
Add option to exclude base image components#1825

Merged: jasonpaulos merged 10 commits into main from users/jasonpaulos/exclude-base-image on Jun 26, 2026
Conversation


@jasonpaulos jasonpaulos commented Jun 10, 2026


This PR makes two changes:

1. Improve the way components from container images are mapped to layers

Prior to this, the Syft output's "Locations" field was the sole source of a component's file and layer information. This was undesirable because, for packages installed by the system package manager, the only location would be the system package manager database. As a result, any changes to system packages in later layers would result in every system package being mapped to the last layer where the database was modified.

Now, the Syft output's "Metadata.Files" field is used to augment the "Locations" data about files and layers associated with a component, and any known system package manager database files are ignored in favor of other file mappings, if present. This leads to more accurate mappings of components to image layers.

The expected result of this change is that some components which were previously mapped to layers above the base image may now be properly mapped to base image layers.

2. Add a new option to exclude components which solely originate from the base image when scanning a container image.

The flag --ExcludeBaseImageComponents can be specified to filter out components from the base image.
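The layer-mapping and filtering logic described above, as an added illustrative example and not code from the component-detection project. It assumes a simplified artifact shape (Syft-style "locations" entries carrying a layerID, "metadata.files" entries carrying only a path), an assumed path-to-layer index built from the image's layer contents, and an assumed set of package-manager database paths.

```python
"""Added example (not microsoft/component-detection code): map artifacts to
layers using both 'locations' and 'metadata.files', ignore package-manager
database paths when other file mappings exist, and drop components that
originate solely from base-image layers. Field names, PACKAGE_DB_PATHS and
the path->layer index are assumptions for this illustration."""

# Assumed: system package-manager database files to ignore when possible.
PACKAGE_DB_PATHS = {"/var/lib/dpkg/status", "/var/lib/rpm/Packages",
                    "/lib/apk/db/installed"}


def component_layers(artifact, path_to_layer, use_metadata_files=True):
    """Return the set of layer IDs an artifact's files live in.

    'locations' entries carry a layerID; 'metadata.files' entries carry only
    a path and are resolved through path_to_layer (an assumed index).
    """
    mappings = [(l["path"], l["layerID"]) for l in artifact.get("locations", [])]
    if use_metadata_files:
        for f in artifact.get("metadata", {}).get("files", []):
            layer = path_to_layer.get(f["path"])
            if layer is not None:
                mappings.append((f["path"], layer))
    non_db = [m for m in mappings if m[0] not in PACKAGE_DB_PATHS]
    # Fall back to the database file itself only when nothing else is known.
    return {layer for _, layer in (non_db or mappings)}


def exclude_base_image_components(artifacts, path_to_layer, base_layers):
    """Keep artifacts referencing at least one non-base layer (or no layer)."""
    kept = []
    for a in artifacts:
        layers = component_layers(a, path_to_layer)
        if layers and layers <= base_layers:
            continue  # every referenced layer belongs to the base image
        kept.append(a)
    return kept


# Constructed sample: base image is layer "L1"; dpkg status last changed in "L3".
PATH_TO_LAYER = {"/lib/x86_64-linux-gnu/libc.so.6": "L1", "/usr/bin/curl": "L3"}
BASE_LAYERS = {"L1"}
ARTIFACTS = [
    {"name": "libc6", "locations": [{"path": "/var/lib/dpkg/status", "layerID": "L3"}],
     "metadata": {"files": [{"path": "/lib/x86_64-linux-gnu/libc.so.6"}]}},
    {"name": "curl", "locations": [{"path": "/var/lib/dpkg/status", "layerID": "L3"}],
     "metadata": {"files": [{"path": "/usr/bin/curl"}]}},
    {"name": "requests", "locations": [{"path": "/app/requirements.txt", "layerID": "L4"}]},
]

if __name__ == "__main__":
    print([a["name"] for a in exclude_base_image_components(ARTIFACTS, PATH_TO_LAYER, BASE_LAYERS)])
```

With only the "locations" data (use_metadata_files=False) libc6 maps to L3, the layer where the dpkg database was last modified; with the file-based augmentation it maps to the base layer L1 and is excluded.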

Copilot AI review requested due to automatic review settings June 10, 2026 20:53

Copilot AI left a comment


Pull request overview

This PR adds a new scan option to exclude components that originate exclusively from base image layers when scanning container images, integrating the filtering into scan result generation and validating behavior with new unit tests.

Changes:

  • Added --FilterBaseImageComponents to ScanSettings to enable base-image-only component filtering for container scans.
  • Implemented filtering logic in DefaultGraphTranslationService to remove components whose referenced container layers are all marked IsBaseImage.
  • Added orchestrator tests covering removal/retention scenarios for base-image-only, mixed-layer, and non-container components.
Summary per file:

  • test/Microsoft.ComponentDetection.Orchestrator.Tests/Services/DefaultGraphTranslationServiceTests.cs: Adds unit tests validating the new base-image component filtering behavior.
  • src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs: Applies the new filtering option during scan result generation and introduces base-image-only detection logic.
  • src/Microsoft.ComponentDetection.Orchestrator/Commands/ScanSettings.cs: Introduces the new CLI/settings flag FilterBaseImageComponents.

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 6

@jasonpaulos jasonpaulos force-pushed the users/jasonpaulos/exclude-base-image branch from 32138d8 to f97ff44 Compare June 22, 2026 20:56
@jasonpaulos jasonpaulos requested a review from Copilot June 22, 2026 20:57
@github-actions


👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 0 new

@jasonpaulos jasonpaulos requested a review from Copilot June 25, 2026 16:27
@jasonpaulos jasonpaulos marked this pull request as ready for review June 25, 2026 16:27
@jasonpaulos jasonpaulos requested a review from a team as a code owner June 25, 2026 16:27
codecov Bot commented Jun 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.0%. Comparing base (63dafd9) to head (39b2cff).



Copilot AI left a comment


Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 2

Comment thread src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs
Comment thread src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 0 new

Copilot AI review requested due to automatic review settings June 26, 2026 20:19

Copilot AI left a comment


Review details

  • Files reviewed: 6/6 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs
@jasonpaulos jasonpaulos merged commit 0d673a8 into main Jun 26, 2026
15 checks passed
@jasonpaulos jasonpaulos deleted the users/jasonpaulos/exclude-base-image branch June 26, 2026 20:33