diff --git a/deploy/helm/crds/aquasecurity.github.io_clustersbomreports.yaml b/deploy/helm/crds/aquasecurity.github.io_clustersbomreports.yaml
index ada23e0f9..7f96732eb 100644
--- a/deploy/helm/crds/aquasecurity.github.io_clustersbomreports.yaml
+++ b/deploy/helm/crds/aquasecurity.github.io_clustersbomreports.yaml
@@ -78,6 +78,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
diff --git a/deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml b/deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml
index 1451620d6..a014ab94c 100644
--- a/deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml
+++ b/deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml
@@ -94,6 +94,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
diff --git a/deploy/helm/crds/aquasecurity.github.io_exposedsecretreports.yaml b/deploy/helm/crds/aquasecurity.github.io_exposedsecretreports.yaml
index be5c9bcf9..05ac26a53 100644
--- a/deploy/helm/crds/aquasecurity.github.io_exposedsecretreports.yaml
+++ b/deploy/helm/crds/aquasecurity.github.io_exposedsecretreports.yaml
@@ -89,6 +89,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
diff --git a/deploy/helm/crds/aquasecurity.github.io_sbomreports.yaml b/deploy/helm/crds/aquasecurity.github.io_sbomreports.yaml
index 34cbb3539..590f64142 100644
--- a/deploy/helm/crds/aquasecurity.github.io_sbomreports.yaml
+++ b/deploy/helm/crds/aquasecurity.github.io_sbomreports.yaml
@@ -79,6 +79,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
diff --git a/deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml b/deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml
index 6764ca437..c27cac686 100644
--- a/deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml
+++ b/deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml
@@ -95,6 +95,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
index 5d4c92775..f30e9c1f2 100644
--- a/deploy/static/trivy-operator.yaml
+++ b/deploy/static/trivy-operator.yaml
@@ -890,6 +890,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
@@ -1301,6 +1307,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
@@ -1771,6 +1783,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
@@ -2328,6 +2346,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
@@ -2741,6 +2765,12 @@ spec:
 description: Digest is a unique and immutable identifier of an Artifact.
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels is a map of key value pairs from the scanned
+ artifact
+ type: object
 mimeType:
 description: MimeType represents a type and format of an Artifact.
 type: string
diff --git a/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go b/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go
index 40f663e26..16b715e6e 100644
--- a/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go
+++ b/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go
@@ -60,6 +60,10 @@ type Artifact struct {
 // MimeType represents a type and format of an Artifact.
 // +optional
 MimeType string `json:"mimeType,omitempty"`
+
+ // Labels is a map of key value pairs from the scanned artifact
+ // +optional
+ Labels map[string]string `json:"labels,omitempty"`
 }
 // OS is the Operating System of the Artifact
diff --git a/pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go
index 7944c2416..0ddf9a547 100644
--- a/pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go
@@ -12,6 +12,13 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Artifact) DeepCopyInto(out *Artifact) {
 *out = *in
+ if in.Labels != nil {
+ in, out := &in.Labels, &out.Labels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Artifact.
@@ -836,7 +843,7 @@ func (in *ExposedSecretReportData) DeepCopyInto(out *ExposedSecretReportData) {
 in.UpdateTimestamp.DeepCopyInto(&out.UpdateTimestamp)
 out.Scanner = in.Scanner
 out.Registry = in.Registry
- out.Artifact = in.Artifact
+ in.Artifact.DeepCopyInto(&out.Artifact)
 out.Summary = in.Summary
 if in.Secrets != nil {
 in, out := &in.Secrets, &out.Secrets
@@ -1335,7 +1342,7 @@ func (in *SbomReportData) DeepCopyInto(out *SbomReportData) {
 in.UpdateTimestamp.DeepCopyInto(&out.UpdateTimestamp)
 out.Scanner = in.Scanner
 out.Registry = in.Registry
- out.Artifact = in.Artifact
+ in.Artifact.DeepCopyInto(&out.Artifact)
 out.Summary = in.Summary
 in.Bom.DeepCopyInto(&out.Bom)
 }
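Review bot: The new `Labels` field carries no size constraint, and the values that end up in it (see the `plugin.go` hunk in this change) are read from the scanned image's own config, i.e. they are authored by whoever built the image rather than by the operator; a controller-gen marker such as `// +kubebuilder:validation:MaxProperties=<limit>` (limit to be chosen by the maintainers) on the field would make every generated CRD schema in this change reject an oversized map at admission instead of leaving the bound entirely to the scanner plugin. The field comment should also read as a full sentence: `// Labels is a map of key value pairs from the scanned artifact.`. The `Artifact` struct starts before this hunk.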
@@ -1535,7 +1542,7 @@ func (in *VulnerabilityReportData) DeepCopyInto(out *VulnerabilityReportData) {
 in.UpdateTimestamp.DeepCopyInto(&out.UpdateTimestamp)
 out.Scanner = in.Scanner
 out.Registry = in.Registry
- out.Artifact = in.Artifact
+ in.Artifact.DeepCopyInto(&out.Artifact)
 in.OS.DeepCopyInto(&out.OS)
 out.Summary = in.Summary
 if in.Vulnerabilities != nil {
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
index f1ca25ae6..8eb0c8801 100644
--- a/pkg/plugins/trivy/plugin.go
+++ b/pkg/plugins/trivy/plugin.go
@@ -150,14 +150,16 @@ func (p *plugin) ParseReportData(ctx trivyoperator.PluginContext, imageRef strin
 }
 var reports ty.Report
+
 err = json.NewDecoder(logsReader).Decode(&reports)
 if err != nil {
 return vulnReport, secretReport, nil, err
 }
 imageDigest := p.getImageDigest(reports)
+ imageLabels := reports.Metadata.ImageConfig.Config.Labels
- registry, artifact, err := ParseImageRef(imageRef, imageDigest)
+ registry, artifact, err := ParseImageRef(imageRef, imageDigest, imageLabels)
 if err != nil {
 return vulnReport, secretReport, nil, err
 }
@@ -215,7 +217,7 @@ func (p *plugin) NewConfigForConfigAudit(ctx trivyoperator.PluginContext) (confi
 return getConfig(ctx)
 }
-func ParseImageRef(imageRef, imageDigest string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
+func ParseImageRef(imageRef, imageDigest string, imageLabels map[string]string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
 ref, err := containerimage.ParseReference(imageRef)
 if err != nil {
 return v1alpha1.Registry{}, v1alpha1.Artifact{}, err
@@ -236,6 +238,9 @@ func ParseImageRef(imageRef, imageDigest string) (v1alpha1.Registry, v1alpha1.Ar
 if artifact.Digest == "" {
 artifact.Digest = imageDigest
 }
+
+ artifact.Labels = imageLabels
+
 return registry, artifact, nil
 }
diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go
index afb3bc94a..b49e7e494 100644
--- a/pkg/plugins/trivy/plugin_test.go
+++ b/pkg/plugins/trivy/plugin_test.go
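Review bot: `imageLabels := reports.Metadata.ImageConfig.Config.Labels` forwards the image config's labels with no bound on their number or length, and those labels are written by the image publisher, so every report that references an image carrying a large label set grows by that amount when it is stored; presumably the object store enforces its own ceiling, but a cap checked here (drop the map beyond it and log the image reference) keeps that failure out of the report write path. The CRD schemas in this change declare the map as `additionalProperties: type: string` with no size keywords, so the API server does not bound it either. Separately, the added blank line between `var reports ty.Report` and the `json.NewDecoder(logsReader).Decode(&reports)` that fills it is stray and should be removed. `ParseReportData` begins and ends outside the hunk.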
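Review bot: `ParseImageRef` is exported, gains a third parameter here, and still has no doc comment; I would add `// ParseImageRef splits imageRef into its registry and artifact parts. imageDigest is used when the reference itself carries no digest, and imageLabels is attached to the returned Artifact unchanged.` above the new signature. The body of `ParseImageRef` continues past this hunk.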
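Review bot: `artifact.Labels = imageLabels` stores the caller's map by reference, so the returned `v1alpha1.Artifact` aliases whatever the caller later does to that map; for an exported function whose result now has its own generated `DeepCopyInto`, copying the entries into a fresh `make(map[string]string, len(imageLabels))` here (keeping nil when the input is nil so `omitempty` still drops it) would make the result self-contained. Whether any current caller mutates the map afterwards is not visible in this diff, so this is a robustness point rather than an observed bug.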
@@ -8250,6 +8250,7 @@ func TestParseImageRef(t *testing.T) {
 name string
 inputImageRef string
 inputImageID string
+ inputImageLabels map[string]string
 expectedRegistry v1alpha1.Registry
 expectedArtifact v1alpha1.Artifact
 expectedErr error
@@ -8345,6 +8346,29 @@ func TestParseImageRef(t *testing.T) {
 Tag: "1.0.0",
 },
 },
+ {
+ name: "well known image with labels",
+ inputImageRef: "docker.io/library/busybox:latest",
+ inputImageID: "sha256:2bc57c6bcb194869d18676e003dfed47b87d257fce49667557fb8eb1f324d5d6",
+ inputImageLabels: map[string]string{
+ "org.opencontainers.image.source": "https://github.com/docker-library/busybox",
+ "org.opencontainers.image.url": "docker.io/library/busybox",
+ "org.opencontainers.image.created": "2019-10-12T07:20:50.52Z",
+ },
+ expectedRegistry: v1alpha1.Registry{
+ Server: "index.docker.io",
+ },
+ expectedArtifact: v1alpha1.Artifact{
+ Repository: "library/busybox",
+ Digest: "sha256:2bc57c6bcb194869d18676e003dfed47b87d257fce49667557fb8eb1f324d5d6",
+ Labels: map[string]string{
+ "org.opencontainers.image.source": "https://github.com/docker-library/busybox",
+ "org.opencontainers.image.url": "docker.io/library/busybox",
+ "org.opencontainers.image.created": "2019-10-12T07:20:50.52Z",
+ },
+ Tag: "latest",
+ },
+ },
 {
 name: "repo with digest",
 inputImageRef: "quay.io/prometheus-operator/prometheus-operator@sha256:1420cefd4b20014b3361951c22593de6e9a2476bbbadd1759464eab5bfc0d34f",
@@ -8380,7 +8404,7 @@ func TestParseImageRef(t *testing.T) {
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
- registry, artifact, err := trivy.ParseImageRef(tc.inputImageRef, tc.inputImageID)
+ registry, artifact, err := trivy.ParseImageRef(tc.inputImageRef, tc.inputImageID, tc.inputImageLabels)
 if tc.expectedErr != nil {
 require.Errorf(t, err, "expected: %v", tc.expectedErr)
 }
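Review bot: The new `well known image with labels` case spells the same three-entry label map out twice, once as `inputImageLabels` and again under `expectedArtifact.Labels`; a single local such as `busyboxLabels := map[string]string{...}` referenced from both places would keep the two in step when the fixture changes. Sharing one map would also make the comparison pass whether `ParseImageRef` returns the same map or a copy, which matches the by-reference assignment the function currently does. `TestParseImageRef` starts and ends outside this hunk.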