From 81852ef9a716a2480f4d392c79bb757f255b2bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Ma=C5=84kowski?=
Date: Sun, 10 Nov 2024 21:19:41 +0100
Subject: [PATCH 1/2] fix: return proper image digest
Trivy Operator incorrectly reported imageID as image digest.
Fixes #2259
---
 pkg/plugins/trivy/plugin.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
index 18aa47567..8037a342f 100644
--- a/pkg/plugins/trivy/plugin.go
+++ b/pkg/plugins/trivy/plugin.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "io"
 "path/filepath"
+ "strings"
 
 "github.com/aquasecurity/trivy-operator/pkg/exposedsecretreport"
 "github.com/aquasecurity/trivy-operator/pkg/sbomreport"
@@ -154,7 +155,15 @@ func (p *plugin) ParseReportData(ctx trivyoperator.PluginContext, imageRef strin
 return vulnReport, secretReport, nil, err } - registry, artifact, err := p.parseImageRef(imageRef, reports.Metadata.ImageID) + // Note: every Docker image is associated with 2 different SHAs: + // - image digest (this is what K8s shows in imageID field in kubectl get pod -o yaml) - and, for example, + kube-prometheus-stack reports this value in kube_pod_container_info metric + // - image ID (this is what is visible in 'docker image ls command') + // Execute docker image ls --digests --no-trunc to see both digest and ID. + // See https://stackoverflow.com/questions/56364643/whats-the-difference-between-a-docker-images-image-id-and-its-digest + var imageDigest = strings.Split(reports.Metadata.RepoDigests[0], "@")[1] + registry, artifact, err := p.parseImageRef(imageRef, imageDigest) if err != nil { return vulnReport, secretReport, nil, err } 
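Review bot: The new `var imageDigest = strings.Split(reports.Metadata.RepoDigests[0], "@")[1]` indexes into RepoDigests and into the split result without any length check, so a Trivy report whose Metadata has an empty RepoDigests (images that were never pushed to a registry) or whose first entry lacks an `@` makes ParseReportData panic instead of returning an error. The line it replaces fell back to reports.Metadata.ImageID, which the old code could always pass through, so the change trades a wrong digest for a crash on exactly those images. I would keep ImageID as the default and only override it when a repo digest can actually be extracted, which is the rewrite below. As rendered here the comment continuation `kube-prometheus-stack reports this value in kube_pod_container_info metric` has no leading `//`; if that is not an artifact of this view the file will not compile. ParseReportData starts and ends outside this hunk.
```go
	// Prefer the repo digest (the value the commit message identifies as the
	// Kubernetes imageID) over the local image ID, but never index into
	// RepoDigests blindly: images that were never pushed have none, and a
	// panic here aborts report parsing for the workload.
	imageDigest := reports.Metadata.ImageID
	if len(reports.Metadata.RepoDigests) > 0 {
		if _, digest, ok := strings.Cut(reports.Metadata.RepoDigests[0], "@"); ok && digest != "" {
			imageDigest = digest
		}
	}

	registry, artifact, err := p.parseImageRef(imageRef, imageDigest)
	// … unchanged: error handling …
```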
@@ -212,7 +221,7 @@ func (p *plugin) NewConfigForConfigAudit(ctx trivyoperator.PluginContext) (confi
 return getConfig(ctx)
 }
 
-func (p *plugin) parseImageRef(imageRef string, imageID string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
+func (p *plugin) parseImageRef(imageRef string, imageDigest string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
 ref, err := containerimage.ParseReference(imageRef)
 if err != nil {
 return v1alpha1.Registry{}, v1alpha1.Artifact{}, err
@@ -230,7 +239,7 @@ func (p *plugin) parseImageRef(imageRef string, imageID string) (v1alpha1.Regist
 artifact.Digest = t.DigestStr()
 }
 if len(artifact.Digest) == 0 {
- artifact.Digest = imageID
+ artifact.Digest = imageDigest
 }
 return registry, artifact, nil
 }
From 920678fa49c5a965fdb8333dab29497820fbea53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Ma=C5=84kowski?=
Date: Tue, 12 Nov 2024 20:48:06 +0100
Subject: [PATCH 2/2] fix: add missing RepoDigests
---
 pkg/plugins/trivy/testdata/fixture/full_report.json | 7 +++++--
 .../trivy/testdata/fixture/vulnerability_report.json | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/pkg/plugins/trivy/testdata/fixture/full_report.json b/pkg/plugins/trivy/testdata/fixture/full_report.json
index 0f1674fb0..d5d4936df 100644
--- a/pkg/plugins/trivy/testdata/fixture/full_report.json
+++ b/pkg/plugins/trivy/testdata/fixture/full_report.json
@@ -5,7 +5,10 @@
 "Family": "alpine",
 "Name": "3.10.2",
 "EOSL": true
- }
+ },
+ "RepoDigests": [
+ "alpine@sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb"
+ ]
 },
 "Results": [
 {
@@ -90,4 +93,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/pkg/plugins/trivy/testdata/fixture/vulnerability_report.json b/pkg/plugins/trivy/testdata/fixture/vulnerability_report.json
index 3e73a6627..1d51dc558 100644
--- a/pkg/plugins/trivy/testdata/fixture/vulnerability_report.json
+++ b/pkg/plugins/trivy/testdata/fixture/vulnerability_report.json
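Review bot: The added RepoDigests block gives both fixtures exactly one well-formed `repo@sha256:...` entry, so the new parsing path from the first patch is only exercised on the happy case; there is no fixture for a report whose Metadata has no RepoDigests or whose entry has no `@`, which is where `RepoDigests[0]` and the `[1]` index in ParseReportData would fail. Consider adding a variant of one of these files without the RepoDigests array and asserting that parsing still yields the ImageID-based digest rather than panicking. The same applies to the matching hunk in vulnerability_report.json.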
@@ -5,7 +5,10 @@
 "Family": "alpine",
 "Name": "3.10.2",
 "EOSL": true
- }
+ },
+ "RepoDigests": [
+ "alpine@sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb"
+ ]
 },
 "Results": [
 {
@@ -42,4 +45,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}