ubuntu: verify dist is actually ubuntu #970

Merged
merged 1 commit into from
Jun 23, 2023

@RTann RTann commented Jun 16, 2023

This PR addresses #969

Note: This PR does not address potentially needing to migrate/cleanup the database for current installations. This does, however, prevent the issue from popping up in fresh installs.

@RTann RTann requested a review from a team as a code owner June 16, 2023 18:03
@RTann RTann requested review from crozzy and removed request for a team June 16, 2023 18:03

RTann commented Jun 16, 2023

@crozzy the unit tests pass, but I'm wondering how you usually test ClairCore upgrades because I haven't done it before. Any suggestions?

crozzy commented Jun 16, 2023

I usually do a manual test for instances like these; we currently don't have a good automated way to test changes on environments with existing state:

  • checkout main and start Clair (docker-compose or however you like to do it, make sure you're replacing the claircore mod with your local `go mod edit -replace github.com/quay/claircore=../claircore`)
  • run an index request that is getting mis-distributioned (:grimacing:)
  • kill the indexer container/pod
  • checkout your branch
  • rebuild the indexer container/pod
  • re-run the index request, check that the distribution is correct

Happy to go into more detail if any steps aren't clear

crozzy commented Jun 21, 2023

This looks good, just needs a rebase

RTann commented Jun 22, 2023

Testing by doing the following:

  1. Run the main branch of clair via `make local-dev` (only changes I made were to the config to run only debian and ubuntu matchers/updaters and removed the need for the auth psk)
  2. Ran `go run ./cmd/clairctl report debian:stable-slim` and `go run ./cmd/clairctl report gcr.io/distroless/base`
  3. Ran the following:

```
$ docker exec -it clair-database /bin/bash
$ psql indexer --username clair
```

From here, I can see the following:

```
indexer=> SELECT name, version, version_code_name, version_id FROM dist;
       name       |    version    | version_code_name | version_id
------------------+---------------+-------------------+------------
 Ubuntu           | 12 (Bookworm) | bookworm          | 12
 Debian GNU/Linux | 12 (bookworm) | bookworm          | 12
 Debian GNU/Linux | 11 (bullseye) | bullseye          | 11
 Ubuntu           | 11 (Bullseye) | bullseye          | 11
(4 rows)
```

One thing to note: the vuln report only mentioned Debian in the distributions map. Never mentioned Ubuntu. For example:

```
  "distributions": {
    "3": {
      "id": "3",
      "did": "debian",
      "name": "Debian GNU/Linux",
      "version": "11 (bullseye)",
      "version_code_name": "bullseye",
      "version_id": "11",
      "arch": "",
      "cpe": "",
      "pretty_name": "Debian GNU/Linux 11 (bullseye)"
    }
  },
```

  1. Add `replace github.com/quay/claircore => github.com/RTann/claircore debian-isnt-ubuntu` to the go.mod
  2. `$ go mod tidy && go mod vendor`
  3. Killed all containers and reran local-dev
  4. Generate vuln reports again
  5. Find this:

```
indexer=> select * from dist;
 id |       name       |  did   |    version    | version_code_name | version_id | arch | cpe |          pretty_name
----+------------------+--------+---------------+-------------------+------------+------+-----+--------------------------------
  1 | Debian GNU/Linux | debian | 12 (bookworm) | bookworm          | 12         |      |     | Debian GNU/Linux 12 (bookworm)
  2 | Debian GNU/Linux | debian | 11 (bullseye) | bullseye          | 11         |      |     | Debian GNU/Linux 11 (bullseye)
(2 rows)
```

Looks like this PR properly attributes these images to Debian, only.
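
The check named in this PR's title, sketched as an added example (not claircore's code and not part of the thread), assuming the distribution is identified from the image's os-release file: the scanner emits an Ubuntu record only when the `ID` field says `ubuntu`. The `Dist` type, the function names and both sample os-release contents are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Dist is a hypothetical, simplified record mirroring columns of the dist table above.
type Dist struct{ DID, Name, VersionID, VersionCodeName string }

// parseOSRelease reads KEY=value pairs, skipping comments and stripping quotes.
func parseOSRelease(content string) map[string]string {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			kv[k] = strings.Trim(v, `"'`)
		}
	}
	return kv
}

// ubuntuDist reports a distribution only when ID identifies Ubuntu.
// Without this gate, any os-release that carries VERSION_ID and
// VERSION_CODENAME (as the Debian sample below does) would be recorded
// under the Ubuntu name.
func ubuntuDist(osRelease string) (Dist, bool) {
	kv := parseOSRelease(osRelease)
	if kv["ID"] != "ubuntu" {
		return Dist{}, false
	}
	return Dist{"ubuntu", "Ubuntu", kv["VERSION_ID"], kv["VERSION_CODENAME"]}, true
}

// Constructed sample inputs, not taken from real images.
const debianOSRelease = "NAME=\"Debian GNU/Linux\"\nVERSION_ID=\"12\"\nVERSION_CODENAME=bookworm\nID=debian\n"
const ubuntuOSRelease = "NAME=\"Ubuntu\"\nVERSION_ID=\"22.04\"\nVERSION_CODENAME=jammy\nID=ubuntu\n"

func main() {
	for _, s := range []string{debianOSRelease, ubuntuOSRelease} {
		d, ok := ubuntuDist(s)
		fmt.Printf("ubuntu=%v dist=%+v\n", ok, d)
	}
}
```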

crozzy commented Jun 22, 2023

nice work @RTann

crozzy previously approved these changes Jun 22, 2023
@RTann RTann force-pushed the debian-isnt-ubuntu branch from 65fdc77 to 14a482d June 22, 2023 22:32
@RTann RTann force-pushed the debian-isnt-ubuntu branch from 14a482d to e2a0ae7 June 22, 2023 22:42
@RTann RTann requested a review from crozzy June 22, 2023 22:45
ubuntu/distributionscanner.go (outdated review thread, resolved)
@RTann RTann force-pushed the debian-isnt-ubuntu branch from e2a0ae7 to c9c47ca June 23, 2023 21:10
@RTann RTann requested a review from hdonnay June 23, 2023 21:11
@crozzy crozzy merged commit 2462d9e into quay:main Jun 23, 2023
@RTann RTann deleted the debian-isnt-ubuntu branch June 23, 2023 21:41