feat: reduce VulnerabilityReport size by omitting empty fields

Author: sathieu

deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml

@@ -269,13 +269,6 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
-                  - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array

deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml

@@ -270,13 +270,6 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
-                  - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array

deploy/static/trivy-operator.yaml

@@ -1476,13 +1476,6 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
-                  - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array
@@ -2916,13 +2909,6 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
-                  - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array
@@ -3204,6 +3190,25 @@ spec:
     app.kubernetes.io/instance: trivy-operator
   type: ClusterIP
 ---
+# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: trivy-operator
+  labels:
+    app.kubernetes.io/name: trivy-operator
+    app.kubernetes.io/instance: trivy-operator
+    app.kubernetes.io/version: "0.29.0"
+    app.kubernetes.io/managed-by: kubectl
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: trivy-operator
+subjects:
+  - kind: ServiceAccount
+    name: trivy-operator
+    namespace: trivy-system
+---
 # Source: trivy-operator/templates/rbac/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -3355,20 +3360,21 @@ rules:
   verbs:
     - get
 ---
-# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml
+# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: trivy-operator
+  name: trivy-operator-leader-election
+  namespace: trivy-system
   labels:
     app.kubernetes.io/name: trivy-operator
     app.kubernetes.io/instance: trivy-operator
     app.kubernetes.io/version: "0.29.0"
     app.kubernetes.io/managed-by: kubectl
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: trivy-operator
+  kind: Role
+  name: trivy-operator-leader-election
 subjects:
   - kind: ServiceAccount
     name: trivy-operator
@@ -3402,11 +3408,11 @@ rules:
     verbs:
       - create
 ---
-# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml
+# Source: trivy-operator/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: trivy-operator-leader-election
+  name: trivy-operator
   namespace: trivy-system
   labels:
     app.kubernetes.io/name: trivy-operator
@@ -3416,7 +3422,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: trivy-operator-leader-election
+  name: trivy-operator
 subjects:
   - kind: ServiceAccount
     name: trivy-operator
@@ -3453,26 +3459,6 @@ rules:
       - delete
       - update
 ---
-# Source: trivy-operator/templates/rbac/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: trivy-operator
-  namespace: trivy-system
-  labels:
-    app.kubernetes.io/name: trivy-operator
-    app.kubernetes.io/instance: trivy-operator
-    app.kubernetes.io/version: "0.29.0"
-    app.kubernetes.io/managed-by: kubectl
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: trivy-operator
-subjects:
-  - kind: ServiceAccount
-    name: trivy-operator
-    namespace: trivy-system
----
 # Source: trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml
 # permissions for end users to view configauditreports
 apiVersion: rbac.authorization.k8s.io/v1

pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go

@@ -83,29 +83,29 @@ type Vulnerability struct {
 	VulnerabilityID string `json:"vulnerabilityID"`
 
 	// Resource is a vulnerable package, application, or library.
-	Resource string `json:"resource"`
+	Resource string `json:"resource,omitempty"`
 
 	// InstalledVersion indicates the installed version of the Resource.
-	InstalledVersion string `json:"installedVersion"`
+	InstalledVersion string `json:"installedVersion,omitempty"`
 
 	// FixedVersion indicates the version of the Resource in which this vulnerability has been fixed.
-	FixedVersion string `json:"fixedVersion"`
+	FixedVersion string `json:"fixedVersion,omitempty"`
 	// PublishedDate indicates the date of published CVE.
-	PublishedDate string `json:"publishedDate"`
+	PublishedDate string `json:"publishedDate,omitempty"`
 	// LastModifiedDate indicates the last date CVE has been modified.
-	LastModifiedDate string `json:"lastModifiedDate"`
+	LastModifiedDate string `json:"lastModifiedDate,omitempty"`
 	// Severity level of a vulnerability or a configuration audit check.
 	// +kubebuilder:validation:Enum={CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN}
-	Severity    Severity `json:"severity"`
-	Title       string   `json:"title"`
+	Severity    Severity `json:"severity,omitempty"`
+	Title       string   `json:"title,omitempty"`
 	Description string   `json:"description,omitempty"`
 	CVSSSource  string   `json:"cvsssource,omitempty"`
 	PrimaryLink string   `json:"primaryLink,omitempty"`
 	// +optional
-	Links []string `json:"links"`
+	Links []string `json:"links,omitempty"`
 	Score *float64 `json:"score,omitempty"`
 	// +optional
-	Target string `json:"target"`
+	Target string `json:"target,omitempty"`
 	// +optional
 	CVSS types.VendorCVSS `json:"cvss,omitempty"`
 	// +optional

pkg/plugins/trivy/plugin_test.go

@@ -7165,7 +7165,6 @@ var (
 				Severity:         v1alpha1.SeverityMedium,
 				Title:            "openssl: information disclosure in fork()",
 				PrimaryLink:      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-				Links:            []string{},
 			},
 			{
 				VulnerabilityID:  "CVE-2019-1547",
@@ -7175,7 +7174,6 @@ var (
 				Severity:         v1alpha1.SeverityLow,
 				Title:            "openssl: side-channel weak encryption vulnerability",
 				PrimaryLink:      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-				Links:            []string{},
 			},
 		},
 	}

pkg/webhook/webhookreporter_test.go

@@ -25,7 +25,7 @@ func Test_sendReports(t *testing.T) {
 	}{
 		{
 			name: "happy path, vuln report data",
-			want: `{"metadata":{},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"os":{"family":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","resource":"","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz", "lastModifiedDate":"", "links":null, "publishedDate":"", "target":"","class":"os-pkgs"}]}}`,
+			want: `{"metadata":{},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"os":{"family":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz", "class":"os-pkgs"}]}}`,
 			inputReport: v1alpha1.VulnerabilityReport{
 				Report: v1alpha1.VulnerabilityReportData{
 					Vulnerabilities: []v1alpha1.Vulnerability{