From be572db7cfca7bccd5ec347b22359ef312784e36 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Tue, 8 Aug 2023 11:34:04 +0200
Subject: [PATCH] normalize imageTag before sending to backend

Signed-off-by: Matthias Bertschy
---
 adapters/v1/domain_to_armo.go | 6 ++-
 internal/tools/tools.go | 8 ++++
 internal/tools/tools_test.go | 80 +++++++++++++++++++++++++++++++++++
 3 files changed, 92 insertions(+), 2 deletions(-)

diff --git a/adapters/v1/domain_to_armo.go b/adapters/v1/domain_to_armo.go
index 970af87..6dc84b1 100644
--- a/adapters/v1/domain_to_armo.go
+++ b/adapters/v1/domain_to_armo.go
@@ -12,6 +12,7 @@ import (
 "github.com/armosec/cluster-container-scanner-api/containerscan"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/kubescape/kubevuln/core/domain"
+ "github.com/kubescape/kubevuln/internal/tools"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 
@@ -76,6 +77,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 if description == "" && len(match.RelatedVulnerabilities) > 0 {
 description = match.RelatedVulnerabilities[0].Description
 }
+ normalizedImageTag := tools.NormalizeReference(workload.ImageTag)
 // create a vulnerability result for this vulnerability
 vulnerabilityResult := containerscan.CommonContainerVulnerabilityResult{
 IsLastScan: 1,
@@ -91,7 +93,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 Vulnerability: containerscan.Vulnerability{
 Name: match.Vulnerability.ID,
 ImageID: workload.ImageHash,
- ImageTag: workload.ImageTag,
+ ImageTag: normalizedImageTag,
 RelatedPackageName: match.Artifact.Name,
 PackageVersion: match.Artifact.Version,
 Link: link,
@@ -101,7 +103,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 Fixes: []containerscan.FixedIn{
 {
 Name: match.Vulnerability.Fix.State,
- ImgTag: workload.ImageTag,
+ ImgTag: normalizedImageTag,
 Version: version,
 },
 },
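Review bot: `normalizedImageTag := tools.NormalizeReference(workload.ImageTag)` in the `@@ -76,6 +77,7 @@` hunk depends only on `workload`, yet it sits among per-`match` statements, so it presumably re-parses the same reference for every vulnerability match. Computing it once before the loop would make it visibly invariant across all results of one scan. The loop header and the rest of `domainToArmo` lie outside the hunk, so this is inferred from the context lines. A short comment such as `// send the normalized (fully qualified) image reference to the backend` would also record why the raw `workload.ImageTag` is no longer used.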
diff --git a/internal/tools/tools.go b/internal/tools/tools.go
index aa73d43..c8bf44a 100644
--- a/internal/tools/tools.go
+++ b/internal/tools/tools.go
@@ -105,3 +105,11 @@ func DeleteContents(dir string) error {
 }
 return nil
 }
+
+func NormalizeReference(ref string) string {
+ n, err := reference.ParseNormalizedNamed(ref)
+ if err != nil {
+ return ref
+ }
+ return n.String()
+}
diff --git a/internal/tools/tools_test.go b/internal/tools/tools_test.go
index 1d15ce6..0ba4202 100644
--- a/internal/tools/tools_test.go
+++ b/internal/tools/tools_test.go
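Review bot: `NormalizeReference` discards the parse error and returns `ref` unchanged, so a reference that `reference.ParseNormalizedNamed` rejects goes to the backend in its raw form with nothing logged. Findings for the same image can then end up under two different `ImageTag` values. The exported function also has no doc comment; something like `// NormalizeReference returns ref in its fully qualified form (registry and repository path filled in), or ref unchanged if it cannot be parsed.` would make the fallback explicit. Consider logging the error in the `err != nil` branch or at the call site so un-normalized tags are visible in operation.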
@@ -60,3 +60,83 @@ func TestLabelsFromImageID(t *testing.T) {
 })
 }
 }
+
+func TestNormalizeReference(t *testing.T) {
+ type args struct {
+ ref string
+ }
+ tests := []struct {
+ name string
+ args args
+ want string
+ }{
+ {
+ name: "image tag",
+ args: args{
+ ref: "nginx:latest",
+ },
+ want: "docker.io/library/nginx:latest",
+ },
+ {
+ name: "image sha",
+ args: args{
+ ref: "nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ want: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ {
+ name: "image tag sha",
+ args: args{
+ ref: "nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ want: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ {
+ name: "repo image tag",
+ args: args{
+ ref: "docker.io/library/nginx:latest",
+ },
+ want: "docker.io/library/nginx:latest",
+ },
+ {
+ name: "repo image sha",
+ args: args{
+ ref: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ want: "docker.io/library/nginx@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ {
+ name: "repo image tag sha",
+ args: args{
+ ref: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ want: "docker.io/library/nginx:latest@sha256:73e957703f1266530db0aeac1fd6a3f87c1e59943f4c13eb340bb8521c6041d7",
+ },
+ {
+ name: "quay image tag",
+ args: args{
+ ref: "quay.io/kubescape/kubevuln:latest",
+ },
+ want: "quay.io/kubescape/kubevuln:latest",
+ },
+ {
+ name: "quay image sha",
+ args: args{
+ ref: "quay.io/kubescape/kubevuln@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+ },
+ want: "quay.io/kubescape/kubevuln@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+ },
+ {
+ name: "quay image tag sha",
+ args: args{
+ ref: "quay.io/kubescape/kubevuln:latest@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+ },
+ want: "quay.io/kubescape/kubevuln:latest@sha256:616d1d4312551b94088deb6ddab232ecabbbff0c289949a0d5f12d4b527c3f8a",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ assert.Equalf(t, tt.want, NormalizeReference(tt.args.ref), "NormalizeReference(%v)", tt.args.ref)
+ })
+ }
+}
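Review bot: Every case in `TestNormalizeReference` is a reference that parses, so the `err != nil` branch that returns `ref` unchanged is never exercised. Add a case whose input is rejected and whose `want` equals the input, for example (constructed sample) `{name: "invalid reference", args: args{ref: "NGINX:latest"}, want: "NGINX:latest"},`. That sample assumes the `reference` package in use rejects upper-case repository names, as the distribution reference parser does. An untagged name such as `nginx` is also worth pinning, since it shows whether a default tag is added or the result differs from the `nginx:latest` case.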