Merge 64be316 into a25ea54

kubescape · Mar 27, 2023 · 0e903e8 · 0e903e8
2 parents a25ea54 + 64be316
commit 0e903e8
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 55 deletions.
diff --git a/core/domain/cve.go b/core/domain/cve.go
@@ -17,4 +17,5 @@ type CVEManifest struct {
 	CVEScannerVersion  string
 	CVEDBVersion       string
 	Content            *v1beta1.GrypeDocument
+	Labels             map[string]string
 }
diff --git a/core/domain/sbom.go b/core/domain/sbom.go
@@ -19,6 +19,7 @@ type SBOM struct {
 	SBOMCreatorVersion string
 	Status             string
 	Content            *v1beta1.Document
+	Labels             map[string]string
 }
 
 // RegistryCredentials contains OCI registry credentials required for connection

diff --git a/core/services/scan.go b/core/services/scan.go
@@ -3,6 +3,7 @@ package services
 import (
 	"context"
 	"errors"
+	"os"
 	"time"
 
 	"github.com/google/uuid"
@@ -179,6 +180,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 		}
 		// store CVE'
 		if s.storage {
+			cvep.Labels = sbomp.Labels
 			cvep.Wlid = workload.Wlid
 			err = s.cveRepository.StoreCVE(ctx, cvep, true)
 			if err != nil {
@@ -249,6 +251,7 @@ func (s *ScanService) ValidateGenerateSBOM(ctx context.Context, workload domain.
 	// add imageID to parent span
 	if parentSpan := trace.SpanFromContext(ctx); parentSpan != nil {
 		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageHash))
+		parentSpan.SetAttributes(attribute.String("version", os.Getenv("RELEASE")))
 		ctx = trace.ContextWithSpan(ctx, parentSpan)
 	}
 	return ctx, nil
@@ -269,6 +272,7 @@ func (s *ScanService) ValidateScanCVE(ctx context.Context, workload domain.ScanC
 			parentSpan.SetAttributes(attribute.String("instanceID", *workload.InstanceID))
 		}
 		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageHash))
+		parentSpan.SetAttributes(attribute.String("version", os.Getenv("RELEASE")))
 		parentSpan.SetAttributes(attribute.String("wlid", workload.Wlid))
 		ctx = trace.ContextWithSpan(ctx, parentSpan)
 	}

diff --git a/repositories/apiserver.go b/repositories/apiserver.go
@@ -2,12 +2,9 @@ package repositories
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"strings"
 	"time"
 
-	"github.com/armosec/utils-k8s-go/wlid"
 	"github.com/distribution/distribution/reference"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
@@ -23,12 +20,6 @@ import (
 	"k8s.io/client-go/rest"
 )
 
-const (
-	labelKind      = "kubescape.io/workload-kind"
-	labelName      = "kubescape.io/workload-name"
-	labelNamespace = "kubescape.io/workload-namespace"
-)
-
 // APIServerStore implements both CVERepository and SBOMRepository with in-cluster storage (apiserver) to be used for production
 type APIServerStore struct {
 	StorageClient spdxv1beta1.SpdxV1beta1Interface
@@ -67,19 +58,6 @@ func hashFromImageID(imageID string) string {
 	return strings.Split(reference.ReferenceRegexp.FindStringSubmatch(imageID)[3], ":")[1]
 }
 
-func hashFromInstanceID(instanceID string) string {
-	hash := sha256.Sum256([]byte(instanceID))
-	return hex.EncodeToString(hash[:])
-}
-
-func labelsFromInstanceID(instanceID string) map[string]string {
-	return map[string]string{
-		labelKind:      wlid.GetKindFromWlid(instanceID),
-		labelName:      wlid.GetNameFromWlid(instanceID),
-		labelNamespace: wlid.GetNamespaceFromWlid(instanceID),
-	}
-}
-
 func (a *APIServerStore) GetCVE(ctx context.Context, imageID, SBOMCreatorVersion, CVEScannerVersion, CVEDBVersion string) (cve domain.CVEManifest, err error) {
 	_, span := otel.Tracer("").Start(ctx, "APIServerStore.GetCVE")
 	defer span.End()
@@ -88,7 +66,7 @@ func (a *APIServerStore) GetCVE(ctx context.Context, imageID, SBOMCreatorVersion
 		return domain.CVEManifest{}, nil
 	}
 	manifest, err := a.StorageClient.VulnerabilityManifests(a.Namespace).Get(context.Background(), hashFromImageID(imageID), metav1.GetOptions{})
-	switch  {
+	switch {
 	case errors.IsNotFound(err):
 		logger.L().Debug("CVE manifest not found in storage", helpers.String("ID", imageID))
 		return domain.CVEManifest{}, nil
@@ -122,7 +100,7 @@ func (a *APIServerStore) StoreCVE(ctx context.Context, cve domain.CVEManifest, w
 	name := hashFromImageID(cve.ID)
 	annotations := map[string]string{domain.ImageTagKey: cve.ID}
 	if withRelevancy {
-		name = hashFromInstanceID(cve.ID)
+		name = cve.ID
 		annotations = map[string]string{
 			domain.InstanceIDKey: cve.ID,
 			domain.WlidKey:       cve.Wlid,
@@ -132,6 +110,7 @@ func (a *APIServerStore) StoreCVE(ctx context.Context, cve domain.CVEManifest, w
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        name,
 			Annotations: annotations,
+			Labels:      cve.Labels,
 		},
 		Spec: v1beta1.VulnerabilityManifestSpec{
 			Metadata: v1beta1.VulnerabilityManifestMeta{
@@ -165,7 +144,7 @@ func (a *APIServerStore) GetSBOM(ctx context.Context, imageID, SBOMCreatorVersio
 		return domain.SBOM{}, nil
 	}
 	manifest, err := a.StorageClient.SBOMSPDXv2p3s(a.Namespace).Get(context.Background(), hashFromImageID(imageID), metav1.GetOptions{})
-	switch  {
+	switch {
 	case errors.IsNotFound(err):
 		logger.L().Debug("SBOM manifest not found in storage", helpers.String("ID", imageID))
 		return domain.SBOM{}, nil
@@ -197,8 +176,8 @@ func (a *APIServerStore) GetSBOMp(ctx context.Context, instanceID, SBOMCreatorVe
 		logger.L().Debug("empty instance ID provided, skipping relevant SBOM retrieval")
 		return domain.SBOM{}, nil
 	}
-	manifest, err := a.StorageClient.SBOMSPDXv2p3Filtereds(a.Namespace).Get(context.Background(), hashFromInstanceID(instanceID), metav1.GetOptions{})
-	switch  {
+	manifest, err := a.StorageClient.SBOMSPDXv2p3Filtereds(a.Namespace).Get(context.Background(), instanceID, metav1.GetOptions{})
+	switch {
 	case errors.IsNotFound(err):
 		logger.L().Debug("relevant SBOM manifest not found in storage", helpers.String("ID", instanceID))
 		return domain.SBOM{}, nil
@@ -215,6 +194,7 @@ func (a *APIServerStore) GetSBOMp(ctx context.Context, instanceID, SBOMCreatorVe
 		ID:                 instanceID,
 		SBOMCreatorVersion: SBOMCreatorVersion,
 		Content:            &manifest.Spec.SPDX,
+		Labels:             manifest.Labels,
 	}
 	if status, ok := manifest.Annotations[domain.StatusKey]; ok {
 		result.Status = status

diff --git a/repositories/apiserver_test.go b/repositories/apiserver_test.go
@@ -17,8 +17,7 @@ const instanceID = "apiVersion-v1/namespace-default/kind-Deployment/name-nginx/r
 func (a *APIServerStore) storeSBOMp(ctx context.Context, sbom domain.SBOM) error {
 	manifest := v1beta1.SBOMSPDXv2p3Filtered{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   hashFromInstanceID(sbom.ID),
-			Labels: labelsFromInstanceID(sbom.ID),
+			Name:   sbom.ID,
 			Annotations: map[string]string{
 				domain.StatusKey: sbom.Status,
 			},
@@ -336,32 +335,6 @@ func Test_extractHashFromImageID(t *testing.T) {
 	}
 }
 
-func Test_hashFromInstanceID(t *testing.T) {
-	type args struct {
-		instanceID string
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{
-			name: "same as sniffer",
-			args: args{
-				instanceID: "apiVersion-v1/namespace-any/kind-deployment/name-aaa/resourceVersion-1234/containerName-contName",
-			},
-			want: "ee9bdd0adec9ce004572faf3492f583aa82042a8b3a9d5c7d9179dc03c531eef",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := hashFromInstanceID(tt.args.instanceID); got != tt.want {
-				t.Errorf("hashFromInstanceID() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 //func TestForRazi(t *testing.T) {
 //	ctx := context.TODO()
 //	sbomAdapter := v1.NewSyftAdapter(1 * time.Hour)