Add better support for cyclonedx

Signed-off-by: Mateusz Dymiński <[email protected]>

Author: mateuszdyminski

cmd/cyclonexdx.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"hash/fnv"
+	"slices"
 	"time"
 
 	"github.com/CycloneDX/cyclonedx-go"
@@ -12,8 +13,10 @@ import (
 )
 
 const (
-	CdxPrefix  = "cdx:"
-	KSOCPrefix = "ksoc:kbom:"
+	CdxPrefix        = "cdx:"
+	KSOCPrefix       = "ksoc:kbom:"
+	K8sComponentType = "k8s:component:type"
+	K8sComponentName = "k8s:component:name"
 
 	ClusterType   = "cluster"
 	NodeType      = "node"
@@ -33,24 +36,13 @@ func transformToCycloneDXBOM(kbom *model.KBOM) *cyclonedx.BOM { //nolint:funlen
 				Version: kbom.GeneratedBy.Version,
 			},
 		},
-		Component: &cyclonedx.Component{
-			BOMRef: id(kbom.GeneratedBy),
-			Type:   cyclonedx.ComponentTypeApplication,
-			Name:   kbom.GeneratedBy.Name,
-			Hashes: &[]cyclonedx.Hash{
-				{
-					Algorithm: cyclonedx.HashAlgoSHA256,
-					Value:     kbom.GeneratedBy.Commit,
-				},
-			},
-			Version: kbom.GeneratedBy.Version,
-		},
 	}
 
 	components := []cyclonedx.Component{}
+	dependencies := []cyclonedx.Dependency{}
 	clusterProperties := []cyclonedx.Property{
 		{
-			Name:  CdxPrefix + "k8s:component:type",
+			Name:  CdxPrefix + K8sComponentType,
 			Value: ClusterType,
 		},
 		{
@@ -85,28 +77,29 @@ func transformToCycloneDXBOM(kbom *model.KBOM) *cyclonedx.BOM { //nolint:funlen
 	}
 
 	clusterComponent := cyclonedx.Component{
-		BOMRef:     id(kbom.Cluster),
+		BOMRef:     kbom.Cluster.BOMRef(),
 		Type:       cyclonedx.ComponentTypePlatform,
-		Name:       "cluster",
+		Name:       kbom.Cluster.BOMName(),
 		Version:    kbom.Cluster.K8sVersion,
 		Properties: &clusterProperties,
 	}
+	cdxBOM.Metadata.Component = &clusterComponent
 
-	components = append(components, clusterComponent)
-
+	clusterDependencies := make(map[string]string)
 	for i := range kbom.Cluster.Nodes {
 		n := kbom.Cluster.Nodes[i]
+		bomRef := id(n)
 		components = append(components, cyclonedx.Component{
-			BOMRef: id(n),
+			BOMRef: bomRef,
 			Type:   cyclonedx.ComponentTypePlatform,
 			Name:   n.Name,
 			Properties: &[]cyclonedx.Property{
 				{
-					Name:  CdxPrefix + "k8s:component:type",
+					Name:  CdxPrefix + K8sComponentType,
 					Value: NodeType,
 				},
 				{
-					Name:  CdxPrefix + "k8s:component:name",
+					Name:  CdxPrefix + K8sComponentName,
 					Value: n.Name,
 				},
 				{
@@ -187,22 +180,24 @@ func transformToCycloneDXBOM(kbom *model.KBOM) *cyclonedx.BOM { //nolint:funlen
 				},
 			},
 		})
+		clusterDependencies[bomRef] = bomRef
 	}
 
 	for _, img := range kbom.Cluster.Components.Images {
+		bomRef := img.PkgID()
 		container := cyclonedx.Component{
-			BOMRef:     img.PkgID(),
+			BOMRef:     bomRef,
 			Type:       cyclonedx.ComponentTypeContainer,
 			Name:       img.Name,
 			Version:    img.Digest,
-			PackageURL: img.PkgID(),
+			PackageURL: bomRef,
 			Properties: &[]cyclonedx.Property{
 				{
-					Name:  CdxPrefix + "k8s:component:type",
+					Name:  CdxPrefix + K8sComponentType,
 					Value: ContainerType,
 				},
 				{
-					Name:  CdxPrefix + "k8s:component:name",
+					Name:  CdxPrefix + K8sComponentName,
 					Value: img.Name,
 				},
 				{
@@ -225,17 +220,21 @@ func transformToCycloneDXBOM(kbom *model.KBOM) *cyclonedx.BOM { //nolint:funlen
 		}
 
 		components = append(components, container)
+
+		if img.ControlPlane {
+			clusterDependencies[bomRef] = bomRef
+		}
 	}
 
 	for _, resList := range kbom.Cluster.Components.Resources {
 		for _, res := range resList.Resources {
 			properties := []cyclonedx.Property{
 				{
-					Name:  CdxPrefix + "k8s:component:type",
+					Name:  CdxPrefix + K8sComponentType,
 					Value: resList.Kind,
 				},
 				{
-					Name:  CdxPrefix + "k8s:component:name",
+					Name:  CdxPrefix + K8sComponentName,
 					Value: res.Name,
 				},
 				{
@@ -263,9 +262,21 @@ func transformToCycloneDXBOM(kbom *model.KBOM) *cyclonedx.BOM { //nolint:funlen
 		}
 	}
 
-	cdxBOM.Components = &components
+	clusterDependenciesArr := make([]string, 0)
+	for _, dep := range clusterDependencies {
+		clusterDependenciesArr = append(clusterDependenciesArr, dep)
+	}
+	slices.Sort(clusterDependenciesArr)
 
-	// TODO: add relationships and dependencies
+	dependencies = append(dependencies,
+		cyclonedx.Dependency{
+			Ref:          clusterComponent.BOMRef,
+			Dependencies: &clusterDependenciesArr,
+		},
+	)
+
+	cdxBOM.Components = &components
+	cdxBOM.Dependencies = &dependencies
 
 	return cdxBOM
 }

docs/schema.md

@@ -1,10 +1,11 @@
-## KBOM Schema
+# KBOM Schema
 
 The section below describes the high level object model for KBOM.
 
-Cluster Details
+## Cluster Details
+
+Instances:
 
-Instances
 - Name
 - Hostname
 - CloudType
@@ -18,13 +19,15 @@ Instances
 - Kubelet Version
 - Kube Proxy Version
 
-Images
+Images:
+
 - Name
 - FullName
 - Version
 - Digest
 
-KubeObjects
+KubeObjects:
+
 - Kind
 - Api Version
 - Count

go.mod

@@ -5,6 +5,7 @@ go 1.20
 require (
 	github.com/CycloneDX/cyclonedx-go v0.7.2
 	github.com/Masterminds/semver v1.5.0
+	github.com/distribution/reference v0.5.0
 	github.com/google/uuid v1.4.0
 	github.com/invopop/jsonschema v0.12.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
@@ -48,6 +49,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect

go.sum

@@ -14,6 +14,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
+github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
 github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
@@ -89,6 +91,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4=
 github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

internal/kube/kube.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/Masterminds/semver"
+	"github.com/distribution/reference"
 	"github.com/rs/zerolog/log"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -172,38 +173,40 @@ func (k *k8sDB) AllImages(ctx context.Context) ([]model.Image, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to list pods: %w", err)
 		}
+		namespace := namespaces.Items[i].Name
 
-		log.Debug().Str("namespace", namespaces.Items[i].Name).Int("count", len(pods.Items)).Msg("Found pods in namespace")
+		log.Debug().Str("namespace", namespace).Int("count", len(pods.Items)).Msg("Found pods in namespace")
 
 		for j := range pods.Items {
 			pod := pods.Items[j]
 
 			for k := range pod.Spec.InitContainers {
-				img, err := containerToImage(pod.Spec.InitContainers[k].Image, pod.Spec.InitContainers[k].Name, pod.Status.InitContainerStatuses)
+				img, err := containerToImage(pod.Spec.InitContainers[k].Image,
+					pod.Spec.InitContainers[k].Name, pod.Status.InitContainerStatuses, namespace)
 				if err != nil {
 					return nil, err
 				}
 
-				images[img.Name] = *img
+				images[img.FullName] = *img
 			}
 
 			for k := range pod.Spec.Containers {
-				img, err := containerToImage(pod.Spec.Containers[k].Image, pod.Spec.Containers[k].Name, pod.Status.ContainerStatuses)
+				img, err := containerToImage(pod.Spec.Containers[k].Image, pod.Spec.Containers[k].Name, pod.Status.ContainerStatuses, namespace)
 				if err != nil {
 					return nil, err
 				}
 
-				images[img.Name] = *img
+				images[img.FullName] = *img
 			}
 
 			for k := range pod.Spec.EphemeralContainers {
 				img, err := containerToImage(pod.Spec.EphemeralContainers[k].Image,
-					pod.Spec.EphemeralContainers[k].Name, pod.Status.EphemeralContainerStatuses)
+					pod.Spec.EphemeralContainers[k].Name, pod.Status.EphemeralContainerStatuses, namespace)
 				if err != nil {
 					return nil, err
 				}
 
-				images[img.Name] = *img
+				images[img.FullName] = *img
 			}
 		}
 	}
@@ -216,20 +219,35 @@ func (k *k8sDB) AllImages(ctx context.Context) ([]model.Image, error) {
 	return toReturn, nil
 }
 
-func containerToImage(img, imgName string, statuses []v1.ContainerStatus) (*model.Image, error) {
+func containerToImage(img, imgName string, statuses []v1.ContainerStatus, namespace string) (*model.Image, error) {
 	if img == "" {
 		return nil, fmt.Errorf("container %s has no image", img)
 	}
 
+	named, err := reference.ParseNormalizedNamed(img)
+	if err != nil {
+		return nil, err
+	}
+
+	controlPlane := false
+	if namespace == "kube-system" {
+		controlPlane = true
+	}
+
 	res := &model.Image{
-		FullName: img,
-		Name:     strings.Split(strings.Split(img, "@sha256:")[0], ":")[0],
-		Version:  versionFromImage(img),
+		FullName:     img,
+		ControlPlane: controlPlane,
 	}
 
-	if strings.Contains(img, "@") {
-		res.Digest = strings.Split(img, "@")[1]
-		return res, nil
+	res.Name = named.Name()
+	tagged, ok := named.(reference.Tagged)
+	if ok {
+		res.Version = tagged.Tag()
+	}
+
+	digested, ok := named.(reference.Digested)
+	if ok {
+		res.Digest = digested.Digest().String()
 	}
 
 	// search in statuses for ImageID to get digest
@@ -250,24 +268,6 @@ func containerToImage(img, imgName string, statuses []v1.ContainerStatus) (*mode
 	return res, nil
 }
 
-func versionFromImage(img string) string {
-	if strings.Contains(img, ":") {
-		if strings.Contains(img, "@") {
-			withoutDigest := strings.Split(img, "@")[0]
-
-			if strings.Contains(withoutDigest, ":") {
-				return strings.Split(withoutDigest, ":")[1]
-			}
-
-			return ""
-		}
-
-		return strings.Split(img, ":")[1]
-	}
-
-	return ""
-}
-
 // Metadata returns the kubernetes version
 func (k *k8sDB) Metadata(ctx context.Context) (k8sVersion, caDigest string, err error) {
 	if _, err := rest.InClusterConfig(); err != nil {