Add image labels to artifact of vulnerability report

Author: tom1299

deploy/helm/crds/aquasecurity.github.io_clustersbomreports.yaml

@@ -78,6 +78,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string

deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml

@@ -94,6 +94,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string

deploy/helm/crds/aquasecurity.github.io_exposedsecretreports.yaml

@@ -89,6 +89,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string

deploy/helm/crds/aquasecurity.github.io_sbomreports.yaml

@@ -79,6 +79,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string

deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml

@@ -95,6 +95,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string

deploy/static/trivy-operator.yaml

@@ -890,6 +890,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string
@@ -1301,6 +1307,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string
@@ -1771,6 +1783,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string
@@ -2328,6 +2346,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string
@@ -2741,6 +2765,12 @@ spec:
                     description: Digest is a unique and immutable identifier of an
                       Artifact.
                     type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels is a map of key value pairs from the scanned
+                      artifact
+                    type: object
                   mimeType:
                     description: MimeType represents a type and format of an Artifact.
                     type: string

pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go

@@ -60,6 +60,10 @@ type Artifact struct {
 	// MimeType represents a type and format of an Artifact.
 	// +optional
 	MimeType string `json:"mimeType,omitempty"`
+
+	// Labels is a map of key value pairs from the scanned artifact
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
 }
 
 // OS is the Operating System of the Artifact

pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go

@@ -150,14 +150,16 @@ func (p *plugin) ParseReportData(ctx trivyoperator.PluginContext, imageRef strin
 	}
 
 	var reports ty.Report
+
 	err = json.NewDecoder(logsReader).Decode(&reports)
 	if err != nil {
 		return vulnReport, secretReport, nil, err
 	}
 
 	imageDigest := p.getImageDigest(reports)
+	imageLabels := reports.Metadata.ImageConfig.Config.Labels
 
-	registry, artifact, err := ParseImageRef(imageRef, imageDigest)
+	registry, artifact, err := ParseImageRef(imageRef, imageDigest, imageLabels)
 	if err != nil {
 		return vulnReport, secretReport, nil, err
 	}
@@ -215,7 +217,7 @@ func (p *plugin) NewConfigForConfigAudit(ctx trivyoperator.PluginContext) (confi
 	return getConfig(ctx)
 }
 
-func ParseImageRef(imageRef, imageDigest string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
+func ParseImageRef(imageRef, imageDigest string, imageLabels map[string]string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
 	ref, err := containerimage.ParseReference(imageRef)
 	if err != nil {
 		return v1alpha1.Registry{}, v1alpha1.Artifact{}, err
@@ -236,6 +238,9 @@ func ParseImageRef(imageRef, imageDigest string) (v1alpha1.Registry, v1alpha1.Ar
 	if artifact.Digest == "" {
 		artifact.Digest = imageDigest
 	}
+
+	artifact.Labels = imageLabels
+
 	return registry, artifact, nil
 }
 

pkg/plugins/trivy/plugin.go

@@ -8250,6 +8250,7 @@ func TestParseImageRef(t *testing.T) {
 		name             string
 		inputImageRef    string
 		inputImageID     string
+		inputImageLabels map[string]string
 		expectedRegistry v1alpha1.Registry
 		expectedArtifact v1alpha1.Artifact
 		expectedErr      error
@@ -8345,6 +8346,29 @@ func TestParseImageRef(t *testing.T) {
 				Tag:        "1.0.0",
 			},
 		},
+		{
+			name:          "well known image with labels",
+			inputImageRef: "docker.io/library/busybox:latest",
+			inputImageID:  "sha256:2bc57c6bcb194869d18676e003dfed47b87d257fce49667557fb8eb1f324d5d6",
+			inputImageLabels: map[string]string{
+				"org.opencontainers.image.source":  "https://github.com/docker-library/busybox",
+				"org.opencontainers.image.url":     "docker.io/library/busybox",
+				"org.opencontainers.image.created": "2019-10-12T07:20:50.52Z",
+			},
+			expectedRegistry: v1alpha1.Registry{
+				Server: "index.docker.io",
+			},
+			expectedArtifact: v1alpha1.Artifact{
+				Repository: "library/busybox",
+				Digest:     "sha256:2bc57c6bcb194869d18676e003dfed47b87d257fce49667557fb8eb1f324d5d6",
+				Labels: map[string]string{
+					"org.opencontainers.image.source":  "https://github.com/docker-library/busybox",
+					"org.opencontainers.image.url":     "docker.io/library/busybox",
+					"org.opencontainers.image.created": "2019-10-12T07:20:50.52Z",
+				},
+				Tag: "latest",
+			},
+		},
 		{
 			name:          "repo with digest",
 			inputImageRef: "quay.io/prometheus-operator/prometheus-operator@sha256:1420cefd4b20014b3361951c22593de6e9a2476bbbadd1759464eab5bfc0d34f",
@@ -8380,7 +8404,7 @@ func TestParseImageRef(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			registry, artifact, err := trivy.ParseImageRef(tc.inputImageRef, tc.inputImageID)
+			registry, artifact, err := trivy.ParseImageRef(tc.inputImageRef, tc.inputImageID, tc.inputImageLabels)
 			if tc.expectedErr != nil {
 				require.Errorf(t, err, "expected: %v", tc.expectedErr)
 			}