normalize imageID before sending to backend

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
kubescape · Aug 8, 2023 · f10db0a · f10db0a
1 parent b854b27
commit f10db0a
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 1 deletion.
diff --git a/adapters/v1/armo.go b/adapters/v1/armo.go
@@ -17,6 +17,8 @@ import (
 	pkgcautils "github.com/armosec/utils-k8s-go/armometadata"
 	wlidpkg "github.com/armosec/utils-k8s-go/wlid"
 	"github.com/hashicorp/go-multierror"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/core/ports"
 	"go.opentelemetry.io/otel"
@@ -196,6 +198,7 @@ func (a *ArmoAdapter) SubmitCVE(ctx context.Context, cve domain.CVEManifest, cve
 		finalReport.Designators.Attributes[armotypes.AttributeRegistryName] = val.(string)
 	}
 	if val, ok := workload.Args[armotypes.AttributeRepository]; ok {
+		logger.L().Info("addind attribute repository", helpers.String("repository", val.(string)))
 		finalReport.Designators.Attributes[armotypes.AttributeRepository] = val.(string)
 	}
 	if val, ok := workload.Args[armotypes.AttributeTag]; ok {

diff --git a/adapters/v1/domain_to_armo.go b/adapters/v1/domain_to_armo.go
@@ -12,6 +12,7 @@ import (
 	"github.com/armosec/cluster-container-scanner-api/containerscan"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/kubescape/kubevuln/core/domain"
+	"github.com/kubescape/kubevuln/internal/tools"
 	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 
@@ -76,6 +77,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 			if description == "" && len(match.RelatedVulnerabilities) > 0 {
 				description = match.RelatedVulnerabilities[0].Description
 			}
+			normalizedImageHash := tools.NormalizeReference(workload.ImageHash)
 			// create a vulnerability result for this vulnerability
 			vulnerabilityResult := containerscan.CommonContainerVulnerabilityResult{
 				IsLastScan:      1,
@@ -90,7 +92,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 				},
 				Vulnerability: containerscan.Vulnerability{
 					Name:               match.Vulnerability.ID,
-					ImageID:            workload.ImageHash,
+					ImageID:            normalizedImageHash,
 					ImageTag:           workload.ImageTag,
 					RelatedPackageName: match.Artifact.Name,
 					PackageVersion:     match.Artifact.Version,

diff --git a/internal/tools/tools.go b/internal/tools/tools.go
@@ -105,3 +105,11 @@ func DeleteContents(dir string) error {
 	}
 	return nil
 }
+
+func NormalizeReference(ref string) string {
+	n, err := reference.ParseNormalizedNamed(ref)
+	if err != nil {
+		return ref
+	}
+	return n.String()
+}
diff --git a/internal/tools/tools_test.go b/internal/tools/tools_test.go
@@ -60,3 +60,83 @@ func TestLabelsFromImageID(t *testing.T) {
 		})
 	}
 }
+
+func TestNormalizeReference(t *testing.T) {
+	type args struct {
+		ref string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "image tag",
+			args: args{
+				ref: "nginx:latest",
+			},
+			want: "docker.io/library/nginx:latest",
+		},
+		{
+			name: "image sha",
+			args: args{
+				ref: "nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "image tag sha",
+			args: args{
+				ref: "nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "repo image tag",
+			args: args{
+				ref: "docker.io/library/nginx:latest",
+			},
+			want: "docker.io/library/nginx:latest",
+		},
+		{
+			name: "repo image sha",
+			args: args{
+				ref: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "repo image tag sha",
+			args: args{
+				ref: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+			},
+			want: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+		},
+		{
+			name: "quay image tag",
+			args: args{
+				ref: "quay.io/kubescape/kubevuln:latest",
+			},
+			want: "quay.io/kubescape/kubevuln:latest",
+		},
+		{
+			name: "quay image sha",
+			args: args{
+				ref: "quay.io/kubescape/kubevuln@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+			},
+			want: "quay.io/kubescape/kubevuln@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+		},
+		{
+			name: "quay image tag sha",
+			args: args{
+				ref: "quay.io/kubescape/kubevuln:latest@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+			},
+			want: "quay.io/kubescape/kubevuln:latest@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, NormalizeReference(tt.args.ref), "NormalizeReference(%v)", tt.args.ref)
+		})
+	}
+}