add syft version to SBOM metadata

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
kubescape · Mar 28, 2023 · 12caaaa · 12caaaa
1 parent 80d1733
commit 12caaaa
Show file tree

Hide file tree

Showing 11 changed files with 28 additions and 23 deletions.
diff --git a/adapters/mocksbom.go b/adapters/mocksbom.go
@@ -36,7 +36,7 @@ func (m MockSBOMAdapter) CreateSBOM(ctx context.Context, imageID string, _ domai
 	}
 	sbom := domain.SBOM{
 		ID:                 imageID,
-		SBOMCreatorVersion: m.Version(ctx),
+		SBOMCreatorVersion: m.Version(),
 		Content: &v1beta1.Document{
 			CreationInfo: &v1beta1.CreationInfo{
 				Created: time.Now().Format(time.RFC3339),
@@ -50,7 +50,7 @@ func (m MockSBOMAdapter) CreateSBOM(ctx context.Context, imageID string, _ domai
 }
 
 // Version returns a static version
-func (m MockSBOMAdapter) Version(_ context.Context) string {
+func (m MockSBOMAdapter) Version() string {
 	logger.L().Info("MockSBOMAdapter.Version")
 	return "Mock SBOM 1.0"
 }
diff --git a/adapters/mocksbom_test.go b/adapters/mocksbom_test.go
@@ -28,5 +28,5 @@ func TestMockSBOMAdapter_CreateSBOM_Timeout(t *testing.T) {
 
 func TestMockSBOMAdapter_Version(t *testing.T) {
 	m := NewMockSBOMAdapter(false, false)
-	assert.Assert(t, m.Version(context.TODO()) == "Mock SBOM 1.0")
+	assert.Assert(t, m.Version() == "Mock SBOM 1.0")
 }
diff --git a/adapters/v1/syft.go b/adapters/v1/syft.go
@@ -44,7 +44,7 @@ func (s *SyftAdapter) CreateSBOM(ctx context.Context, imageID string, options do
 	// prepare an SBOM and fill it progressively
 	domainSBOM := domain.SBOM{
 		ID:                 imageID,
-		SBOMCreatorVersion: s.Version(ctx),
+		SBOMCreatorVersion: s.Version(),
 	}
 	// translate business models into Syft models
 	sourceInput, err := source.ParseInput(imageID, "", true)
@@ -113,13 +113,13 @@ func (s *SyftAdapter) CreateSBOM(ctx context.Context, imageID string, options do
 	}
 	// convert SBOM
 	logger.L().Debug("converting SBOM", helpers.String("imageID", imageID))
-	domainSBOM.Content, err = syftToDomain(syftSBOM)
+	domainSBOM.Content, err = s.syftToDomain(syftSBOM)
 	// return SBOM
 	logger.L().Debug("returning SBOM", helpers.String("imageID", imageID))
 	return domainSBOM, err
 }
 
 // Version returns Syft's version which is used to tag SBOMs
-func (s *SyftAdapter) Version(context.Context) string {
+func (s *SyftAdapter) Version() string {
 	return tools.PackageVersion("github.com/anchore/syft")
 }
diff --git a/adapters/v1/syft_test.go b/adapters/v1/syft_test.go
@@ -76,7 +76,7 @@ func Test_syftAdapter_CreateSBOM(t *testing.T) {
 
 func Test_syftAdapter_Version(t *testing.T) {
 	s := NewSyftAdapter(5 * time.Minute)
-	version := s.Version(context.TODO())
+	version := s.Version()
 	assert.Assert(t, version != "")
 }
 
@@ -86,7 +86,8 @@ func Test_syftAdapter_transformations(t *testing.T) {
 	tools.EnsureSetup(t, err == nil)
 	spdxSBOM, err := domainToSpdx(*sbom.Content)
 	tools.EnsureSetup(t, err == nil)
-	domainSBOM, err := spdxToDomain(spdxSBOM)
+	s := NewSyftAdapter(5 * time.Minute)
+	domainSBOM, err := s.spdxToDomain(spdxSBOM)
 	tools.EnsureSetup(t, err == nil)
 	assert.DeepEqual(t, sbom.Content, domainSBOM)
 }
diff --git a/adapters/v1/syft_to_domain.go b/adapters/v1/syft_to_domain.go
@@ -8,12 +8,12 @@ import (
 	"github.com/spdx/tools-golang/spdx/v2/v2_3"
 )
 
-func syftToDomain(syftSBOM sbom.SBOM) (*v1beta1.Document, error) {
+func (s *SyftAdapter) syftToDomain(syftSBOM sbom.SBOM) (*v1beta1.Document, error) {
 	spdxDoc := spdxhelpers.ToFormatModel(syftSBOM)
-	return spdxToDomain(spdxDoc)
+	return s.spdxToDomain(spdxDoc)
 }
 
-func spdxToDomain(spdxDoc *v2_3.Document) (*v1beta1.Document, error) {
+func (s *SyftAdapter) spdxToDomain(spdxDoc *v2_3.Document) (*v1beta1.Document, error) {
 	doc := v1beta1.Document{
 		SPDXVersion:                spdxDoc.SPDXVersion,
 		DataLicense:                spdxDoc.DataLicense,
@@ -33,7 +33,7 @@ func spdxToDomain(spdxDoc *v2_3.Document) (*v1beta1.Document, error) {
 	if spdxDoc.CreationInfo != nil {
 		doc.CreationInfo = &v1beta1.CreationInfo{
 			LicenseListVersion: spdxDoc.CreationInfo.LicenseListVersion,
-			Creators:           syftToDomainCreators(spdxDoc.CreationInfo.Creators),
+			Creators:           s.syftToDomainCreators(spdxDoc.CreationInfo.Creators),
 			Created:            spdxDoc.CreationInfo.Created,
 			CreatorComment:     spdxDoc.CreationInfo.CreatorComment,
 		}
@@ -56,11 +56,15 @@ func syftToDomainExternalDocumentReferences(externalDocumentReferences []v2_3.Ex
 	return result
 }
 
-func syftToDomainCreators(creators []common.Creator) []v1beta1.Creator {
+func (s *SyftAdapter) syftToDomainCreators(creators []common.Creator) []v1beta1.Creator {
 	var result []v1beta1.Creator
 	for _, c := range creators {
+		creator := c.Creator
+		if creator == "syft-" {
+			creator += s.Version()
+		}
 		result = append(result, v1beta1.Creator{
-			Creator:     c.Creator,
+			Creator:     creator,
 			CreatorType: c.CreatorType,
 		})
 	}

diff --git a/adapters/v1/testdata/alpine-sbom.format.json b/adapters/v1/testdata/alpine-sbom.format.json
@@ -11,7 +11,7 @@
   "licenseListVersion": "<<PRESENCE>>",
   "creators": [
    "Organization: Anchore, Inc",
-   "Tool: syft-"
+   "Tool: syft-unknown"
   ],
   "created": "<<PRESENCE>>",
   "comment": ""

diff --git a/adapters/v1/testdata/alpine-sbom.json b/adapters/v1/testdata/alpine-sbom.json
@@ -11,7 +11,7 @@
   "licenseListVersion": "3.20",
   "creators": [
    "Organization: Anchore, Inc",
-   "Tool: syft-"
+   "Tool: syft-unknown"
   ],
   "created": "2023-03-22T07:57:01Z",
   "comment": ""

diff --git a/adapters/v1/testdata/hello-world-sbom.format.json b/adapters/v1/testdata/hello-world-sbom.format.json
@@ -11,7 +11,7 @@
   "licenseListVersion": "<<PRESENCE>>",
   "creators": [
    "Organization: Anchore, Inc",
-   "Tool: syft-"
+   "Tool: syft-unknown"
   ],
   "created": "<<PRESENCE>>",
   "comment": ""

diff --git a/core/ports/providers.go b/core/ports/providers.go
@@ -17,7 +17,7 @@ type CVEScanner interface {
 // SBOMCreator is the port implemented by adapters to be used in ScanService to generate SBOM
 type SBOMCreator interface {
 	CreateSBOM(ctx context.Context, imageID string, options domain.RegistryOptions) (domain.SBOM, error)
-	Version(ctx context.Context) string
+	Version() string
 }
 
 // Platform is the port implemented by adapters to be used in ScanService to report scan results and send telemetry data

diff --git a/core/services/scan.go b/core/services/scan.go
@@ -56,7 +56,7 @@ func (s *ScanService) GenerateSBOM(ctx context.Context) error {
 	sbom := domain.SBOM{}
 	var err error
 	if s.storage {
-		sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageHash, s.sbomCreator.Version(ctx))
+		sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageHash, s.sbomCreator.Version())
 		if err != nil {
 			logger.L().Ctx(ctx).Warning("error getting SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
 		}
@@ -108,7 +108,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 	// check if CVE manifest is already available
 	cve := domain.CVEManifest{}
 	if s.storage {
-		cve, err = s.cveRepository.GetCVE(ctx, workload.ImageHash, s.sbomCreator.Version(ctx), s.cveScanner.Version(ctx), s.cveScanner.DBVersion(ctx))
+		cve, err = s.cveRepository.GetCVE(ctx, workload.ImageHash, s.sbomCreator.Version(), s.cveScanner.Version(ctx), s.cveScanner.DBVersion(ctx))
 		if err != nil {
 			logger.L().Ctx(ctx).Warning("error getting CVE", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
 		}
@@ -119,7 +119,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 		// check if SBOM is already available
 		sbom := domain.SBOM{}
 		if s.storage {
-			sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageHash, s.sbomCreator.Version(ctx))
+			sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageHash, s.sbomCreator.Version())
 			if err != nil {
 				logger.L().Ctx(ctx).Warning("error getting SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
 			}
@@ -164,7 +164,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 	// check if SBOM' is already available
 	sbomp := domain.SBOM{}
 	if s.storage && workload.InstanceID != "" {
-		sbomp, err = s.sbomRepository.GetSBOMp(ctx, workload.InstanceID, s.sbomCreator.Version(ctx))
+		sbomp, err = s.sbomRepository.GetSBOMp(ctx, workload.InstanceID, s.sbomCreator.Version())
 		if err != nil {
 			logger.L().Ctx(ctx).Warning("error getting relevant SBOM", helpers.Error(err), helpers.String("instanceID", workload.InstanceID))
 		}

diff --git a/core/services/scan_test.go b/core/services/scan_test.go
@@ -245,7 +245,7 @@ func TestScanService_ScanCVE(t *testing.T) {
 				t.Errorf("ScanCVE() error = %v, wantErr %v", err, tt.wantErr)
 			}
 			if tt.wantCvep {
-				cvep, err := storageCVE.GetCVE(ctx, sbomp.ID, sbomAdapter.Version(ctx), cveAdapter.Version(ctx), cveAdapter.DBVersion(ctx))
+				cvep, err := storageCVE.GetCVE(ctx, sbomp.ID, sbomAdapter.Version(), cveAdapter.Version(ctx), cveAdapter.DBVersion(ctx))
 				tools.EnsureSetup(t, err == nil)
 				assert.Assert(t, cvep.Labels != nil)
 			}