql\"),\n\t\t},\n\t*/\n}\n"
},
{
"path": "notifier/mockstore.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n)\n\n// MockStore implements a mock Store.\ntype MockStore struct {\n\tNotifications_ func(ctx context.Context, id uuid.UUID, page *Page) ([]Notification, Page, error)\n\tPutNotifications_ func(ctx context.Context, opts PutOpts) error\n\tPutReceipt_ func(ctx context.Context, updater string, r Receipt) error\n\tCollectNotitfications_ func(ctx context.Context) error\n\tReceipt_ func(ctx context.Context, id uuid.UUID) (Receipt, error)\n\tReceiptByUOID_ func(ctx context.Context, id uuid.UUID) (Receipt, error)\n\tCreated_ func(ctx context.Context) ([]uuid.UUID, error)\n\tFailed_ func(ctx context.Context) ([]uuid.UUID, error)\n\tDeleted_ func(ctx context.Context) ([]uuid.UUID, error)\n\tSetDelivered_ func(ctx context.Context, id uuid.UUID) error\n\tSetDeliveredFailed_ func(ctx context.Context, id uuid.UUID) error\n\tSetDeleted_ func(ctx context.Context, id uuid.UUID) error\n}\n\n// Notifications retrieves the list of notifications associated with a\n// notification id\nfunc (m *MockStore) Notifications(ctx context.Context, id uuid.UUID, page *Page) ([]Notification, Page, error) {\n\treturn m.Notifications_(ctx, id, page)\n}\n\n// PutNotifications persists the provided notifications and associates\n// them with the provided notification id\n//\n// PutNotifications must update the latest update operation for the provided\n// updater in such a way that UpdateOperation returns the provided update\n// operation id when queried with the updater name\n//\n// PutNotifications must create a Receipt with status created status on\n// successful persistence of notifications in such a way that Receipter.Created()\n// returns the persisted notification id.\nfunc (m *MockStore) PutNotifications(ctx context.Context, opts PutOpts) error {\n\treturn m.PutNotifications_(ctx, opts)\n}\n\n// PutReceipt allows for the caller to directly add a receipt to the store\n// without notifications being created.\n//\n// After this method returns all methods on the Receipter interface must work accordingly.\nfunc (m *MockStore) PutReceipt(ctx context.Context, updater string, r Receipt) error {\n\treturn m.PutReceipt_(ctx, updater, r)\n}\n\n// CollectNotifications garbage collects all notifications.\nfunc (m *MockStore) CollectNotifications(ctx context.Context) error {\n\treturn m.CollectNotitfications_(ctx)\n}\n\n// Receipt returns the Receipt for a given notification id\nfunc (m *MockStore) Receipt(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\treturn m.Receipt_(ctx, id)\n}\n\n// ReceiptByUOID returns the Receipt for a given UOID\nfunc (m *MockStore) ReceiptByUOID(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\treturn m.ReceiptByUOID_(ctx, id)\n}\n\n// Created returns a slice of notification ids in created status\nfunc (m *MockStore) Created(ctx context.Context) ([]uuid.UUID, error) {\n\treturn m.Created_(ctx)\n}\n\n// Failed returns a slice of notification ids in failed status\nfunc (m *MockStore) Failed(ctx context.Context) ([]uuid.UUID, error) {\n\treturn m.Failed_(ctx)\n}\n\n// Deleted returns a slice of notification ids in deleted status\nfunc (m *MockStore) Deleted(ctx context.Context) ([]uuid.UUID, error) {\n\treturn m.Deleted_(ctx)\n}\n\n// SetDelivered marks the provided notification id as delivered\nfunc (m *MockStore) SetDelivered(ctx context.Context, id uuid.UUID) error {\n\treturn m.SetDelivered_(ctx, id)\n}\n\n// SetDeliveryFailed marks the provided notification id failed to be delivere\nfunc (m *MockStore) SetDeliveryFailed(ctx context.Context, id uuid.UUID) error {\n\treturn m.SetDeliveredFailed_(ctx, id)\n}\n\n// SetDeleted marks the provided notification id as deleted\nfunc (m *MockStore) SetDeleted(ctx context.Context, id uuid.UUID) error {\n\treturn m.SetDeleted_(ctx, id)\n}\n"
},
{
"path": "notifier/notification.go",
"content": "package notifier\n\nimport (\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n)\n\n// Reason indicates the catalyst for a notification.\ntype Reason string\n\nconst (\n\tAdded Reason = \"added\"\n\tRemoved Reason = \"removed\"\n\tChanged Reason = \"changed\"\n)\n\n// Notification summarizes a change in the vulnerabilities affecting a manifest.\n//\n// The mentioned Vulnerability will be the most severe vulnerability discovered\n// in an update operation.\n//\n// Receiving clients are expected to filter notifications by severity in such a\n// way that they receive all vulnerabilities at or above a particular\n// claircore.Severity level.\ntype Notification struct {\n\tID uuid.UUID `json:\"id\"`\n\tManifest claircore.Digest `json:\"manifest\"`\n\tReason Reason `json:\"reason\"`\n\tVulnerability VulnSummary `json:\"vulnerability\"`\n}\n"
},
{
"path": "notifier/notificationhandle.go",
"content": "package notifier\n\nimport \"github.com/google/uuid\"\n\n// NotificationHandle is a handle a client may use to\n// retrieve a list of associated notification models\ntype NotificationHandle struct {\n\tID uuid.UUID `json:\"id\"`\n}\n"
},
{
"path": "notifier/pager.go",
"content": "package notifier\n\nimport (\n\t\"github.com/google/uuid\"\n)\n\n// Page communicates a bare-minimum paging protocol with clients.\ntype Page struct {\n\t// the next id to retrieve\n\tNext *uuid.UUID `json:\"next,omitempty\"`\n\t// the max number of elements returned in a page\n\tSize int `json:\"size\"`\n}\n"
},
{
"path": "notifier/poller.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"log/slog\"\n\t\"time\"\n\n\t\"github.com/quay/claircore/libvuln/driver\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\nconst (\n\t// max number of UOIDs that we will queue in a channel\n\tMaxChanSize = 1024\n)\n\n// PollerOpt applies a configuration to a Poller\ntype PollerOpt func(*Poller) error\n\n// Poller implements new Update Operation discovery via an event channel.\ntype Poller struct {\n\t// a store to retrieve known UOIDs and compare\n\t// with the polled UOIDs.\n\tstore Store\n\t// a differ to retrieve latest update operations\n\tdiffer matcher.Differ\n\t// the interval to poll a Matcher node.\n\tinterval time.Duration\n}\n\nfunc NewPoller(store Store, differ matcher.Differ, interval time.Duration) *Poller {\n\treturn &Poller{\n\t\tinterval: interval,\n\t\tstore: store,\n\t\tdiffer: differ,\n\t}\n}\n\n// Event is delivered on the poller's channel when a new UpdateOperation is\n// discovered.\ntype Event struct {\n\tupdater string\n\tuo driver.UpdateOperation\n}\n\n// Poll begins polling the Matcher for UpdateOperations and producing Events on\n// the supplied channel. This method takes ownership of the channel and is\n// responsible for closing it.\n//\n// Cancel ctx to stop the poller.\nfunc (p *Poller) Poll(ctx context.Context, c chan<- Event) error {\n\tdefer close(c)\n\tif err := ctx.Err(); err != nil {\n\t\tslog.InfoContext(ctx, \"context canceled before polling began\")\n\t\treturn err\n\t}\n\n\t// loop on interval tick\n\tt := time.NewTicker(p.interval)\n\tdefer t.Stop()\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tslog.InfoContext(ctx, \"context canceled; polling ended\")\n\t\t\treturn ctx.Err()\n\t\tcase <-t.C:\n\t\t\tslog.DebugContext(ctx, \"poll interval tick\")\n\t\t\tp.onTick(ctx, c)\n\t\t}\n\t}\n}\n\n// OnTick retrieves the latest update operations for all known updaters and\n// delivers an event if notification creation is necessary.\nfunc (p *Poller) onTick(ctx context.Context, c chan<- Event) {\n\tlatest, err := p.differ.LatestUpdateOperations(ctx, driver.VulnerabilityKind)\n\tif err != nil {\n\t\tslog.WarnContext(ctx, \"client error retrieving latest update operations\",\n\t\t\t\"reason\", err)\n\t\treturn\n\t}\n\n\tfor updater, uo := range latest {\n\t\tlog := slog.With(\"updater\", updater)\n\t\tif len(uo) == 0 {\n\t\t\tlog.DebugContext(ctx, \"received 0 update operations after polling Matcher\")\n\t\t\treturn // Should this be a continue?\n\t\t}\n\t\tlatest := uo[0]\n\t\tlog = log.With(\"UOID\", latest.Ref)\n\t\t// confirm notifications were never created for this UOID.\n\t\tvar errNoReceipt *clairerror.ErrNoReceipt\n\t\t_, err := p.store.ReceiptByUOID(ctx, latest.Ref)\n\t\tif errors.As(err, &errNoReceipt) {\n\t\t\te := Event{\n\t\t\t\tupdater: updater,\n\t\t\t\tuo: latest,\n\t\t\t}\n\t\t\tselect {\n\t\t\tcase c <- e:\n\t\t\tdefault:\n\t\t\t\tlog.WarnContext(ctx, \"could not deliver event to channel; skipping updater\")\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\t\tif err != nil {\n\t\t\tlog.WarnContext(ctx, \"received error getting receipt by UOID\",\n\t\t\t\t\"reason\", err)\n\t\t\treturn\n\t\t}\n\t}\n}\n"
},
{
"path": "notifier/postgres/e2e_test.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"sort\"\n\t\"strconv\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\tcctest \"github.com/quay/claircore/test\"\n\t\"github.com/quay/claircore/test/integration\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// TestE2E performs an end to end test ensuring creating, retrieving,\n// bookkeeping, and deleting of notifications and associated data works\n// correctly.\nfunc TestE2E(t *testing.T) {\n\tintegration.NeedDB(t)\n\tctx := cctest.Logging(t)\n\tfor _, e := range []*e2e{\n\t\tNewE2E(ctx, t, 1),\n\t\tNewE2E(ctx, t, 10),\n\t\tNewE2E(ctx, t, 100),\n\t} {\n\t\tt.Run(strconv.Itoa(len(e.notifications)), func(t *testing.T) {\n\t\t\tctx := cctest.Logging(t, ctx)\n\t\t\te.Run(ctx, t)\n\t\t})\n\t}\n}\n\n// e2e is a series of test cases for handling notification\n// persistence.\n//\n// each method on e2e fulfills the expected function signature\n// for t.Run() and is thus eligible to be used as a sub-test.\n//\n// e2e.Run drives the subtest order and will fail on first subtest\n// failure\ntype e2e struct {\n\t// the updater associated with the set of notifications under test\n\tupdater string\n\t// a store instance implementing notification persistence methods\n\tstore *Store\n\t// the notifications this test persist and retrieves\n\tnotifications []notifier.Notification\n\t// the notification ID this e2e test will use\n\tnotificationID uuid.UUID\n\t// the update operation ID associated with the set of notifications under test\n\tupdateID uuid.UUID\n}\n\nfunc NewE2E(ctx context.Context, t *testing.T, ct int) *e2e {\n\tupdater := fmt.Sprintf(\"%s-%d\", t.Name(), ct)\n\tid := uuid.New()\n\tvs := cctest.GenUniqueVulnerabilities(ct, updater)\n\tns := make([]notifier.Notification, len(vs))\n\tfor i, v := range vs {\n\t\tn := &ns[i]\n\t\tn.Manifest = cctest.RandomSHA256Digest(t)\n\t\tswitch rand.Intn(3) {\n\t\tcase 0:\n\t\t\tn.Reason = notifier.Added\n\t\tcase 1:\n\t\t\tn.Reason = notifier.Changed\n\t\tcase 2:\n\t\t\tn.Reason = notifier.Removed\n\t\t}\n\t\tn.Vulnerability.FromVulnerability(v)\n\t}\n\te := e2e{\n\t\tnotificationID: id,\n\t\tupdater: updater,\n\t\tupdateID: uuid.New(),\n\t\tnotifications: ns,\n\t}\n\treturn &e\n}\n\nfunc (e *e2e) Run(ctx context.Context, t *testing.T) {\n\te.store = TestingStore(ctx, t)\n\ttype subtest struct {\n\t\tdo func(context.Context) func(t *testing.T)\n\t\tname string\n\t}\n\tfor _, sub := range [...]subtest{\n\t\t{name: \"PutNotifications\", do: e.PutNotifications},\n\t\t{name: \"Created\", do: e.Created},\n\t\t{name: \"Notifications\", do: e.Notifications},\n\t\t{name: \"SetDelivered\", do: e.SetDelivered},\n\t\t{name: \"SetDeliveryFailed\", do: e.SetDeliveryFailed},\n\t\t{name: \"SetDeleted\", do: e.SetDeleted},\n\t\t{name: \"PutReceipt\", do: e.PutReceipt},\n\t\t{name: \"CollectNotifications\", do: e.CollectNotifications},\n\t} {\n\t\tt.Run(sub.name, sub.do(ctx))\n\t\tif t.Failed() {\n\t\t\tt.FailNow()\n\t\t}\n\t}\n}\n\n// PutNotifications adds a set of notifications to the database and confirms no\n// error occurs.\nfunc (e *e2e) PutNotifications(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\topts := notifier.PutOpts{\n\t\t\tUpdater: e.updater,\n\t\t\tNotificationID: e.notificationID,\n\t\t\tNotifications: e.notifications,\n\t\t\tUpdateID: e.updateID,\n\t\t}\n\t\tif err := e.store.PutNotifications(ctx, opts); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t}\n}\n\n// Created ensures the expected notification ID is returned when persistence\n// layer is queried for all created, a specific receipt, or a receipt by UOID.\nfunc (e *e2e) Created(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\tids, err := e.store.Created(ctx)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := len(ids), 1; got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t\twant := e.notificationID\n\t\tif got := ids[0]; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\n\t\tr, err := e.store.Receipt(ctx, want)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got := r.NotificationID; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tif got, want := r.Status, notifier.Created; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\n\t\tr, err = e.store.ReceiptByUOID(ctx, e.updateID)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got := r.NotificationID; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tif got, want := r.Status, notifier.Created; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\n// Notifications confirms the correct notifications were returned from the\n// database when providing the notification ID.\nfunc (e *e2e) Notifications(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\twant := e.notificationID\n\t\tinner := func(p *notifier.Page) func(*testing.T) {\n\t\t\treturn func(t *testing.T) {\n\t\t\t\tctx := cctest.Logging(t, ctx)\n\t\t\t\tvar ns []notifier.Notification\n\t\t\t\tfor {\n\t\t\t\t\trs, np, err := e.store.Notifications(ctx, want, p)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tt.Error(err)\n\t\t\t\t\t}\n\t\t\t\t\tns = append(ns, rs...)\n\t\t\t\t\tif np.Next == nil {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t\tp = &np\n\t\t\t\t}\n\t\t\t\tif got, want := len(ns), len(e.notifications); got != want {\n\t\t\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t\t\t}\n\t\t\t\topts := cmp.Options{\n\t\t\t\t\tcmpopts.IgnoreUnexported(claircore.Digest{}),\n\t\t\t\t\tcmpopts.IgnoreFields(claircore.Vulnerability{}, \"ID\"),\n\t\t\t\t\tcmp.Transformer(\"Sort\", func(in []notifier.Notification) []notifier.Notification {\n\t\t\t\t\t\tout := make([]notifier.Notification, len(in))\n\t\t\t\t\t\tcopy(out, in)\n\t\t\t\t\t\tsort.Slice(out, func(i, j int) bool {\n\t\t\t\t\t\t\treturn out[i].ID.String() < out[j].ID.String()\n\t\t\t\t\t\t})\n\t\t\t\t\t\treturn out\n\t\t\t\t\t}),\n\t\t\t\t}\n\t\t\t\tif got, want := ns, e.notifications; !cmp.Equal(got, want, opts) {\n\t\t\t\t\tt.Error(cmp.Diff(got, want, opts))\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tt.Run(\"NilPage\", inner(nil))\n\t\tt.Run(\"5Page\", inner(¬ifier.Page{Size: 5}))\n\t\tt.Run(\"500Page\", inner(¬ifier.Page{Size: 500}))\n\t}\n}\n\n// SetDelivered confirms a receipt for a notification ID can be set to\n// delivered.\nfunc (e *e2e) SetDelivered(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\twant := e.notificationID\n\t\terr := e.store.SetDelivered(ctx, want)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\treceipt, err := e.store.Receipt(ctx, want)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got := receipt.NotificationID; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tif got, want := receipt.Status, notifier.Delivered; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\n// SetDeliveryFailed confirms a receipt for a notification ID can be set to\n// delivered.\nfunc (e *e2e) SetDeliveryFailed(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\twant := e.notificationID\n\t\terr := e.store.SetDeliveryFailed(ctx, want)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\treceipt, err := e.store.Receipt(ctx, e.notificationID)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got := receipt.NotificationID; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tif got, want := receipt.Status, notifier.DeliveryFailed; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tids, err := e.store.Failed(ctx)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := len(ids), 1; got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t\tif got := ids[0]; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\n// SetDeleted ...\nfunc (e *e2e) SetDeleted(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\twant := e.notificationID\n\t\terr := e.store.SetDeleted(ctx, want)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\treceipt, err := e.store.Receipt(ctx, want)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got := receipt.NotificationID; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tif got, want := receipt.Status, notifier.Deleted; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t\tids, err := e.store.Deleted(ctx)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := len(ids), 1; got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t\tif got := ids[0]; !cmp.Equal(got, want) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\n// PutReceipt will confirm a receipt can be directly placed into the database.\nfunc (e *e2e) PutReceipt(ctx context.Context) func(*testing.T) {\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\twant := notifier.Receipt{\n\t\t\tNotificationID: uuid.New(),\n\t\t\tUOID: uuid.New(),\n\t\t\tStatus: notifier.Delivered,\n\t\t}\n\t\terr := e.store.PutReceipt(ctx, \"test-updater\", want)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to put receipt: %v\", err)\n\t\t}\n\n\t\tgot, err := e.store.Receipt(ctx, want.NotificationID)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif !cmp.Equal(got, want, cmpopts.IgnoreFields(got, \"TS\")) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\n\t\tgot, err = e.store.ReceiptByUOID(ctx, want.UOID)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif !cmp.Equal(got, want, cmpopts.IgnoreFields(got, \"TS\")) {\n\t\t\tt.Error(cmp.Diff(got, want))\n\t\t}\n\t}\n}\n\nfunc (e *e2e) CollectNotifications(ctx context.Context) func(*testing.T) {\n\tconst jump = `UPDATE receipt SET ts = (CURRENT_TIMESTAMP - INTERVAL '21 days') WHERE notification_id = $1;`\n\treturn func(t *testing.T) {\n\t\tctx := cctest.Logging(t, ctx)\n\t\tpool := e.store.pool\n\t\t// Jump our receipt back in time.\n\t\tif _, err := pool.Exec(ctx, jump, e.notificationID); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\tif err := e.store.CollectNotifications(ctx); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\tvar ct int\n\t\tif err := pool.QueryRow(ctx, `SELECT COUNT(id) FROM notification_body;`).Scan(&ct); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := ct, 0; got != want {\n\t\t\tt.Errorf(\"got: %d row remaining, wanted: %d rows remaining\", got, want)\n\t\t}\n\t}\n}\n"
},
{
"path": "notifier/postgres/get_status.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n)\n\nvar (\n\tcreatedCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"created_total\",\n\t\t\tHelp: \"Total number of database queries issued in the created method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tcreatedDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"created_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the created method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tfailedCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"failed_total\",\n\t\t\tHelp: \"Total number of database queries issued in the failed method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tfailedDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"failed_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the failed method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tdeletedCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"deleted_total\",\n\t\t\tHelp: \"Total number of database queries issued in the deleted method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tdeletedDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"deleted_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the deleted method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n)\n\nfunc (s *Store) getStatus(ctx context.Context, status string, m statusMetrics) ([]uuid.UUID, error) {\n\tconst (\n\t\tquery = `SELECT notification_id FROM receipt WHERE status = $1::receiptstatus;`\n\t)\n\n\tids := []uuid.UUID{}\n\terr := s.pool.AcquireFunc(ctx, func(c *pgxpool.Conn) error {\n\t\tvar err error\n\t\tvar rows pgx.Rows\n\t\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\t\tm.dur.WithLabelValues(`query`, errLabel(err)).Observe(v)\n\t\t}))\n\t\tdefer timer.ObserveDuration()\n\t\trows, err = c.Query(ctx, query, status)\n\t\tm.counter.WithLabelValues(`query`, errLabel(err)).Add(1)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar id uuid.UUID\n\t\tfor rows.Next() {\n\t\t\tif err := rows.Scan(&id); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tids = append(ids, id)\n\t\t}\n\t\tif err := rows.Err(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn ids, nil\n}\n\n// Created will return all notification ids in \"created\" status.\nfunc (s *Store) Created(ctx context.Context) ([]uuid.UUID, error) {\n\tids, err := s.getStatus(ctx, `created`, statusMetrics{\n\t\tcounter: createdCounter,\n\t\tdur: createdDuration,\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn ids, nil\n}\n\n// Failed will return all notification ids in \"delivery_failed\" status.\nfunc (s *Store) Failed(ctx context.Context) ([]uuid.UUID, error) {\n\tids, err := s.getStatus(ctx, `delivery_failed`, statusMetrics{\n\t\tcounter: failedCounter,\n\t\tdur: failedDuration,\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn ids, nil\n}\n\n// Deleted will return all notification ids in \"deleted\" status.\nfunc (s *Store) Deleted(ctx context.Context) ([]uuid.UUID, error) {\n\tids, err := s.getStatus(ctx, `deleted`, statusMetrics{\n\t\tcounter: deletedCounter,\n\t\tdur: deletedDuration,\n\t})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn ids, nil\n}\n"
},
{
"path": "notifier/postgres/notifications.go",
"content": "package postgres\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nvar (\n\tnotificationsCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"notifications_total\",\n\t\t\tHelp: \"Total number of database queries issued in the notifications method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tnotificationsDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"notifications_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the notifications method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\n\tgcNotificationCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"collectnotification_query_total\",\n\t\t\tHelp: \"Total number of database queries issued in the CollectNotification method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tgcNotificationDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"collectnotification_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the CollectNotification method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tgcNotificationAffected = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"collectnotification_affected_total\",\n\t\t\tHelp: \"Total number of rows affected in the CollectNotification method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\n\tputNotificationsCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"putnotifications_query_total\",\n\t\t\tHelp: \"Total number of database queries issued in the PutNotifications method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tputNotificationsDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"putnotifications_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the PutNotifications method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tputNotificationsAffected = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"putnotifications_affected_total\",\n\t\t\tHelp: \"Total number of rows affected in the PutNotifications method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n)\n\n// Notifications retrieves the list of notifications associated with a\n// notification ID.\nfunc (s *Store) Notifications(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error) {\n\tconst (\n\t\tquery = \"SELECT id, body FROM notification_body WHERE notification_id = $1::uuid\"\n\t\tpagedQuery = \"SELECT id, body FROM notification_body WHERE notification_id = $1::uuid AND id > $2 ORDER BY id ASC LIMIT $3\"\n\t)\n\n\t// If no page argument, early return all notifications.\n\tif page == nil {\n\t\tp := notifier.Page{}\n\t\tns := make([]notifier.Notification, 0)\n\t\terr := s.pool.AcquireFunc(ctx, func(c *pgxpool.Conn) error {\n\t\t\tvar err error\n\t\t\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\t\t\tnotificationsDuration.WithLabelValues(`query`, errLabel(err)).Observe(v)\n\t\t\t}))\n\t\t\tdefer timer.ObserveDuration()\n\t\t\tvar rows pgx.Rows\n\t\t\trows, err = c.Query(ctx, query, id)\n\t\t\tnotificationsCounter.WithLabelValues(`query`, errLabel(err)).Add(1)\n\t\t\tfor rows.Next() {\n\t\t\t\tns = append(ns, notifier.Notification{})\n\t\t\t\tn := &ns[len(ns)-1]\n\t\t\t\tif err := rows.Scan(&n.ID, n); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif err := rows.Err(); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn nil\n\t\t})\n\t\tif err != nil {\n\t\t\treturn nil, p, &clairerror.ErrBadNotification{\n\t\t\t\tNotificationID: id,\n\t\t\t\tE: err,\n\t\t\t}\n\t\t}\n\t\treturn ns, p, nil\n\t}\n\n\t// Page.Next being nil indicates a client's first request for a paged set of\n\t// notifications.\n\tif page.Next == nil {\n\t\tpage.Next = &uuid.Nil\n\t}\n\t// If asking for a weird number of results, just error.\n\tif page.Size < 1 {\n\t\treturn nil, notifier.Page{}, &clairerror.ErrBadNotification{\n\t\t\tNotificationID: id,\n\t\t\tE: fmt.Errorf(\"bad page size: %d\", page.Size),\n\t\t}\n\t}\n\t// Add one to limit to determine if there is another page to fetch.\n\tlimit := page.Size + 1\n\n\tns := make([]notifier.Notification, 0, limit)\n\terr := s.pool.AcquireFunc(ctx, func(c *pgxpool.Conn) error {\n\t\tvar err error\n\t\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\t\tnotificationsDuration.WithLabelValues(`pagedQuery`, errLabel(err)).Observe(v)\n\t\t}))\n\t\tdefer timer.ObserveDuration()\n\t\tvar rows pgx.Rows\n\t\trows, err = c.Query(ctx, pagedQuery, id, page.Next, limit)\n\t\tnotificationsCounter.WithLabelValues(`pagedQuery`, errLabel(err)).Add(1)\n\t\tfor rows.Next() {\n\t\t\tns = append(ns, notifier.Notification{})\n\t\t\tn := &ns[len(ns)-1]\n\t\t\tif err := rows.Scan(&n.ID, n); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif err := rows.Err(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn nil, notifier.Page{}, &clairerror.ErrBadNotification{\n\t\t\tNotificationID: id,\n\t\t\tE: err,\n\t\t}\n\t}\n\n\t// Page to return to client.\n\toutPage := notifier.Page{Size: page.Size}\n\tif len(ns) == limit {\n\t\t// Slice off the last element as it was only an indicator that another\n\t\t// page should be delivered.\n\t\t//\n\t\t// Set outPage.Next to the final element id being returned to the\n\t\t// caller.\n\t\tns = ns[:page.Size]\n\t\toutPage.Next = &(ns[len(ns)-1].ID)\n\t}\n\treturn ns, outPage, nil\n}\n\n// PutNotifications persists the provided notifications and associates them with\n// the provided notification ID.\n//\n// PutNotifications must update the latest update operation for the provided\n// updater in such a way that UpdateOperation returns the provided update\n// operation ID when queried with the updater name.\n//\n// PutNotifications must create a Receipt with status created status on\n// successful persistence of notifications in such a way that\n// Receipter.Created() returns the persisted notification ID.\nfunc (s *Store) PutNotifications(ctx context.Context, opts notifier.PutOpts) error {\n\tconst (\n\t\tinsertNotification = `INSERT INTO notification (id) VALUES ($1);`\n\t\tinsertUpdateOperation = `INSERT INTO notifier_update_operation (updater, uo_id, ts) VALUES ($1, $2, CURRENT_TIMESTAMP);`\n\t\tinsertReceipt = `INSERT INTO receipt (notification_id, uo_id, status, ts) VALUES ($1, $2, 'created', CURRENT_TIMESTAMP);`\n\t)\n\ttxOpt := pgx.TxOptions{\n\t\tIsoLevel: pgx.ReadCommitted,\n\t\tAccessMode: pgx.ReadWrite,\n\t}\n\tmetrics := statusMetrics{\n\t\tdur: putNotificationsDuration,\n\t\tcounter: putNotificationsCounter,\n\t\taffected: putNotificationsAffected,\n\t}\n\n\terr := pgx.BeginTxFunc(ctx, s.pool, txOpt, func(tx pgx.Tx) error {\n\t\tif err := txExec(ctx, metrics, tx,\n\t\t\t`insertNotification`, insertNotification,\n\t\t\t[]interface{}{opts.NotificationID}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := func() error {\n\t\t\tconst name = `copyNotificationBody`\n\t\t\t// Batch insert via the Copy API. This needs its own little closure\n\t\t\t// here because it's using the lower-level API.\n\t\t\tsrc := copyNotifications(&opts.NotificationID, opts.Notifications)\n\t\t\tvar err error\n\t\t\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\t\t\tputNotificationsDuration.WithLabelValues(name, errLabel(err)).Observe(v)\n\t\t\t}))\n\t\t\tdefer timer.ObserveDuration()\n\t\t\tct, err := tx.CopyFrom(ctx, pgx.Identifier{\"notification_body\"}, src.Columns(), src)\n\t\t\tputNotificationsCounter.WithLabelValues(name, errLabel(err)).Add(1)\n\t\t\tputNotificationsAffected.WithLabelValues(name, errLabel(err)).Add(float64(ct))\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif got, want := ct, int64(len(opts.Notifications)); got != want {\n\t\t\t\treturn fmt.Errorf(\"inserted %d/%d rows\", got, want)\n\t\t\t}\n\t\t\treturn nil\n\t\t}(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx,\n\t\t\t`insertUpdateOperation`, insertUpdateOperation,\n\t\t\t[]interface{}{opts.Updater, opts.UpdateID}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx,\n\t\t\t`insertReceipt`, insertReceipt,\n\t\t\t[]interface{}{opts.NotificationID, opts.UpdateID}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn &clairerror.ErrPutNotifications{\n\t\t\tNotificationID: opts.NotificationID,\n\t\t\tE: err,\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc copyNotifications(id *uuid.UUID, ns []notifier.Notification) *notificationSource {\n\ts := notificationSource{\n\t\tid: id,\n\t\tns: ns,\n\t}\n\ts.enc = json.NewEncoder(&s.buf)\n\treturn &s\n}\n\ntype notificationSource struct {\n\terr error\n\tenc *json.Encoder\n\tid *uuid.UUID\n\tbuf bytes.Buffer\n\tns []notifier.Notification\n}\n\nfunc (r *notificationSource) Next() bool {\n\treturn len(r.ns) > 0\n}\n\nfunc (r *notificationSource) Values() ([]interface{}, error) {\n\tn := &r.ns[0]\n\tr.ns = r.ns[1:]\n\tn.ID = uuid.New()\n\tr.buf.Reset()\n\tif err := r.enc.Encode(n); err != nil {\n\t\tr.err = err\n\t\tr.ns = nil\n\t\treturn nil, err\n\t}\n\treturn []interface{}{n.ID, r.id, r.buf.Bytes()}, nil\n}\n\nfunc (r *notificationSource) Err() error {\n\tif r.err != nil {\n\t\treturn r.err\n\t}\n\treturn nil\n}\n\nfunc (r *notificationSource) Columns() []string {\n\treturn []string{\"id\", \"notification_id\", \"body\"}\n}\n\n// CollectNotifications garbage collects all notifications.\n//\n// Normally Receipter.SetDeleted will be issued first, however application logic\n// may decide to gc notifications which have not been set deleted after some\n// period of time, thus this condition should not be checked.\nfunc (s *Store) CollectNotifications(ctx context.Context) error {\n\tconst (\n\t\ttryLock = `SELECT pg_try_advisory_xact_lock($1, $2);`\n\t\tdeleteNotification = `DELETE FROM notification USING receipt WHERE id = receipt.notification_id AND receipt.status = 'deleted'::receiptstatus;`\n\t\tdeleteUpdateOp = `DELETE FROM notifier_update_operation\n\tWHERE uo_id IN (\n\t\tSELECT uo_id FROM notifier_update_operation\n\t\tEXCEPT\n\t\tSELECT uo_id FROM receipt);`\n\t\tdeleteReceipts = `DELETE FROM receipt\n\tWHERE\n\t\tts < date_trunc('day', (now() - INTERVAL '14 days'))\n\t\tAND\n\t\tstatus <> 'created'::receiptstatus;`\n\t)\n\ttxOpt := pgx.TxOptions{\n\t\tIsoLevel: pgx.ReadCommitted,\n\t\tAccessMode: pgx.ReadWrite,\n\t}\n\tmetrics := statusMetrics{\n\t\tdur: gcNotificationDuration,\n\t\tcounter: gcNotificationCounter,\n\t\taffected: gcNotificationAffected,\n\t}\n\n\terr := pgx.BeginTxFunc(ctx, s.pool, txOpt, func(tx pgx.Tx) error {\n\t\tvar ok bool\n\t\tif err := tx.QueryRow(ctx, tryLock, adminKeyspace, gcLock).Scan(&ok); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !ok {\n\t\t\t// unable to lock\n\t\t\treturn nil\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx, \"deleteNotification\", deleteNotification, nil); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx, \"deleteReceipts\", deleteReceipts, nil); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx, \"deleteUpdateOp\", deleteUpdateOp, nil); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/postgres/notifications_test.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"math/rand\"\n\t\"strconv\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/quay/claircore/test\"\n\t\"github.com/quay/claircore/test/integration\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nfunc TestNotificationCopy(t *testing.T) {\n\tintegration.NeedDB(t)\n\tctx := test.Logging(t)\n\tfor _, tc := range []notificationCopyTestcase{\n\t\t{Count: 1},\n\t\t{Count: 10},\n\t\t{Count: 100},\n\t\t{Count: 1000},\n\t\t{Count: 10000},\n\t} {\n\t\ttc.Setup(t)\n\t\tt.Run(strconv.Itoa(tc.Count), tc.Func(ctx))\n\t}\n}\n\ntype notificationCopyTestcase struct {\n\tNotifications []notifier.Notification\n\tCount int\n}\n\nfunc (n *notificationCopyTestcase) Setup(t testing.TB) {\n\tvs := test.GenUniqueVulnerabilities(n.Count, t.Name())\n\tns := make([]notifier.Notification, len(vs))\n\tfor i := range vs {\n\t\tn := &ns[i]\n\t\tn.Manifest = test.RandomSHA256Digest(t)\n\t\tswitch rand.Intn(3) {\n\t\tcase 0:\n\t\t\tn.Reason = notifier.Added\n\t\tcase 1:\n\t\t\tn.Reason = notifier.Changed\n\t\tcase 2:\n\t\t\tn.Reason = notifier.Removed\n\t\t}\n\t\tn.Vulnerability.FromVulnerability(vs[i])\n\t}\n\tn.Notifications = ns\n}\n\nfunc (n notificationCopyTestcase) Func(ctx context.Context) func(*testing.T) {\n\tid := uuid.New()\n\treturn func(t *testing.T) {\n\t\tctx := test.Logging(t, ctx)\n\t\tn.Setup(t)\n\t\tsrc := copyNotifications(&id, n.Notifications)\n\t\ts := TestingStore(ctx, t)\n\t\ttx, err := s.pool.Begin(ctx)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tdefer func() {\n\t\t\tif err := tx.Rollback(ctx); err != nil && !errors.Is(err, pgx.ErrTxClosed) {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t}()\n\t\ttag, err := tx.Exec(ctx, `INSERT INTO notification (id) VALUES ($1);`, id)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := int(tag.RowsAffected()), 1; got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t\tct, err := tx.CopyFrom(ctx, pgx.Identifier{\"notification_body\"}, src.Columns(), src)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif got, want := int(ct), len(n.Notifications); got != want {\n\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t}\n\t\tif err := tx.Commit(ctx); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t}\n}\n"
},
{
"path": "notifier/postgres/pagination_test.go",
"content": "package postgres\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/test\"\n\t\"github.com/quay/claircore/test/integration\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// TestPagination confirms paginating notifications works correctly.\nfunc TestPagination(t *testing.T) {\n\tintegration.NeedDB(t)\n\n\ttable := []struct {\n\t\t// name of test\n\t\tname string\n\t\t// total number of notifications to request\n\t\ttotal int\n\t\t// number of notifications per page to test\n\t\tpageSize int\n\t}{\n\t\t{\n\t\t\tname: \"TotalZero\",\n\t\t\ttotal: 0,\n\t\t\tpageSize: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"PageOne\",\n\t\t\ttotal: 5,\n\t\t\tpageSize: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"Ones\",\n\t\t\ttotal: 1,\n\t\t\tpageSize: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"OddsGT\",\n\t\t\ttotal: 3,\n\t\t\tpageSize: 7,\n\t\t},\n\t\t{\n\t\t\tname: \"OddsLT\",\n\t\t\ttotal: 7,\n\t\t\tpageSize: 3,\n\t\t},\n\t\t{\n\t\t\tname: \"LT\",\n\t\t\ttotal: 1000,\n\t\t\tpageSize: 5,\n\t\t},\n\t\t{\n\t\t\tname: \"GT\",\n\t\t\ttotal: 5,\n\t\t\tpageSize: 1000,\n\t\t},\n\t\t{\n\t\t\tname: \"Large\",\n\t\t\ttotal: 5000,\n\t\t\tpageSize: 1000,\n\t\t},\n\t}\n\n\tfor _, tt := range table {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tctx := test.Logging(t)\n\t\t\tstore := TestingStore(ctx, t)\n\n\t\t\tnoteID := uuid.New()\n\t\t\tupdateID := uuid.New()\n\t\t\tmanifestHash := claircore.MustParseDigest(\"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\")\n\n\t\t\tnotes := make([]notifier.Notification, 0, tt.total)\n\t\t\tfor i := 0; i < tt.total; i++ {\n\t\t\t\tnotes = append(notes, notifier.Notification{\n\t\t\t\t\tManifest: manifestHash,\n\t\t\t\t\tReason: \"added\",\n\t\t\t\t})\n\t\t\t}\n\t\t\tt.Logf(\"inserting %v notes\", len(notes))\n\t\t\terr := store.PutNotifications(ctx, notifier.PutOpts{\n\t\t\t\tUpdater: \"test-updater\",\n\t\t\t\tNotificationID: noteID,\n\t\t\t\tNotifications: notes,\n\t\t\t\tUpdateID: updateID,\n\t\t\t})\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to insert notifications: %v\", err)\n\t\t\t}\n\n\t\t\tinPage := notifier.Page{\n\t\t\t\tSize: tt.pageSize,\n\t\t\t}\n\n\t\t\ttotal := []notifier.Notification{}\n\t\t\treturned, outPage, err := store.Notifications(ctx, noteID, &inPage)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"failed to retrieve initial page: %v\", err)\n\t\t\t}\n\t\t\ttotal = append(total, returned...)\n\n\t\t\tfor outPage.Next != nil {\n\t\t\t\tif outPage.Size != tt.pageSize {\n\t\t\t\t\tt.Fatalf(\"got: %v, want: %v\", outPage.Size, tt.pageSize)\n\t\t\t\t}\n\t\t\t\tif len(returned) > tt.pageSize {\n\t\t\t\t\tt.Fatalf(\"got: %v, want: %v\", len(returned), tt.pageSize)\n\t\t\t\t}\n\t\t\t\treturned, outPage, err = store.Notifications(ctx, noteID, &outPage)\n\t\t\t\ttotal = append(total, returned...)\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Error(err)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif len(total) != tt.total {\n\t\t\t\tt.Fatalf(\"got: %v, want: %v\", len(total), tt.total)\n\t\t\t}\n\t\t})\n\t}\n}\n"
},
{
"path": "notifier/postgres/postgres_test.go",
"content": "package postgres\n\nimport (\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/quay/claircore/test/integration\"\n)\n\nfunc TestMain(m *testing.M) {\n\tvar c int\n\tdefer func() { os.Exit(c) }()\n\tdefer integration.DBSetup()()\n\tc = m.Run()\n}\n"
},
{
"path": "notifier/postgres/receipt.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\t\"errors\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nvar (\n\treceiptCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"receipt_total\",\n\t\t\tHelp: \"Total number of database queries issued in the receipt method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\treceiptDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"receipt_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the receipt method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\treceiptByUOIDCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"receiptbyuoid_total\",\n\t\t\tHelp: \"Total number of database queries issued in the receiptByUOID method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\treceiptByUOIDDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"receiptbyuoid_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the receiptByUOID method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tputReceiptCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"putreceipt_total\",\n\t\t\tHelp: \"Total number of database queries issued in the putReceipt method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tputReceiptAffected = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"putreceipt_affected_total\",\n\t\t\tHelp: \"Total number of rows affected in the putReceipt method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tputReceiptDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"putreceipt_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the putReceipt method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n)\n\n// Receipt returns the Receipt for a given notification ID.\nfunc (s *Store) Receipt(ctx context.Context, id uuid.UUID) (notifier.Receipt, error) {\n\tconst query = `SELECT uo_id, notification_id, status, ts FROM receipt WHERE notification_id = $1::uuid;`\n\tvar r notifier.Receipt\n\tf := getReceipt(ctx, &r, query, `query`, id, statusMetrics{\n\t\tcounter: receiptCounter,\n\t\tdur: receiptDuration,\n\t})\n\treturn r, s.pool.AcquireFunc(ctx, f)\n}\n\n// ReceiptByUOID returns the Receipt for a given UpdateOperation ID.\nfunc (s *Store) ReceiptByUOID(ctx context.Context, id uuid.UUID) (notifier.Receipt, error) {\n\tconst query = `SELECT uo_id, notification_id, status, ts FROM receipt WHERE uo_id = $1::uuid;`\n\tvar r notifier.Receipt\n\tf := getReceipt(ctx, &r, query, `query`, id, statusMetrics{\n\t\tcounter: receiptByUOIDCounter,\n\t\tdur: receiptByUOIDDuration,\n\t})\n\treturn r, s.pool.AcquireFunc(ctx, f)\n}\n\nfunc getReceipt(ctx context.Context, r *notifier.Receipt, query, name string, id uuid.UUID, m statusMetrics) func(*pgxpool.Conn) error {\n\treturn func(c *pgxpool.Conn) error {\n\t\tvar err error\n\t\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\t\tm.dur.WithLabelValues(`query`, errLabel(err)).Observe(v)\n\t\t}))\n\t\tdefer timer.ObserveDuration()\n\t\terr = c.QueryRow(ctx, query, id).Scan(\n\t\t\t&r.UOID,\n\t\t\t&r.NotificationID,\n\t\t\t&r.Status,\n\t\t\t&r.TS,\n\t\t)\n\t\treceiptCounter.WithLabelValues(\"query\", errLabel(err)).Add(1)\n\t\tswitch {\n\t\tcase errors.Is(err, pgx.ErrNoRows):\n\t\t\treturn &clairerror.ErrNoReceipt{\n\t\t\t\tNotificationID: id,\n\t\t\t}\n\t\tcase err != nil:\n\t\t\treturn &clairerror.ErrReceipt{\n\t\t\t\tNotificationID: id,\n\t\t\t\tE: err,\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n}\n\nfunc (s *Store) PutReceipt(ctx context.Context, updater string, r notifier.Receipt) error {\n\tconst (\n\t\tinsertNotification = `INSERT INTO notification (id) VALUES ($1);`\n\t\tinsertReceipt = `INSERT INTO receipt (notification_id, uo_id, status, ts) VALUES ($1, $2, $3, CURRENT_TIMESTAMP);`\n\t\tinsertUpdateOperation = `INSERT INTO notifier_update_operation (updater, uo_id, ts) VALUES ($1, $2, CURRENT_TIMESTAMP);`\n\t)\n\ttxOpt := pgx.TxOptions{\n\t\tIsoLevel: pgx.ReadCommitted,\n\t\tAccessMode: pgx.ReadWrite,\n\t}\n\tmetrics := statusMetrics{\n\t\tdur: putReceiptDuration,\n\t\tcounter: putReceiptCounter,\n\t\taffected: putReceiptAffected,\n\t}\n\terr := pgx.BeginTxFunc(ctx, s.pool, txOpt, func(tx pgx.Tx) error {\n\t\tif err := txExec(ctx, metrics, tx,\n\t\t\t`insertNotification`,\n\t\t\tinsertNotification,\n\t\t\t[]interface{}{r.NotificationID}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx,\n\t\t\t`insertUpdateOperation`,\n\t\t\tinsertUpdateOperation,\n\t\t\t[]interface{}{updater, r.UOID}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := txExec(ctx, metrics, tx,\n\t\t\t`insertReceipt`,\n\t\t\tinsertReceipt,\n\t\t\t[]interface{}{r.NotificationID, r.UOID, r.Status}); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/postgres/set_status.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/jackc/pgx/v5/pgconn\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n)\n\nvar (\n\tsetDeletedCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"setdeleted_total\",\n\t\t\tHelp: \"Total number of database queries issued in the setDeleted method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tsetDeletedDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"setdeleted_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the setDeleted method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tsetDeliveredCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"setdelivered_total\",\n\t\t\tHelp: \"Total number of database queries issued in the setDelivered method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tsetDeliveredDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"setdelivered_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the setDelivered method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tsetDeliveryFailedCounter = promauto.NewCounterVec(\n\t\tprometheus.CounterOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"setdeliveryfailed_total\",\n\t\t\tHelp: \"Total number of database queries issued in the setDeliveryFailed method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n\tsetDeliveryFailedDuration = promauto.NewHistogramVec(\n\t\tprometheus.HistogramOpts{\n\t\t\tNamespace: \"clair\",\n\t\t\tSubsystem: \"notifier\",\n\t\t\tName: \"setdeliveryfailed_duration_seconds\",\n\t\t\tHelp: \"Duration of all queries issued in the setDeliveryFailed method\",\n\t\t},\n\t\t[]string{\"query\", \"error\"},\n\t)\n)\n\nfunc (s *Store) setStatus(ctx context.Context, id uuid.UUID, status string, m statusMetrics) error {\n\tconst query = `UPDATE receipt SET status = $1::receiptstatus, ts = CURRENT_TIMESTAMP WHERE notification_id = $2::uuid;`\n\treturn s.pool.AcquireFunc(ctx, func(c *pgxpool.Conn) error {\n\t\tvar err error\n\t\tvar tag pgconn.CommandTag\n\t\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\t\tm.dur.WithLabelValues(`query`, errLabel(err)).Observe(v)\n\t\t}))\n\t\tdefer timer.ObserveDuration()\n\t\ttag, err = c.Exec(ctx, query, status, id)\n\t\tm.counter.WithLabelValues(`query`, errLabel(err)).Add(1)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif tag.RowsAffected() == 0 {\n\t\t\treturn &clairerror.ErrNoReceipt{NotificationID: id}\n\t\t}\n\t\treturn nil\n\t})\n}\n\n// SetDelivered marks the provided notification id as delivered\nfunc (s *Store) SetDelivered(ctx context.Context, id uuid.UUID) error {\n\treturn s.setStatus(ctx, id, `delivered`, statusMetrics{\n\t\tcounter: setDeliveredCounter,\n\t\tdur: setDeliveredDuration,\n\t})\n}\n\n// SetDeliveryFailed marks the provided notification id failed to be delivere\nfunc (s *Store) SetDeliveryFailed(ctx context.Context, id uuid.UUID) error {\n\treturn s.setStatus(ctx, id, `delivery_failed`, statusMetrics{\n\t\tcounter: setDeliveryFailedCounter,\n\t\tdur: setDeliveryFailedDuration,\n\t})\n}\n\n// SetDeleted marks the provided notification id as deleted\nfunc (s *Store) SetDeleted(ctx context.Context, id uuid.UUID) error {\n\treturn s.setStatus(ctx, id, `deleted`, statusMetrics{\n\t\tcounter: setDeletedCounter,\n\t\tdur: setDeletedDuration,\n\t})\n}\n"
},
{
"path": "notifier/postgres/store.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\t\"database/sql\"\n\t\"fmt\"\n\t\"log/slog\"\n\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/jackc/pgx/v5/pgconn\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/jackc/pgx/v5/stdlib\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/remind101/migrate\"\n\n\t\"github.com/quay/clair/v4/notifier/migrations\"\n)\n\n// Store implements the notifier.Store interface.\ntype Store struct {\n\tpool *pgxpool.Pool\n}\n\n// NewStore returns a Store using the passed-in Pool.\n//\n// The caller should close the Pool once the store is no longer needed.\nfunc NewStore(pool *pgxpool.Pool) *Store {\n\treturn &Store{pool}\n}\n\n// Init initializes the database using the specified config.\nfunc Init(ctx context.Context, cfg *pgx.ConnConfig) error {\n\tdb, err := sql.Open(\"pgx\", stdlib.RegisterConnConfig(cfg))\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to open db: %w\", err)\n\t}\n\tdefer db.Close()\n\n\tslog.InfoContext(ctx, \"performing notifier migrations\")\n\tmigrator := migrate.NewPostgresMigrator(db)\n\tmigrator.Table = migrations.MigrationTable\n\tif err := migrator.Exec(migrate.Up, migrations.Migrations...); err != nil {\n\t\treturn fmt.Errorf(\"failed to perform migrations: %w\", err)\n\t}\n\treturn nil\n}\n\n// As a rule of thumb, admin/worker locks should be in the two-part keyspace to\n// avoid clashing with the manifest locks. They're engine wide, so it's a\n// concern even here in the notifier's bailiwick.\nconst (\n\tadminKeyspace int32 = 4\n\n\t_ int32 = iota\n\tgcLock\n)\n\nfunc errLabel(e error) string {\n\tif e == nil {\n\t\treturn `false`\n\t}\n\treturn `true`\n}\n\ntype statusMetrics struct {\n\tcounter *prometheus.CounterVec\n\taffected *prometheus.CounterVec\n\tdur *prometheus.HistogramVec\n}\n\n// TxExec runs the passed query in the provided transaction, recording it as\n// \"name\" with the metrics passed in \"m\".\n//\n// This is highly specific to how metrics are used in this package, and will\n// panic if there are more than two labels unpopulated. It's expected that\n// they're \"query\" and \"error\", respectively.\nfunc txExec(ctx context.Context, m statusMetrics, tx pgx.Tx, name, query string, args []interface{}) error {\n\tvar err error\n\tvar tag pgconn.CommandTag\n\ttimer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {\n\t\tm.dur.WithLabelValues(name, errLabel(err)).Observe(v)\n\t}))\n\tdefer timer.ObserveDuration()\n\ttag, err = tx.Exec(ctx, query, args...)\n\tm.counter.WithLabelValues(name, errLabel(err)).Add(1)\n\tm.affected.WithLabelValues(name, errLabel(err)).Add(float64(tag.RowsAffected()))\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/postgres/store_test.go",
"content": "package postgres\n\nimport (\n\t\"context\"\n\t\"testing\"\n\n\t\"github.com/jackc/pgx/v5/log/testingadapter\"\n\t\"github.com/jackc/pgx/v5/pgxpool\"\n\t\"github.com/jackc/pgx/v5/tracelog\"\n\t\"github.com/quay/claircore/test/integration\"\n)\n\nfunc TestingStore(ctx context.Context, t testing.TB) *Store {\n\tdb, err := integration.NewDB(ctx, t)\n\tif err != nil {\n\t\tt.Fatalf(\"unable to create test database: %v\", err)\n\t}\n\tt.Cleanup(func() { db.Close(ctx, t) })\n\n\tcfg := db.Config()\n\t// This looks backwards, but means that failures get lots of output and\n\t// verbose output gets a moderate amount of output.\n\ttracer := &tracelog.TraceLog{\n\t\tLogLevel: tracelog.LogLevelInfo,\n\t\tLogger: testingadapter.NewLogger(t),\n\t}\n\tif testing.Verbose() {\n\t\ttracer.LogLevel = tracelog.LogLevelError\n\t}\n\tcfg.ConnConfig.Tracer = tracer\n\n\tif err := Init(ctx, cfg.ConnConfig); err != nil {\n\t\tt.Fatalf(\"failed to init database: %v\", err)\n\t}\n\n\tpool, err := pgxpool.NewWithConfig(ctx, cfg)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create connpool: %v\", err)\n\t}\n\tt.Cleanup(pool.Close)\n\treturn NewStore(pool)\n}\n"
},
{
"path": "notifier/postgres/testdata/.gitignore",
"content": "pg*\n!.gitignore\n"
},
{
"path": "notifier/processor.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"sync\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"golang.org/x/sync/errgroup\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\n// Processor listen for new UOIDs, creates notifications, and persists\n// these notifications for later retrieval.\n//\n// Processor(s) create atomic boundaries, no two Processor(s) will be creating\n// notifications for the same UOID at once.\ntype Processor struct {\n\t// distributed lock used for mutual exclusion\n\tlocks Locker\n\t// a handle to an indexer service\n\tindexer indexer.Service\n\t// a handle to a matcher service\n\tmatcher matcher.Service\n\t// a store instance to persist notifications\n\tstore Store\n\n\t// NoSummary controls whether per-manifest vulnerability summarization\n\t// should happen.\n\t//\n\t// The zero value makes the default behavior to do the summary.\n\tNoSummary bool\n}\n\nfunc NewProcessor(store Store, l Locker, indexer indexer.Service, matcher matcher.Service) *Processor {\n\treturn &Processor{\n\t\tlocks: l,\n\t\tindexer: indexer,\n\t\tmatcher: matcher,\n\t\tstore: store,\n\t}\n}\n\n// Process receives new UOs as events, creates and persists notifications, and\n// updates the notifier system with the \"latest\" seen UOID.\n//\n// Canceling the ctx will end the processing.\nfunc (p *Processor) Process(ctx context.Context, c <-chan Event) error {\n\tslog.DebugContext(ctx, \"processing events\")\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tslog.InfoContext(ctx, \"context canceled: ending event processing\")\n\t\t\treturn ctx.Err()\n\t\tcase e := <-c:\n\t\t\tlog := slog.With(\"updater\", e.updater, \"UOID\", e.uo.Ref)\n\t\t\tlog.DebugContext(ctx, \"processing\")\n\t\t\tif err := func() error {\n\t\t\t\tctx, done := p.locks.TryLock(ctx, e.uo.Ref.String())\n\t\t\t\tdefer done()\n\t\t\t\tif err := ctx.Err(); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tsafe, prev := p.safe(ctx, log, e)\n\t\t\t\tif !safe {\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t\treturn p.create(ctx, log, e, prev)\n\t\t\t}(); err != nil {\n\t\t\t\tlog.WarnContext(ctx, \"failed to create notifications\",\n\t\t\t\t\t\"reason\", err)\n\t\t\t}\n\t\t}\n\t}\n}\n\n// create implements the business logic of creating and persisting\n// notifications\n//\n// will be performed under a distributed lock\nfunc (p *Processor) create(ctx context.Context, log *slog.Logger, e Event, prev uuid.UUID) error {\n\tlog.DebugContext(ctx, \"retrieving diff\",\n\t\t\"prev\", prev,\n\t\t\"cur\", e.uo.Ref)\n\tdiff, err := p.matcher.UpdateDiff(ctx, prev, e.uo.Ref)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to get update diff: %v\", err)\n\t}\n\tlog.DebugContext(ctx, \"diff results\",\n\t\t\"removed\", len(diff.Removed),\n\t\t\"added\", len(diff.Added))\n\n\ttab := notifTab{\n\t\tN: make([]Notification, 0),\n\t\tlookup: make(map[string]int),\n\t}\n\teg, wctx := errgroup.WithContext(ctx)\n\teg.Go(getAffected(wctx, p.indexer, p.NoSummary, diff.Added, Added, &tab))\n\teg.Go(getAffected(wctx, p.indexer, p.NoSummary, diff.Removed, Removed, &tab))\n\tif err := eg.Wait(); err != nil {\n\t\treturn fmt.Errorf(\"failed to get affected manifests: %v\", err)\n\t}\n\n\t// Don't count up the affected manifests unless we're going to print it.\n\tif log.Enabled(ctx, slog.LevelDebug) {\n\t\tvar added, removed int\n\t\tfor _, n := range tab.N {\n\t\t\tswitch n.Reason {\n\t\t\tcase Added:\n\t\t\t\tadded++\n\t\t\tcase Removed:\n\t\t\t\tremoved++\n\t\t\t}\n\t\t}\n\t\tlog.DebugContext(ctx, \"affected manifest counts\",\n\t\t\t\"added\", added,\n\t\t\t\"removed\", removed)\n\t}\n\n\tif len(tab.N) == 0 {\n\t\t// directly add a \"delivered\" receipt, this will stop subsequent processing\n\t\t// of this update operation and also avoid delivery attempts.\n\t\tr := Receipt{\n\t\t\tNotificationID: uuid.New(),\n\t\t\tUOID: e.uo.Ref,\n\t\t\tStatus: Delivered,\n\t\t}\n\t\tlog.DebugContext(ctx, \"no affected manifests for update operation, setting to delivered\")\n\t\terr := p.store.PutReceipt(ctx, e.uo.Updater, r)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to put receipt: %v\", err)\n\t\t}\n\t\treturn nil\n\t}\n\n\topts := PutOpts{\n\t\tUpdater: e.updater,\n\t\tUpdateID: e.uo.Ref,\n\t\tNotificationID: uuid.New(),\n\t\tNotifications: tab.N,\n\t}\n\terr = p.store.PutNotifications(ctx, opts)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to store notifications: %v\", err)\n\t}\n\treturn nil\n}\n\nfunc min(a, b int) int {\n\tif a < b {\n\t\treturn a\n\t}\n\treturn b\n}\n\n// NotifTab is a handle for a slice of Notifications.\n//\n// It has supporting structures for concurrent use and summaries.\ntype notifTab struct {\n\tsync.Mutex\n\tlookup map[string]int // only used in \"summary\" mode\n\tN []Notification\n}\n\n// GetAffected issues AffectedManifest calls in chunks and merges the result.\n//\n// Its signature is weird to make use in an errgroup a little bit nicer.\nfunc getAffected(ctx context.Context, ic indexer.Service, nosummary bool, vs []claircore.Vulnerability, r Reason, out *notifTab) func() error {\n\tconst chunk = 1000\n\treturn func() error {\n\t\tvar s []claircore.Vulnerability\n\t\tfor len(vs) > 0 {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn ctx.Err()\n\t\t\tdefault:\n\t\t\t}\n\t\t\ts = vs[:min(chunk, len(vs))]\n\t\t\tvs = vs[len(s):]\n\t\t\ta, err := ic.AffectedManifests(ctx, s)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor manifest, vulns := range a.VulnerableManifests {\n\t\t\t\tdigest, err := claircore.ParseDigest(manifest)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\t// The vulns slice is sorted most severe to lease severe, so\n\t\t\t\t// when in summary mode, we only need to check the initial vuln.\n\t\t\t\tif !nosummary {\n\t\t\t\t\tvuln := a.Vulnerabilities[vulns[0]]\n\t\t\t\t\tkey := digest.String()\n\t\t\t\t\tvar n *Notification\n\t\t\t\t\tout.Lock()\n\t\t\t\t\t// First, lookup if there's a notification for this\n\t\t\t\t\t// manifest.\n\t\t\t\t\ti, ok := out.lookup[key]\n\t\t\t\t\tif ok {\n\t\t\t\t\t\tn = &out.N[i]\n\t\t\t\t\t}\n\t\t\t\t\tif n == nil {\n\t\t\t\t\t\t// If this is the first appearance of this manifest,\n\t\t\t\t\t\t// insert it.\n\t\t\t\t\t\ti := len(out.N)\n\t\t\t\t\t\tout.N = append(out.N, Notification{\n\t\t\t\t\t\t\tManifest: digest,\n\t\t\t\t\t\t\tReason: r,\n\t\t\t\t\t\t})\n\t\t\t\t\t\tout.lookup[key] = i\n\t\t\t\t\t\tn = &out.N[i]\n\t\t\t\t\t\tn.Vulnerability.FromVulnerability(vuln)\n\t\t\t\t\t} else {\n\t\t\t\t\t\t// If we've seen this before, check the severity and\n\t\t\t\t\t\t// swap if the new vuln is more severe.\n\t\t\t\t\t\tvar sev claircore.Severity\n\t\t\t\t\t\tif err := sev.UnmarshalText([]byte(n.Vulnerability.Severity)); err != nil {\n\t\t\t\t\t\t\tout.Unlock()\n\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif sev < vuln.NormalizedSeverity {\n\t\t\t\t\t\t\tn.Vulnerability.FromVulnerability(vuln)\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tout.Unlock()\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\t// If not in summary, create all the notifications.\n\t\t\t\tfor idx := range vulns {\n\t\t\t\t\tvuln := a.Vulnerabilities[vulns[idx]]\n\t\t\t\t\tout.Lock()\n\t\t\t\t\ti := len(out.N)\n\t\t\t\t\tout.N = append(out.N, Notification{\n\t\t\t\t\t\tManifest: digest,\n\t\t\t\t\t\tReason: r,\n\t\t\t\t\t})\n\t\t\t\t\tn := &out.N[i]\n\t\t\t\t\tn.Vulnerability.FromVulnerability(vuln)\n\t\t\t\t\tout.Unlock()\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// safe guards against situations where creating notifications is\n// incorrect.\n//\n// if deemed safe to create notifications the previous update operation will be\n// returned\n//\n// will be performed under a distributed lock.\nfunc (p *Processor) safe(ctx context.Context, log *slog.Logger, e Event) (bool, uuid.UUID) {\n\t// confirm we are not making duplicate notifications\n\tvar errNoReceipt *clairerror.ErrNoReceipt\n\t_, err := p.store.ReceiptByUOID(ctx, e.uo.Ref)\n\tswitch {\n\tcase errors.As(err, &errNoReceipt):\n\t\t// hop out of switch\n\tcase err != nil:\n\t\tlog.WarnContext(ctx, \"received error getting receipt by UOID\",\n\t\t\t\"reason\", err)\n\t\treturn false, uuid.Nil\n\tdefault:\n\t\tlog.InfoContext(ctx, \"receipt created by another processor; will not process notifications\")\n\t\treturn false, uuid.Nil\n\t}\n\n\t// confirm UOID is not stale and get previous UOID for diffing if exists.\n\t// if no previous UOID, return false, we don't want a full diff of notifications\n\t// TODO(louis) UpdateOperations signature supports getting \"all\" for a given updater\n\t// but code path is not implemented. implement this to optimize.\n\tall, err := p.matcher.UpdateOperations(ctx, driver.VulnerabilityKind)\n\tif err != nil {\n\t\tlog.WarnContext(ctx, \"received error getting update operations from matcher\",\n\t\t\t\"reason\", err)\n\t\treturn false, uuid.Nil\n\t}\n\tif _, ok := all[e.updater]; !ok {\n\t\tlog.WarnContext(ctx, \"updater missing from update operations returned from matcher (may have been garbage collected)\")\n\t\treturn false, uuid.Nil\n\t}\n\n\tuos := all[e.updater]\n\n\tvar current driver.UpdateOperation\n\tvar prev driver.UpdateOperation\n\n\tif len(uos) == 1 {\n\t\tcurrent = uos[0]\n\t\tprev.Ref = uuid.Nil\n\t} else {\n\t\tcurrent, prev = uos[0], uos[1]\n\t}\n\n\tif current.Ref.String() != e.uo.Ref.String() {\n\t\tlog.InfoContext(ctx, \"newer update operation is present, will not process notifications\",\n\t\t\t\"new\", current.Ref)\n\t\treturn false, uuid.Nil\n\t}\n\treturn true, prev.Ref\n}\n"
},
{
"path": "notifier/processor_create_test.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"sort\"\n\t\"sync/atomic\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"github.com/quay/claircore/test\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\nvar (\n\tvulnAdd = &claircore.Vulnerability{\n\t\tID: \"0\",\n\t\tName: \"added vulnerability\",\n\t\tDescription: \"a vulnerability added\",\n\t}\n\tvulnRemoved = &claircore.Vulnerability{\n\t\tID: \"1\",\n\t\tName: \"removed vulnerability\",\n\t\tDescription: \"a vulnerability removed\",\n\t}\n\tmanifestAdd = `sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef`\n\tmanifestRemoved = `sha256:fc92eec5cac70b0c324cec2933cd7db1c0eae7c9e2649e42d02e77eb6da0d15f`\n\taffectedManifestsAdd = &claircore.AffectedManifests{\n\t\tVulnerabilities: map[string]*claircore.Vulnerability{\n\t\t\tvulnAdd.ID: vulnAdd,\n\t\t},\n\t\tVulnerableManifests: map[string][]string{\n\t\t\tmanifestAdd: {vulnAdd.ID},\n\t\t},\n\t}\n\taffectedManifestsRemoved = &claircore.AffectedManifests{\n\t\tVulnerabilities: map[string]*claircore.Vulnerability{\n\t\t\tvulnRemoved.ID: vulnRemoved,\n\t\t},\n\t\tVulnerableManifests: map[string][]string{\n\t\t\tmanifestRemoved: {vulnRemoved.ID},\n\t\t},\n\t}\n\tnotifications = []Notification{\n\t\t{\n\t\t\tManifest: claircore.MustParseDigest(manifestAdd),\n\t\t\tReason: Added,\n\t\t\tVulnerability: VulnSummary{\n\t\t\t\tDescription: affectedManifestsAdd.Vulnerabilities[vulnAdd.ID].Description,\n\t\t\t\tName: affectedManifestsAdd.Vulnerabilities[vulnAdd.ID].Name,\n\t\t\t\tSeverity: claircore.Unknown.String(),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tManifest: claircore.MustParseDigest(manifestRemoved),\n\t\t\tReason: Removed,\n\t\t\tVulnerability: VulnSummary{\n\t\t\t\tDescription: affectedManifestsRemoved.Vulnerabilities[vulnRemoved.ID].Description,\n\t\t\t\tName: affectedManifestsRemoved.Vulnerabilities[vulnRemoved.ID].Name,\n\t\t\t\tSeverity: claircore.Unknown.String(),\n\t\t\t},\n\t\t},\n\t}\n)\n\nfunc TestProcessCreate(t *testing.T) {\n\tt.Run(\"Create\", testProcessorCreate)\n\tt.Run(\"MatcherErr\", testProcessorMatcherErr)\n\tt.Run(\"IndexerErr\", testProcessorIndexerErr)\n\tt.Run(\"StoreErr\", testProcessorStoreErr)\n}\n\n// testProcessorStoreErr confirms create fails when the store is not\n// available\nfunc testProcessorStoreErr(t *testing.T) {\n\tt.Parallel()\n\tctx := test.Logging(t)\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn &driver.UpdateDiff{\n\t\t\t\tAdded: []claircore.Vulnerability{*vulnAdd},\n\t\t\t\tRemoved: []claircore.Vulnerability{*vulnRemoved},\n\t\t\t}, nil\n\t\t},\n\t}\n\tim := &indexer.Mock{\n\t\tAffectedManifests_: func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\t// needs to be populated.\n\t\t\t// create method needs at least one affected manifest\n\t\t\t// for the code path to invoke store.PutNotifications()\n\t\t\treturn affectedManifestsAdd, nil\n\t\t},\n\t}\n\t// perform bulk of checks in this mock method.\n\tsm := &MockStore{\n\t\tPutNotifications_: func(_ context.Context, _ PutOpts) error {\n\t\t\treturn fmt.Errorf(\"expected\")\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tindexer: im,\n\t\tmatcher: mm,\n\t}\n\n\terr := p.create(ctx, slog.Default(), e, uuid.Nil)\n\tif err == nil {\n\t\tt.Fatalf(\"expected err\")\n\t}\n}\n\n// testProcessorIndexerErr confirms create fails when the indexer is not\n// available\nfunc testProcessorIndexerErr(t *testing.T) {\n\tt.Parallel()\n\tctx := test.Logging(t)\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn &driver.UpdateDiff{\n\t\t\t\tAdded: []claircore.Vulnerability{*vulnAdd},\n\t\t\t\tRemoved: []claircore.Vulnerability{*vulnRemoved},\n\t\t\t}, nil\n\t\t},\n\t}\n\tim := &indexer.Mock{\n\t\tAffectedManifests_: func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\treturn nil, fmt.Errorf(\"expected\")\n\t\t},\n\t}\n\t// perform bulk of checks in this mock method.\n\tsm := &MockStore{\n\t\tPutNotifications_: func(ctx context.Context, opts PutOpts) error {\n\t\t\treturn nil\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tindexer: im,\n\t\tmatcher: mm,\n\t}\n\n\terr := p.create(ctx, slog.Default(), e, uuid.Nil)\n\tif err == nil {\n\t\tt.Fatalf(\"expected err\")\n\t}\n}\n\n// testProcessorMatcherErr confirms create fails when the matcher is not\n// available\nfunc testProcessorMatcherErr(t *testing.T) {\n\tt.Parallel()\n\tctx := test.Logging(t)\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn nil, fmt.Errorf(\"expected\")\n\t\t},\n\t}\n\tim := &indexer.Mock{\n\t\tAffectedManifests_: func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\treturn &claircore.AffectedManifests{}, nil\n\t\t},\n\t}\n\t// perform bulk of checks in this mock method.\n\tsm := &MockStore{\n\t\tPutNotifications_: func(ctx context.Context, opts PutOpts) error {\n\t\t\treturn nil\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tindexer: im,\n\t\tmatcher: mm,\n\t}\n\n\terr := p.create(ctx, slog.Default(), e, uuid.Nil)\n\tif err == nil {\n\t\tt.Fatalf(\"expected err\")\n\t}\n}\n\n// testProcessorCreate confirms notifications are created correctly.\nfunc testProcessorCreate(t *testing.T) {\n\tt.Parallel()\n\tctx := test.Logging(t)\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateDiff_: func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\treturn &driver.UpdateDiff{\n\t\t\t\tAdded: []claircore.Vulnerability{*vulnAdd},\n\t\t\t\tRemoved: []claircore.Vulnerability{*vulnRemoved},\n\t\t\t}, nil\n\t\t},\n\t}\n\tcount := uint64(0)\n\tim := &indexer.Mock{\n\t\tAffectedManifests_: func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\tif atomic.LoadUint64(&count) > 1 {\n\t\t\t\treturn nil, fmt.Errorf(\"unexpected number of calls\")\n\t\t\t}\n\t\t\tatomic.AddUint64(&count, 1)\n\t\t\tswitch vulns[0].ID {\n\t\t\tcase \"0\":\n\t\t\t\treturn affectedManifestsAdd, nil\n\t\t\tcase \"1\":\n\t\t\t\treturn affectedManifestsRemoved, nil\n\t\t\t}\n\t\t\treturn nil, fmt.Errorf(\"unexpected call\")\n\t\t},\n\t}\n\t// perform bulk of checks in this mock method.\n\tsm := &MockStore{\n\t\tPutNotifications_: func(ctx context.Context, opts PutOpts) error {\n\t\t\tif opts.Updater != e.updater {\n\t\t\t\tt.Fatalf(\"got: %s, wanted: %s\", opts.Updater, testUpdater)\n\t\t\t}\n\t\t\tif opts.UpdateID != e.uo.Ref {\n\t\t\t\tt.Fatalf(\"got: %v, want: %v\", opts.UpdateID, e.uo.Ref)\n\t\t\t}\n\t\t\tif opts.NotificationID == uuid.Nil {\n\t\t\t\tt.Fatalf(\"malformed notification id: %v\", opts.NotificationID)\n\t\t\t}\n\t\t\t// Need some sort of stable order here:\n\t\t\tsort.Slice(opts.Notifications, func(i, j int) bool {\n\t\t\t\treturn opts.Notifications[i].Reason < opts.Notifications[j].Reason\n\t\t\t})\n\t\t\tif !cmp.Equal(opts.Notifications, notifications, cmpopts.IgnoreUnexported(claircore.Digest{})) {\n\t\t\t\tt.Fatalf(\"%v\", cmp.Diff(opts.Notifications, notifications, cmpopts.IgnoreUnexported(claircore.Digest{})))\n\t\t\t}\n\n\t\t\treturn nil\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tindexer: im,\n\t\tmatcher: mm,\n\t}\n\n\terr := p.create(ctx, slog.Default(), e, uuid.Nil)\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected err: %v\", err)\n\t}\n}\n"
},
{
"path": "notifier/processor_safe_test.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"github.com/quay/claircore/test\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\nvar (\n\ttestUpdater = \"test-updater\"\n\tstart = time.Now()\n\tprocessorUpdateOps = map[string][]driver.UpdateOperation{\n\t\t// the array will be sorted by newest UO\n\t\ttestUpdater: {\n\t\t\t{\n\t\t\t\tRef: uuid.New(),\n\t\t\t\tDate: start,\n\t\t\t\tFingerprint: \"fp\",\n\t\t\t\tUpdater: testUpdater,\n\t\t\t},\n\t\t\t{\n\t\t\t\tRef: uuid.New(),\n\t\t\t\tDate: start.Add(-10 * time.Minute),\n\t\t\t\tFingerprint: \"fp\",\n\t\t\t\tUpdater: testUpdater,\n\t\t\t},\n\t\t},\n\t}\n)\n\n// TestProcessSafe is a harness for running concurrent tests which ensure notification\n// creation happens safely.\nfunc TestProcessorSafe(t *testing.T) {\n\tt.Run(\"UnsafeDuplications\", testUnsafeDuplications)\n\tt.Run(\"UnsafeStaleUOID\", testUnsafeStaleUOID)\n\tt.Run(\"UnsafeMatcherErr\", testUnsafeMatcherErr)\n\tt.Run(\"UnsafeStoreErr\", testUnsafeStoreErr)\n\tt.Run(\"Safe\", testSafe)\n}\n\n// testSafe confirms when all safety guards pass the processor will\n// create notifications.\nfunc testSafe(t *testing.T) {\n\tctx := test.Logging(t)\n\tsm := &MockStore{\n\t\tReceiptByUOID_: func(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\t\t\treturn Receipt{}, &clairerror.ErrNoReceipt{}\n\t\t},\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn processorUpdateOps, nil\n\t\t},\n\t}\n\tp := Processor{\n\t\tstore: sm,\n\t\tmatcher: mm,\n\t}\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tb, _ := p.safe(ctx, slog.Default(), e)\n\tif !b {\n\t\tt.Fatalf(\"got: %v, want: %v\", b, true)\n\t}\n}\n\n// testUnsafeStoreErr confirms notifications will not be created if Store is returning an error.\nfunc testUnsafeStoreErr(t *testing.T) {\n\tctx := test.Logging(t)\n\tsm := &MockStore{\n\t\tReceiptByUOID_: func(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\t\t\treturn Receipt{}, fmt.Errorf(\"expected\")\n\t\t},\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn processorUpdateOps, nil\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tmatcher: mm,\n\t}\n\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tb, _ := p.safe(ctx, slog.Default(), e)\n\tif b {\n\t\tt.Fatalf(\"got: %v, want: %v\", b, false)\n\t}\n}\n\n// testUnsafeMatcherErr confirms notifications will not be created if Matcher is returning an error.\nfunc testUnsafeMatcherErr(t *testing.T) {\n\tctx := test.Logging(t)\n\tsm := &MockStore{\n\t\tReceiptByUOID_: func(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\t\t\treturn Receipt{}, &clairerror.ErrNoReceipt{}\n\t\t},\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn processorUpdateOps, fmt.Errorf(\"expected\")\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tmatcher: mm,\n\t}\n\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tb, _ := p.safe(ctx, slog.Default(), e)\n\tif b {\n\t\tt.Fatalf(\"got: %v, want: %v\", b, false)\n\t}\n}\n\n// testSafeStaleUOID confirms the guard against creating stale notifications\n// works correctly.\nfunc testUnsafeStaleUOID(t *testing.T) {\n\tctx := test.Logging(t)\n\tsm := &MockStore{\n\t\tReceiptByUOID_: func(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\t\t\treturn Receipt{}, &clairerror.ErrNoReceipt{}\n\t\t},\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn processorUpdateOps, nil\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tmatcher: mm,\n\t}\n\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][1],\n\t}\n\n\tb, _ := p.safe(ctx, slog.Default(), e)\n\tif b {\n\t\tt.Fatalf(\"got: %v, want: %v\", b, false)\n\t}\n}\n\n// testUnsafeDuplications confirms the guard against creating\n// duplicate notifications works correctly.\nfunc testUnsafeDuplications(t *testing.T) {\n\tctx := test.Logging(t)\n\tsm := &MockStore{\n\t\tReceiptByUOID_: func(ctx context.Context, id uuid.UUID) (Receipt, error) {\n\t\t\treturn Receipt{}, nil\n\t\t},\n\t}\n\tmm := &matcher.Mock{\n\t\tUpdateOperations_: func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\t\treturn processorUpdateOps, nil\n\t\t},\n\t}\n\n\tp := Processor{\n\t\tstore: sm,\n\t\tmatcher: mm,\n\t}\n\n\te := Event{\n\t\tupdater: testUpdater,\n\t\tuo: processorUpdateOps[testUpdater][0],\n\t}\n\tb, _ := p.safe(ctx, slog.Default(), e)\n\tif b {\n\t\tt.Fatalf(\"got: %v, want: %v\", b, false)\n\t}\n}\n"
},
{
"path": "notifier/receipt.go",
"content": "package notifier\n\nimport (\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n)\n\n// Status defines the possible states of a notification.\ntype Status string\n\nconst (\n\t// A notification is created and ready to be delivered to a client\n\tCreated Status = \"created\"\n\t// A notification has been successfully delivered to a client\n\tDelivered Status = \"delivered\"\n\t// A notification failed to be delivered\n\tDeliveryFailed Status = \"delivery_failed\"\n\t// The client has read the notification and issued a delete\n\tDeleted Status = \"deleted\"\n)\n\n// Receipt represents the current status of a notification\ntype Receipt struct {\n\t// The update operation associated with this receipt\n\tUOID uuid.UUID\n\t// the id a client may use to retrieve a set of notifications\n\tNotificationID uuid.UUID\n\t// the current status of the notification\n\tStatus Status\n\t// the timestamp of the last status update\n\tTS time.Time\n}\n"
},
{
"path": "notifier/service/mock.go",
"content": "package service\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nvar _ notifier.Service = (*Mock)(nil)\n\n// Mock implements a mock notifier service\ntype Mock struct {\n\tNotifications_ func(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error)\n\tDeleteNotifications_ func(ctx context.Context, id uuid.UUID) error\n}\n\nfunc (m *Mock) Notifications(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error) {\n\treturn m.Notifications_(ctx, id, page)\n}\n\nfunc (m *Mock) DeleteNotifications(ctx context.Context, id uuid.UUID) error {\n\treturn m.DeleteNotifications_(ctx, id)\n}\n"
},
{
"path": "notifier/service/notifier.go",
"content": "package service\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"os\"\n\t\"runtime\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n\t\"github.com/quay/clair/v4/notifier\"\n\t\"github.com/quay/clair/v4/notifier/amqp\"\n\t\"github.com/quay/clair/v4/notifier/stomp\"\n\t\"github.com/quay/clair/v4/notifier/webhook\"\n)\n\nvar (\n\tprocessors = runtime.GOMAXPROCS(0)\n\tdeliveries = runtime.GOMAXPROCS(0)\n)\n\nvar _ notifier.Service = (*Notifier)(nil)\n\n// ErrNoDelivery is returned when there's insufficient configuration for\n// notification delivery.\nvar ErrNoDelivery = errors.New(\"no delivery mechanisms configured\")\n\n// Notifier is a local implementation of a notifier service.\ntype Notifier struct {\n\tstore notifier.Store\n\tpoll *notifier.Poller\n\tproc *notifier.Processor\n\tdel *notifier.Delivery\n}\n\n// Notifications implements notifier.Service.\nfunc (s *Notifier) Notifications(ctx context.Context, id uuid.UUID, page *notifier.Page) ([]notifier.Notification, notifier.Page, error) {\n\treturn s.store.Notifications(ctx, id, page)\n}\n\n// DeleteNotifications implements notifier.Service.\nfunc (s *Notifier) DeleteNotifications(ctx context.Context, id uuid.UUID) error {\n\treturn s.store.SetDeleted(ctx, id)\n}\n\n// Opts configures the notifier service.\ntype Opts struct {\n\tMatcher matcher.Service\n\tIndexer indexer.Service\n\tSigner webhook.Signer\n\tClient *http.Client\n\tWebhook *config.Webhook\n\tAMQP *config.AMQP\n\tSTOMP *config.STOMP\n\tPollInterval time.Duration\n\tDeliveryInterval time.Duration\n\tDisableSummary bool\n}\n\n// New returns a configured notifier subsystem.\nfunc New(ctx context.Context, store notifier.Store, locks notifier.Locker, opts Opts) (*Notifier, error) {\n\tsrv := Notifier{store: store}\n\n\t// Check for test mode.\n\tif tm := os.Getenv(\"NOTIFIER_TEST_MODE\"); tm != \"\" {\n\t\tslog.WarnContext(ctx,\n\t\t\t\"notifier will create test notifications on a set interval\",\n\t\t\t\"test_mode_enabled\", true,\n\t\t\t\"interval\", opts.PollInterval)\n\t\ttestModeInit(ctx, &opts)\n\t}\n\n\t// Configure the Poller.\n\tslog.InfoContext(ctx, \"initializing poller\",\n\t\t\"interval\", opts.PollInterval)\n\tsrv.poll = notifier.NewPoller(store, opts.Matcher, opts.PollInterval)\n\n\t// Configure the Processor.\n\tslog.InfoContext(ctx, \"initializing processors\",\n\t\t\"count\", processors)\n\tsrv.proc = notifier.NewProcessor(store, locks, opts.Indexer, opts.Matcher)\n\tsrv.proc.NoSummary = opts.DisableSummary\n\n\t// Configure a Deliverer.\n\tvar del notifier.Deliverer\n\tvar err error\n\t// BUG(hank) Currently only one delivery mechanism can be configured at a\n\t// time.\n\tswitch {\n\tcase opts.Webhook != nil:\n\t\tslog.InfoContext(ctx, \"initializing webhook deliverers\",\n\t\t\t\"count\", deliveries)\n\t\tdel, err = webhook.New(opts.Webhook, opts.Client, opts.Signer)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to create webhook deliverer: %v\", err)\n\t\t}\n\tcase opts.AMQP != nil:\n\t\tconf := opts.AMQP\n\t\tif len(conf.URIs) == 0 {\n\t\t\tslog.WarnContext(ctx, \"amqp delivery misconfigured\",\n\t\t\t\t\"reason\", \"no broker URIs to connect to\")\n\t\t\tbreak\n\t\t}\n\t\tif conf.Direct {\n\t\t\tdel, err = amqp.NewDirectDeliverer(conf)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"failed to create AMQP deliverer: %v\", err)\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t\tdel, err = amqp.New(conf)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to create AMQP deliverer: %v\", err)\n\t\t}\n\tcase opts.STOMP != nil:\n\t\tconf := opts.STOMP\n\t\tif len(conf.URIs) == 0 {\n\t\t\tslog.WarnContext(ctx, \"stomp delivery misconfigured\",\n\t\t\t\t\"reason\", \"no broker URIs to connect to\")\n\t\t\tbreak\n\t\t}\n\t\tif conf.Direct {\n\t\t\tdel, err = stomp.NewDirectDeliverer(conf)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"failed to create STOMP direct deliverer: %v\", err)\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t\tdel, err = stomp.New(conf)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to create STOMP deliverer: %v\", err)\n\t\t}\n\t}\n\tif del == nil {\n\t\t// Report an error if configured such that no notifications are being\n\t\t// processed.\n\t\treturn nil, ErrNoDelivery\n\t}\n\tsrv.del = notifier.NewDelivery(store, locks, del, opts.DeliveryInterval)\n\n\treturn &srv, nil\n}\n\n// TestModeInit will inject a mock Indexer and Matcher into opts\n// to be used in testing mode.\nfunc testModeInit(ctx context.Context, opts *Opts) error {\n\tmm := &matcher.Mock{}\n\tim := &indexer.Mock{}\n\tmatcherForTestMode(mm)\n\tindexerForTestMode(im)\n\topts.Matcher = mm\n\topts.Indexer = im\n\treturn nil\n}\n\n// Run spawns all needed background goroutines and waits for the first error.\n//\n// Canceling the supplied Context should return context.Canceled.\nfunc (s *Notifier) Run(ctx context.Context) error {\n\t// Channel for poller to processor communication.\n\tch := make(chan notifier.Event, notifier.MaxChanSize)\n\teg, ctx := errgroup.WithContext(ctx)\n\t// Poller goroutine.\n\teg.Go(func() error { return s.poll.Poll(ctx, ch) })\n\t// Processor goroutines.\n\tfor i := 0; i < processors; i++ {\n\t\teg.Go(func() error { return s.proc.Process(ctx, ch) })\n\t}\n\t// Garbage collection goroutine.\n\teg.Go(s.gc(ctx))\n\t// Delivery goroutines.\n\tfor i := 0; i < deliveries; i++ {\n\t\teg.Go(func() error { return s.del.Deliver(ctx) })\n\t}\n\treturn eg.Wait()\n}\n\n// Gc is the garbage collection process.\nfunc (s *Notifier) gc(ctx context.Context) func() error {\n\t// BUG(hank) The garbage collection period is currently unconfigurable.\n\tticker := time.NewTicker(time.Hour)\n\treturn func() error {\n\t\tdefer ticker.Stop()\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn ctx.Err()\n\t\t\tcase <-ticker.C:\n\t\t\t\tattrs := make([]slog.Attr, 1, 2)\n\t\t\t\tattrs[0] = slog.Bool(\"success\", true)\n\t\t\t\tif err := s.store.CollectNotifications(ctx); err != nil {\n\t\t\t\t\tattrs[0].Value = slog.BoolValue(false)\n\t\t\t\t\tattrs = append(attrs, slog.String(\"reason\", err.Error()))\n\t\t\t\t}\n\t\t\t\tslog.LogAttrs(ctx, slog.LevelInfo, \"gc done\", attrs...)\n\t\t\t}\n\t\t}\n\t}\n}\n"
},
{
"path": "notifier/service/testmode.go",
"content": "package service\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/sha256\"\n\t\"time\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\n// indexerForTestMode configures a mock Indexer service for notifier test mode.\n//\n// in notifier test mode a notifier.Processor will request \"indexer.AffectedManifest\" with a\n// set of vulnerabilities at which point we will return a mock affected vulnerability.\nfunc indexerForTestMode(mock *indexer.Mock) {\n\taffectedManifests := func(ctx context.Context, vulns []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\tif len(vulns) == 0 {\n\t\t\treturn &claircore.AffectedManifests{}, nil\n\t\t}\n\n\t\tdata := make([]byte, sha256.Size)\n\t\t_, err := rand.Read(data)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tdigest, err := claircore.NewDigest(\"sha256\", data)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tam := &claircore.AffectedManifests{\n\t\t\tVulnerabilities: map[string]*claircore.Vulnerability{\n\t\t\t\tvulns[0].ID: &(vulns[0]),\n\t\t\t},\n\t\t\tVulnerableManifests: map[string][]string{\n\t\t\t\tdigest.String(): {vulns[0].ID},\n\t\t\t},\n\t\t}\n\t\treturn am, nil\n\t}\n\tmock.AffectedManifests_ = affectedManifests\n}\n\n// MatcherForTestMode configures a mock Matcher service for notifier test mode.\n//\n// in notifier test mode a notifier.Poller will request \"matcher.LatestUpdateOperations\" at which point\n// a new UO pair will be smithed.\n//\n// next a notifier.Processor will request \"matcher.UpdateOperations\" and look for \"test-updater\" UOs in which\n// the smithed pair will be returned.\n//\n// finally a notifier.Processor will request to \"matcher.UpdateDiff\" will be created where a mock added vulnerability\n// will be returned.\nfunc matcherForTestMode(mock *matcher.Mock) {\n\tlatestUpdateOperations := func(context.Context, driver.UpdateKind) (map[string][]driver.UpdateOperation, error) {\n\t\tlatest := driver.UpdateOperation{\n\t\t\tRef: uuid.New(),\n\t\t\tUpdater: \"test-updater\",\n\t\t\tFingerprint: \"test-fingerprint\",\n\t\t}\n\t\tolder := driver.UpdateOperation{\n\t\t\tRef: uuid.New(),\n\t\t\tUpdater: \"test-updater\",\n\t\t\tFingerprint: \"test-fingerprint\",\n\t\t}\n\t\tmock.Lock()\n\t\tdefer mock.Unlock()\n\t\tmock.TestUOs = map[string][]driver.UpdateOperation{\n\t\t\t\"test-updater\": []driver.UpdateOperation{latest, older},\n\t\t}\n\t\tm := map[string][]driver.UpdateOperation{\n\t\t\tlatest.Updater: []driver.UpdateOperation{\n\t\t\t\tlatest,\n\t\t\t},\n\t\t}\n\t\treturn m, nil\n\t}\n\tupdateOperations := func(context.Context, driver.UpdateKind, ...string) (map[string][]driver.UpdateOperation, error) {\n\t\tmock.Lock()\n\t\tdefer mock.Unlock()\n\t\tm := map[string][]driver.UpdateOperation{}\n\t\tfor k, v := range mock.TestUOs {\n\t\t\tm[k] = v\n\t\t}\n\t\treturn m, nil\n\t}\n\tupdateDiff := func(context.Context, uuid.UUID, uuid.UUID) (*driver.UpdateDiff, error) {\n\t\tv := claircore.Vulnerability{\n\t\t\tID: \"0\",\n\t\t\tUpdater: \"test-updater\",\n\t\t\tName: \"test-vulnerability\",\n\t\t\tDescription: \"this vulnerability indicates you are running the notifier in test mode.\",\n\t\t\tIssued: time.Now(),\n\t\t\tNormalizedSeverity: claircore.Unknown,\n\t\t\tFixedInVersion: \"\",\n\t\t}\n\t\tmock.Lock()\n\t\tdiff := driver.UpdateDiff{\n\t\t\tCur: mock.TestUOs[\"test-updater\"][0],\n\t\t\tPrev: mock.TestUOs[\"test-updater\"][1],\n\t\t\tAdded: []claircore.Vulnerability{v},\n\t\t}\n\t\tmock.Unlock()\n\t\treturn &diff, nil\n\t}\n\tmock.LatestUpdateOperations_ = latestUpdateOperations\n\tmock.UpdateOperations_ = updateOperations\n\tmock.UpdateDiff_ = updateDiff\n\treturn\n}\n"
},
{
"path": "notifier/service.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n)\n\n// Service is an interface wrapping ClairV4's notifier functionality.\n//\n// This remains an interface so remote clients may implement as well.\ntype Service interface {\n\t// Retrieves an optional paginated set of notifications given an notification id\n\tNotifications(ctx context.Context, id uuid.UUID, page *Page) ([]Notification, Page, error)\n\t// Deletes the provided notification id\n\tDeleteNotifications(ctx context.Context, id uuid.UUID) error\n}\n"
},
{
"path": "notifier/stomp/deliverer.go",
"content": "package stomp\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"time\"\n\n\tgostomp \"github.com/go-stomp/stomp/v3\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// Deliverer is a STOMP deliverer which publishes a notifier.Callback to the\n// broker.\ntype Deliverer struct {\n\tcallback *url.URL\n\tdestination string\n\tfo failOver\n\trollup int\n}\n\nfunc New(conf *config.STOMP) (*Deliverer, error) {\n\tvar d Deliverer\n\tif err := d.load(conf); err != nil {\n\t\treturn nil, err\n\t}\n\treturn &d, nil\n}\n\nfunc (d *Deliverer) load(cfg *config.STOMP) error {\n\td.fo.timeout = 30 * time.Second\n\t// TODO(hank) Wire up the \"host\" and \"timeout\" config somehow -- probably\n\t// just make the config URIs strings actual URIs and parse them out with\n\t// query parameters.\n\tvar err error\n\tif cfg.TLS != nil {\n\t\td.fo.tls, err = cfg.TLS.Config()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif !cfg.Direct {\n\t\td.callback, err = url.Parse(cfg.Callback)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\td.fo.addrs = make([]string, len(cfg.URIs))\n\tcopy(d.fo.addrs, cfg.URIs)\n\td.destination = cfg.Destination\n\td.rollup = cfg.Rollup\n\treturn nil\n}\n\nfunc (d *Deliverer) Name() string {\n\treturn fmt.Sprintf(\"stomp-%s\", d.destination)\n}\n\nfunc (d *Deliverer) Deliver(ctx context.Context, nID uuid.UUID) error {\n\tconn, err := d.fo.Connection(ctx)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\tdefer conn.Disconnect()\n\n\tu, err := d.callback.Parse(nID.String())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tcb := notifier.Callback{\n\t\tNotificationID: nID,\n\t\tCallback: *u,\n\t}\n\tb, err := json.Marshal(&cb)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\n\terr = conn.Send(d.destination, \"application/json\", b, gostomp.SendOpt.Receipt)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{err}\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/stomp/directdeliverer.go",
"content": "package stomp\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"log/slog\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// Deliverer is a STOMP deliverer which publishes a notifier.Callback to the\n// the broker.\ntype DirectDeliverer struct {\n\tDeliverer\n\tn []notifier.Notification\n}\n\nfunc NewDirectDeliverer(conf *config.STOMP) (*DirectDeliverer, error) {\n\tvar d DirectDeliverer\n\tif err := d.load(conf); err != nil {\n\t\treturn nil, err\n\t}\n\td.n = make([]notifier.Notification, 0, 1024)\n\treturn &d, nil\n}\n\nfunc (d *DirectDeliverer) Name() string {\n\treturn fmt.Sprintf(\"stomp-direct-%s\", d.destination)\n}\n\n// Notifications will copy the provided notifications into a buffer for STOMP\n// delivery.\nfunc (d *DirectDeliverer) Notifications(ctx context.Context, n []notifier.Notification) error {\n\t// if we can reslice instead of allocate do so.\n\tif len(n) <= len(d.n) {\n\t\td.n = d.n[:len(n)]\n\t\tcopy(d.n, n)\n\t\treturn nil\n\t}\n\ttmp := make([]notifier.Notification, len(n))\n\tcopy(tmp, n)\n\td.n = tmp\n\treturn nil\n}\n\nfunc (d *DirectDeliverer) Deliver(ctx context.Context, nID uuid.UUID) error {\n\tconn, err := d.fo.Connection(ctx)\n\tif err != nil {\n\t\treturn errDeliever(err)\n\t}\n\tdefer conn.Disconnect()\n\n\ttx, err := conn.BeginWithError()\n\tif err != nil {\n\t\treturn errDeliever(err)\n\t}\n\tvar success bool\n\tdefer func() {\n\t\tif success {\n\t\t\treturn\n\t\t}\n\t\tif err := tx.AbortWithReceipt(); err != nil {\n\t\t\tslog.WarnContext(ctx, \"transaction aborted\", \"reason\", err)\n\t\t}\n\t}()\n\n\t// block loop publishing smaller blocks of max(rollup) length via reslicing.\n\trollup := d.rollup\n\tif rollup == 0 {\n\t\trollup++\n\t}\n\n\tvar currentBlock []notifier.Notification\n\tfor bs, be := 0, rollup; bs < len(d.n); bs, be = be, be+rollup {\n\t\t// If block-end exceeds array bounds, slice block underflow.\n\t\t// Next block-start will cause loop to exit.\n\t\tif be > len(d.n) {\n\t\t\tbe = len(d.n)\n\t\t}\n\n\t\tcurrentBlock = d.n[bs:be]\n\t\t// Can't reuse a buffer because without receipts, the client returns\n\t\t// after queuing the send.\n\t\t// Can't use receipts because RabbitMQ treats receipt as a thing that\n\t\t// happens at the end of a transaction (not unreasonable, I suppose).\n\t\tvar buf bytes.Buffer\n\t\tif err := json.NewEncoder(&buf).Encode(¤tBlock); err != nil {\n\t\t\treturn errDeliever(err)\n\t\t}\n\t\tif err := tx.Send(d.destination, \"application/json\", buf.Bytes(), nil); err != nil {\n\t\t\treturn errDeliever(err)\n\t\t}\n\t}\n\n\tif err := tx.CommitWithReceipt(); err != nil {\n\t\treturn errDeliever(err)\n\t}\n\tsuccess = true\n\treturn nil\n}\n\nfunc errDeliever(e error) error {\n\treturn &clairerror.ErrDeliveryFailed{E: e}\n}\n"
},
{
"path": "notifier/stomp/doc.go",
"content": "// Package stomp implements a [Deliverer] over the STOMP protocol.\n//\n// Deprecated: This package will be removed in a future version. Users should\n// write a webhook to STOMP transducer.\npackage stomp\n"
},
{
"path": "notifier/stomp/failover.go",
"content": "package stomp\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net\"\n\t\"time\"\n\n\tgostomp \"github.com/go-stomp/stomp/v3\"\n\t\"github.com/quay/clair/config\"\n)\n\n// failOver will return the first successful connection made against the provided\n// brokers, or an existing connection if not closed.\n//\n// failOver is safe for concurrent usage.\ntype failOver struct {\n\ttls *tls.Config\n\tlogin *config.Login\n\taddrs []string\n\ttimeout time.Duration\n}\n\n// Dial will dial the provided address in accordance with the provided Config.\n//\n// Note: the STOMP protocol does not support multiplexing operations over a\n// single TCP connection. A TCP connection must be made for each STOMP\n// connection.\nfunc (f *failOver) Dial(ctx context.Context, addr string) (*gostomp.Conn, error) {\n\tvar opts []func(*gostomp.Conn) error\n\tif f.login != nil {\n\t\topts = append(opts, gostomp.ConnOpt.Login(f.login.Login, f.login.Passcode))\n\t}\n\tif host, _, err := net.SplitHostPort(addr); err == nil {\n\t\topts = append(opts, gostomp.ConnOpt.Host(host))\n\t}\n\n\tvar d interface {\n\t\tDialContext(context.Context, string, string) (net.Conn, error)\n\t} = &net.Dialer{\n\t\tTimeout: f.timeout,\n\t}\n\tif f.tls != nil {\n\t\td = &tls.Dialer{\n\t\t\tNetDialer: d.(*net.Dialer),\n\t\t\tConfig: f.tls,\n\t\t}\n\t}\n\tconn, err := d.DialContext(ctx, \"tcp\", addr)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to connect to broker @ %v: %w\", addr, err)\n\t}\n\n\tstompConn, err := gostomp.Connect(conn, opts...)\n\tif err != nil {\n\t\tif conn != nil {\n\t\t\tconn.Close()\n\t\t}\n\t\treturn nil, fmt.Errorf(\"stomp connect handshake to broker @ %v failed: %w\", addr, err)\n\t}\n\n\treturn stompConn, err\n}\n\n// Connection returns a new connection to the first broker that successfully\n// handshakes.\n//\n// The caller MUST call conn.Disconnect() to close the underlying TCP connection\n// when finished.\nfunc (f *failOver) Connection(ctx context.Context) (*gostomp.Conn, error) {\n\tfor _, addr := range f.addrs {\n\t\tconn, err := f.Dial(ctx, addr)\n\t\tif err != nil {\n\t\t\tslog.DebugContext(ctx, \"failed to dial broker, attempting next\",\n\t\t\t\t\"broker\", addr,\n\t\t\t\t\"reason\", err)\n\t\t\tcontinue\n\t\t}\n\t\treturn conn, nil\n\t}\n\treturn nil, fmt.Errorf(\"exhausted all brokers and unable to make connection\")\n}\n"
},
{
"path": "notifier/stomp/integration_test.go",
"content": "package stomp\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/go-stomp/stomp/v3\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/test\"\n\t\"github.com/quay/claircore/test/integration\"\n\t\"golang.org/x/sync/errgroup\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nfunc setURI(t *testing.T, cfg config.STOMP, uri string) (next config.STOMP, dial string, opt []func(*stomp.Conn) error) {\n\tconst (\n\t\tdefaultStompBrokerURI = \"localhost:61613\"\n\t)\n\tt.Helper()\n\tswitch {\n\tcase uri == \"\":\n\t\tt.Logf(\"using default broker URI: %q\", defaultStompBrokerURI)\n\t\tcfg.URIs = append(cfg.URIs, defaultStompBrokerURI)\n\t\treturn cfg, defaultStompBrokerURI, nil\n\tcase strings.Contains(uri, \"://\"): // probably a URL\n\t\tu, err := url.Parse(uri)\n\t\tif err != nil {\n\t\t\tt.Logf(\"weird test URI: %q: %v\", uri, err)\n\t\t\treturn setURI(t, cfg, \"\")\n\t\t}\n\t\tt.Logf(\"using broker address: %q\", u.Host)\n\t\tcfg.URIs = append(cfg.URIs, u.Host)\n\t\tt.Logf(\"using broker vhost: %q\", u.Hostname())\n\t\topt = append(opt, stomp.ConnOpt.Host(u.Hostname()))\n\t\tif u := u.User; u != nil {\n\t\t\tt.Logf(\"using login: %q\", u.String())\n\t\t\tcfg.Login = &config.Login{\n\t\t\t\tLogin: u.Username(),\n\t\t\t}\n\t\t\tcfg.Login.Passcode, _ = u.Password()\n\t\t\topt = append(opt, stomp.ConnOpt.Login(cfg.Login.Login, cfg.Login.Passcode))\n\t\t}\n\t\treturn cfg, u.Host, opt\n\tdefault:\n\t\tt.Logf(\"using broker URI: %q\", uri)\n\t\tcfg.URIs = append(cfg.URIs, uri)\n\t\treturn cfg, uri, nil\n\t}\n}\n\ntype logAdapter struct{ *testing.T }\n\nvar _ stomp.Logger = logAdapter{}\n\nfunc (a logAdapter) Debugf(format string, value ...interface{}) { a.Logf(format, value...) }\nfunc (a logAdapter) Infof(format string, value ...interface{}) { a.Logf(format, value...) }\nfunc (a logAdapter) Warningf(format string, value ...interface{}) { a.Logf(format, value...) }\nfunc (a logAdapter) Debug(msg string) { a.Log(msg) }\nfunc (a logAdapter) Info(msg string) { a.Log(msg) }\nfunc (a logAdapter) Warning(msg string) { a.Log(msg) }\nfunc (a logAdapter) Error(msg string) { a.T.Error(msg) }\n\nfunc consumer(ctx context.Context, t *testing.T, dial string, opt []func(*stomp.Conn) error, queue string, ct int, hook func(*testing.T, *stomp.Message)) func() error {\n\treturn func() error {\n\t\tconn, err := stomp.Dial(\"tcp\", dial, opt...)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to connect to broker at %q: %w\", dial, err)\n\t\t}\n\t\tdefer conn.Disconnect()\n\t\tt.Log(\"consumer: connect OK\")\n\n\t\tsub, err := conn.Subscribe(queue, stomp.AckClient)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to subscribe to %q: %w\", queue, err)\n\t\t}\n\t\tdefer func() {\n\t\t\tdefer func() {\n\t\t\t\tif r := recover(); r != nil {\n\t\t\t\t\tt.Logf(\"*stomp.Conn.Unsubscribe panicked (see https://github.com/go-stomp/stomp/pull/139):\\n%v\", r)\n\t\t\t\t}\n\t\t\t}()\n\t\t\terr := sub.Unsubscribe()\n\t\t\tif err != nil {\n\t\t\t\tt.Logf(\"unsubscribing: %v\", err)\n\t\t\t\tif runtime.GOARCH == \"amd64\" {\n\t\t\t\t\tt.Fail()\n\t\t\t\t} else {\n\t\t\t\t\tt.Logf(\"ignoring previous error because of arch %q\", runtime.GOARCH)\n\t\t\t\t}\n\t\t\t}\n\t\t}()\n\t\tt.Log(\"consumer: subscribe OK\")\n\n\t\t// read messages\n\t\tfor i := 0; i < ct; i++ {\n\t\t\tvar m *stomp.Message\n\t\t\tselect {\n\t\t\tcase m = <-sub.C:\n\t\t\t\tconn.Ack(m)\n\t\t\tcase <-ctx.Done():\n\t\t\t\treturn context.Cause(ctx)\n\t\t\t}\n\t\t\thook(t, m)\n\t\t\tif t.Failed() {\n\t\t\t\treturn errors.New(\"hook failed\")\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// TestDeliverer confirms a notification\n// callback is successfully delivered to the stomp broker.\nfunc TestDeliverer(t *testing.T) {\n\tt.Parallel()\n\t// This is only really made to work with RabbitMQ. Previous revisions of the\n\t// code tested against ActiveMQ, but this was migrated to make the setup\n\t// simpler.\n\tintegration.Skip(t)\n\tctx := test.Logging(t)\n\tconst (\n\t\tcallback = \"http://clair-notifier/notifier/api/v1/notifications/\"\n\t)\n\n\tvar (\n\t\tqueue = `/queue/` + uuid.New().String()\n\t\tconf = config.STOMP{\n\t\t\tCallback: callback,\n\t\t\tDestination: queue,\n\t\t\tDirect: false,\n\t\t\tURIs: []string{\n\t\t\t\t\"nohost1:5672\", // Put a bogus host in here to hit the failover code.\n\t\t\t},\n\t\t}\n\t)\n\tconf, dial, opt := setURI(t, conf, os.Getenv(\"STOMP_CONNECTION_STRING\"))\n\topt = append(opt, stomp.ConnOpt.Logger(logAdapter{t}))\n\n\t// test parallel usage\n\teg, ctx := errgroup.WithContext(ctx)\n\tconst n = 4\n\teg.Go(consumer(ctx, t, dial, opt, queue, n, func(t *testing.T, m *stomp.Message) {\n\t\tif got, want := m.ContentType, \"application/json\"; got != want {\n\t\t\tt.Errorf(\"msg content type mismatch: got %q, want %q\", got, want)\n\t\t}\n\t\tvar msgBody map[string]string\n\t\tif err := json.Unmarshal(m.Body, &msgBody); err != nil {\n\t\t\tt.Errorf(\"cannot unmarshal msg body into map: %v\", err)\n\t\t}\n\t\tnid, ok := msgBody[\"notification_id\"]\n\t\tif !ok {\n\t\t\tt.Error(`cannot find \"notification_id\" key in msg body`)\n\t\t}\n\t\tt.Logf(\"recv note %q\", nid)\n\t\tcb, ok := msgBody[\"callback\"]\n\t\tif !ok {\n\t\t\tt.Error(`cannot find \"callback\" key in msg body`)\n\t\t}\n\t\tif got, want := cb, callback+nid; got != want {\n\t\t\tt.Errorf(\"callback mismatch: got: %q, want: %q\", got, want)\n\t\t}\n\t}))\n\tfor i := 0; i < n; i++ {\n\t\teg.Go(func() error {\n\t\t\tnoteID := uuid.New()\n\t\t\td, err := New(&conf)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"could not create deliverer: %v\", err)\n\t\t\t}\n\t\t\t// will error if message cannot be delivered to broker\n\t\t\terr = d.Deliver(ctx, noteID)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to deliver message: %v\", err)\n\t\t\t}\n\t\t\tt.Logf(\"sent note %q\", noteID)\n\t\t\treturn nil\n\t\t})\n\t}\n\tif err := eg.Wait(); err != nil {\n\t\tt.Error(err)\n\t}\n}\n\n// TestDirectDeliverer confirms delivery of notifications directly\n// to the STOMP queue with rollup works correctly.\nfunc TestDirectDeliverer(t *testing.T) {\n\tt.Parallel()\n\tintegration.Skip(t)\n\tctx := test.Logging(t)\n\n\ttable := []struct {\n\t\tname string\n\t\trollup int\n\t\tnotes int\n\t\texpectedMsgs int\n\t}{\n\t\t{name: \"Rollup0\", rollup: 0, notes: 1, expectedMsgs: 1},\n\t\t{name: \"Rollup1\", rollup: 1, notes: 5, expectedMsgs: 5},\n\t\t{name: \"Overflow\", rollup: 10, notes: 5, expectedMsgs: 1},\n\t\t{name: \"Odds\", rollup: 3, notes: 7, expectedMsgs: 3},\n\t\t{name: \"OddsRollup\", rollup: 3, notes: 8, expectedMsgs: 3},\n\t\t{name: \"OddsNotes\", rollup: 4, notes: 7, expectedMsgs: 2},\n\t\t{name: \"Large\", rollup: 100, notes: 1000, expectedMsgs: 10},\n\t}\n\n\tfor _, tt := range table {\n\t\tqueue := `/queue/` + uuid.New().String()\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tctx := test.Logging(t, ctx)\n\t\t\t// deliverer test\n\t\t\tconf := config.STOMP{\n\t\t\t\tDirect: true,\n\t\t\t\tRollup: tt.rollup,\n\t\t\t\tDestination: queue,\n\t\t\t}\n\t\t\tconf, dial, opt := setURI(t, conf, os.Getenv(\"STOMP_CONNECTION_STRING\"))\n\n\t\t\tnoteID := uuid.New()\n\t\t\tnotes := make([]notifier.Notification, 0, tt.notes)\n\t\t\tfor i := 0; i < tt.notes; i++ {\n\t\t\t\tnotes = append(notes, notifier.Notification{\n\t\t\t\t\tID: uuid.New(),\n\t\t\t\t\tManifest: claircore.MustParseDigest(\"sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a\"),\n\t\t\t\t\tReason: notifier.Added,\n\t\t\t\t\tVulnerability: notifier.VulnSummary{\n\t\t\t\t\t\tDescription: fmt.Sprintf(\"test-vuln-%d\", i),\n\t\t\t\t\t},\n\t\t\t\t})\n\t\t\t}\n\t\t\tt.Logf(\"created %d notes\", len(notes))\n\n\t\t\t// test parallel usage\n\t\t\teg, ctx := errgroup.WithContext(ctx)\n\t\t\tconst n = 4\n\t\t\tvar ct int\n\t\t\teg.Go(consumer(ctx, t, dial, opt, queue, n*tt.expectedMsgs, func(t *testing.T, m *stomp.Message) {\n\t\t\t\tif got, want := m.ContentType, \"application/json\"; got != want {\n\t\t\t\t\tt.Errorf(\"msg content type mismatch: got %q, want %q\", got, want)\n\t\t\t\t}\n\t\t\t\tvar msgBody []notifier.Notification\n\t\t\t\tif err := json.Unmarshal(m.Body, &msgBody); err != nil {\n\t\t\t\t\tt.Errorf(\"cannot unmarshal msg body into slice of notifications: %v\", err)\n\t\t\t\t}\n\t\t\t\trollup := tt.rollup\n\t\t\t\tif tt.rollup == 0 {\n\t\t\t\t\trollup++\n\t\t\t\t}\n\t\t\t\tif got, want := len(msgBody), rollup; got > want {\n\t\t\t\t\tt.Errorf(\"more notes in msg than expected: got %d, want %d\", got, want)\n\t\t\t\t}\n\t\t\t\tct += len(msgBody)\n\t\t\t}))\n\t\t\tdefer func() {\n\t\t\t\tgot, want := ct, tt.notes*n\n\t\t\t\tt.Logf(\"consumer: read notes: got %d, want %d\", got, want)\n\t\t\t\tif got != want {\n\t\t\t\t\tt.Fail()\n\t\t\t\t}\n\t\t\t}()\n\t\t\tfor i := 0; i < n; i++ {\n\t\t\t\tid := i\n\t\t\t\teg.Go(func() error {\n\t\t\t\t\td, err := NewDirectDeliverer(&conf)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"could not create deliverer: %w\", err)\n\t\t\t\t\t}\n\t\t\t\t\tt.Logf(\"deliverer(%d): created %p\", id, d)\n\t\t\t\t\tif err := d.Notifications(ctx, notes); err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to provide notifications to direct deliverer: %w\", err)\n\t\t\t\t\t}\n\t\t\t\t\tt.Logf(\"deliverer(%d): added %d notes\", id, len(notes))\n\t\t\t\t\tif err := d.Deliver(ctx, noteID); err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to deliver message: %w\", err)\n\t\t\t\t\t}\n\t\t\t\t\tt.Logf(\"deliverer(%d): delivered\", id)\n\t\t\t\t\treturn nil\n\t\t\t\t})\n\t\t\t}\n\t\t\tif err := eg.Wait(); err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t})\n\t}\n}\n"
},
{
"path": "notifier/store.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/uuid\"\n)\n\n// PutOpts is provided to Notificationer.Put\n// with fields necessary to persist a notification id\ntype PutOpts struct {\n\t// the updater triggering a notification\n\tUpdater string\n\t// the update operation id triggering the notification\n\tUpdateID uuid.UUID\n\t// the notification id clients will use to retrieve the\n\t// list of notifications\n\tNotificationID uuid.UUID\n\t// a slice of notifications to persist. these notifications\n\t// will be retrievable via the notification id\n\tNotifications []Notification\n}\n\n// Store is an aggregate interface implementing all methods\n// necessary for a notifier persistence layer\ntype Store interface {\n\tNotificationer\n\tReceipter\n}\n\n// Notificationer implements persistence methods for Notification models\ntype Notificationer interface {\n\t// Notifications retrieves the list of notifications associated with a\n\t// notification id\n\t//\n\t// If a Page is provided the returned notifications will be a subset of the total\n\t// and it's len will be no larger then Page.Size.\n\t//\n\t// This method should interpret the page.Next field as the requested page and\n\t// set the returned page.Next field to the next page to receive or -1 if\n\t// paging has been exhausted.\n\t//\n\t// Page maybe nil to receive all notifications.\n\tNotifications(ctx context.Context, id uuid.UUID, page *Page) ([]Notification, Page, error)\n\t// PutNotifications persists the provided notifications and associates\n\t// them with the provided notification id\n\t//\n\t// PutNotifications must update the latest update operation for the provided\n\t// updater in such a way that UpdateOperation returns the provided update\n\t// operation id when queried with the updater name\n\t//\n\t// PutNotifications must create a Receipt with status created status on\n\t// successful persistence of notifications in such a way that Receipter.Created()\n\t// returns the persisted notification id.\n\tPutNotifications(ctx context.Context, opts PutOpts) error\n\t// PutReceipt allows for the caller to directly add a receipt to the store\n\t// without notifications being created.\n\t//\n\t// After this method returns all methods on the Receipter interface must work accordingly.\n\tPutReceipt(ctx context.Context, updater string, r Receipt) error\n\t// CollectNotifications garbage collects all notifications.\n\t//\n\t// Normally Receipter.SetDeleted will be issues first, however\n\t// application logic may decide to GC notifications which have not been\n\t// set deleted after some period of time, thus this condition should not\n\t// be checked.\n\tCollectNotifications(ctx context.Context) error\n}\n\n// Receipter implements persistence methods for Receipt models\ntype Receipter interface {\n\t// Receipt returns the Receipt for a given notification id\n\tReceipt(ctx context.Context, id uuid.UUID) (Receipt, error)\n\t// ReceiptByUOID returns the Receipt for a given UOID\n\tReceiptByUOID(ctx context.Context, id uuid.UUID) (Receipt, error)\n\t// Created returns a slice of notification ids in created status\n\tCreated(ctx context.Context) ([]uuid.UUID, error)\n\t// Failed returns a slice of notification ids to in delivery failed status\n\tFailed(ctx context.Context) ([]uuid.UUID, error)\n\t// Deleted returns a slice of notification ids in deleted status\n\tDeleted(ctx context.Context) ([]uuid.UUID, error)\n\t// SetDelivered marks the provided notification id as delivered\n\tSetDelivered(ctx context.Context, id uuid.UUID) error\n\t// SetDeliveryFailed marks the provided notification id failed to be delivered\n\tSetDeliveryFailed(ctx context.Context, id uuid.UUID) error\n\t// SetDeleted marks the provided notification id as deleted\n\tSetDeleted(ctx context.Context, id uuid.UUID) error\n}\n"
},
{
"path": "notifier/summary_test.go",
"content": "package notifier\n\nimport (\n\t\"context\"\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/claircore\"\n\t\"github.com/quay/claircore/libvuln/driver\"\n\t\"github.com/quay/claircore/test\"\n\n\t\"github.com/quay/clair/v4/indexer\"\n\t\"github.com/quay/clair/v4/matcher\"\n)\n\nfunc TestNotificationSummary(t *testing.T) {\n\tctx := test.Logging(t)\n\n\t// This is a bunch of supporting data structures.\n\tupdater := uuid.New().String()\n\te := Event{\n\t\tupdater: updater,\n\t\tuo: driver.UpdateOperation{\n\t\t\tRef: uuid.New(),\n\t\t\tUpdater: updater,\n\t\t},\n\t}\n\tmanifest := \"sha256:8d502da610b3c153d5aedaaf5323c0d49f61401d4791b4b1ffe9e36c6cbe09a0\"\n\tvs := []claircore.Vulnerability{\n\t\t{ID: \"🖳\", Name: \"uncool vulnerability\"},\n\t\t{ID: \"☃\", Name: \"cool vulnerability\", NormalizedSeverity: claircore.Critical},\n\t}\n\tam := &claircore.AffectedManifests{\n\t\tVulnerabilities: map[string]*claircore.Vulnerability{\n\t\t\t\"☃\": &vs[0],\n\t\t\t\"🖳\": &vs[1],\n\t\t},\n\t\tVulnerableManifests: map[string][]string{},\n\t}\n\tfor _, v := range vs {\n\t\tam.VulnerableManifests[manifest] = append(am.VulnerableManifests[manifest], v.ID)\n\t}\n\tp := Processor{\n\t\tmatcher: &matcher.Mock{\n\t\t\tUpdateDiff_: func(_ context.Context, prev, _ uuid.UUID) (*driver.UpdateDiff, error) {\n\t\t\t\tif got, want := prev, uuid.Nil; got != want {\n\t\t\t\t\tt.Errorf(\"got: %v, want: %v\", got, want)\n\t\t\t\t}\n\t\t\t\treturn &driver.UpdateDiff{\n\t\t\t\t\tAdded: vs,\n\t\t\t\t\tRemoved: []claircore.Vulnerability{},\n\t\t\t\t}, nil\n\t\t\t},\n\t\t},\n\t\tindexer: &indexer.Mock{\n\t\t\tAffectedManifests_: func(_ context.Context, vs []claircore.Vulnerability) (*claircore.AffectedManifests, error) {\n\t\t\t\tif len(vs) > 0 {\n\t\t\t\t\t// Needs at least one affected manifest\n\t\t\t\t\t// for the code path to invoke store.PutNotifications()\n\t\t\t\t\treturn am, nil\n\t\t\t\t}\n\t\t\t\treturn &claircore.AffectedManifests{}, nil\n\t\t\t},\n\t\t},\n\t}\n\n\t// Enable summarization, set the check function.\n\tp.NoSummary = false\n\tp.store = &MockStore{\n\t\tPutNotifications_: func(_ context.Context, o PutOpts) error {\n\t\t\tt.Logf(\"got notification ID: %v\", o.NotificationID)\n\t\t\tfor _, n := range o.Notifications {\n\t\t\t\tt.Logf(\"manifest(%v): %v %v\", n.Manifest, n.Reason, n.Vulnerability.Name)\n\t\t\t}\n\t\t\tif got, want := len(o.Notifications), 1; got != want {\n\t\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t\t}\n\t\t\tif got, want := vs[1].Name, o.Notifications[0].Vulnerability.Name; got != want {\n\t\t\t\tt.Errorf(\"got: %s, want: %s\", got, want)\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t}\n\tif err := p.create(ctx, slog.Default(), e, uuid.Nil); err != nil {\n\t\tt.Error(err)\n\t}\n\n\t// Disable summarization, swap the check function, and run again.\n\tp.NoSummary = true\n\tp.store = &MockStore{\n\t\tPutNotifications_: func(_ context.Context, o PutOpts) error {\n\t\t\tt.Logf(\"got notification ID: %v\", o.NotificationID)\n\t\t\tfor _, n := range o.Notifications {\n\t\t\t\tt.Logf(\"manifest(%v): %v %v\", n.Manifest, n.Reason, n.Vulnerability.Name)\n\t\t\t}\n\t\t\tif got, want := len(o.Notifications), len(vs); got != want {\n\t\t\t\tt.Errorf(\"got: %d, want: %d\", got, want)\n\t\t\t}\n\t\t\treturn nil\n\t\t},\n\t}\n\tif err := p.create(ctx, slog.Default(), e, uuid.Nil); err != nil {\n\t\tt.Error(err)\n\t}\n}\n"
},
{
"path": "notifier/vulnsummary.go",
"content": "package notifier\n\nimport \"github.com/quay/claircore\"\n\n// VulnSummary summarizes a vulnerability which triggered\n// a notification\ntype VulnSummary struct {\n\tName string `json:\"name\"`\n\tDescription string `json:\"description\"`\n\tPackage *claircore.Package `json:\"package,omitempty\"`\n\tDistribution *claircore.Distribution `json:\"distribution,omitempty\"`\n\tRepo *claircore.Repository `json:\"repo,omitempty\"`\n\tSeverity string `json:\"severity\"`\n\tFixedInVersion string `json:\"fixed_in_version\"`\n\tLinks string `json:\"links\"`\n}\n\nfunc (vs *VulnSummary) FromVulnerability(v *claircore.Vulnerability) {\n\t*vs = VulnSummary{\n\t\tName: v.Name,\n\t\tDescription: v.Description,\n\t\tPackage: v.Package,\n\t\tDistribution: v.Dist,\n\t\tRepo: v.Repo,\n\t\tSeverity: v.NormalizedSeverity.String(),\n\t\tFixedInVersion: v.FixedInVersion,\n\t\tLinks: v.Links,\n\t}\n}\n"
},
{
"path": "notifier/webhook/cmd/webhookd/main.go",
"content": "// Command webhookd is a server implementation of Clair's \"webhook\" notification\n// protocol.\n//\n// This command is exempt from compatibility concerns beyond being compatible\n// with the webhook protocol at the same point in the repository.\n//\n// This implementation is currently only suitable for debugging the notification\n// subsystem, but ideas and implementations for extended functionality is\n// welcome.\npackage main\n\nimport (\n\t\"context\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"flag\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httputil\"\n\t\"os\"\n\t\"os/signal\"\n\t\"path\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v3\"\n\t\"github.com/go-jose/go-jose/v3/jwt\"\n\t\"github.com/google/uuid\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nfunc main() {\n\tvar code int\n\tctx, done := signal.NotifyContext(context.Background(), os.Interrupt)\n\tdefer done()\n\tdefer func() {\n\t\tdone()\n\t\tif code != 0 {\n\t\t\tos.Exit(code)\n\t\t}\n\t}()\n\tvar level slog.LevelVar\n\tflag.BoolFunc(\"D\", \"print debugging output\", func(arg string) error {\n\t\tl := slog.LevelInfo\n\t\tif ok, _ := strconv.ParseBool(arg); ok {\n\t\t\tl = slog.LevelDebug\n\t\t}\n\t\tlevel.Set(l)\n\t\treturn nil\n\t})\n\taddr := flag.String(\"listen\", \":http\", \"address to listen on\")\n\tkeyEnc := flag.String(\"key\", \"\", \"base64 encoded PSK for signed requests\")\n\tiss := flag.String(\"iss\", \"quay\", \"issuer for signed requests\")\n\tflag.Parse()\n\n\tslog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{\n\t\tLevel: &level,\n\t})))\n\n\th := &Recv{\n\t\tClient: http.DefaultClient,\n\t}\n\n\tif len(*keyEnc) != 0 {\n\t\tb := []byte(*keyEnc)\n\t\tl := base64.StdEncoding.DecodedLen(len(b))\n\t\tkey := make([]byte, l)\n\t\tn, err := base64.StdEncoding.Decode(key, b)\n\t\tif err != nil {\n\t\t\tslog.ErrorContext(ctx, \"unable to decode key\", \"reason\", err)\n\t\t\tcode = 1\n\t\t\treturn\n\t\t}\n\t\tkey = key[:n]\n\t\tslog.DebugContext(ctx, \"decoded key\", \"key\", key)\n\t\tsk := jose.SigningKey{\n\t\t\tAlgorithm: jose.HS256,\n\t\t\tKey: key,\n\t\t}\n\t\th.Signer, err = jose.NewSigner(sk, nil)\n\t\tif err != nil {\n\t\t\tslog.ErrorContext(ctx, \"unable to create signer\", \"reason\", err)\n\t\t\tcode = 1\n\t\t\treturn\n\t\t}\n\t\th.Claim = &jwt.Claims{Issuer: *iss}\n\t}\n\tsrv := http.Server{\n\t\tAddr: *addr,\n\t\tHandler: h,\n\t\tBaseContext: func(_ net.Listener) context.Context { return ctx },\n\t}\n\tgo func() {\n\t\tif err := srv.ListenAndServe(); err != http.ErrServerClosed {\n\t\t\tslog.ErrorContext(ctx, \"unable to start HTTP server\", \"reason\", err)\n\t\t\tdone()\n\t\t\tcode = 1\n\t\t\treturn\n\t\t}\n\t}()\n\n\tslog.InfoContext(ctx, \"ready\")\n\tdefer func() {\n\t\tslog.InfoContext(ctx, \"shutting down\")\n\t\tif err := srv.Shutdown(ctx); err != nil && err != context.Canceled {\n\t\t\tslog.ErrorContext(ctx, \"HTTP server shutdown\", \"reason\", err)\n\t\t}\n\t}()\n\t<-ctx.Done()\n}\n\n// Recv implements the Clair notifier's \"webhook\" protocol.\ntype Recv struct {\n\tClient *http.Client\n\tSigner jose.Signer\n\tClaim *jwt.Claims\n}\n\nconst contentType = `application/json`\n\n// ServeHTTP implements [http.Handler].\nfunc (h *Recv) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tctx := r.Context()\n\trc := http.NewResponseController(w)\n\tdefer rc.Flush()\n\n\tslog.DebugContext(ctx, \"received hook\", \"request\", (*logRequest)(r))\n\n\tif r.Method != http.MethodPost {\n\t\tw.Header().Set(\"Allow\", http.MethodPost)\n\t\thttp.Error(w, \"\", http.StatusMethodNotAllowed)\n\t\tslog.WarnContext(ctx, \"bad request\", \"method\", r.Method)\n\t\treturn\n\t}\n\tif ct := r.Header.Get(`content-type`); ct != contentType {\n\t\tw.Header().Set(\"Accept-Post\", contentType)\n\t\thttp.Error(w, \"\", http.StatusUnsupportedMediaType)\n\t\tslog.WarnContext(ctx, \"bad request\", \"content-type\", ct)\n\t\treturn\n\t}\n\n\tdefer func() {\n\t\tif err := r.Body.Close(); err != nil {\n\t\t\tslog.WarnContext(ctx, \"unable to close request body\", \"reason\", err)\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t}()\n\tvar payload notifier.Callback\n\tdec := json.NewDecoder(r.Body)\n\tif err := dec.Decode(&payload); err != nil {\n\t\thttp.Error(w, fmt.Sprintf(\"bad content: %v\", err), http.StatusBadRequest)\n\t\tslog.WarnContext(ctx, \"bad payload\", \"reason\", err)\n\t\treturn\n\t}\n\twhid := path.Base(payload.Callback.Path)\n\n\tvar resp response\n\tfor next := new(uuid.UUID); next != nil; next = resp.Page.Next {\n\t\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, payload.Callback.String(), nil)\n\t\tif err != nil {\n\t\t\thttp.Error(w, fmt.Sprintf(\"unable to create request: %v\", err), http.StatusInternalServerError)\n\t\t\tslog.WarnContext(ctx, \"unable to create request\", \"reason\", err)\n\t\t\treturn\n\t\t}\n\t\tif pg := resp.Page.Next; pg != nil {\n\t\t\tv := req.URL.Query()\n\t\t\tv.Set(`next`, pg.String())\n\t\t\treq.URL.RawQuery = v.Encode()\n\t\t}\n\t\tif err := h.sign(req); err != nil {\n\t\t\thttp.Error(w, fmt.Sprintf(\"unable to sign request: %v\", err), http.StatusInternalServerError)\n\t\t\tslog.WarnContext(ctx, \"unable to sign request\", \"reason\", err)\n\t\t\treturn\n\t\t}\n\n\t\tslog.DebugContext(ctx, \"making request\", \"request\", (*logRequest)(req))\n\n\t\tres, err := http.DefaultClient.Do(req)\n\t\tif err != nil {\n\t\t\thttp.Error(w, fmt.Sprintf(\"error making request: %v\", err), http.StatusInternalServerError)\n\t\t\tslog.WarnContext(ctx, \"unable to make request\", \"reason\", err)\n\t\t\treturn\n\t\t}\n\t\tdefer res.Body.Close()\n\n\t\tslog.DebugContext(ctx, \"got response\", \"response\", (*logResponse)(res))\n\t\tif res.StatusCode != http.StatusOK {\n\t\t\thttp.Error(w, fmt.Sprintf(\"bad response from upstream: %q\", res.Status), http.StatusInternalServerError)\n\t\t\tslog.WarnContext(ctx, \"bad status\", \"status\", res.Status)\n\t\t\treturn\n\t\t}\n\n\t\tif err := json.NewDecoder(res.Body).Decode(&resp); err != nil {\n\t\t\thttp.Error(w, fmt.Sprintf(\"bad content from upstream: %v\", err), http.StatusTeapot)\n\t\t\tslog.WarnContext(ctx, \"bad content\", \"reason\", err)\n\t\t\treturn\n\t\t}\n\n\t\tfor _, n := range resp.Notifications {\n\t\t\tslog.InfoContext(ctx, \"notification\", \"id\", whid, slog.Group(\"notification\",\n\t\t\t\t\"id\", n.ID,\n\t\t\t\t\"manifest\", n.Manifest,\n\t\t\t\t\"reason\", n.Reason,\n\t\t\t\t\"name\", n.Vulnerability.Name,\n\t\t\t))\n\t\t}\n\t}\n\treq, err := http.NewRequestWithContext(ctx, http.MethodDelete, payload.Callback.String(), nil)\n\tif err != nil {\n\t\thttp.Error(w, fmt.Sprintf(\"unable to create request: %v\", err), http.StatusInternalServerError)\n\t\tslog.WarnContext(ctx, \"unable to create request\", \"reason\", err)\n\t\treturn\n\t}\n\tif err := h.sign(req); err != nil {\n\t\thttp.Error(w, fmt.Sprintf(\"unable to sign request: %v\", err), http.StatusInternalServerError)\n\t\tslog.WarnContext(ctx, \"unable to sign request\", \"reason\", err)\n\t\treturn\n\t}\n\tslog.DebugContext(ctx, \"making request\", \"request\", (*logRequest)(req))\n\n\tres, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\thttp.Error(w, fmt.Sprintf(\"error making request: %v\", err), http.StatusInternalServerError)\n\t\tslog.WarnContext(ctx, \"unable to make request\", \"reason\", err)\n\t\treturn\n\t}\n\tdefer res.Body.Close()\n\tslog.DebugContext(ctx, \"got response\", \"response\", (*logResponse)(res))\n\tif res.StatusCode != http.StatusOK {\n\t\thttp.Error(w, fmt.Sprintf(\"bad response from upstream: %q\", res.Status), http.StatusInternalServerError)\n\t\tslog.WarnContext(ctx, \"bad status\", \"status\", res.Status)\n\t\treturn\n\t}\n\tslog.InfoContext(ctx, \"deleted\", \"id\", whid)\n}\n\n// Response is a page of notifications.\ntype response struct {\n\tPage notifier.Page `json:\"page\"`\n\tNotifications []notifier.Notification `json:\"notifications\"`\n}\n\n// Sign does what it says on the tin.\nfunc (h *Recv) sign(req *http.Request) error {\n\tif h.Signer == nil {\n\t\treturn nil\n\t}\n\tnow := time.Now()\n\tcl := *h.Claim\n\tcl.IssuedAt = jwt.NewNumericDate(now)\n\tcl.NotBefore = jwt.NewNumericDate(now.Add(-jwt.DefaultLeeway))\n\tcl.Expiry = jwt.NewNumericDate(now.Add(jwt.DefaultLeeway))\n\ttok, err := jwt.Signed(h.Signer).Claims(&cl).CompactSerialize()\n\tif err != nil {\n\t\treturn err\n\t}\n\treq.Header.Set(\"authorization\", \"Bearer \"+tok)\n\treturn nil\n}\n\nvar (\n\t_ slog.LogValuer = (*logRequest)(nil)\n\t_ slog.LogValuer = (*logResponse)(nil)\n)\n\ntype logRequest http.Request\n\n// LogValue implements [slog.LogValuer].\nfunc (l *logRequest) LogValue() slog.Value {\n\treq := (*http.Request)(l)\n\tb, err := httputil.DumpRequest(req, true)\n\tif err != nil {\n\t\treturn slog.GroupValue(slog.String(\"error\", err.Error()))\n\t}\n\treturn slog.StringValue(string(b))\n}\n\ntype logResponse http.Response\n\n// LogValue implements [slog.LogValuer].\nfunc (l *logResponse) LogValue() slog.Value {\n\tres := (*http.Response)(l)\n\tb, err := httputil.DumpResponse(res, true)\n\tif err != nil {\n\t\treturn slog.GroupValue(slog.String(\"error\", err.Error()))\n\t}\n\treturn slog.StringValue(string(b))\n}\n"
},
{
"path": "notifier/webhook/deliverer.go",
"content": "package webhook\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\n\tclairerror \"github.com/quay/clair/v4/clair-error\"\n\t\"github.com/quay/clair/v4/internal/codec\"\n\t\"github.com/quay/clair/v4/internal/httputil\"\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\n// SignedOnce is used to print a deprecation notice, but only once per run.\nvar signedOnce sync.Once\n\ntype Deliverer struct {\n\t// a client to use for POSTing webhooks\n\tc *http.Client\n\tcallback *url.URL\n\ttarget *url.URL\n\tsigner Signer\n\theaders http.Header\n}\n\ntype Signer interface {\n\tSign(context.Context, *http.Request) error\n}\n\n// New returns a new webhook Deliverer\nfunc New(conf *config.Webhook, client *http.Client, signer Signer) (*Deliverer, error) {\n\tswitch {\n\tcase conf == nil:\n\t\treturn nil, errors.New(\"config not provided\")\n\tcase client == nil:\n\t\treturn nil, errors.New(\"http client not provided\")\n\t}\n\tvar d Deliverer\n\tvar err error\n\n\td.callback, err = url.Parse(conf.Callback)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\td.target, err = url.Parse(conf.Target)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\td.headers = conf.Headers.Clone()\n\tif d.headers == nil {\n\t\td.headers = make(map[string][]string)\n\t}\n\td.headers.Set(\"content-type\", \"application/json\")\n\td.signer = signer\n\n\td.c = client\n\treturn &d, nil\n}\n\nfunc (d *Deliverer) Name() string {\n\treturn \"webhook\"\n}\n\n// Deliver implements the notifier.Deliverer interface.\n//\n// Deliver POSTS a webhook data structure to the configured target.\nfunc (d *Deliverer) Deliver(ctx context.Context, nID uuid.UUID) error {\n\tlog := slog.With(\"notification_id\", &nID)\n\n\tcallback, err := d.callback.Parse(nID.String())\n\tif err != nil {\n\t\treturn err\n\t}\n\n\twh := notifier.Callback{\n\t\tNotificationID: nID,\n\t\tCallback: *callback,\n\t}\n\n\treq, err := httputil.NewRequestWithContext(ctx, http.MethodPost, d.target.String(), codec.JSONReader(&wh))\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor k, vs := range d.headers {\n\t\tfor _, v := range vs {\n\t\t\treq.Header.Add(k, v)\n\t\t}\n\t}\n\tif d.signer != nil {\n\t\tif err := d.signer.Sign(ctx, req); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tlog.InfoContext(ctx, \"dispatching webhook\",\n\t\t\"callback\", callback,\n\t\t\"target\", d.target)\n\n\tresp, err := d.c.Do(req)\n\tif err != nil {\n\t\treturn &clairerror.ErrDeliveryFailed{E: err}\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn &clairerror.ErrDeliveryFailed{\n\t\t\tE: &clairerror.ErrRequestFail{\n\t\t\t\tCode: resp.StatusCode,\n\t\t\t\tStatus: resp.Status,\n\t\t\t},\n\t\t}\n\t}\n\treturn nil\n}\n"
},
{
"path": "notifier/webhook/deliverer_test.go",
"content": "package webhook\n\nimport (\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"path\"\n\t\"sync\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/uuid\"\n\t\"github.com/quay/clair/config\"\n\t\"github.com/quay/claircore/test\"\n\n\t\"github.com/quay/clair/v4/notifier\"\n)\n\nvar (\n\tcallback = \"http://clair-notifier/notifier/api/v1/notification/\"\n\tnoteID = uuid.New()\n)\n\n// TestDeliverer confirms the deliverer correctly sends the webhook\n// data structure to the configured target.\nfunc TestDeliverer(t *testing.T) {\n\tvar whResult struct {\n\t\tsync.Mutex\n\t\tcb notifier.Callback\n\t}\n\tserver := httptest.NewServer(http.HandlerFunc(\n\t\tfunc(w http.ResponseWriter, r *http.Request) {\n\t\t\tif r.Method != http.MethodPost {\n\t\t\t\tw.WriteHeader(http.StatusMethodNotAllowed)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tvar cb notifier.Callback\n\t\t\terr := json.NewDecoder(r.Body).Decode(&cb)\n\t\t\tif err != nil {\n\t\t\t\tw.WriteHeader(http.StatusBadRequest)\n\t\t\t\treturn\n\t\t\t}\n\t\t\twhResult.Lock()\n\t\t\twhResult.cb = cb\n\t\t\twhResult.Unlock()\n\t\t},\n\t))\n\tdefer server.Close()\n\tctx := test.Logging(t)\n\tconf := config.Webhook{\n\t\tCallback: callback,\n\t\tTarget: server.URL,\n\t}\n\n\td, err := New(&conf, server.Client(), nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to create new webhook deliverer: %v\", err)\n\t}\n\terr = d.Deliver(ctx, noteID)\n\tif err != nil {\n\t\tt.Fatalf(\"got: %v, wanted: nil\", err)\n\t}\n\n\twhResult.Lock()\n\twh := whResult.cb\n\twhResult.Unlock()\n\n\tif !cmp.Equal(wh.NotificationID, noteID) {\n\t\tt.Fatalf(\"got: %v, wanted: %v\", wh.NotificationID, noteID)\n\t}\n\n\tcbURL, err := url.Parse(callback)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse callback url: %v\", err)\n\t}\n\tcbURL.Path = path.Join(cbURL.Path, noteID.String())\n\n\tif got, want := wh.Callback.String(), cbURL.String(); got != want {\n\t\tt.Fatalf(\"got: %v, wanted: %v\", got, want)\n\t}\n}\n"
}
]