kubescape / kubevuln

Kubevuln is an in-cluster component of the Kubescape security platform. It scans container images for vulnerabilities, using Grype as its engine.
Apache License 2.0

Copy artifacts to filtered SBOMs #224

Closed. dwertent closed this 5 months ago.

dwertent commented 5 months ago

User description

Overview

This would enable us to release the next chart without requiring restarts for generating new filtered SBOMs.


Type

bug_fix, enhancement


Description


Changes walkthrough

Relevant files

Error handling

scan.go: Introduce Error Handling for Partial Artifacts in SBOMs
core/domain/scan.go
  • Added new error ErrSBOMWithPartialArtifacts to handle cases of SBOMs with partial artifacts.
  • Adjusted error handling to accommodate the new error type.
  +12/-11

Enhancement

scan.go: Enhance SBOM Handling During CVE Scans
core/services/scan.go
  • Implemented logic to update SBOMs with partial artifacts during CVE scanning.
  • Enhanced error handling to differentiate between partial artifacts and other errors.
  +17/-3

apiserver.go: Update SBOM Validation and Retrieval Logic
repositories/apiserver.go
  • Added error handling for SBOMs with partial artifacts in the SBOM validation function.
  • Modified the GetSBOMp function to handle partial artifacts errors differently.
  +14/-5

Tests

apiserver_test.go: Unit Tests for SBOM Validation
repositories/apiserver_test.go
  • Added unit tests for validating SBOMs with partial artifacts.
  +70/-0


codiumai-pr-agent-free[bot] commented 5 months ago

PR Description updated to latest commit (https://github.com/kubescape/kubevuln/commit/8a9b27b7a2201e942620fab22a5a2a6077a62151)

codiumai-pr-agent-free[bot] commented 5 months ago

PR Review

⏱️ Estimated effort to review [1-5]: 3, because the PR involves multiple changes across different files, including error handling, logic for handling partial artifacts in SBOMs, and updates to unit tests. The complexity is moderate due to the handling of specific error conditions and the interaction with storage systems.
🧪 Relevant tests: Yes
🔍 Possible issues:
  • Hardcoded Version Check: The check for a specific SBOM creator version ("v0.101.1") in the `validateSBOMp` function is hardcoded, which might lead to maintenance issues when versions change.
  • Error Handling Consistency: The new error `ErrSBOMWithPartialArtifacts` is handled differently in various parts of the code, which could lead to inconsistent behavior under different conditions.
🔒 Security concerns: No

codiumai-pr-agent-free[bot] commented 5 months ago

PR Code Suggestions

Enhancement

Improve the clarity and helpfulness of the error message for ErrSBOMWithPartialArtifacts.
**Consider using a more descriptive error message for ErrSBOMWithPartialArtifacts to clarify what "partial artifacts" means, potentially including suggestions on how to resolve or further diagnose the issue.**
[core/domain/scan.go [20]](https://github.com/kubescape/kubevuln/pull/224/files#diff-72a9841d2f895677acbce1929094dc617c62a91856dacdfe90f3ecb5c8a4a1d0R20-R20)
```diff
-ErrSBOMWithPartialArtifacts = errors.New("SBOM having partial artifacts")
+ErrSBOMWithPartialArtifacts = errors.New("SBOM has incomplete artifact data, please verify the artifact sources or regenerate the SBOM")
```
Enhance logging by adding more contextual information.
**Use structured logging to include more context in the log message, such as the error type or other relevant details.**
[core/services/scan.go [240-241]](https://github.com/kubescape/kubevuln/pull/224/files#diff-85deac1fd3ad15a30ddc8a15245049faf294923a8058adfb7c47994034b662d8R240-R241)
```diff
-logger.L().Ctx(ctx).Warning("error getting relevant SBOM", helpers.Error(err),
-	helpers.String("instanceID", workload.InstanceID))
+logger.L().Ctx(ctx).Warning("Failed to retrieve SBOM", helpers.Error(err), helpers.String("instanceID", workload.InstanceID), helpers.String("errorType", fmt.Sprintf("%T", err)))
```
Maintainability

Refactor nested loops into a separate function to enhance code readability.
**Refactor the nested loop for updating artifacts to a separate function to improve readability and maintainability.**
[core/services/scan.go [231-237]](https://github.com/kubescape/kubevuln/pull/224/files#diff-85deac1fd3ad15a30ddc8a15245049faf294923a8058adfb7c47994034b662d8R231-R237)
```diff
-for i := range sbomp.Content.Artifacts {
-	for j := range sbom.Content.Artifacts {
-		if sbomp.Content.Artifacts[i].ID == sbom.Content.Artifacts[j].ID {
-			sbomp.Content.Artifacts[i] = sbom.Content.Artifacts[j]
-			break
-		}
-	}
-}
+updateArtifacts(sbomp, sbom)
```
Best practice

Replace hardcoded version string with a constant to improve code maintainability.
**Avoid hardcoding the version string in the conditional check. Consider defining it as a constant or retrieving it from a configuration.**
[repositories/apiserver.go [825-826]](https://github.com/kubescape/kubevuln/pull/224/files#diff-dcc3484e8a0759bddcff34049e6114ed941f40176d0f3c1e4a84841dfabf6403R825-R826)
```diff
-if manifest.Spec.Metadata.Tool.Version == "v0.101.1" { // hard coded version. We have a specific workaround for this version
+const specificVersion = "v0.101.1"
+if manifest.Spec.Metadata.Tool.Version == specificVersion {
 	return domain.ErrSBOMWithPartialArtifacts
 }
```
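Review bot: the suggested replacement drops the inline comment on the removed line ("hard coded version. We have a specific workaround for this version"), which is the only place that says why `v0.101.1` is special-cased; moving the literal into `specificVersion` keeps the hardcoding the review flagged and loses that explanation. Name the constant after the condition it encodes (filtered SBOMs from that creator version carry partial artifacts) and keep a comment on it, so the next reader knows when the check can be retired.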
Bug

Improve error handling by returning the actual error instead of nil.
**Instead of returning nil directly, consider handling the error more explicitly in the GetSBOMp function to avoid potential issues with error handling upstream.**
[repositories/apiserver.go [874]](https://github.com/kubescape/kubevuln/pull/224/files#diff-dcc3484e8a0759bddcff34049e6114ed941f40176d0f3c1e4a84841dfabf6403R874-R874)
```diff
-return domain.SBOM{}, nil
+return domain.SBOM{}, vErr
```
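Review bot: confirm which validation branch of `GetSBOMp` line 874 belongs to before returning `vErr`. The PR description says `GetSBOMp` now treats `ErrSBOMWithPartialArtifacts` differently from other validation failures, since the scan service needs the partial SBOM back in order to copy artifacts into it; if this `return domain.SBOM{}, nil` is the path for the other validation errors, it is the existing "treat an unusable filtered SBOM as absent" fallback, and surfacing `vErr` there would turn that fallback into a failed scan. If the nil return is intentional, a short comment stating so would settle the suggestion.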

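The artifact-copy path described in the changes walkthrough and in the Maintainability suggestion above, as an added Go illustration that is not kubevuln's own code: `ErrSBOMWithPartialArtifacts`, `validateSBOMp` and the `v0.101.1` check come from the PR, while the `Artifact`/`SBOM` types, `updateArtifacts` (an ID index in place of the nested loop) and `completeFilteredSBOM` are simplified assumptions.

```go
package main

import "errors"

// ErrSBOMWithPartialArtifacts mirrors the error the PR adds in core/domain/scan.go.
var ErrSBOMWithPartialArtifacts = errors.New("SBOM having partial artifacts")
// partialArtifactsToolVersion is the SBOM creator version whose filtered SBOMs the PR treats as partial.
const partialArtifactsToolVersion = "v0.101.1"

// Artifact and SBOM are simplified stand-ins for the project's domain types (assumption, not kubevuln's code).
type Artifact struct {
	ID, Name, Version string
	Licenses          []string
}
type SBOM struct {
	ToolVersion string
	Artifacts   []Artifact
}

// validateSBOMp flags a filtered SBOM written by the version known to emit partial artifacts.
func validateSBOMp(sbomp SBOM) error {
	if sbomp.ToolVersion == partialArtifactsToolVersion {
		return ErrSBOMWithPartialArtifacts
	}
	return nil
}

// updateArtifacts copies the full artifact with the same ID over each filtered-SBOM artifact
// (unmatched ones are kept); an ID index stands in for the PR's nested loop.
func updateArtifacts(sbomp *SBOM, sbom SBOM) (replaced int) {
	byID := make(map[string]Artifact, len(sbom.Artifacts))
	for _, a := range sbom.Artifacts {
		byID[a.ID] = a
	}
	for i, a := range sbomp.Artifacts {
		if full, ok := byID[a.ID]; ok {
			sbomp.Artifacts[i] = full
			replaced++
		}
	}
	return replaced
}

// completeFilteredSBOM is the scan-service flow: a partial filtered SBOM is repaired from the full
// SBOM before the CVE scan; any other validation error is passed through unchanged.
func completeFilteredSBOM(sbomp *SBOM, sbom SBOM) (int, error) {
	if err := validateSBOMp(*sbomp); !errors.Is(err, ErrSBOMWithPartialArtifacts) {
		return 0, err // nil when the filtered SBOM was already complete
	}
	return updateArtifacts(sbomp, sbom), nil
}
```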
github-actions[bot] commented 5 months ago

Summary: