Merge pull request #208 from pohanhuangtw/fix/sbom-platform-awareness

fix: sbom generate with digest not the tag, add other platform into test cases with unify naming style.

Author: flavio

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.24.1"
+          go-version: "1.24.2"
       - run: make test
       - name: Upload unit-tests coverage to Codecov
         uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2

cmd/storage/main.go

@@ -42,6 +42,7 @@ func main() {
 		log.Fatalln(err)
 	}
 
+	db.SetMaxOpenConns(1)
 	db.MustExec(storage.CreateImageTableSQL)
 	db.MustExec(storage.CreateSBOMTableSQL)
 	db.MustExec(storage.CreateVulnerabilityReportTableSQL)

internal/handlers/generate_sbom.go

@@ -95,10 +95,10 @@ func (h *GenerateSBOMHandler) Handle(message messaging.Message) error {
 		"--java-db-repository", "public.ecr.aws/aquasecurity/trivy-java-db",
 		"--output", sbomFile.Name(),
 		fmt.Sprintf(
-			"%s/%s:%s",
+			"%s/%s@%s",
 			image.GetImageMetadata().RegistryURI,
 			image.GetImageMetadata().Repository,
-			image.GetImageMetadata().Tag,
+			image.GetImageMetadata().Digest,
 		),
 	})
 

internal/handlers/generate_sbom_test.go

@@ -22,7 +22,7 @@ import (
 	"github.com/rancher/sbombastic/pkg/generated/clientset/versioned/scheme"
 )
 
-func TestGenerateSBOMHandler_Handle(t *testing.T) {
+func generateSBOM(t *testing.T, platform, sha256, expectedSPDXJSON string) {
 	image := &storagev1alpha1.Image{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-image",
@@ -34,8 +34,8 @@ func TestGenerateSBOMHandler_Handle(t *testing.T) {
 				RegistryURI: "ghcr.io/rancher-sandbox/sbombastic/test-assets",
 				Repository:  "golang",
 				Tag:         "1.12-alpine",
-				Platform:    "linux/amd64",
-				Digest:      "sha256:123",
+				Platform:    platform,
+				Digest:      sha256,
 			},
 		},
 	}
@@ -48,35 +48,34 @@ func TestGenerateSBOMHandler_Handle(t *testing.T) {
 		WithRuntimeObjects(image).
 		Build()
 
-	spdxPath := filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine.spdx.json")
-	spdxData, err := os.ReadFile(spdxPath)
-	require.NoError(t, err)
+	spdxData, err := os.ReadFile(expectedSPDXJSON)
+	require.NoError(t, err, "failed to read expected SPDX JSON file %s", expectedSPDXJSON)
 
 	expectedSPDX := &spdx.Document{}
 	err = json.Unmarshal(spdxData, expectedSPDX)
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to unmarshal expected SPDX JSON file %s", expectedSPDXJSON)
 
 	handler := NewGenerateSBOMHandler(k8sClient, scheme, "/tmp", slog.Default())
 
 	err = handler.Handle(&messaging.GenerateSBOM{
 		ImageName:      image.Name,
 		ImageNamespace: image.Namespace,
 	})
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to generate SBOM, with platform %s", platform)
 
 	sbom := &storagev1alpha1.SBOM{}
 	err = k8sClient.Get(t.Context(), types.NamespacedName{
 		Name:      image.Name,
 		Namespace: image.Namespace,
 	}, sbom)
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to get SBOM, with platform %s", platform)
 
 	assert.Equal(t, image.Spec.ImageMetadata, sbom.Spec.ImageMetadata)
 	assert.Equal(t, image.UID, sbom.GetOwnerReferences()[0].UID)
 
 	generatedSPDX := &spdx.Document{}
 	err = json.Unmarshal(sbom.Spec.SPDX.Raw, generatedSPDX)
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to unmarshal generated SPDX, with platform %s", platform)
 
 	// Filter out "DocumentNamespace" and any field named "AnnotationDate" or "Created" regardless of nesting,
 	// since they contain timestamps and are not deterministic.
@@ -86,5 +85,53 @@ func TestGenerateSBOMHandler_Handle(t *testing.T) {
 	}, cmp.Ignore())
 	diff := cmp.Diff(expectedSPDX, generatedSPDX, filter, cmpopts.IgnoreUnexported(spdx.Package{}))
 
-	assert.Empty(t, diff)
+	assert.Empty(t, diff, "SPDX diff mismatch on platform %s\nDiff:\n%s", platform, diff)
+}
+
+func TestGenerateSBOMHandler_Handle(t *testing.T) {
+	for _, test := range []struct {
+		platform         string
+		sha256           string
+		expectedSPDXJSON string
+	}{
+		{
+			platform:         "linux/amd64",
+			sha256:           "sha256:1782cafde43390b032f960c0fad3def745fac18994ced169003cb56e9a93c028",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-amd64.spdx.json"),
+		},
+		{
+			platform:         "linux/arm/v6",
+			sha256:           "sha256:ea95bb81dab31807beac6c62824c048b1ee96b408f6097ea9dd0204e380f00b2",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm-v6.spdx.json"),
+		},
+		{
+			platform:         "linux/arm/v7",
+			sha256:           "sha256:ab389e320938f3bd42f45437d381fab28742dadcb892816236801e24a0bef804",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm-v7.spdx.json"),
+		},
+		{
+			platform:         "linux/arm64/v8",
+			sha256:           "sha256:1c96d48d06d96929d41e76e8145eb182ce22983f5e3539a655ec2918604835d0",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm64-v8.spdx.json"),
+		},
+		{
+			platform:         "linux/386",
+			sha256:           "sha256:d8801b3783dd4e4aee273c1a312cc265c832c7f264056d68e7ea73b8e1dd94b0",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-386.spdx.json"),
+		},
+		{
+			platform:         "linux/ppc64le",
+			sha256:           "sha256:216cb428a7a53a75ef7806ed1120c409253e3e65bddc6ae0c21f5cd2faf92324",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-ppc64le.spdx.json"),
+		},
+		{
+			platform:         "linux/s390x",
+			sha256:           "sha256:f2475c61ab276da0882a9637b83b2a5710b289d6d80f3daedb71d4a8eaeb1686",
+			expectedSPDXJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-s390x.spdx.json"),
+		},
+	} {
+		t.Run(test.platform, func(t *testing.T) {
+			generateSBOM(t, test.platform, test.sha256, test.expectedSPDXJSON)
+		})
+	}
 }

internal/handlers/scan_sbom_test.go

@@ -21,10 +21,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
-func TestScanSBOMHandler_Handle(t *testing.T) {
-	spdxPath := filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine.spdx.json")
-	spdxData, err := os.ReadFile(spdxPath)
-	require.NoError(t, err)
+func scanSBOM(t *testing.T, platform, sourceSBOMJSON, expectedReportJSON string) {
+	spdxData, err := os.ReadFile(sourceSBOMJSON)
+	require.NoError(t, err, "failed to read source SBOM file %s", sourceSBOMJSON)
 
 	sbom := &storagev1alpha1.SBOM{
 		ObjectMeta: metav1.ObjectMeta{
@@ -44,35 +43,34 @@ func TestScanSBOMHandler_Handle(t *testing.T) {
 		WithRuntimeObjects(sbom).
 		Build()
 
-	reportPath := filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine.sarif.json")
-	reportData, err := os.ReadFile(reportPath)
-	require.NoError(t, err)
+	reportData, err := os.ReadFile(expectedReportJSON)
+	require.NoError(t, err, "failed to read expected report file %s", expectedReportJSON)
 
 	expectedReport := &sarif.Report{}
 	err = json.Unmarshal(reportData, expectedReport)
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to unmarshal expected report file %s", expectedReportJSON)
 
 	handler := NewScanSBOMHandler(k8sClient, scheme, "/tmp", slog.Default())
 
 	err = handler.Handle(&messaging.ScanSBOM{
 		SBOMName:      sbom.Name,
 		SBOMNamespace: sbom.Namespace,
 	})
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to scan SBOM, with platform %s", platform)
 
 	vulnerabilityReport := &storagev1alpha1.VulnerabilityReport{}
 	err = k8sClient.Get(t.Context(), client.ObjectKey{
 		Name:      sbom.Name,
 		Namespace: sbom.Namespace,
 	}, vulnerabilityReport)
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to get vulnerability report, with platform %s", platform)
 
 	assert.Equal(t, sbom.GetImageMetadata(), vulnerabilityReport.GetImageMetadata())
 	assert.Equal(t, sbom.UID, vulnerabilityReport.GetOwnerReferences()[0].UID)
 
 	report := &sarif.Report{}
 	err = json.Unmarshal(vulnerabilityReport.Spec.SARIF.Raw, report)
-	require.NoError(t, err)
+	require.NoError(t, err, "failed to unmarshal vulnerability report, with platform %s", platform)
 
 	// Filter out fields containing the file path from the comparison
 	filter := cmp.FilterPath(func(path cmp.Path) bool {
@@ -87,5 +85,53 @@ func TestScanSBOMHandler_Handle(t *testing.T) {
 	}))
 	diff := cmp.Diff(expectedReport, report, filter)
 
-	assert.Empty(t, diff)
+	assert.Empty(t, diff, "diff mismatch on platform %s\nDiff:\n%s", platform, diff)
+}
+
+func TestScanSBOMHandler_Handle(t *testing.T) {
+	for _, test := range []struct {
+		platform           string
+		sourceSBOMJSON     string
+		expectedReportJSON string
+	}{
+		{
+			platform:           "linux/amd64",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-amd64.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-amd64.sarif.json"),
+		},
+		{
+			platform:           "linux/arm/v6",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm-v6.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm-v6.sarif.json"),
+		},
+		{
+			platform:           "linux/arm/v7",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm-v7.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm-v7.sarif.json"),
+		},
+		{
+			platform:           "linux/arm64/v8",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm64-v8.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-arm64-v8.sarif.json"),
+		},
+		{
+			platform:           "linux/386",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-386.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-386.sarif.json"),
+		},
+		{
+			platform:           "linux/ppc64le",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-ppc64le.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-ppc64le.sarif.json"),
+		},
+		{
+			platform:           "linux/s390x",
+			sourceSBOMJSON:     filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-s390x.spdx.json"),
+			expectedReportJSON: filepath.Join("..", "..", "test", "fixtures", "golang-1.12-alpine-s390x.sarif.json"),
+		},
+	} {
+		t.Run(test.platform, func(t *testing.T) {
+			scanSBOM(t, test.platform, test.sourceSBOMJSON, test.expectedReportJSON)
+		})
+	}
 }

test/e2e/e2e_suite_test.go

@@ -7,6 +7,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/e2e-framework/klient/k8s/resources"
 	"sigs.k8s.io/e2e-framework/klient/wait"
 	"sigs.k8s.io/e2e-framework/klient/wait/conditions"
 	"sigs.k8s.io/e2e-framework/pkg/envconf"
@@ -15,21 +17,19 @@ import (
 
 	storagev1alpha1 "github.com/rancher/sbombastic/api/storage/v1alpha1"
 	v1alpha1 "github.com/rancher/sbombastic/api/v1alpha1"
+	"github.com/rancher/sbombastic/internal/handlers"
 )
 
-func EqualReference(img storagev1alpha1.ImageMetadata, registryURI, registryRepository, tag string) bool {
-	return img.RegistryURI == registryURI &&
-		img.Repository == registryRepository &&
-		img.Tag == tag
-}
-
 func TestRegistryCreation(t *testing.T) {
 	releaseName := "sbombastic"
 	registryName := "test-registry"
 	registryURI := "ghcr.io"
 	registryRepository := "rancher-sandbox/sbombastic/test-assets/golang"
+	totalImages := 7 // Current number of images in the test-assets/golang directory
 
-	crName := "dfe56d8371e7df15a3dde25c33a78b84b79766de2ab5a5897032019c878b5932"
+	labelSelector := labels.FormatLabels(
+		map[string]string{handlers.LabelManagedByKey: handlers.LabelManagedByValue},
+	)
 
 	f := features.New("Start Registry CR Creation test").
 		Setup(func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
@@ -69,42 +69,36 @@ func TestRegistryCreation(t *testing.T) {
 			return ctx
 		}).
 		Assess("Verify the Image is created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
-			images := storagev1alpha1.ImageList{
-				Items: []storagev1alpha1.Image{
-					{ObjectMeta: metav1.ObjectMeta{Name: crName, Namespace: cfg.Namespace()}},
-				},
-			}
+			images := storagev1alpha1.ImageList{}
+			err := wait.For(conditions.New(cfg.Client().Resources(cfg.Namespace())).ResourceListN(
+				&images,
+				totalImages,
+				resources.WithLabelSelector(labelSelector)),
+			)
+			require.NoError(t, err)
 
-			err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(&images))
-			if err != nil {
-				t.Error(err)
-			}
 			return ctx
 		}).
 		Assess("Verify the SPDX SBOM is created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
-			sboms := storagev1alpha1.SBOMList{
-				Items: []storagev1alpha1.SBOM{
-					{ObjectMeta: metav1.ObjectMeta{Name: crName, Namespace: cfg.Namespace()}},
-				},
-			}
+			sboms := storagev1alpha1.SBOMList{}
+			err := wait.For(conditions.New(cfg.Client().Resources(cfg.Namespace())).ResourceListN(
+				&sboms,
+				totalImages,
+				resources.WithLabelSelector(labelSelector)),
+			)
+			require.NoError(t, err)
 
-			err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(&sboms))
-			if err != nil {
-				t.Error(err)
-			}
 			return ctx
 		}).
 		Assess("Verify the VulnerabilityReport is created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
-			vulnReports := storagev1alpha1.VulnerabilityReportList{
-				Items: []storagev1alpha1.VulnerabilityReport{
-					{ObjectMeta: metav1.ObjectMeta{Name: crName, Namespace: cfg.Namespace()}},
-				},
-			}
+			vulnReports := storagev1alpha1.VulnerabilityReportList{}
+			err := wait.For(conditions.New(cfg.Client().Resources(cfg.Namespace())).ResourceListN(
+				&vulnReports,
+				totalImages,
+				resources.WithLabelSelector(labelSelector)),
+			)
+			require.NoError(t, err)
 
-			err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(&vulnReports))
-			if err != nil {
-				t.Error(err)
-			}
 			return ctx
 		}).
 		Teardown(func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {