Update instanceID generating and handling

core/services/scan.go

@@ -8,6 +8,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/instanceidhandler/v1"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/core/ports"
 	"go.opentelemetry.io/otel"
@@ -163,8 +164,13 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 	// check if SBOM' is already available
 	sbomp := domain.SBOM{}
 	if s.storage && workload.InstanceID != nil {
-		sbomp, err = s.sbomRepository.GetSBOMp(ctx, *workload.InstanceID, s.sbomCreator.Version(ctx))
-		if err != nil {
+		instancesID, err := instanceidhandler.GenerateInstanceIDFromString(*workload.InstanceID)
+		if err == nil {
+			sbomp, err = s.sbomRepository.GetSBOMp(ctx, instancesID.GetIDHashed(), s.sbomCreator.Version(ctx))
+			if err != nil {
+				logger.L().Ctx(ctx).Warning("error getting relevant SBOM", helpers.Error(err), helpers.String("instanceID", *workload.InstanceID))
+			}
+		} else {
 			logger.L().Ctx(ctx).Warning("error getting relevant SBOM", helpers.Error(err), helpers.String("instanceID", *workload.InstanceID))
 		}
 	}

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/armosec/utils-go v0.0.14
 	github.com/armosec/utils-k8s-go v0.0.13
 	github.com/distribution/distribution v2.8.1+incompatible
+	github.com/docker/docker v23.0.1+incompatible
 	github.com/eapache/go-resiliency v1.3.0
 	github.com/gammazero/workerpool v1.1.3
 	github.com/gin-gonic/gin v1.9.0
@@ -21,6 +22,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/kinbiko/jsonassert v1.1.1
 	github.com/kubescape/go-logger v0.0.11
+	github.com/kubescape/k8s-interface v0.0.114-0.20230326195717-d11a8f35efc2
 	github.com/kubescape/storage v0.2.0
 	github.com/spdx/tools-golang v0.5.0-rc1
 	github.com/spf13/viper v1.15.0
@@ -67,7 +69,6 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/cli v23.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v23.0.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -233,6 +234,7 @@ require (
 	modernc.org/sqlite v1.17.3 // indirect
 	modernc.org/strutil v1.1.1 // indirect
 	modernc.org/token v1.0.0 // indirect
+	sigs.k8s.io/controller-runtime v0.12.3 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

go.sum

@@ -412,6 +412,7 @@ github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zapr v1.2.0 h1:n4JnPI1T3Qq1SFEi/F8rwLrZERp2bso19PJZDB9dayk=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8=
@@ -671,6 +672,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kubescape/go-logger v0.0.11 h1:oucpq2S7+DT7O+UclG5IrmHado/tj6+IkYf9czVk/aY=
 github.com/kubescape/go-logger v0.0.11/go.mod h1:yGiKBJ2lhq/kxzY/MVYDREL9fLV3RGD6gv+UFjslaew=
+github.com/kubescape/k8s-interface v0.0.114-0.20230326195717-d11a8f35efc2 h1:zhWaCfuGjXY/whJmLbmanaP4qF32nlN0l3vsFno7bxQ=
+github.com/kubescape/k8s-interface v0.0.114-0.20230326195717-d11a8f35efc2/go.mod h1:/7Y8kdqcL5wLIHsPTuMg+EMV9D2iT/m4n57M/3uPnD4=
 github.com/kubescape/storage v0.2.0 h1:WZXy4Dyjf5ltEMtk0SOD9RFL1haS9ffFPGfs1gUV1aM=
 github.com/kubescape/storage v0.2.0/go.mod h1:sPE749pFNoxoskBn6JTpNQyguF2rv/u2kYqzRd3MvXw=
 github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
@@ -752,6 +755,7 @@ github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJE
 github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
 github.com/nwaples/rardecode v1.1.0 h1:vSxaY8vQhOcVr4mm5e8XllHWTiM4JF507A0Katqw7MQ=
 github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
@@ -1610,6 +1614,7 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -1693,6 +1698,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 schneider.vip/problem v1.8.1 h1:oAgLMu286aNHgvjuoR1PowYx+7hyBUjyzbrFPR1dEMI=
 schneider.vip/problem v1.8.1/go.mod h1:6hLRfO1e1MQWdG23Kl5b3Yp5FSexE+YiGVqCkAp3HUQ=
+sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio=
+sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=

repositories/apiserver.go

@@ -2,15 +2,14 @@ package repositories
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
+	"fmt"
 	"strings"
 	"time"
 
-	"github.com/armosec/utils-k8s-go/wlid"
 	"github.com/distribution/distribution/reference"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/instanceidhandler/v1"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/core/ports"
 	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
@@ -67,19 +66,6 @@ func hashFromImageID(imageID string) string {
 	return strings.Split(reference.ReferenceRegexp.FindStringSubmatch(imageID)[3], ":")[1]
 }
 
-func hashFromInstanceID(instanceID string) string {
-	hash := sha256.Sum256([]byte(instanceID))
-	return hex.EncodeToString(hash[:])
-}
-
-func labelsFromInstanceID(instanceID string) map[string]string {
-	return map[string]string{
-		labelKind:      wlid.GetKindFromWlid(instanceID),
-		labelName:      wlid.GetNameFromWlid(instanceID),
-		labelNamespace: wlid.GetNamespaceFromWlid(instanceID),
-	}
-}
-
 func (a *APIServerStore) GetCVE(ctx context.Context, imageID, SBOMCreatorVersion, CVEScannerVersion, CVEDBVersion string) (cve domain.CVEManifest, err error) {
 	_, span := otel.Tracer("").Start(ctx, "APIServerStore.GetCVE")
 	defer span.End()
@@ -88,7 +74,7 @@ func (a *APIServerStore) GetCVE(ctx context.Context, imageID, SBOMCreatorVersion
 		return domain.CVEManifest{}, nil
 	}
 	manifest, err := a.StorageClient.VulnerabilityManifests(a.Namespace).Get(context.Background(), hashFromImageID(imageID), metav1.GetOptions{})
-	switch  {
+	switch {
 	case errors.IsNotFound(err):
 		logger.L().Debug("CVE manifest not found in storage", helpers.String("ID", imageID))
 		return domain.CVEManifest{}, nil
@@ -121,17 +107,25 @@ func (a *APIServerStore) StoreCVE(ctx context.Context, cve domain.CVEManifest, w
 	}
 	name := hashFromImageID(cve.ID)
 	annotations := map[string]string{domain.ImageTagKey: cve.ID}
+	labels := map[string]string{}
 	if withRelevancy {
-		name = hashFromInstanceID(cve.ID)
+		// get pod instanceID
+		instancesID, err := instanceidhandler.GenerateInstanceIDFromString(cve.ID)
+		if err != nil {
+			return fmt.Errorf("failed to generate instanceID. instanceID: '%s', err: '%w'", cve.ID, err)
+		}
+		name = instancesID.GetIDHashed()
 		annotations = map[string]string{
 			domain.InstanceIDKey: cve.ID,
 			domain.WlidKey:       cve.Wlid,
 		}
+		labels = instancesID.GetLabels()
 	}
 	manifest := v1beta1.VulnerabilityManifest{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        name,
 			Annotations: annotations,
+			Labels:      labels,
 		},
 		Spec: v1beta1.VulnerabilityManifestSpec{
 			Metadata: v1beta1.VulnerabilityManifestMeta{
@@ -165,7 +159,7 @@ func (a *APIServerStore) GetSBOM(ctx context.Context, imageID, SBOMCreatorVersio
 		return domain.SBOM{}, nil
 	}
 	manifest, err := a.StorageClient.SBOMSPDXv2p3s(a.Namespace).Get(context.Background(), hashFromImageID(imageID), metav1.GetOptions{})
-	switch  {
+	switch {
 	case errors.IsNotFound(err):
 		logger.L().Debug("SBOM manifest not found in storage", helpers.String("ID", imageID))
 		return domain.SBOM{}, nil
@@ -197,8 +191,14 @@ func (a *APIServerStore) GetSBOMp(ctx context.Context, instanceID, SBOMCreatorVe
 		logger.L().Debug("empty instance ID provided, skipping relevant SBOM retrieval")
 		return domain.SBOM{}, nil
 	}
-	manifest, err := a.StorageClient.SBOMSPDXv2p3Filtereds(a.Namespace).Get(context.Background(), hashFromInstanceID(instanceID), metav1.GetOptions{})
-	switch  {
+
+	instancesID, err := instanceidhandler.GenerateInstanceIDFromString(instanceID)
+	if err != nil {
+		return domain.SBOM{}, fmt.Errorf("failed to generate instanceID. instanceID: '%s', err: '%w'", instanceID, err)
+	}
+
+	manifest, err := a.StorageClient.SBOMSPDXv2p3Filtereds(a.Namespace).Get(context.Background(), instancesID.GetIDHashed(), metav1.GetOptions{})
+	switch {
 	case errors.IsNotFound(err):
 		logger.L().Debug("relevant SBOM manifest not found in storage", helpers.String("ID", instanceID))
 		return domain.SBOM{}, nil

repositories/apiserver_test.go

@@ -5,20 +5,26 @@ import (
 	"testing"
 	"time"
 
+	"github.com/kubescape/k8s-interface/instanceidhandler/v1"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/internal/tools"
 	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const imageID = "k8s.gcr.io/kube-proxy@sha256:c1b135231b5b1a6799346cd701da4b59e5b7ef8e694ec7b04fb23b8dbe144137"
-const instanceID = "apiVersion-v1/namespace-default/kind-Deployment/name-nginx/resourceVersion-153294/containerName-nginx"
+const instanceID = "apiVersion-apps/v1/namespace-default/kind-ReplicaSet/name-nginx-11233/containerName-nginx"
 
 func (a *APIServerStore) storeSBOMp(ctx context.Context, sbom domain.SBOM) error {
+	instancesID, e := instanceidhandler.GenerateInstanceIDFromString(sbom.ID)
+	if e != nil {
+		return nil
+	}
+
 	manifest := v1beta1.SBOMSPDXv2p3Filtered{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   hashFromInstanceID(sbom.ID),
-			Labels: labelsFromInstanceID(sbom.ID),
+			Name:   instancesID.GetIDHashed(),
+			Labels: instancesID.GetLabels(),
 			Annotations: map[string]string{
 				domain.StatusKey: sbom.Status,
 			},
@@ -335,46 +341,3 @@ func Test_extractHashFromImageID(t *testing.T) {
 		})
 	}
 }
-
-func Test_hashFromInstanceID(t *testing.T) {
-	type args struct {
-		instanceID string
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{
-			name: "same as sniffer",
-			args: args{
-				instanceID: "apiVersion-v1/namespace-any/kind-deployment/name-aaa/resourceVersion-1234/containerName-contName",
-			},
-			want: "ee9bdd0adec9ce004572faf3492f583aa82042a8b3a9d5c7d9179dc03c531eef",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := hashFromInstanceID(tt.args.instanceID); got != tt.want {
-				t.Errorf("hashFromInstanceID() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-//func TestForRazi(t *testing.T) {
-//	ctx := context.TODO()
-//	sbomAdapter := v1.NewSyftAdapter(1 * time.Hour)
-//	cveAdapter := v1.NewGrypeAdapter()
-//	cveAdapter.Ready(ctx)
-//	repository, _ := newFakeAPIServerStorage("kubescape")
-//	sbom, err := sbomAdapter.CreateSBOM(ctx, "requarks/wiki@sha256:dd83fff15e77843ff934b25c28c865ac000edf7653e5d11adad1dd51df87439d", domain.RegistryOptions{})
-//	if err != nil {
-//		panic(err)
-//	}
-//	cve, err := cveAdapter.ScanSBOM(ctx, sbom)
-//	if err != nil {
-//		panic(err)
-//	}
-//	repository.StoreCVE(ctx, cve, false)
-//}