Merge 8313600 into 08e956e

kubescape · Jun 2, 2023 · 7e57636 · 7e57636
2 parents 08e956e + 8313600
commit 7e57636
Show file tree

Hide file tree

Showing 13 changed files with 55 additions and 155 deletions.
diff --git a/adapters/mocksbom.go b/adapters/mocksbom.go
@@ -35,7 +35,7 @@ func NewMockSBOMAdapter(error, timeout, toomanyrequests bool) *MockSBOMAdapter {
 }
 
 // CreateSBOM returns a dummy SBOM for the given imageID
-func (m MockSBOMAdapter) CreateSBOM(_ context.Context, imageID string, _ domain.RegistryOptions) (domain.SBOM, error) {
+func (m MockSBOMAdapter) CreateSBOM(_ context.Context, name, imageID string, _ domain.RegistryOptions) (domain.SBOM, error) {
 	logger.L().Info("CreateSBOM")
 	if m.error {
 		return domain.SBOM{}, domain.ErrMockError
@@ -48,7 +48,7 @@ func (m MockSBOMAdapter) CreateSBOM(_ context.Context, imageID string, _ domain.
 		)
 	}
 	sbom := domain.SBOM{
-		ID:                 imageID,
+		ID:                 name,
 		SBOMCreatorVersion: m.Version(),
 		Annotations: map[string]string{
 			instanceidhandler.ImageIDMetadataKey: imageID,

diff --git a/adapters/mocksbom_test.go b/adapters/mocksbom_test.go
@@ -11,19 +11,19 @@ import (
 
 func TestMockSBOMAdapter_CreateSBOM(t *testing.T) {
 	m := NewMockSBOMAdapter(false, false, false)
-	sbom, _ := m.CreateSBOM(context.TODO(), "image", domain.RegistryOptions{})
+	sbom, _ := m.CreateSBOM(context.TODO(), "name", "image", domain.RegistryOptions{})
 	assert.NotNil(t, sbom.Content)
 }
 
 func TestMockSBOMAdapter_CreateSBOM_Error(t *testing.T) {
 	m := NewMockSBOMAdapter(true, false, false)
-	_, err := m.CreateSBOM(context.TODO(), "image", domain.RegistryOptions{})
+	_, err := m.CreateSBOM(context.TODO(), "name", "image", domain.RegistryOptions{})
 	assert.Error(t, err)
 }
 
 func TestMockSBOMAdapter_CreateSBOM_Timeout(t *testing.T) {
 	m := NewMockSBOMAdapter(false, true, false)
-	sbom, _ := m.CreateSBOM(context.TODO(), "image", domain.RegistryOptions{})
+	sbom, _ := m.CreateSBOM(context.TODO(), "name", "image", domain.RegistryOptions{})
 	assert.Equal(t, sbom.Status, instanceidhandler.Incomplete)
 }
 

diff --git a/adapters/v1/syft.go b/adapters/v1/syft.go
@@ -54,12 +54,12 @@ func NewSyftAdapter(scanTimeout time.Duration, maxImageSize int64) *SyftAdapter
 // CreateSBOM creates an SBOM for a given imageID, restrict parallelism to prevent disk space issues,
 // a timeout prevents the process from hanging for too long.
 // Format is SPDX JSON and the resulting SBOM is tagged with the Syft version.
-func (s *SyftAdapter) CreateSBOM(ctx context.Context, imageID string, options domain.RegistryOptions) (domain.SBOM, error) {
+func (s *SyftAdapter) CreateSBOM(ctx context.Context, name, imageID string, options domain.RegistryOptions) (domain.SBOM, error) {
 	ctx, span := otel.Tracer("").Start(ctx, "SyftAdapter.CreateSBOM")
 	defer span.End()
 	// prepare an SBOM and fill it progressively
 	domainSBOM := domain.SBOM{
-		ID:                 imageID,
+		ID:                 name,
 		SBOMCreatorVersion: s.Version(),
 		Annotations: map[string]string{
 			instanceidhandler.ImageIDMetadataKey: imageID,

diff --git a/adapters/v1/syft_test.go b/adapters/v1/syft_test.go
@@ -75,7 +75,7 @@ func Test_syftAdapter_CreateSBOM(t *testing.T) {
 				maxImageSize = tt.maxImageSize
 			}
 			s := NewSyftAdapter(5*time.Minute, maxImageSize)
-			got, err := s.CreateSBOM(context.TODO(), tt.imageID, tt.options)
+			got, err := s.CreateSBOM(context.TODO(), "name", tt.imageID, tt.options)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("CreateSBOM() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/controllers/http.go b/controllers/http.go
@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/names"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/core/ports"
 	"schneider.vip/problem"
@@ -123,6 +124,9 @@ func websocketScanCommandToScanCommand(c wssc.WebsocketScanCommand) domain.ScanC
 		Args:            c.Args,
 		Session:         sessionChainToSession(c.Session),
 	}
+	if slug, err := names.ImageInfoToSlug(c.ImageTag, c.ImageHash); err != nil {
+		command.ImageID = slug
+	}
 	if c.InstanceID != nil {
 		command.InstanceID = *c.InstanceID
 	}

diff --git a/core/domain/scan.go b/core/domain/scan.go
@@ -16,7 +16,7 @@ var (
 	ErrExpectedError    = errors.New("expected error")
 	ErrInitVulnDB       = errors.New("vulnerability DB is not initialized, run readiness probe")
 	ErrIncompleteSBOM   = errors.New("incomplete SBOM, skipping CVE scan")
-	ErrMissingImageID   = errors.New("missing imageID")
+	ErrMissingImageInfo = errors.New("missing image information")
 	ErrMissingScanID    = errors.New("missing scanID")
 	ErrMissingTimestamp = errors.New("missing timestamp")
 	ErrMissingWorkload  = errors.New("missing workload")
@@ -31,6 +31,7 @@ type WorkloadKey struct{}
 type ScanCommand struct {
 	Credentialslist []types.AuthConfig
 	ImageHash       string
+	ImageID         string
 	InstanceID      string
 	Wlid            string
 	ImageTag        string

diff --git a/core/ports/providers.go b/core/ports/providers.go
@@ -16,7 +16,7 @@ type CVEScanner interface {
 
 // SBOMCreator is the port implemented by adapters to be used in ScanService to generate SBOM
 type SBOMCreator interface {
-	CreateSBOM(ctx context.Context, imageID string, options domain.RegistryOptions) (domain.SBOM, error)
+	CreateSBOM(ctx context.Context, name, imageID string, options domain.RegistryOptions) (domain.SBOM, error)
 	Version() string
 }
 

diff --git a/core/services/scan.go b/core/services/scan.go
@@ -80,16 +80,16 @@ func (s *ScanService) GenerateSBOM(ctx context.Context) error {
 	sbom := domain.SBOM{}
 	var err error
 	if s.storage {
-		sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageHash, s.sbomCreator.Version())
+		sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageID, s.sbomCreator.Version())
 		if err != nil {
-			logger.L().Ctx(ctx).Warning("error getting SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+			logger.L().Ctx(ctx).Warning("error getting SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 		}
 	}
 
 	// if SBOM is not available, create it
 	if sbom.Content == nil {
 		// create SBOM
-		sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageHash, optionsFromWorkload(workload))
+		sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageID, workload.ImageHash, optionsFromWorkload(workload))
 		s.checkCreateSBOM(err, workload.ImageHash)
 		if err != nil {
 			return err
@@ -124,20 +124,20 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 	if !ok {
 		return domain.ErrMissingWorkload
 	}
-	logger.L().Info("scan started", helpers.String("imageID", workload.ImageHash), helpers.String("jobID", workload.JobID))
+	logger.L().Info("scan started", helpers.String("imageID", workload.ImageID), helpers.String("jobID", workload.JobID))
 
 	// report to platform
 	err := s.platform.SendStatus(ctx, domain.Started)
 	if err != nil {
-		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 	}
 
 	// check if CVE manifest is already available
 	cve := domain.CVEManifest{}
 	if s.storage {
-		cve, err = s.cveRepository.GetCVE(ctx, workload.ImageHash, s.sbomCreator.Version(), s.cveScanner.Version(ctx), s.cveScanner.DBVersion(ctx))
+		cve, err = s.cveRepository.GetCVE(ctx, workload.ImageID, s.sbomCreator.Version(), s.cveScanner.Version(ctx), s.cveScanner.DBVersion(ctx))
 		if err != nil {
-			logger.L().Ctx(ctx).Warning("error getting CVE", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+			logger.L().Ctx(ctx).Warning("error getting CVE", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 		}
 	}
 
@@ -146,16 +146,16 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 		// check if SBOM is already available
 		sbom := domain.SBOM{}
 		if s.storage {
-			sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageHash, s.sbomCreator.Version())
+			sbom, err = s.sbomRepository.GetSBOM(ctx, workload.ImageID, s.sbomCreator.Version())
 			if err != nil {
-				logger.L().Ctx(ctx).Warning("error getting SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+				logger.L().Ctx(ctx).Warning("error getting SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 			}
 		}
 
 		// if SBOM is not available, create it
 		if sbom.Content == nil {
 			// create SBOM
-			sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageHash, optionsFromWorkload(workload))
+			sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageID, workload.ImageHash, optionsFromWorkload(workload))
 			s.checkCreateSBOM(err, workload.ImageHash)
 			if err != nil {
 				return err
@@ -164,7 +164,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 			if s.storage {
 				err = s.sbomRepository.StoreSBOM(ctx, sbom)
 				if err != nil {
-					logger.L().Ctx(ctx).Warning("error storing SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+					logger.L().Ctx(ctx).Warning("error storing SBOM", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 				}
 			}
 		}
@@ -184,7 +184,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 		if s.storage {
 			err = s.cveRepository.StoreCVE(ctx, cve, false)
 			if err != nil {
-				logger.L().Ctx(ctx).Warning("error storing CVE", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+				logger.L().Ctx(ctx).Warning("error storing CVE", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 			}
 		}
 	}
@@ -219,7 +219,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 	// report scan success to platform
 	err = s.platform.SendStatus(ctx, domain.Success)
 	if err != nil {
-		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 	}
 	// submit CVE manifest to platform
 	err = s.platform.SubmitCVE(ctx, cve, cvep)
@@ -229,10 +229,10 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 	// report submit success to platform
 	err = s.platform.SendStatus(ctx, domain.Done)
 	if err != nil {
-		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageHash))
+		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 	}
 
-	logger.L().Info("scan complete", helpers.String("imageID", workload.ImageHash), helpers.String("jobID", workload.JobID))
+	logger.L().Info("scan complete", helpers.String("imageID", workload.ImageID), helpers.String("jobID", workload.JobID))
 	return nil
 }
 
@@ -247,16 +247,16 @@ func (s *ScanService) ScanRegistry(ctx context.Context) error {
 	if !ok {
 		return domain.ErrMissingWorkload
 	}
-	logger.L().Info("registry scan started", helpers.String("imageID", workload.ImageTag), helpers.String("jobID", workload.JobID))
+	logger.L().Info("registry scan started", helpers.String("imageID", workload.ImageID), helpers.String("jobID", workload.JobID))
 
 	// report to platform
 	err := s.platform.SendStatus(ctx, domain.Started)
 	if err != nil {
-		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageTag))
+		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 	}
 
 	// create SBOM
-	sbom, err := s.sbomCreator.CreateSBOM(ctx, workload.ImageTag, optionsFromWorkload(workload))
+	sbom, err := s.sbomCreator.CreateSBOM(ctx, workload.ImageID, workload.ImageTag, optionsFromWorkload(workload))
 	s.checkCreateSBOM(err, workload.ImageTag)
 	if err != nil {
 		return err
@@ -276,7 +276,7 @@ func (s *ScanService) ScanRegistry(ctx context.Context) error {
 	// report scan success to platform
 	err = s.platform.SendStatus(ctx, domain.Success)
 	if err != nil {
-		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageTag))
+		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 	}
 	// submit CVE manifest to platform
 	err = s.platform.SubmitCVE(ctx, cve, domain.CVEManifest{})
@@ -286,10 +286,10 @@ func (s *ScanService) ScanRegistry(ctx context.Context) error {
 	// report submit success to platform
 	err = s.platform.SendStatus(ctx, domain.Done)
 	if err != nil {
-		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageTag))
+		logger.L().Ctx(ctx).Warning("telemetry error", helpers.Error(err), helpers.String("imageID", workload.ImageID))
 	}
 
-	logger.L().Info("registry scan complete", helpers.String("imageID", workload.ImageTag), helpers.String("jobID", workload.JobID))
+	logger.L().Info("registry scan complete", helpers.String("imageID", workload.ImageID), helpers.String("jobID", workload.JobID))
 	return nil
 }
 
@@ -346,11 +346,11 @@ func (s *ScanService) ValidateGenerateSBOM(ctx context.Context, workload domain.
 	ctx = enrichContext(ctx, workload)
 	// validate inputs
 	if workload.ImageHash == "" {
-		return ctx, domain.ErrMissingImageID
+		return ctx, domain.ErrMissingImageInfo
 	}
 	// add imageID to parent span
 	if parentSpan := trace.SpanFromContext(ctx); parentSpan != nil {
-		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageHash))
+		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageID))
 		parentSpan.SetAttributes(attribute.String("version", os.Getenv("RELEASE")))
 		ctx = trace.ContextWithSpan(ctx, parentSpan)
 	}
@@ -368,14 +368,14 @@ func (s *ScanService) ValidateScanCVE(ctx context.Context, workload domain.ScanC
 	ctx = enrichContext(ctx, workload)
 	// validate inputs
 	if workload.ImageHash == "" {
-		return ctx, domain.ErrMissingImageID
+		return ctx, domain.ErrMissingImageInfo
 	}
 	// add instanceID and imageID to parent span
 	if parentSpan := trace.SpanFromContext(ctx); parentSpan != nil {
 		if workload.InstanceID != "" {
 			parentSpan.SetAttributes(attribute.String("instanceID", workload.InstanceID))
 		}
-		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageHash))
+		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageID))
 		parentSpan.SetAttributes(attribute.String("version", os.Getenv("RELEASE")))
 		parentSpan.SetAttributes(attribute.String("wlid", workload.Wlid))
 		ctx = trace.ContextWithSpan(ctx, parentSpan)
@@ -399,11 +399,11 @@ func (s *ScanService) ValidateScanRegistry(ctx context.Context, workload domain.
 	ctx = enrichContext(ctx, workload)
 	// validate inputs
 	if workload.ImageTag == "" {
-		return ctx, domain.ErrMissingImageID
+		return ctx, domain.ErrMissingImageInfo
 	}
 	// add imageID to parent span
 	if parentSpan := trace.SpanFromContext(ctx); parentSpan != nil {
-		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageTag))
+		parentSpan.SetAttributes(attribute.String("imageID", workload.ImageID))
 		parentSpan.SetAttributes(attribute.String("version", os.Getenv("RELEASE")))
 		ctx = trace.ContextWithSpan(ctx, parentSpan)
 	}

diff --git a/core/services/scan_test.go b/core/services/scan_test.go
@@ -256,14 +256,14 @@ func TestScanService_ScanCVE(t *testing.T) {
 				tools.EnsureSetup(t, err == nil)
 			}
 			if tt.sbom {
-				sbom, err := sbomAdapter.CreateSBOM(ctx, imageHash, domain.RegistryOptions{})
+				sbom, err := sbomAdapter.CreateSBOM(ctx, "sbom", imageHash, domain.RegistryOptions{})
 				tools.EnsureSetup(t, err == nil)
 				_ = storageSBOM.StoreSBOM(ctx, sbom)
 			}
 			var sbomp domain.SBOM
 			if tt.instanceID != "" {
 				var err error
-				sbomp, err = sbomAdapter.CreateSBOM(ctx, tt.instanceID, domain.RegistryOptions{})
+				sbomp, err = sbomAdapter.CreateSBOM(ctx, tt.instanceID, tt.instanceID, domain.RegistryOptions{})
 				tools.EnsureSetup(t, err == nil)
 				sbomp.Labels = map[string]string{"foo": "bar"}
 				_ = storageSBOM.StoreSBOM(ctx, sbomp)
@@ -297,6 +297,7 @@ func fileToSBOM(path string) *v1beta1.Document {
 
 func TestScanService_NginxTest(t *testing.T) {
 	imageHash := "docker.io/library/nginx@sha256:32fdf92b4e986e109e4db0865758020cb0c3b70d6ba80d02fe87bad5cc3dc228"
+	imageID := "name"
 	instanceID := "1c83b589d90ba26957627525e08124b1a24732755a330924f7987e9d9e3952c1"
 	ctx := context.TODO()
 	sbomAdapter := adapters.NewMockSBOMAdapter(false, false, false)
@@ -312,13 +313,14 @@ func TestScanService_NginxTest(t *testing.T) {
 	workload := domain.ScanCommand{
 		ContainerName: "nginx",
 		ImageHash:     imageHash,
+		ImageID:       imageID,
 		ImageTag:      "docker.io/library/nginx:1.14.1",
 		InstanceID:    instanceID,
 		Wlid:          "wlid://cluster-minikube/namespace-default/deployment-nginx",
 	}
 	ctx, _ = s.ValidateScanCVE(ctx, workload)
 	sbom := domain.SBOM{
-		ID:                 imageHash,
+		ID:                 imageID,
 		Content:            fileToSBOM("../../adapters/v1/testdata/nginx-sbom.json"),
 		SBOMCreatorVersion: sbomAdapter.Version(),
 	}

diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/kinbiko/jsonassert v1.1.1
 	github.com/kubescape/go-logger v0.0.11
-	github.com/kubescape/k8s-interface v0.0.123
+	github.com/kubescape/k8s-interface v0.0.125
 	github.com/kubescape/storage v0.2.0
 	github.com/spdx/tools-golang v0.5.0-rc1
 	github.com/spf13/viper v1.15.0

diff --git a/go.sum b/go.sum
@@ -680,8 +680,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kubescape/go-logger v0.0.11 h1:oucpq2S7+DT7O+UclG5IrmHado/tj6+IkYf9czVk/aY=
 github.com/kubescape/go-logger v0.0.11/go.mod h1:yGiKBJ2lhq/kxzY/MVYDREL9fLV3RGD6gv+UFjslaew=
-github.com/kubescape/k8s-interface v0.0.123 h1:7KjQ1bHoaggzAPcufdT6NZeffyL4t0WWZBoaJ1tCgmY=
-github.com/kubescape/k8s-interface v0.0.123/go.mod h1:ENpA9SkkS6E3PIT+AaMu/JGkuyE04aUamY+a7WLqsJQ=
+github.com/kubescape/k8s-interface v0.0.125 h1:s5+vEz/HxdhdlqtcFJLzu3jmBEK9OhSfo3/8ZanThg4=
+github.com/kubescape/k8s-interface v0.0.125/go.mod h1:ENpA9SkkS6E3PIT+AaMu/JGkuyE04aUamY+a7WLqsJQ=
 github.com/kubescape/storage v0.2.0 h1:WZXy4Dyjf5ltEMtk0SOD9RFL1haS9ffFPGfs1gUV1aM=
 github.com/kubescape/storage v0.2.0/go.mod h1:sPE749pFNoxoskBn6JTpNQyguF2rv/u2kYqzRd3MvXw=
 github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=