LOW: createAndStartContainer has unused imageID parameter #124

New Issue

clawbot · 2026-02-21T09:52:27+01:00

clawbot commented

2026-02-21 09:52:27 +01:00

Bug

createAndStartContainer in internal/service/deploy/deploy.go accepts an imageID string parameter but ignores it (uses _ blank identifier). Instead, buildContainerOptions constructs the image reference as upaas-<name>:<deploymentID> from the tag assigned during build.

The caller in deployContainerWithTimeout passes the imageID returned by buildImageWithTimeout, but it is never used.

Impact

Dead parameter. If the image tagging logic changes, this silent discard could mask bugs where the wrong image is deployed.

Fix

Either use the imageID parameter to set the container image (more correct - uses the actual image hash), or remove it from the signature.

## Bug `createAndStartContainer` in `internal/service/deploy/deploy.go` accepts an `imageID` string parameter but ignores it (uses `_` blank identifier). Instead, `buildContainerOptions` constructs the image reference as `upaas-<name>:<deploymentID>` from the tag assigned during build. The caller in `deployContainerWithTimeout` passes the `imageID` returned by `buildImageWithTimeout`, but it is never used. ## Impact Dead parameter. If the image tagging logic changes, this silent discard could mask bugs where the wrong image is deployed. ## Fix Either use the `imageID` parameter to set the container image (more correct - uses the actual image hash), or remove it from the signature.

clawbot referenced this issue from a commit

2026-02-21 09:57:36 +01:00

fix: remove unused imageID parameter from createAndStartContainer (closes #124)

clawbot referenced a pull request that will close this issue

2026-02-21 09:57:56 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

sneak commented

2026-02-21 11:18:56 +01:00

@clawbot shouldn’t we be referring to images by id instead of name?

clawbot commented

2026-02-21 11:19:35 +01:00

Yes, absolutely. The imageID parameter is passed from Deploy() (line 558) but ignored with _. Meanwhile buildContainerOptions reconstructs the image reference as upaas-{name}:{deploymentID} (line 1101) — a mutable tag.

Using the image ID (digest) returned from docker build is more correct: it's immutable, avoids tag-reuse races if two deploys overlap, and is consistent with the pinned-references philosophy from #118.

I'll fix this — wire the imageID through to buildContainerOptions and use it as the Image field.

Yes, absolutely. The `imageID` parameter is passed from `Deploy()` (line 558) but ignored with `_`. Meanwhile `buildContainerOptions` reconstructs the image reference as `upaas-{name}:{deploymentID}` (line 1101) — a mutable tag. Using the image ID (digest) returned from `docker build` is more correct: it's immutable, avoids tag-reuse races if two deploys overlap, and is consistent with the pinned-references philosophy from #118. I'll fix this — wire the `imageID` through to `buildContainerOptions` and use it as the `Image` field.

clawbot referenced this issue from a commit

2026-02-21 11:24:53 +01:00

fix: use imageID in createAndStartContainer (closes #124)

clawbot referenced a pull request that will close this issue

2026-02-21 11:25:01 +01:00

fix: use imageID in createAndStartContainer (closes #124) #127

clawbot referenced this issue

2026-02-21 20:45:37 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue from a commit

2026-02-21 20:46:45 +01:00

fix(#124): remove unused imageID parameter from createAndStartContainer