use application profile instead of sbomp

Signed-off-by: Matthias Bertschy <[email protected]>

Author: matthyx

mainhandler/handlerequests.go

@@ -146,7 +146,11 @@ func (mainHandler *MainHandler) HandleWatchers(ctx context.Context) {
 		}
 	}()
 
-	ksStorageClient, err := kssc.NewForConfig(k8sinterface.GetK8sConfig())
+	cfg := k8sinterface.GetK8sConfig()
+	// force GRPC
+	cfg.AcceptContentTypes = "application/vnd.kubernetes.protobuf"
+	cfg.ContentType = "application/vnd.kubernetes.protobuf"
+	ksStorageClient, err := kssc.NewForConfig(cfg)
 	if err != nil {
 		logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err))
 	}
@@ -160,7 +164,7 @@ func (mainHandler *MainHandler) HandleWatchers(ctx context.Context) {
 
 	// start watching
 	go watchHandler.PodWatch(ctx, mainHandler.eventWorkerPool)
-	go watchHandler.SBOMFilteredWatch(ctx, mainHandler.eventWorkerPool)
+	go watchHandler.ApplicationProfileWatch(ctx, mainHandler.eventWorkerPool)
 }
 
 func (h *MainHandler) StartContinuousScanning(_ context.Context) error {
@@ -229,8 +233,8 @@ func (actionHandler *ActionHandler) runCommand(ctx context.Context, sessionObj *
 	switch c.CommandName {
 	case apis.TypeScanImages:
 		return actionHandler.scanImage(ctx, sessionObj)
-	case utils.CommandScanFilteredSBOM:
-		actionHandler.scanFilteredSBOM(ctx, sessionObj)
+	case utils.CommandScanApplicationProfile:
+		actionHandler.scanApplicationProfile(ctx, sessionObj)
 	case apis.TypeRunKubescape, apis.TypeRunKubescapeJob:
 		return actionHandler.kubescapeScan(ctx)
 	case apis.TypeSetKubescapeCronJob:

mainhandler/vulnscan.go

@@ -339,8 +339,8 @@ func (actionHandler *ActionHandler) scanImage(ctx context.Context, sessionObj *u
 	return nil
 }
 
-func (actionHandler *ActionHandler) scanFilteredSBOM(ctx context.Context, sessionObj *utils.SessionObj) error {
-	ctx, span := otel.Tracer("").Start(ctx, "actionHandler.scanFilteredSBOM")
+func (actionHandler *ActionHandler) scanApplicationProfile(ctx context.Context, sessionObj *utils.SessionObj) error {
+	ctx, span := otel.Tracer("").Start(ctx, "actionHandler.scanApplicationProfile")
 	defer span.End()
 
 	if !actionHandler.config.Components().Kubevuln.Enabled {
@@ -352,7 +352,7 @@ func (actionHandler *ActionHandler) scanFilteredSBOM(ctx context.Context, sessio
 		return fmt.Errorf("failed to get container for image %s", actionHandler.command.Args[utils.ArgsContainerData])
 	}
 
-	// scanning a filtered SBOM (SBOM already downloaded) so AuthConfig can be empty
+	// scanning an application profile so AuthConfig can be empty
 	span.AddEvent("scanning", trace.WithAttributes(attribute.String("wlid", actionHandler.wlid)))
 	cmd := actionHandler.getImageScanCommand(containerData, sessionObj, &ImageScanConfig{})
 

utils/utils.go

@@ -29,7 +29,7 @@ const ArgsPod = "pod"
 const ArgsContainerData = "containerData"
 const dockerPullableURN = "docker-pullable://"
 
-const CommandScanFilteredSBOM = "scanFilteredSBOM"
+const CommandScanApplicationProfile = "scanApplicationProfile"
 
 func MapToString(m map[string]interface{}) []string {
 	s := []string{}

watcher/filteredsbomwatcher.go watcher/applicationprofilewatcher.go

@@ -29,20 +29,20 @@ var (
 	ErrMissingContainerName = fmt.Errorf("missing container name")
 )
 
-// SBOMFilteredWatch watches and processes changes on Filtered SBOMs
-func (wh *WatchHandler) SBOMFilteredWatch(ctx context.Context, workerPool *ants.PoolWithFunc) {
+// ApplicationProfileWatch watches and processes changes on ApplicationProfile resources
+func (wh *WatchHandler) ApplicationProfileWatch(ctx context.Context, workerPool *ants.PoolWithFunc) {
 	inputEvents := make(chan watch.Event)
 	cmdCh := make(chan *apis.Command)
 	errorCh := make(chan error)
-	sbomEvents := make(<-chan watch.Event)
+	apEvents := make(<-chan watch.Event)
 
 	// The watcher is considered unavailable by default
-	sbomWatcherUnavailable := make(chan struct{})
+	apWatcherUnavailable := make(chan struct{})
 	go func() {
-		sbomWatcherUnavailable <- struct{}{}
+		apWatcherUnavailable <- struct{}{}
 	}()
 
-	go wh.HandleSBOMFilteredEvents(inputEvents, cmdCh, errorCh)
+	go wh.HandleApplicationProfileEvents(inputEvents, cmdCh, errorCh)
 
 	// notifyWatcherDown notifies the appropriate channel that the watcher
 	// is down and backs off for the retry interval to not produce
@@ -56,45 +56,45 @@ func (wh *WatchHandler) SBOMFilteredWatch(ctx context.Context, workerPool *ants.
 	var err error
 	for {
 		select {
-		case sbomEvent, ok := <-sbomEvents:
+		case apEvent, ok := <-apEvents:
 			if ok {
-				inputEvents <- sbomEvent
+				inputEvents <- apEvent
 			} else {
-				notifyWatcherDown(sbomWatcherUnavailable)
+				notifyWatcherDown(apWatcherUnavailable)
 			}
 		case cmd, ok := <-cmdCh:
 			if ok {
 				utils.AddCommandToChannel(ctx, wh.cfg, cmd, workerPool)
 			} else {
-				notifyWatcherDown(sbomWatcherUnavailable)
+				notifyWatcherDown(apWatcherUnavailable)
 			}
 		case err, ok := <-errorCh:
 			if ok {
-				logger.L().Ctx(ctx).Error(fmt.Sprintf("error in SBOMFilteredWatch: %v", err.Error()))
+				logger.L().Ctx(ctx).Error(fmt.Sprintf("error in ApplicationProfileWatch: %v", err.Error()))
 			} else {
-				notifyWatcherDown(sbomWatcherUnavailable)
+				notifyWatcherDown(apWatcherUnavailable)
 			}
-		case <-sbomWatcherUnavailable:
+		case <-apWatcherUnavailable:
 			if watcher != nil {
 				watcher.Stop()
 			}
 
-			watcher, err = wh.getSBOMFilteredWatcher()
+			watcher, err = wh.getApplicationProfileWatcher()
 			if err != nil {
-				notifyWatcherDown(sbomWatcherUnavailable)
+				notifyWatcherDown(apWatcherUnavailable)
 			} else {
-				sbomEvents = watcher.ResultChan()
+				apEvents = watcher.ResultChan()
 			}
 		}
 	}
 
 }
 
-func (wh *WatchHandler) HandleSBOMFilteredEvents(sfEvents <-chan watch.Event, producedCommands chan<- *apis.Command, errorCh chan<- error) {
+func (wh *WatchHandler) HandleApplicationProfileEvents(sfEvents <-chan watch.Event, producedCommands chan<- *apis.Command, errorCh chan<- error) {
 	defer close(errorCh)
 
 	for e := range sfEvents {
-		obj, ok := e.Object.(*spdxv1beta1.SBOMSyftFiltered)
+		obj, ok := e.Object.(*spdxv1beta1.ApplicationProfile)
 		if !ok {
 			errorCh <- ErrUnsupportedObject
 			continue
@@ -111,13 +111,13 @@ func (wh *WatchHandler) HandleSBOMFilteredEvents(sfEvents <-chan watch.Event, pr
 			continue
 		}
 
-		if skipSBOM(obj.ObjectMeta.Annotations) {
+		if skipAP(obj.ObjectMeta.Annotations) {
 			continue
 		}
 
-		containerData, err := wh.getContainerDataFilteredSBOM(obj)
+		containerData, err := wh.getContainerDataApplicationProfile(obj)
 		if err != nil {
-			logger.L().Error("failed to get container data from filtered SBOM",
+			logger.L().Error("failed to get container data from application profile",
 				helpers.String("name", obj.ObjectMeta.Name),
 				helpers.String("namespace", obj.ObjectMeta.Namespace),
 				helpers.Interface("annotations", obj.ObjectMeta.Annotations),
@@ -138,25 +138,25 @@ func (wh *WatchHandler) HandleSBOMFilteredEvents(sfEvents <-chan watch.Event, pr
 
 		cmd := &apis.Command{
 			Wlid:        containerData.Wlid,
-			CommandName: utils.CommandScanFilteredSBOM,
+			CommandName: utils.CommandScanApplicationProfile,
 			Args: map[string]interface{}{
 				utils.ArgsContainerData: containerData,
 			},
 		}
 		// send
-		logger.L().Info("scanning filtered SBOM", helpers.String("wlid", cmd.Wlid), helpers.String("slug", containerData.Slug), helpers.String("containerName", containerData.ContainerName), helpers.String("imageTag", containerData.ImageTag), helpers.String("imageID", containerData.ImageID))
+		logger.L().Info("scanning application profile", helpers.String("wlid", cmd.Wlid), helpers.String("slug", containerData.Slug), helpers.String("containerName", containerData.ContainerName), helpers.String("imageTag", containerData.ImageTag), helpers.String("imageID", containerData.ImageID))
 		producedCommands <- cmd
 	}
 }
 
-func (wh *WatchHandler) getContainerDataFilteredSBOM(obj *spdxv1beta1.SBOMSyftFiltered) (*utils.ContainerData, error) {
+func (wh *WatchHandler) getContainerDataApplicationProfile(obj *spdxv1beta1.ApplicationProfile) (*utils.ContainerData, error) {
 
 	containerData, err := annotationsToContainerData(obj.GetAnnotations())
 	if err != nil {
 		return nil, err
 	}
 
-	if err := validateContainerDataFilteredSBOM(containerData); err != nil {
+	if err := validateContainerDataApplicationProfiles(containerData); err != nil {
 		return nil, err
 	}
 	return containerData, nil
@@ -183,14 +183,14 @@ func annotationsToContainerData(annotations map[string]string) (*utils.Container
 	containerData.ContainerName = instanceID.GetContainerName()
 	containerData.ContainerType = string(instanceID.GetInstanceType())
 
-	// FIXME: use the annotations after adding imageID and imageTag to the filtered SBOM
+	// FIXME: use the annotations after adding imageID and imageTag to the application profile
 	containerData.ImageID = annotations[helpersv1.ImageIDMetadataKey]
 	containerData.ImageTag = annotations[helpersv1.ImageTagMetadataKey]
 
 	return containerData, nil
 }
 
-func skipSBOM(annotations map[string]string) bool {
+func skipAP(annotations map[string]string) bool {
 	ann := []string{
 		"", // empty string for backward compatibility
 		helpersv1.Ready,
@@ -207,12 +207,12 @@ func skipSBOM(annotations map[string]string) bool {
 	return false // do not skip
 }
 
-func (wh *WatchHandler) getSBOMFilteredWatcher() (watch.Interface, error) {
+func (wh *WatchHandler) getApplicationProfileWatcher() (watch.Interface, error) {
 	// no need to support ExcludeNamespaces and IncludeNamespaces since node-agent will respect them as well
-	return wh.storageClient.SpdxV1beta1().SBOMSyftFiltereds("").Watch(context.Background(), v1.ListOptions{})
+	return wh.storageClient.SpdxV1beta1().ApplicationProfiles("").Watch(context.Background(), v1.ListOptions{})
 }
 
-func validateContainerDataFilteredSBOM(containerData *utils.ContainerData) error {
+func validateContainerDataApplicationProfiles(containerData *utils.ContainerData) error {
 	if containerData.ContainerName == "" {
 		return ErrMissingContainerName
 	}

watcher/filteredsbomwatcher_test.go watcher/applicationprofilewatcher_test.go

@@ -66,7 +66,7 @@ func TestNewWatchHandlerProducesValidResult(t *testing.T) {
 	}
 }
 
-func TestHandleSBOMFilteredEvents(t *testing.T) {
+func TestHandleApplicationProfileEvents(t *testing.T) {
 	tt := []struct {
 		name                      string
 		inputEvents               []watch.Event
@@ -77,11 +77,11 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 		expectedWlidAndImageIDMap []string
 	}{
 		{
-			name: "Adding a new Filtered SBOM should produce a matching scan command",
+			name: "Adding a new application profile should produce a matching scan command",
 			inputEvents: []watch.Event{
 				{
 					Type: watch.Added,
-					Object: &spdxv1beta1.SBOMSyftFiltered{
+					Object: &spdxv1beta1.ApplicationProfile{
 						ObjectMeta: v1.ObjectMeta{
 							Name: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861",
 							Annotations: map[string]string{
@@ -96,7 +96,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 				},
 				{
 					Type: watch.Modified,
-					Object: &spdxv1beta1.SBOMSyftFiltered{
+					Object: &spdxv1beta1.ApplicationProfile{
 						ObjectMeta: v1.ObjectMeta{
 							Name: "replicaset-nginx-6ccd565b7d-nginx-e4ff-657a",
 							Annotations: map[string]string{
@@ -112,7 +112,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 			},
 			expectedCommands: []*apis.Command{
 				{
-					CommandName: utils.CommandScanFilteredSBOM,
+					CommandName: utils.CommandScanApplicationProfile,
 					Wlid:        "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx",
 					Args: map[string]interface{}{
 						utils.ArgsContainerData: &utils.ContainerData{
@@ -126,7 +126,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 					},
 				},
 				{
-					CommandName: utils.CommandScanFilteredSBOM,
+					CommandName: utils.CommandScanApplicationProfile,
 					Wlid:        "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx",
 					Args: map[string]interface{}{
 						utils.ArgsContainerData: &utils.ContainerData{
@@ -158,7 +158,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 			inputEvents: []watch.Event{
 				{
 					Type: watch.Added,
-					Object: &spdxv1beta1.SBOMSyftFiltered{
+					Object: &spdxv1beta1.ApplicationProfile{
 						ObjectMeta: v1.ObjectMeta{
 							Name: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861",
 							Annotations: map[string]string{
@@ -185,7 +185,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 			inputEvents: []watch.Event{
 				{
 					Type:   watch.Deleted,
-					Object: &spdxv1beta1.SBOMSyftFiltered{},
+					Object: &spdxv1beta1.ApplicationProfile{},
 				},
 			},
 			expectedCommands:          []*apis.Command{},
@@ -220,7 +220,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 
 			wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, nil)
 
-			go wh.HandleSBOMFilteredEvents(inputEvents, cmdCh, errorCh)
+			go wh.HandleApplicationProfileEvents(inputEvents, cmdCh, errorCh)
 
 			go func() {
 				for _, e := range tc.inputEvents {
@@ -250,7 +250,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 				}
 			}
 
-			actualObjects, _ := storageClient.SpdxV1beta1().SBOMSyftFiltereds("").List(ctx, v1.ListOptions{})
+			actualObjects, _ := storageClient.SpdxV1beta1().ApplicationProfiles("").List(ctx, v1.ListOptions{})
 
 			actualObjectNames := []string{}
 			for _, obj := range actualObjects.Items {
@@ -276,16 +276,16 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 
 	}
 }
-func TestGetContainerDataFilteredSBOM(t *testing.T) {
+func TestGetContainerDataApplicationProfile(t *testing.T) {
 	tests := []struct {
-		obj     *spdxv1beta1.SBOMSyftFiltered
+		obj     *spdxv1beta1.ApplicationProfile
 		want    *utils.ContainerData
 		name    string
 		wantErr bool
 	}{
 		{
-			name: "valid SBOMSyftFiltered object",
-			obj: &spdxv1beta1.SBOMSyftFiltered{
+			name: "valid ApplicationProfile object",
+			obj: &spdxv1beta1.ApplicationProfile{
 				ObjectMeta: v1.ObjectMeta{
 					Annotations: map[string]string{
 						helpersv1.InstanceIDMetadataKey:    "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx",
@@ -307,8 +307,8 @@ func TestGetContainerDataFilteredSBOM(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "invalid SBOMSyftFiltered object - missing instanceID",
-			obj: &spdxv1beta1.SBOMSyftFiltered{
+			name: "invalid ApplicationProfile object - missing instanceID",
+			obj: &spdxv1beta1.ApplicationProfile{
 				ObjectMeta: v1.ObjectMeta{
 					Annotations: map[string]string{
 						helpersv1.InstanceIDMetadataKey:    "",
@@ -323,8 +323,8 @@ func TestGetContainerDataFilteredSBOM(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "invalid SBOMSyftFiltered object - missing other fields",
-			obj: &spdxv1beta1.SBOMSyftFiltered{
+			name: "invalid ApplicationProfile object - missing other fields",
+			obj: &spdxv1beta1.ApplicationProfile{
 				ObjectMeta: v1.ObjectMeta{
 					Annotations: map[string]string{
 						helpersv1.InstanceIDMetadataKey:    "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx",
@@ -344,7 +344,7 @@ func TestGetContainerDataFilteredSBOM(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := wh.getContainerDataFilteredSBOM(tt.obj)
+			got, err := wh.getContainerDataApplicationProfile(tt.obj)
 			assert.Equal(t, tt.want, got)
 			assert.Equal(t, tt.wantErr, err != nil)
 		})
@@ -406,7 +406,7 @@ func TestAnnotationsToContainerData(t *testing.T) {
 		})
 	}
 }
-func TestSkipSBOM(t *testing.T) {
+func TestSkipAP(t *testing.T) {
 	tests := []struct {
 		annotations map[string]string
 		name        string
@@ -449,12 +449,13 @@ func TestSkipSBOM(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotSkip := skipSBOM(tt.annotations)
+			gotSkip := skipAP(tt.annotations)
 			assert.Equal(t, tt.wantSkip, gotSkip)
 		})
 	}
 }
-func TestValidateContainerDataFilteredSBOM(t *testing.T) {
+
+func TestValidateContainerDataApplicationProfile(t *testing.T) {
 	tests := []struct {
 		wantErr       error
 		containerData *utils.ContainerData
@@ -525,7 +526,7 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateContainerDataFilteredSBOM(tt.containerData)
+			err := validateContainerDataApplicationProfiles(tt.containerData)
 			assert.Equal(t, tt.wantErr, err)
 		})
 	}