Merge 5254aa9 into ed5a4ae

kubescape · Aug 8, 2023 · 2752f82 · 2752f82
2 parents ed5a4ae + 5254aa9
commit 2752f82
Show file tree

Hide file tree

Showing 8 changed files with 141 additions and 40 deletions.
diff --git a/adapters/v1/armo.go b/adapters/v1/armo.go
@@ -111,7 +111,7 @@ func (a *ArmoAdapter) SendStatus(ctx context.Context, step int) error {
 	)
 	report.Status = statuses[step]
 	report.Target = fmt.Sprintf("vuln scan:: scanning wlid: %v , container: %v imageTag: %v imageHash: %s",
-		workload.Wlid, workload.ContainerName, workload.ImageTag, workload.ImageHash)
+		workload.Wlid, workload.ContainerName, workload.ImageTagNormalized, workload.ImageHash)
 	report.ActionID = strconv.Itoa(lastAction)
 	report.ActionIDN = lastAction
 	report.ActionName = ActionName

diff --git a/adapters/v1/armo_utils.go b/adapters/v1/armo_utils.go
@@ -152,7 +152,7 @@ func summarize(report v1.ScanResultReport, vulnerabilities []containerscan.Commo
 		ContainerScanID:  report.ContainerScanID,
 		WLID:             workload.Wlid,
 		ImageID:          workload.ImageHash,
-		ImageTag:         workload.ImageTag,
+		ImageTag:         workload.ImageTagNormalized,
 		ClusterName:      report.Designators.Attributes[armotypes.AttributeCluster],
 		Namespace:        report.Designators.Attributes[armotypes.AttributeNamespace],
 		ContainerName:    report.Designators.Attributes[armotypes.AttributeContainerName],
@@ -161,7 +161,7 @@ func summarize(report v1.ScanResultReport, vulnerabilities []containerscan.Commo
 		HasRelevancyData: hasRelevancy,
 	}
 
-	imageInfo, err := armometadata.ImageTagToImageInfo(workload.ImageTag)
+	imageInfo, err := armometadata.ImageTagToImageInfo(workload.ImageTagNormalized)
 	if err == nil {
 		summary.Registry = imageInfo.Registry
 		summary.Version = imageInfo.VersionImage

diff --git a/adapters/v1/armo_utils_test.go b/adapters/v1/armo_utils_test.go
@@ -214,9 +214,10 @@ func Test_summarize(t *testing.T) {
 			args: args{
 				report: v1.ScanResultReport{},
 				workload: domain.ScanCommand{
-					ImageHash: imageHash,
-					Wlid:      wlid,
-					ImageTag:  imageTag,
+					ImageHash:          imageHash,
+					Wlid:               wlid,
+					ImageTag:           imageTag,
+					ImageTagNormalized: imageTag,
 					Session: domain.Session{
 						JobIDs: jobIDs,
 					},
@@ -318,9 +319,10 @@ func Test_summarize(t *testing.T) {
 					},
 				},
 				workload: domain.ScanCommand{
-					ImageHash: imageHash,
-					Wlid:      wlid,
-					ImageTag:  imageTag,
+					ImageHash:          imageHash,
+					Wlid:               wlid,
+					ImageTag:           imageTag,
+					ImageTagNormalized: imageTag,
 					Session: domain.Session{
 						JobIDs: jobIDs,
 					},
@@ -446,9 +448,10 @@ func Test_summarize(t *testing.T) {
 					},
 				},
 				workload: domain.ScanCommand{
-					ImageHash: imageHash,
-					Wlid:      wlid,
-					ImageTag:  imageTag,
+					ImageHash:          imageHash,
+					Wlid:               wlid,
+					ImageTag:           imageTag,
+					ImageTagNormalized: imageTag,
 					Session: domain.Session{
 						JobIDs: jobIDs,
 					},

diff --git a/adapters/v1/domain_to_armo.go b/adapters/v1/domain_to_armo.go
@@ -91,7 +91,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 				Vulnerability: containerscan.Vulnerability{
 					Name:               match.Vulnerability.ID,
 					ImageID:            workload.ImageHash,
-					ImageTag:           workload.ImageTag,
+					ImageTag:           workload.ImageTagNormalized,
 					RelatedPackageName: match.Artifact.Name,
 					PackageVersion:     match.Artifact.Version,
 					Link:               link,
@@ -101,7 +101,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 					Fixes: []containerscan.FixedIn{
 						{
 							Name:    match.Vulnerability.Fix.State,
-							ImgTag:  workload.ImageTag,
+							ImgTag:  workload.ImageTagNormalized,
 							Version: version,
 						},
 					},

diff --git a/controllers/http.go b/controllers/http.go
@@ -12,6 +12,7 @@ import (
 	"github.com/kubescape/k8s-interface/names"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/core/ports"
+	"github.com/kubescape/kubevuln/internal/tools"
 	"schneider.vip/problem"
 )
 
@@ -126,16 +127,17 @@ func (h HTTPController) ScanCVE(c *gin.Context) {
 
 func websocketScanCommandToScanCommand(c wssc.WebsocketScanCommand) domain.ScanCommand {
 	command := domain.ScanCommand{
-		Credentialslist: c.Credentialslist,
-		ImageHash:       c.ImageHash,
-		Wlid:            c.Wlid,
-		ImageTag:        c.ImageTag,
-		JobID:           c.JobID,
-		ContainerName:   c.ContainerName,
-		LastAction:      c.LastAction,
-		ParentJobID:     c.ParentJobID,
-		Args:            c.Args,
-		Session:         sessionChainToSession(c.Session),
+		Credentialslist:    c.Credentialslist,
+		ImageHash:          c.ImageHash,
+		Wlid:               c.Wlid,
+		ImageTag:           c.ImageTag,
+		ImageTagNormalized: tools.NormalizeReference(c.ImageTag),
+		JobID:              c.JobID,
+		ContainerName:      c.ContainerName,
+		LastAction:         c.LastAction,
+		ParentJobID:        c.ParentJobID,
+		Args:               c.Args,
+		Session:            sessionChainToSession(c.Session),
 	}
 	if slug, err := names.ImageInfoToSlug(c.ImageTag, c.ImageHash); err == nil {
 		command.ImageSlug = slug

diff --git a/core/domain/scan.go b/core/domain/scan.go
@@ -30,18 +30,19 @@ type TimestampKey struct{}
 type WorkloadKey struct{}
 
 type ScanCommand struct {
-	Credentialslist []types.AuthConfig
-	ImageHash       string
-	ImageSlug       string
-	InstanceID      string
-	Wlid            string
-	ImageTag        string
-	JobID           string
-	ContainerName   string
-	LastAction      int
-	ParentJobID     string
-	Args            map[string]interface{}
-	Session         Session
+	Credentialslist    []types.AuthConfig
+	ImageHash          string
+	ImageSlug          string
+	InstanceID         string
+	Wlid               string
+	ImageTag           string
+	ImageTagNormalized string
+	JobID              string
+	ContainerName      string
+	LastAction         int
+	ParentJobID        string
+	Args               map[string]interface{}
+	Session            Session
 }
 
 type Session struct {

diff --git a/internal/tools/tools.go b/internal/tools/tools.go
@@ -48,10 +48,17 @@ func sanitize(s string) string {
 // Each label is sanitized and verified to be a valid DNS1123 label.
 func LabelsFromImageID(imageID string) map[string]string {
 	labels := map[string]string{}
-	match := reference.ReferenceRegexp.FindStringSubmatch(imageID)
-	labels[instanceidhandler.ImageIDMetadataKey] = sanitize(match[0])
-	labels[instanceidhandler.ImageNameMetadataKey] = sanitize(match[1])
-	labels[instanceidhandler.ImageTagMetadataKey] = sanitize(match[2])
+	ref, err := reference.Parse(imageID)
+	if err != nil {
+		return labels
+	}
+	if named, ok := ref.(reference.Named); ok {
+		labels[instanceidhandler.ImageIDMetadataKey] = sanitize(named.String())
+		labels[instanceidhandler.ImageNameMetadataKey] = sanitize(named.Name())
+	}
+	if tagged, ok := ref.(reference.Tagged); ok {
+		labels[instanceidhandler.ImageTagMetadataKey] = sanitize(tagged.Tag())
+	}
 	// prune invalid labels
 	for key, value := range labels {
 		if errs := validation.IsDNS1123Label(value); len(errs) != 0 {
@@ -98,3 +105,11 @@ func DeleteContents(dir string) error {
 	}
 	return nil
 }
+
+func NormalizeReference(ref string) string {
+	n, err := reference.ParseNormalizedNamed(ref)
+	if err != nil {
+		return ref
+	}
+	return n.String()
+}
diff --git a/internal/tools/tools_test.go b/internal/tools/tools_test.go
@@ -60,3 +60,83 @@ func TestLabelsFromImageID(t *testing.T) {
 		})
 	}
 }
+
+func TestNormalizeReference(t *testing.T) {
+	type args struct {
+		ref string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "image tag",
+			args: args{
+				ref: "nginx:latest",
+			},
+			want: "docker.io/library/nginx:latest",
+		},
+		{
+			name: "image sha",
+			args: args{
+				ref: "nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "image tag sha",
+			args: args{
+				ref: "nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "repo image tag",
+			args: args{
+				ref: "docker.io/library/nginx:latest",
+			},
+			want: "docker.io/library/nginx:latest",
+		},
+		{
+			name: "repo image sha",
+			args: args{
+				ref: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "repo image tag sha",
+			args: args{
+				ref: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "quay image tag",
+			args: args{
+				ref: "quay.io/kubescape/kubevuln:latest",
+			},
+			want: "quay.io/kubescape/kubevuln:latest",
+		},
+		{
+			name: "quay image sha",
+			args: args{
+				ref: "quay.io/kubescape/kubevuln@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+			},
+			want: "quay.io/kubescape/kubevuln@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+		},
+		{
+			name: "quay image tag sha",
+			args: args{
+				ref: "quay.io/kubescape/kubevuln:latest@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+			},
+			want: "quay.io/kubescape/kubevuln:latest@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, NormalizeReference(tt.args.ref), "NormalizeReference(%v)", tt.args.ref)
+		})
+	}
+}