From 7185dc9a4d50e38884160f2c295097e137653332 Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Mon, 3 Jun 2024 13:45:31 +0300
Subject: [PATCH 1/2] normalizeImageID

Signed-off-by: David Wertenteil
---
 adapters/v1/syft.go | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/adapters/v1/syft.go b/adapters/v1/syft.go
index 28ecef7..b0634aa 100644
--- a/adapters/v1/syft.go
+++ b/adapters/v1/syft.go
@@ -4,6 +4,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "regexp"
 "runtime"
 "strings"
 "time"
@@ -35,6 +36,10 @@ type SyftAdapter struct {
 scanTimeout time.Duration
 }
 
+const digestDelim = "@"
+
+var hashPattern = regexp.MustCompile(`^.*@sha256:[a-f0-9]{64}$`)
+
 var _ ports.SBOMCreator = (*SyftAdapter)(nil)
 
 // NewSyftAdapter initializes the SyftAdapter struct
@@ -46,22 +51,25 @@ func NewSyftAdapter(scanTimeout time.Duration, maxImageSize int64, maxSBOMSize i
 }
 }
 
-const digestDelim = "@"
-
 func normalizeImageID(imageID, imageTag string) string {
 // registry scanning doesn't provide imageID, so we use imageTag as a reference
 if imageID == "" {
 return imageTag
 }
+
+ if !hashPattern.MatchString(imageID) {
+ return imageTag
+ }
 // try to parse imageID as a full digest
- if newDigest, err := name.NewDigest(imageID); err == nil {
+ if newDigest, err := name.NewDigest(imageTag); err == nil {
 return newDigest.String()
 }
 // if it's not a full digest, we need to use imageTag as a reference
 tag, err := name.ParseReference(imageTag)
 if err != nil {
- return ""
+ return imageTag
 }
+
 // and append imageID as a digest
 parts := strings.Split(imageID, digestDelim)
 // filter garbage
@@ -84,6 +92,9 @@ func (s *SyftAdapter) CreateSBOM(ctx context.Context, name, imageID, imageTag st
 ctx, span := otel.Tracer("").Start(ctx, "SyftAdapter.CreateSBOM")
 defer span.End()
 
+ if imageTag != "" {
+ imageID = normalizeImageID(imageID, imageTag)
+ }
 // prepare an SBOM and fill it progressively
 domainSBOM := domain.SBOM{
 Name: name,
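Review bot: In normalizeImageID the comment `// try to parse imageID as a full digest` now sits above `name.NewDigest(imageTag)`, so it no longer describes the call, and the digest carried in imageID, which has just passed hashPattern, is never compared with the one in imageTag before imageTag is returned. If the two disagree, the SBOM is keyed on the digest from the spec rather than the one the runtime reported, and nothing signals it. If the runtime digest is meant to win, guard the early return with `err == nil && strings.HasSuffix(imageID, newDigest.DigestStr())`; otherwise reword the comment to `// imageTag is already a digest reference: use it as-is`. The function body continues past the end of the hunk, so the effect on the later split of imageID is not visible here.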
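Review bot: After this added block `imageID` may hold a tag reference rather than a digest, because normalizeImageID now returns imageTag whenever the runtime ID fails hashPattern or imageTag does not parse, and the `Labels: tools.LabelsFromImageID(imageID)` context line of the following hunk is built from that value. A tag can be re-pointed, so an SBOM stored under it is not tied to the image content that was inspected; that may be the intended trade-off, but the fallback leaves no trace. Add a comment such as `// imageID may be a tag reference here when the runtime ID carried no sha256 digest`, and consider logging the fallback. CreateSBOM starts before and continues after this hunk.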
@@ -94,10 +105,8 @@ func (s *SyftAdapter) CreateSBOM(ctx context.Context, name, imageID, imageTag st
 },
 Labels: tools.LabelsFromImageID(imageID),
 }
- if imageTag != "" {
- imageID = normalizeImageID(imageID, imageTag)
- domainSBOM.Annotations[helpersv1.ImageTagMetadataKey] = imageTag
- }
+ domainSBOM.Annotations[helpersv1.ImageTagMetadataKey] = imageTag
+
 // translate business models into Syft models
 if options.Platform == "" {
 options.Platform = runtime.GOARCH

From a2b2c7b47b6ae97ab95c70bf10f7067d7a72b977 Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Mon, 3 Jun 2024 13:53:11 +0300
Subject: [PATCH 2/2] update regex

Signed-off-by: David Wertenteil
---
 adapters/v1/syft.go | 2 +-
 adapters/v1/syft_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/adapters/v1/syft.go b/adapters/v1/syft.go
index b0634aa..d9bad44 100644
--- a/adapters/v1/syft.go
+++ b/adapters/v1/syft.go
@@ -38,7 +38,7 @@ type SyftAdapter struct {
 
 const digestDelim = "@"
 
-var hashPattern = regexp.MustCompile(`^.*@sha256:[a-f0-9]{64}$`)
+var hashPattern = regexp.MustCompile(`^(.*@)?sha256:[a-f0-9]{64}$`)
 
 var _ ports.SBOMCreator = (*SyftAdapter)(nil)
 
diff --git a/adapters/v1/syft_test.go b/adapters/v1/syft_test.go
index 5c4c928..b21451c 100644
--- a/adapters/v1/syft_test.go
+++ b/adapters/v1/syft_test.go
@@ -208,7 +208,7 @@ func TestNormalizeImageID(t *testing.T) {
 name: "quay.io-kubescape-kubescape-v3.0.3-88a469",
 imageID: "86413975e2d0330176894e4f3f5987505ed27b1191f2537797fbbf345b88a469",
 imageTag: "quay.io/kubescape/kubescape:v3.0.3",
- want: "quay.io/kubescape/kubescape@sha256:86413975e2d0330176894e4f3f5987505ed27b1191f2537797fbbf345b88a469",
+ want: "quay.io/kubescape/kubescape:v3.0.3",
 },
 {
 name: "registry.k8s.io-kube-scheduler-v1.28.4-3d2c54",
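Review bot: `domainSBOM.Annotations[helpersv1.ImageTagMetadataKey] = imageTag` is now executed on every call, while the removed lines set it only inside `if imageTag != "" {`. When imageTag is empty the SBOM gets the annotation with an empty value, which a consumer that tests for the key's presence would read as a known tag; whether any consumer does so is not visible here. Keeping the guard restores the earlier behaviour: `if imageTag != "" { domainSBOM.Annotations[helpersv1.ImageTagMetadataKey] = imageTag }`. CreateSBOM begins and ends outside this hunk.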
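Review bot: hashPattern has no comment saying which imageID forms it admits, and after this change that decides whether normalizeImageID pins the SBOM to a digest or falls back to the tag. Suggested comment: `// hashPattern accepts "sha256:<64 lowercase hex>", optionally prefixed by "<repository>@"; any other imageID makes normalizeImageID return imageTag`. The newly accepted bare `sha256:` form is presumably appended to the repository taken from imageTag further down; whether every runtime reports a registry manifest digest in that form, rather than a local image ID, cannot be told from this hunk and is worth confirming. The pattern also admits only sha256 and lowercase hex, so an imageID using another digest algorithm silently takes the tag fallback.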