Copa will need to write metadata information about which packages got patched. #592

Open
Tracked by #522
ashnamehrotra opened this issue May 2, 2024 · 1 comment

Comments

@ashnamehrotra
Contributor

No description provided.

@ashnamehrotra
Contributor Author

Investigated this with update all and scanner patches:

  • For debian non-distroless images, the status file is properly updated with new versions of packages when comparing locally and using crane.

  • For debian distroless, the package files in the status.d folder are properly upgraded with new versions when checking locally. When inspecting through crane, however, the changes in the same image are not reflected. This could be an issue with crane?

  • For rpm non-distroless, I could not find a file that would need to be updated to reflect package version changes.

  • For rpm distroless, the container-manifest1/container-manifest2 files are not upgraded with new versions when inspecting with crane. Unable to run the images locally to test.

  • For apk non-distroless, new version changes are not reflected when inspecting with crane. Unable to run the images locally to test. I believe the /lib/apk/db/installed file needs to be updated.

This metadata information was consistent in update all and scanner patches. There should probably be a follow-up fix to this since this is not specific to the update all feature, and we need to add code to rpm and apk that updates the metadata.
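
One way to automate the version check described in the comment above, as an added example (not Copa's code and not part of the original issue): it parses the dpkg `Package:`/`Version:` fields and the apk `P:`/`V:` fields and reports packages whose recorded version is not the one a patch should have installed. The sample databases, package names, versions and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample databases; package names and versions are made up.
const dpkgStatus = "Package: libexample1\nStatus: install ok installed\nVersion: 1.0-2\n\nPackage: zexample\nVersion: 2.3-1\n"
const apkInstalled = "C:Q1constructed=\nP:example-libs\nV:1.2.3-r0\n\nP:example-utils\nV:4.5-r1\n"

// parseVersions returns package name -> recorded version. Format "dpkg" reads Package:/Version:
// fields (status file or a status.d entry); "apk" reads P:/V: fields (/lib/apk/db/installed).
func parseVersions(db, format string) map[string]string {
	nameKey, verKey := "Package: ", "Version: "
	if format == "apk" {
		nameKey, verKey = "P:", "V:"
	}
	versions, name := map[string]string{}, ""
	for _, line := range strings.Split(db, "\n") {
		switch {
		case line == "":
			name = "" // a blank line ends the package stanza
		case strings.HasPrefix(line, nameKey):
			name = strings.TrimPrefix(line, nameKey)
		case strings.HasPrefix(line, verKey) && name != "":
			versions[name] = strings.TrimPrefix(line, verKey)
		}
	}
	return versions
}

// staleMetadata lists packages whose recorded version is not the one the patch should have installed.
func staleMetadata(recorded, expected map[string]string) []string {
	var stale []string
	for pkg, want := range expected {
		if got := recorded[pkg]; got != want {
			stale = append(stale, fmt.Sprintf("%s: recorded %q, expected %q", pkg, got, want))
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	fmt.Println(staleMetadata(parseVersions(dpkgStatus, "dpkg"), map[string]string{"libexample1": "1.0-2"}))
	fmt.Println(staleMetadata(parseVersions(apkInstalled, "apk"), map[string]string{"example-libs": "1.2.3-r1"}))
}
```

A non-empty result means a scanner reading that database would still see the pre-patch version, even if the package files themselves were upgraded.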
