From f9fceb58bf64657dee92302df1ed97e597e474c9 Mon Sep 17 00:00:00 2001
From: Fabrizio Sestito
Date: Wed, 11 Dec 2024 17:39:06 +0100
Subject: [PATCH] fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)

Signed-off-by: Fabrizio Sestito
Co-authored-by: DmitriyLewen
---
 integration/sbom_test.go | 5 ----
 ...d-multiple-lockfiles-short.cdx.json.golden | 24 +++++++++++++++++++
 .../fluentd-multiple-lockfiles.json.golden | 15 +++++++++---
 pkg/scanner/scan.go | 21 ----------------
 4 files changed, 36 insertions(+), 29 deletions(-)

diff --git a/integration/sbom_test.go b/integration/sbom_test.go
index e887f1520e68..1bc41f58639b 100644
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -186,11 +186,6 @@ func overrideSBOMReport(t *testing.T, want, got *types.Report) {
 want.Metadata.ImageID = ""
 want.Metadata.ImageConfig = v1.ConfigFile{}
 want.Metadata.DiffIDs = nil
- for i, result := range want.Results {
- for j := range result.Vulnerabilities {
- want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
- }
- }
 
 // when running on Windows FS
 got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))
diff --git a/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
index 496ca8ae3110..259715928e0f 100644
--- a/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
@@ -80,6 +80,14 @@
 "version": "5.0-4",
 "purl": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
 "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+ },
 {
 "name": "aquasecurity:trivy:PkgID",
 "value": "bash@5.0-4"
@@ -105,6 +113,14 @@
 "version": "2.0.5-1",
 "purl": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
 "properties": [
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+ },
 {
 "name": "aquasecurity:trivy:PkgID",
 "value": "libidn2-0@2.0.5-1"
@@ -141,6 +157,14 @@
 "name": "aquasecurity:trivy:FilePath",
 "value": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec"
 },
+ {
+ "name": "aquasecurity:trivy:LayerDiffID",
+ "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+ },
+ {
+ "name": "aquasecurity:trivy:LayerDigest",
+ "value": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602"
+ },
 {
 "name": "aquasecurity:trivy:PkgID",
 "value": "activesupport@6.0.2.1"
diff --git a/integration/testdata/fluentd-multiple-lockfiles.json.golden b/integration/testdata/fluentd-multiple-lockfiles.json.golden
index fec0e1a39a0d..106bb020e84c 100644
--- a/integration/testdata/fluentd-multiple-lockfiles.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -36,7 +36,10 @@
 },
 "InstalledVersion": "5.0-4",
 "Status": "affected",
- "Layer": {},
+ "Layer": {
+ "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
+ "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+ },
 "SeveritySource": "debian",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
 "DataSource": {
@@ -102,7 +105,10 @@
 "InstalledVersion": "2.0.5-1",
 "FixedVersion": "2.0.5-1+deb10u1",
 "Status": "fixed",
- "Layer": {},
+ "Layer": {
+ "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
+ "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+ },
 "SeveritySource": "nvd",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
 "DataSource": {
@@ -173,7 +179,10 @@
 "InstalledVersion": "6.0.2.1",
 "FixedVersion": "6.0.3.1, 5.2.4.3",
 "Status": "fixed",
- "Layer": {},
+ "Layer": {
+ "Digest": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602",
+ "DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+ },
 "SeveritySource": "ghsa",
 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
 "DataSource": {
diff --git a/pkg/scanner/scan.go b/pkg/scanner/scan.go
index f1e4cf68c515..4009ddba8a4d 100644
--- a/pkg/scanner/scan.go
+++ b/pkg/scanner/scan.go
@@ -178,11 +178,6 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 ptros = nil
 }
 
- // Layer makes sense only when scanning container images
- if artifactInfo.Type != artifact.TypeContainerImage {
- removeLayer(results)
- }
-
 return types.Report{
 SchemaVersion: report.SchemaVersion,
 CreatedAt: clock.Now(ctx),
@@ -202,19 +197,3 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 BOM: artifactInfo.BOM,
 }, nil
 }
-
-func removeLayer(results types.Results) {
- for i := range results {
- result := results[i]
-
- for j := range result.Packages {
- result.Packages[j].Layer = ftypes.Layer{}
- }
- for j := range result.Vulnerabilities {
- result.Vulnerabilities[j].Layer = ftypes.Layer{}
- }
- for j := range result.Misconfigurations {
- result.Misconfigurations[j].Layer = ftypes.Layer{}
- }
- }
-}