Feat store syft sboms

[vladklokun]

Type

Enhancement

---

Description

This Pull Request introduces significant changes to the generation and storage of Software Bill of Materials (SBOMs) using Syft. The main updates include:

• Refactoring of the CreateSBOM function in adapters/v1/syft.go to improve the generation of SBOMs.
• Introduction of new utility functions in adapters/v1/syft_utils.go for handling hash algorithms.
• Modification of the SBOM struct in core/domain/sbom.go to use SyftDocument instead of Document.
• Updates to the import paths in adapters/v1/domain_to_syft.go to reflect changes in the Syft library.
• Updates to dependencies in go.mod and go.sum.

---

PR changes walkthrough

	Relevant files
Enhancement	3 files syft.go                                                                                                          adapters/v1/syft.go The `CreateSBOM` function has been significantly refactored to improve the generation of SBOMs. The function now uses the `detectSource` and `generateSBOM` helper functions to simplify the process of generating SBOMs. The `detectSource` function uses the Syft library's `Detect` function to determine the source of the image, and the `generateSBOM` function uses the `RunTask` function from the Syft library's `eventloop` package to generate the SBOM. +102/-201 syft_utils.go                                                                                              adapters/v1/syft_utils.go This new file introduces utility functions for handling hash algorithms. The `Hashers` function returns a list of hash algorithms based on the provided names, and the `CleanDigestAlgorithmName` function cleans the name of a digest algorithm. +40/-0 sbom.go                                                                                                          core/domain/sbom.go The `SBOM` struct has been modified to use `SyftDocument` instead of `Document` for its `Content` field. This change reflects the use of the Syft library for generating SBOMs. +1/-1
Dependencies	3 files domain_to_syft.go                                                                                      adapters/v1/domain_to_syft.go The import paths have been updated to reflect changes in the Syft library. The `spdxhelpers` package is now imported from `github.com/anchore/syft/syft/format/common/spdxhelpers` instead of `github.com/anchore/syft/syft/formats/common/spdxhelpers`. +1/-1 go.mod                                                                                                            go.mod The dependencies have been updated, likely to reflect changes in the Syft library. +136/-88 go.sum                                                                                                            go.sum The dependencies have been updated, likely to reflect changes in the Syft library. +370/-205

---

User description

Overview

[codiumai-pr-agent[bot]]

PR Description updated to latest commit (https://github.com/kubescape/kubevuln/commit/e728100d125f77bea4bf426ceff198943516a13f)

[codiumai-pr-agent[bot]]

PR Analysis

• 🎯 Main theme: Refactoring and enhancement of Software Bill of Materials (SBOMs) generation and storage using Syft

• 📝 PR summary: This PR introduces significant changes to the generation and storage of Software Bill of Materials (SBOMs) using Syft. The changes include refactoring of the CreateSBOM function, introduction of new utility functions for handling hash algorithms, modification of the SBOM struct to use SyftDocument instead of Document, and updates to import paths and dependencies.

• 📌 Type of PR: Enhancement

• 🧪 Relevant tests added: No

• ⏱️ Estimated effort to review [1-5]: 4, because the PR involves significant changes to the codebase, including refactoring of functions and changes to data structures. The PR also introduces new utility functions and modifies import paths and dependencies, which requires careful review to ensure compatibility and correctness.

• 🔒 Security concerns: No security concerns found

  PR Feedback

• 💡 General suggestions: The PR introduces significant changes and enhancements to the generation and storage of SBOMs. It would be beneficial to include unit tests for the new utility functions and the refactored CreateSBOM function to ensure their correctness. Additionally, it would be helpful to provide more context or documentation about the changes in the PR description, especially for those not familiar with the project or the specific functionalities being modified.

• 🤖 Code feedback:

  - **relevant file:** ``adapters/v1/syft.go`` **suggestion:** It seems like the error handling could be improved. Currently, the function `CreateSBOM` has multiple return points where it returns `domainSBOM` with an error. It would be better to handle errors at the point they occur and only return the `domainSBOM` once at the end of the function. This would make the function easier to read and maintain. [important] **relevant line:** [func (s *SyftAdapter) CreateSBOM(ctx context.Context, name, imageID string, options domain.RegistryOptions) (domain.SBOM, error) {](https://github.com/kubescape/kubevuln/pull/190/files#diff-59cc1c76e75b8cc3f401be82a7ad03494324118b3eb21cb247c7b7f0ade69515R50) - **relevant file:** ``adapters/v1/syft.go`` **suggestion:** The function `detectSource` is called twice with the same parameters if an unauthorized error occurs. It would be more efficient to refactor this part of the code to avoid unnecessary function calls. [medium] **relevant line:** [src, err := detectSource(imageID, syftOpts, ®istryOptions)](https://github.com/kubescape/kubevuln/pull/190/files#diff-59cc1c76e75b8cc3f401be82a7ad03494324118b3eb21cb247c7b7f0ade69515R98) - **relevant file:** ``adapters/v1/syft_utils.go`` **suggestion:** The function `Hashers` could be optimized. Currently, it creates a new map for each call, which could be avoided by creating the map once and reusing it. [medium] **relevant line:** [func Hashers(names ...string) ([]crypto.Hash, error) {](https://github.com/kubescape/kubevuln/pull/190/files#diff-53a43a82800b3e8230d172fb6a8722742d5e24ecd6569bdff56e309532968b3bR20) - **relevant file:** ``core/domain/sbom.go`` **suggestion:** The `SBOM` struct has been modified to use `SyftDocument` instead of `Document`. Ensure that this change is compatible with all parts of the codebase that use the `SBOM` struct. [important] **relevant line:** [Content *v1beta1.SyftDocument](https://github.com/kubescape/kubevuln/pull/190/files#diff-ba50410b8059655424c63620f49a367be72cc272ca9999aa328ffc7ef21d204fR13)

How to use

Instructions

> To invoke the PR-Agent, add a comment using one of the following commands: > **/review**: Request a review of your Pull Request. > **/describe**: Update the PR title and description based on the contents of the PR. > **/improve [--extended]**: Suggest code improvements. Extended mode provides a higher quality feedback. > **/ask \**: Ask a question about the PR. > **/update_changelog**: Update the changelog based on the PR's contents. > **/add_docs**: Generate docstring for new components introduced in the PR. > **/generate_labels**: Generate labels for the PR based on the PR's contents. > see the [tools guide](https://github.com/Codium-ai/pr-agent/blob/main/docs/TOOLS_GUIDE.md) for more details. >To edit any configuration parameter from the [configuration.toml](https://github.com/Codium-ai/pr-agent/blob/main/pr_agent/settings/configuration.toml), add --config_path=new_value. >For example: /review --pr_reviewer.extra_instructions="focus on the file: ..." >To list the possible configuration parameters, add a **/config** comment.