feat: langmgr and python

[sozercan]

Signed-off-by: Sertac Ozercan [email protected]
Part of #147

Hold merge after current release

Describe the changes in this pull request using active verbs such as Add, Remove, Replace ...

Adds experimental app-level patching support with Python language manager

This PR introduces scaffolding for experimental support for patching application-level dependencies (libraries/packages) in addition to OS packages, with initial Python support.

Key Features

🔬 Experimental Feature

• Requires COPA_EXPERIMENTAL=1 environment variable
• Subject to breaking changes in future releases

📦 Package Type Filtering

• New --pkg-types flag with values: os, library, os,library
• Defaults to os (maintains backward compatibility)
• Enables separate patching policies for OS vs application dependencies

🎯 Patch Level Control

• New --library-patch-level flag with values: patch, minor, major
• Defaults to patch for conservative updates
• Implements preference ordering: patch > minor > major for safest upgrades

🐍 Python Support

• Support for pip-managed Python packages. Other package managers are not considered for this initial PR.
• Special handling for certifi (always latest version)

Example Usage

export COPA_EXPERIMENTAL=1
export IMAGE=mcr.microsoft.com/azure-cli:2.50.0 

# Scan for package vulnerabilities
trivy image --vuln-type os,library --ignore-unfixed -f json -o scan.json $IMAGE

# Patch only libraries with patch level updates only
copa patch -i $IMAGE -r scan.json --pkg-types library --library-patch-level patch

# Mixed OS and library patching with major level updates allowed
copa patch -i $IMAGE -r scan.json --pkg-types os,library --library-patch-level major

[codecov]

Codecov Report

❌ Patch coverage is 57.05882% with 365 lines in your changes missing coverage. Please review.
✅ Project coverage is 45.40%. Comparing base (fb6b525) to head (c68a564).

Files with missing lines	Patch %	Lines
pkg/langmgr/python.go	54.38%	116 Missing and 14 partials ⚠️
pkg/patch/core.go	0.00%	62 Missing ⚠️
pkg/report/trivy.go	77.43%	44 Missing and 14 partials ⚠️
pkg/patch/cmd.go	16.07%	45 Missing and 2 partials ⚠️
pkg/patch/single.go	40.00%	35 Missing and 1 partial ⚠️
pkg/langmgr/langmgr.go	86.58%	8 Missing and 3 partials ⚠️
pkg/patch/patch.go	25.00%	7 Missing and 2 partials ⚠️
pkg/utils/utils.go	0.00%	9 Missing ⚠️
pkg/buildkit/buildkit.go	0.00%	1 Missing ⚠️
pkg/pkgmgr/dpkg.go	0.00%	1 Missing ⚠️
... and 1 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1091      +/-   ##
==========================================
+ Coverage   42.86%   45.40%   +2.53%     
==========================================
  Files          35       37       +2     
  Lines        4122     4898     +776     
==========================================
+ Hits         1767     2224     +457     
- Misses       2224     2509     +285     
- Partials      131      165      +34     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[robert-cronin]

just a few comments, otherwise LGTM!

[robert-cronin]

should we do any validation/escaping here for the package names to prevent interpolation issues?

[sozercan]

good point, added validation functions to validate names and version

[robert-cronin]

it looks like this part might be duplicated a few times, perhaps we can pull out into a function like deduplicateStringSlice(input []string) []string?

[sozercan]

added utils.DeduplicateStringSlice

[robert-cronin]

should we add a timeout for the pip install command?

[sozercan]

by default pip has 15 seconds timeout. added a const for 300 seconds (5m), I am not sure if we want to make this configurable yet since we don't want too many knobs. maybe we can wait and see if someone wants a configurable timeout

[ashnamehrotra]

is this function only for testing?

[sozercan]

this is used in patch.go for getting the package managers (kinda equivalent to the GetPackageManager for OS packages), but we only have python in this PR

[ashnamehrotra]

does this mean even if minor is set it will patch to 2.6.1 if both 2.6.1 and 2.7.0 are available?

[sozercan]

correct, since focus is on CVE fixes while maintaining compatibility as much as possible. It'll only bump to 2.7.0 if 2.6.1 doesn't fix that CVE

[Copilot]

Pull Request Overview

This PR introduces experimental support for app-level patching with Python package management in addition to existing OS package patching. The feature enables patching application-level dependencies using configurable patch levels and package type filtering.

Key changes:

• Adds experimental Python language manager for patching pip-managed packages
• Introduces --pkg-types flag to filter between OS and library packages
• Implements --library-patch-level flag for controlling upgrade aggressiveness (patch/minor/major)
• Updates manifest structure to separate OS and language updates

Reviewed Changes

Copilot reviewed 32 out of 33 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
pkg/langmgr/python.go	Core Python package manager implementation with pip integration
pkg/patch/patch.go	Enhanced patching logic to support language managers and package filtering
pkg/patch/cmd.go	New CLI flags for experimental package types and patch level control
pkg/report/trivy.go	Extended Trivy parser with optimal version selection and library patch level support
pkg/types/unversioned/types.go	Updated manifest structure separating OS and language updates
website/docs/app-level-patching.md	Comprehensive documentation for the new feature