From 20101b5f1d7b6325eef55e278a7a03fa6a6ce937 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Tue, 13 Jun 2023 14:50:31 +0200
Subject: [PATCH] validate scanID on creation and before sending the report

Signed-off-by: Matthias Bertschy
---
 adapters/v1/armo.go | 5 +++++
 core/domain/scan.go | 1 +
 core/services/scan.go | 7 +++++--
 go.mod | 2 +-
 go.sum | 6 ++----
 5 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/adapters/v1/armo.go b/adapters/v1/armo.go
index 470f08d..cb58d7e 100644
--- a/adapters/v1/armo.go
+++ b/adapters/v1/armo.go
@@ -145,6 +145,11 @@ func (a *ArmoAdapter) SubmitCVE(ctx context.Context, cve domain.CVEManifest, cve
 return domain.ErrMissingWorkload
 }
+ // validate one more time the scanID before sending it to the platform
+ if !armotypes.ValidateContainerScanID(scanID) {
+ return domain.ErrInvalidScanID
+ }
+
 // get exceptions
 exceptions, err := a.GetCVEExceptions(ctx)
 if err != nil {
diff --git a/core/domain/scan.go b/core/domain/scan.go
index 287533b..6e959d1 100644
--- a/core/domain/scan.go
+++ b/core/domain/scan.go
@@ -16,6 +16,7 @@ var (
 ErrExpectedError = errors.New("expected error")
 ErrInitVulnDB = errors.New("vulnerability DB is not initialized, run readiness probe")
 ErrIncompleteSBOM = errors.New("incomplete SBOM, skipping CVE scan")
+ ErrInvalidScanID = errors.New("invalid scanID")
 ErrMissingImageInfo = errors.New("missing image information")
 ErrMissingScanID = errors.New("missing scanID")
 ErrMissingTimestamp = errors.New("missing timestamp")
diff --git a/core/services/scan.go b/core/services/scan.go
index 50fb167..df1cc1e 100644
--- a/core/services/scan.go
+++ b/core/services/scan.go
@@ -10,6 +10,7 @@ import (
 "time"
 "github.com/akyoto/cache"
+ "github.com/armosec/armoapi-go/armotypes"
 "github.com/google/go-containerregistry/pkg/v1/remote/transport"
 "github.com/google/uuid"
 "github.com/kubescape/go-logger"
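Review bot: The added guard in SubmitCVE returns the bare sentinel ErrInvalidScanID, so when a report is rejected nothing records which scanID failed or for which workload, which makes the failure hard to correlate later. Wrapping keeps errors.Is working and preserves the offending value: `return fmt.Errorf("scanID %q: %w", scanID, domain.ErrInvalidScanID)` (if fmt is not imported in armo.go, a logger call before the return serves the same purpose). The comment would also be more useful if it said why a second check exists; presumably scanID is a parameter of SubmitCVE and may come from callers other than generateScanID, e.g. `// defense in depth: scanID is caller-supplied and is sent to the platform as-is, so re-check it here even though generateScanID already validates it`. SubmitCVE's signature and the rest of its body are outside the hunk.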
@@ -328,12 +329,14 @@ func enrichContext(ctx context.Context, workload domain.ScanCommand) context.Con
 }
 func generateScanID(workload domain.ScanCommand) string {
- if workload.InstanceID != "" {
+ if workload.InstanceID != "" && armotypes.ValidateContainerScanID(workload.InstanceID) {
 return workload.InstanceID
 }
 if workload.ImageTag != "" && workload.ImageHash != "" {
 sum := sha256.Sum256([]byte(workload.ImageTag + workload.ImageHash))
- return fmt.Sprintf("%x", sum)
+ if scanID := fmt.Sprintf("%x", sum); armotypes.ValidateContainerScanID(scanID) {
+ return scanID
+ }
 }
 return uuid.New().String()
 }
diff --git a/go.mod b/go.mod
index 04e8234..0afa691 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/anchore/stereoscope v0.0.0-20230323161519-d7551b7f46f5
 github.com/anchore/syft v0.76.0
 github.com/aquilax/truncate v1.0.0
- github.com/armosec/armoapi-go v0.0.189
+ github.com/armosec/armoapi-go v0.0.193
 github.com/armosec/cluster-container-scanner-api v0.0.54
 github.com/armosec/logger-go v0.0.14
 github.com/armosec/utils-go v0.0.16
diff --git a/go.sum b/go.sum
index c7c4f88..050d8e8 100644
--- a/go.sum
+++ b/go.sum
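Review bot: The final fallback `return uuid.New().String()` is the only branch of generateScanID that is not passed through armotypes.ValidateContainerScanID, so if a UUID string can ever fail that check (the validator's rules are not visible here) the problem is only caught by the second validation in SubmitCVE, after the scan work has already been done. A guard such as `if id := uuid.New().String(); armotypes.ValidateContainerScanID(id) { return id }` followed by an explicit log of the rejected value would keep the two checks consistent without changing the function's string-only return. Separately, an InstanceID that fails validation is now silently replaced by the hash or a fresh UUID, so the report is submitted under an ID the caller did not ask for and nothing records that the supplied value was discarded; a log line at that point (the file already imports kubescape/go-logger) would make such mismatches diagnosable. generateScanID is fully inside the hunk; the closing brace at the top belongs to enrichContext, which starts outside it.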
@@ -258,8 +258,8 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armosec/armoapi-go v0.0.189 h1:x9937uaCzbJKUTgsIDufFi6Txt7TRyUGQ5XL0MwoJ2U=
-github.com/armosec/armoapi-go v0.0.189/go.mod h1:ANarxE0icSvdufFB1x3JAax7XKrWIKe8b/SvLnuDtGw=
+github.com/armosec/armoapi-go v0.0.193 h1:o5vfpFvfYwQPTi9GaErWc/pvjb88cYtcbfZpJft8vds=
+github.com/armosec/armoapi-go v0.0.193/go.mod h1:ANarxE0icSvdufFB1x3JAax7XKrWIKe8b/SvLnuDtGw=
 github.com/armosec/cluster-container-scanner-api v0.0.54 h1:m9R7+bQrGf7vkKKiFDxGU3/+kzn37uecZPjdNwAhqf8=
 github.com/armosec/cluster-container-scanner-api v0.0.54/go.mod h1:HP1ZdO9/R8x8IMiTwO3dwI+MNH1oBTrIwtqdE40lfuI=
 github.com/armosec/logger-go v0.0.14 h1:5YpXMlYt/7zIAcmJP4q1BmWNH/7bpkSndfZTyysrtUE=
@@ -680,8 +680,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kubescape/go-logger v0.0.11 h1:oucpq2S7+DT7O+UclG5IrmHado/tj6+IkYf9czVk/aY=
 github.com/kubescape/go-logger v0.0.11/go.mod h1:yGiKBJ2lhq/kxzY/MVYDREL9fLV3RGD6gv+UFjslaew=
-github.com/kubescape/k8s-interface v0.0.126 h1:W4XijGLV94OQeuWQP9WjmIl2sMIZc3eMvDDt7i9CJCM=
-github.com/kubescape/k8s-interface v0.0.126/go.mod h1:ENpA9SkkS6E3PIT+AaMu/JGkuyE04aUamY+a7WLqsJQ=
 github.com/kubescape/k8s-interface v0.0.127 h1:9H4TxbUliliQe4eY+jsZDOaYRWMEK/jriMBj4cMX73A=
 github.com/kubescape/k8s-interface v0.0.127/go.mod h1:ENpA9SkkS6E3PIT+AaMu/JGkuyE04aUamY+a7WLqsJQ=
 github.com/kubescape/storage v0.2.0 h1:WZXy4Dyjf5ltEMtk0SOD9RFL1haS9ffFPGfs1gUV1aM=