Bump Gemnasium image dependencies when they're updated by scheduled updates
Proposal
The Gemnasium project currently rebuilds and releases an image daily. This allows continuous integration of upstream features and security fixes. However, the changes are not tagged, so a regression may be introduced without any changelog entry describing what changed. This MR proposes automating the creation of PATCH versions whenever image dependencies change in gemnasium, gemnasium-python, gemnasium-maven, or any of the SBoM generator images once continuous scanning is enabled. If a regression is introduced, this also gives us a starting point for identifying what may have caused it.
For example, let's say that git v2.32.0 is installed in gemnasium-python v3.2.0. If a scheduled rebuild runs and upgrades the dependency to v2.33.0, then we should include a CHANGELOG.md entry with information about the update:
## v3.2.1
### gemnasium-python
- Upgrade to git v2.33.0
The dependencies are exported from the container-scanning gl-dependency-scanning-report.json artifacts, and we could compare the files using something like this (tested locally only):
```console
$ jq -c '.dependency_files[].dependencies' $PREV_DEPENDENCY_REPORT_NAME > dependency-set-one.json
$ jq -c '.dependency_files[].dependencies' $CURR_DEPENDENCY_REPORT_NAME > dependency-set-two.json
$ jd -set dependency-set-one.json dependency-set-two.json
# This shows the recent addition of the golang builder that
# was merged in https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/merge_requests/389
@ [["set"],{}]
+ {"package":{"name":"diffutils"},"version":"3.6"}
+ {"package":{"name":"golang"},"version":"1.17.12"}
```
This could potentially allow us to parse the additions and deletions output by the jd tool and update the changelog automatically.
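As an added illustration of that idea (example code, not part of this proposal or the analyzer projects), the script below does the same flattening as the `jq` filter, splits the set diff into upgrades, additions and removals, and renders the CHANGELOG.md block in the format shown above. The two reports are constructed samples in the `dependency_files[].dependencies[]` shape; the analyzer name, the current tag and the `bump_patch` helper are assumptions.

```python
import json

# Constructed sample reports (not real analyzer artifacts); only the fields the
# jq filter above reads are kept: dependency_files[].dependencies[].package.name / .version
PREV_REPORT_JSON = """{"dependency_files": [{"path": "/usr/lib/apk/db/installed",
  "dependencies": [{"package": {"name": "git"}, "version": "2.32.0"},
                   {"package": {"name": "diffutils"}, "version": "3.6"},
                   {"package": {"name": "musl"}, "version": "1.2.2-r3"}]}]}"""
CURR_REPORT_JSON = """{"dependency_files": [{"path": "/usr/lib/apk/db/installed",
  "dependencies": [{"package": {"name": "git"}, "version": "2.33.0"},
                   {"package": {"name": "diffutils"}, "version": "3.6"},
                   {"package": {"name": "golang"}, "version": "1.17.12"}]}]}"""


def dependency_set(report_json):
    """Same flattening as the jq filter: every (name, version) pair in every dependency file."""
    report = json.loads(report_json)
    return {(d["package"]["name"], d["version"])
            for f in report["dependency_files"] for d in f["dependencies"]}


def diff_dependencies(prev_json, curr_json):
    """Split the jd-style set diff into upgraded / added / removed entries.
    Assumes one version per package name per image (dict() keeps the last one otherwise)."""
    before, after = dependency_set(prev_json), dependency_set(curr_json)
    gone = dict(before - after)  # name -> version present only in the previous image
    new = dict(after - before)   # name -> version present only in the current image
    upgraded = sorted((n, gone[n], new[n]) for n in gone.keys() & new.keys())
    added = sorted((n, v) for n, v in new.items() if n not in gone)
    removed = sorted((n, v) for n, v in gone.items() if n not in new)
    return {"upgraded": upgraded, "added": added, "removed": removed}


def bump_patch(version):
    """Assumed helper: 'v3.2.0' -> 'v3.2.1' (the PATCH bump the proposal asks for)."""
    major, minor, patch = version.lstrip("v").split(".")
    return f"v{major}.{minor}.{int(patch) + 1}"


def changelog_entry(analyzer, current_version, diff):
    """Render the CHANGELOG.md block in the proposed format; empty string when nothing changed."""
    # Version ordering is not compared: scheduled rebuilds are assumed to only move forward.
    lines = [f"- Upgrade to {n} v{new}" for n, _old, new in diff["upgraded"]]
    lines += [f"- Add {n} v{v}" for n, v in diff["added"]]
    lines += [f"- Remove {n} v{v}" for n, v in diff["removed"]]
    if not lines:
        return ""  # no dependency change, so no PATCH release is needed
    return "\n".join([f"## {bump_patch(current_version)}", f"### {analyzer}", *lines]) + "\n"


if __name__ == "__main__":
    diff = diff_dependencies(PREV_REPORT_JSON, CURR_REPORT_JSON)
    print(changelog_entry("gemnasium-python", "v3.2.0", diff), end="")
```

Packages that appear in both images with different versions are reported as upgrades; names present on only one side become additions or removals, and an unchanged report yields no entry at all.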
Alternatives
I haven't tested this tool out myself, but the container-diff tool might be able to generate a package diff between builds.