git.stella-ops.org/docs/features/unchecked/scanner/oci-ancestry-extraction.md

OCI Ancestry Extraction

Module

Scanner

Status

IMPLEMENTED

Description

Extract base image references from OCI manifest config.history to populate lineage parent relationships.

Implementation Details

  • Ancestry Extractor:
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/IOciAncestryExtractor.cs - IOciAncestryExtractor interface defining the ancestry extraction contract
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciAncestryExtractor.cs - OciAncestryExtractor extracts base image references from OCI manifest config.history to populate lineage parent relationships
  • Layer Dependency Graph:
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/LayerDependencyGraph.cs - LayerDependencyGraph models parent-child layer relationships from ancestry data

E2E Test Plan

  • Scan a container image built from a known base image and verify the OCI ancestry extractor identifies the base image reference from config.history
  • Verify lineage parent relationships are populated correctly linking child image to base image
  • Verify multi-stage build ancestry is correctly resolved (identifying intermediate build stages)
  • Verify images with LABEL or org.opencontainers.image.base.name annotations use those for ancestry when available
  • Verify images without config.history (scratch-based) are handled gracefully with no parent relationship
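
The resolution order the test plan describes, as an added Python sketch (not the StellaOps OciAncestryExtractor code). It assumes the builder wrote a "FROM <ref>" string into a history entry's comment, which is builder-dependent; the function names and sample configs are constructed for illustration. Because annotations, labels and history are all publisher-asserted, the last function checks a claimed parent against the layer diff_ids.

```python
import re

BASE_NAME = "org.opencontainers.image.base.name"
BASE_DIGEST = "org.opencontainers.image.base.digest"
# Assumption: the builder wrote "FROM <ref>" into a history entry's comment.
FROM_RE = re.compile(r"^FROM\s+(\S+)", re.IGNORECASE)

def layer_steps(config):
    """Pair each layer-producing history entry with its rootfs diff_id."""
    diff_ids = iter((config.get("rootfs") or {}).get("diff_ids") or [])
    return [(next(diff_ids, None), h.get("created_by") or "")
            for h in config.get("history") or []
            if not h.get("empty_layer")]  # metadata-only steps own no layer

def extract_parent(manifest, config):
    """Return {'ref', 'digest', 'source'} for the base image, or None."""
    declared = (("annotation", manifest.get("annotations") or {}),
                ("label", (config.get("config") or {}).get("Labels") or {}))
    for source, meta in declared:
        if meta.get(BASE_NAME):
            return {"ref": meta[BASE_NAME], "digest": meta.get(BASE_DIGEST),
                    "source": source}
    # Newest entry first, so the nearest FROM is the immediate parent.
    for h in reversed(config.get("history") or []):
        m = FROM_RE.match(h.get("comment") or "")
        if m and m.group(1).lower() != "scratch":
            return {"ref": m.group(1), "digest": None, "source": "history"}
    return None  # no history or scratch-based: no parent relationship

def shares_base_layers(base_config, child_config):
    """Declared ancestry is publisher-asserted; confirm the layer prefix."""
    base = (base_config.get("rootfs") or {}).get("diff_ids") or []
    child = (child_config.get("rootfs") or {}).get("diff_ids") or []
    return bool(base) and child[:len(base)] == base

# Constructed sample configs (placeholder diff_ids, not real digests).
BASE_CFG = {"rootfs": {"diff_ids": ["sha256:aaa"]},
            "history": [{"created_by": "ADD rootfs.tar /"}]}
CHILD_CFG = {"rootfs": {"diff_ids": ["sha256:aaa", "sha256:bbb"]},
             "history": [{"created_by": "ADD rootfs.tar /"},
                         {"created_by": "ENV APP=1", "empty_layer": True,
                          "comment": "FROM registry.example/base:1.0"},
                         {"created_by": "COPY app /app",
                          "comment": "FROM registry.example/base:1.0"}]}
SCRATCH_CFG = {"rootfs": {"diff_ids": ["sha256:ccc"]}}

if __name__ == "__main__":
    print(extract_parent({}, CHILD_CFG), layer_steps(CHILD_CFG))
```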