incomplete SBOM support
Signed-off-by: Raziel Cohen <rcohen@armosec.io>
Raziel Cohen committed May 9, 2023
1 parent f6ab6d6 commit 5b1a99a
Showing 9 changed files with 55,230 additions and 4 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -5,7 +5,7 @@ go 1.19
require (
github.com/armosec/utils-k8s-go v0.0.13
github.com/kubescape/go-logger v0.0.11
github.com/kubescape/k8s-interface v0.0.122
github.com/kubescape/k8s-interface v0.0.123
github.com/kubescape/storage v0.2.0
go.opentelemetry.io/otel v1.11.2
go.opentelemetry.io/otel/trace v1.11.2
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -225,8 +225,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kubescape/go-logger v0.0.11 h1:oucpq2S7+DT7O+UclG5IrmHado/tj6+IkYf9czVk/aY=
github.com/kubescape/go-logger v0.0.11/go.mod h1:yGiKBJ2lhq/kxzY/MVYDREL9fLV3RGD6gv+UFjslaew=
github.com/kubescape/k8s-interface v0.0.122 h1:Aq6xf1wq+nl2UtLX6rjFaGULZxES8OlzvXNLQcZk9+0=
github.com/kubescape/k8s-interface v0.0.122/go.mod h1:ENpA9SkkS6E3PIT+AaMu/JGkuyE04aUamY+a7WLqsJQ=
github.com/kubescape/k8s-interface v0.0.123 h1:7KjQ1bHoaggzAPcufdT6NZeffyL4t0WWZBoaJ1tCgmY=
github.com/kubescape/k8s-interface v0.0.123/go.mod h1:ENpA9SkkS6E3PIT+AaMu/JGkuyE04aUamY+a7WLqsJQ=
github.com/kubescape/storage v0.2.0 h1:WZXy4Dyjf5ltEMtk0SOD9RFL1haS9ffFPGfs1gUV1aM=
github.com/kubescape/storage v0.2.0/go.mod h1:sPE749pFNoxoskBn6JTpNQyguF2rv/u2kYqzRd3MvXw=
github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
18 changes: 17 additions & 1 deletion pkg/conthandler/container_main_handler.go
Expand Up @@ -8,6 +8,7 @@ import (
v1 "sniffer/pkg/conthandler/v1"
accumulator "sniffer/pkg/event_data_storage"
"sniffer/pkg/sbom"
sbomV1 "sniffer/pkg/sbom/v1"
"sniffer/pkg/storageclient"
"strings"
"sync"
Expand All @@ -23,6 +24,7 @@ import (
const (
RelevantCVEsService = "RelevantCVEsService"
StepGetSBOM = "StepGetSBOM"
StepValidateSBOM = "StepValidateSBOM"
StepEventAggregator = "StepEventAggregator"
)

Expand Down Expand Up @@ -94,6 +96,13 @@ func (ch *ContainerHandler) afterTimerActions() error {
logger.L().Debug("failed to get SBOM", []helpers.IDetails{helpers.String("container ID", afterTimerActionsData.containerID), helpers.String("container name", containerData.event.GetContainerName()), helpers.String("k8s resource ", containerData.event.GetK8SWorkloadID()), helpers.Error(err)}...)
continue
}
if err = containerData.sbomClient.ValidateSBOM(); err != nil {
ctx, span := otel.Tracer("").Start(context.GetBackgroundContext(), "afterTimerActions")
logger.L().Ctx(ctx).Warning("SBOM is incomplete", []helpers.IDetails{helpers.String("container ID", afterTimerActionsData.containerID), helpers.String("container name", containerData.event.GetContainerName()), helpers.String("k8s resource ", containerData.event.GetK8SWorkloadID()), helpers.Error(err)}...)
containerData.syncChannel[StepValidateSBOM] <- err
span.End()
continue
}
if err = containerData.sbomClient.FilterSBOM(fileList); err != nil {
ctx, span := otel.Tracer("").Start(context.GetBackgroundContext(), "afterTimerActions")
logger.L().Ctx(ctx).Warning("failed to filter SBOM", []helpers.IDetails{helpers.String("container ID", afterTimerActionsData.containerID), helpers.String("container name", containerData.event.GetContainerName()), helpers.String("k8s resource", containerData.event.GetK8SWorkloadID()), helpers.Error(err)}...)
Expand Down Expand Up @@ -130,8 +139,11 @@ func (ch *ContainerHandler) startTimer(watchedContainer watchedContainerData, co
watchedContainer.snifferTicker.Stop()
err = containerHasTerminatedError
}
case err = <-watchedContainer.syncChannel[StepValidateSBOM]:
if errors.Is(err, sbomV1.SBOMIncomplete) {
return err
}
}

return err
}

Expand Down Expand Up @@ -173,6 +185,9 @@ func (ch *ContainerHandler) startRelevancyProcess(contEvent v1.ContainerEventDat
logger.L().Ctx(ctx).Warning("container monitoring got drop events - we may miss some realtime data", helpers.String("container ID", contEvent.GetContainerID()), helpers.String("container name", contEvent.GetContainerName()), helpers.String("k8s resources", contEvent.GetK8SWorkloadID()), helpers.Error(err))
} else if errors.Is(err, containerHasTerminatedError) {
break
} else if errors.Is(err, sbomV1.SBOMIncomplete) {
logger.L().Ctx(ctx).Warning("container monitoring stopped - incomplete SBOM", helpers.String("container ID", contEvent.GetContainerID()), helpers.String("container name", contEvent.GetContainerName()), helpers.String("k8s resources", contEvent.GetK8SWorkloadID()), helpers.Error(err))
break
}
}
span.End()
Expand Down Expand Up @@ -214,6 +229,7 @@ func (ch *ContainerHandler) handleContainerRunningEvent(contEvent v1.ContainerEv
syncChannel: map[string]chan error{
StepGetSBOM: make(chan error, 10),
StepEventAggregator: make(chan error, 10),
StepValidateSBOM: make(chan error, 10),
},
}
ch.watchedContainers.Store(contEvent.GetContainerID(), newWatchedContainer)
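Review bot: The send `containerData.syncChannel[StepValidateSBOM] <- err` in afterTimerActions is a blocking send on a channel created with a buffer of 10, and it fires on every tick for which ValidateSBOM fails; once startTimer has returned on SBOMIncomplete and startRelevancyProcess has broken out of its loop there is presumably no reader left, so a container whose SBOM stays incomplete can fill the buffer and then stall this loop, which from its shape serves every watched container. A non-blocking send (select with a default arm, below) keeps the shared loop alive without changing what the receiver sees. Separately, the new SBOMIncomplete branch in startRelevancyProcess only logs a Warning before breaking out, so a workload whose SBOM cannot be validated silently drops out of relevancy monitoring and will never get filtered SBOM/CVE results; consider recording that state somewhere the rest of the pipeline can observe it rather than relying on the log line alone. The `errors.Is(err, sbomV1.SBOMIncomplete)` guard in the new case also looks redundant, since the `return err` after the select already returns whatever came out of the channel for any error. afterTimerActions, startTimer and startRelevancyProcess all start and end outside this hunk.
```go
if err = containerData.sbomClient.ValidateSBOM(); err != nil {
	// … unchanged: span start and "SBOM is incomplete" warning …
	// Non-blocking on purpose: the receiver in startTimer may already have
	// returned on an earlier incomplete-SBOM tick, and a plain send would
	// eventually fill the 10-slot buffer and block this shared timer loop.
	select {
	case containerData.syncChannel[StepValidateSBOM] <- err:
	default:
	}
	span.End()
	continue
}
```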
4 changes: 4 additions & 0 deletions pkg/sbom/sbom.go
Expand Up @@ -95,3 +95,7 @@ func (sc *SBOMStructure) CleanResources() {
func IsAlreadyExist() error {
return errorsOfSBOM[DataAlreadyExist]
}

func (sc *SBOMStructure) ValidateSBOM() error {
return sc.SBOMData.ValidateSBOM()
}
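Review bot: The new exported method `ValidateSBOM` has no doc comment, and nothing in its name says that it depends on an earlier call having loaded the data; add `// ValidateSBOM checks that the SBOM previously loaded by GetSBOM is complete. It delegates to SBOMData and must only be called after a successful GetSBOM.` The body delegates straight to `sc.SBOMData.ValidateSBOM()`, so if SBOMData can still be nil at that point (GetSBOM never called, or failed) this presumably panics instead of returning an error; whether that is reachable is not visible in this hunk, but a nil guard returning an error would be the safer shape if it is. The CleanResources method named in the hunk header ends before the hunk starts.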
1 change: 1 addition & 0 deletions pkg/sbom/sbom_interface.go
Expand Up @@ -2,6 +2,7 @@ package sbom

type SBOMClient interface {
GetSBOM(imageID string) error
ValidateSBOM() error
FilterSBOM(sbomFileRelevantMap map[string]bool) error
StoreFilterSBOM(instanceID string) error
CleanResources()
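Review bot: The added `ValidateSBOM() error` carries no comment describing its contract, yet the container handler in this same commit relies on one: it checks the returned error with `errors.Is(err, sbomV1.SBOMIncomplete)` and stops monitoring the container on a match. Write that down on the interface, e.g. `// ValidateSBOM reports whether the SBOM loaded by GetSBOM is complete. An incomplete SBOM is returned as an error matching sbomV1.SBOMIncomplete via errors.Is; call it after GetSBOM and before FilterSBOM.` The sentinel name `SBOMIncomplete` also departs from the Go `ErrXxx` convention; it is defined in pkg/sbom/v1, outside this commit's hunks, but renaming it to `ErrSBOMIncomplete` would make the contract self-describing at every call site.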
