Remove git-core from Container Scanning and use diff to create remediation patch
The following discussion from gitlab-org/security-products/analyzers/container-scanning!2839 (merged) should be addressed:
- @adamcohen started a discussion: (+18 comments)

  However, taking a step back, do we even need to use `git` at all? There are other tools we can use to diff two files, for example, the previous container scanning tool used go-difflib to create the diff, as shown here. I'm sure there are similar gems for ruby, or we could even just shell out to `diff -u`.

  Re-reading this comment in the issue, it looks like @thiagocsf already had this idea and created this MR: Draft: Use diff to create remediation patch (gitlab-org/security-products/analyzers/container-scanning!2692 - closed).

  The benefits of removing `git-core` are a smaller Docker image as well as not needing to deal with the possible security implications of using `sudo` or `safe.directory`. Perhaps it's worth finishing off Thiago's PoC implementation?
Implementation plan
- The initial solution was started by @thiagocsf in gitlab-org/security-products/analyzers/container-scanning!2692 (closed) and is the base for this implementation.
- That MR has failing tests because they depend on `git`. They should be fixed.
- Verify that the remediation patch can be applied.
- Add / create an issue to create an E2E test in GitLab that will validate that the new remediation patch can be applied.
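As an added example that is not part of the MR or the analyzer's own code, this Ruby helper builds a git-style remediation patch by shelling out to `diff -u` instead of `git`, and handles diff's exit codes correctly (1 means "differences found", not failure). The `Dockerfile` contents and the `Dockerfile` path are constructed sample input; the function name is hypothetical.

```ruby
require "open3"
require "tempfile"

# Constructed sample input: the image's original Dockerfile and the remediated
# version that the patch should turn it into.
ORIGINAL_DOCKERFILE = <<~DOCKERFILE
  FROM debian:bullseye
  RUN apt-get update && apt-get install -y curl
  CMD ["curl", "--version"]
DOCKERFILE

REMEDIATED_DOCKERFILE = <<~DOCKERFILE
  FROM debian:bookworm
  RUN apt-get update && apt-get install -y curl
  CMD ["curl", "--version"]
DOCKERFILE

# Hypothetical helper: produce a unified diff for one file without git by
# shelling out to `diff -u` (GNU diffutils or busybox). `path` is the file's
# path inside the repository; the labels are forced to a/<path> and b/<path>
# so the output has the headers `git apply` and `patch -p1` expect.
def create_remediation_patch(original, fixed, path:)
  Tempfile.create("original") do |a|
    Tempfile.create("fixed") do |b|
      a.write(original); a.flush
      b.write(fixed); b.flush
      out, err, status = Open3.capture3(
        "diff", "-u", "-L", "a/#{path}", "-L", "b/#{path}", a.path, b.path
      )
      # diff exit codes: 0 = identical, 1 = differences found, 2 = error.
      # Checking `status.success?` here would wrongly reject every real patch.
      case status.exitstatus
      when 0 then ""          # nothing to remediate
      when 1 then out         # the unified diff, ready to apply with -p1
      else raise "diff failed (exit #{status.exitstatus}): #{err.strip}"
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts create_remediation_patch(ORIGINAL_DOCKERFILE, REMEDIATED_DOCKERFILE, path: "Dockerfile")
end
```

To check that the generated patch applies cleanly (the third step of the plan), run `patch -p1 --dry-run < remediation.patch` in the project directory; an E2E test can use `git apply --check` on the GitLab side without shipping git in the analyzer image.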