You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review
Code Refactoring The get_SBOM_from_storage and get_CVEs_from_storage methods were significantly refactored to use workload tags instead of image IDs. Verify that the new logic correctly retrieves and matches SBOM/CVE data using image tags.
Error Handling New error handling was added to raise exceptions when SBOM/CVE data is not found for an image tag. Validate that these exceptions are handled appropriately by the calling code.
Validate existence of required data before attempting retrieval to provide clearer error messages
Add error handling for cases where no matching SBOM/CVE is found for an image tag in the storage. Currently the code raises an exception only after attempting to get the data, which could lead to confusing errors.
for container_tags in workload_tags:
for container, image_tag in container_tags:
name = ""
for sbom in namespacedSBOMs['items']:
if sbom['metadata']['annotations']['kubescape.io/image-tag'] == image_tag:
name = sbom['metadata']['name']
break
+ if not name:+ raise Exception(f"No SBOM found in storage for image tag {image_tag}")
SBOM_data = self.kubernetes_obj.client_CustomObjectsApi.get_namespaced_custom_object(...)
Apply this suggestion
Suggestion importance[1-10]: 7
Why: The suggestion improves error handling by checking for missing SBOM data earlier in the process, providing clearer error messages and preventing potential confusing errors when trying to retrieve non-existent data.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
matthyx
force-pushed
the
sbom
branch
9 times, most recently
from
PR Type
enhancement, configuration changes
Description
Changes walkthrough 📝
4 files
relevant_cve.py
Refactor SBOM and CVE retrieval to use workload tagstests_scripts/helm/relevant_cve.py
get_imagesIDs_keyswithget_workloads_images_tagsfor SBOMand CVE retrieval.
workload_tagsinstead ofSBOMKeysandCVEsKeys.base_k8s.py
Refactor image handling and storage retrieval logictests_scripts/kubernetes/base_k8s.py
get_image_idsto useimageinstead ofimage_id.get_SBOM_from_storageandget_CVEs_from_storageto useworkload_tags.python-client-to-java.json
Update vulnerability manifest for Python clientconfigurations/expected-result/filteredCVEs/python-client-to-java.json
metadataandspecfields with new values.uid,name, andcreationTimestamp.annotationsandsourcefields.golang-dynamic-simple.json
Update SBOM for Golang dynamic deploymentconfigurations/expected-result/filteredSBOM/golang-dynamic-simple.json
metadataandspecfields with new values.uid,name, andcreationTimestamp.toolversion andsourcemetadata.9 files
python-simple.json
Update Python vulnerability manifest metadataconfigurations/expected-result/CVEs/python-simple.json
golang-simple.json
Update Golang vulnerability manifest with new metadataconfigurations/expected-result/CVEs/golang-simple.json
for Golang.
redis-fixed.yaml
Update Redis deployment image referenceconfigurations/k8s_workloads/deployments/redis/redis-fixed.yaml
docker.ioprefix.sbomspdxv2p3s.yaml
Update metadata name for Golang SBOMconfigurations/kubescape-crds/unsupported/sbomspdxv2p3s.yaml
python.yaml
Update Python deployment image referenceconfigurations/k8s_workloads/deployments/java-and-python/python.yaml
docker.ioprefix.python-simple.yaml
Update Python deployment image referenceconfigurations/k8s_workloads/deployments/python-simple/python-simple.yaml
java.yaml
Update Java deployment image referenceconfigurations/k8s_workloads/deployments/java-and-python/java.yaml
java-simple.yaml
Update Java simple deployment image referenceconfigurations/k8s_workloads/deployments/java-simple/java-simple.yaml
redis-fixed.json
Update vulnerability manifest for Redis with new metadata and toolversion.configurations/expected-result/filteredCVEs/redis-fixed.json
name,uid, andcreationTimestamp.specsection.sourcesection.29 files
wikijs.json
...configurations/expected-result/CVEs/wikijs.json
...
java-simple.json
...configurations/expected-result/filteredSBOM/java-simple.json
...
python-simple.json
...configurations/expected-result/SBOM/python-simple.json
...
redis.json
...configurations/expected-result/SBOM/redis.json
...
nginx.json
...configurations/expected-result/filteredSBOM/nginx.json
...
wikijs.json
...configurations/expected-result/filteredSBOM/wikijs.json
...
nginx.json
...configurations/expected-result/CVEs/nginx.json
...
redis_incomplete.json
...configurations/expected-result/SBOM/redis_incomplete.json
...
redis_sleep.json
...configurations/expected-result/SBOM/redis_sleep.json
...
java-simple.json
...configurations/expected-result/CVEs/java-simple.json
...
python-client-to-java.json
...configurations/expected-result/filteredSBOM/python-client-to-java.json
...
java-simple.json
...configurations/expected-result/filteredCVEs/java-simple.json
...
golang-dynamic-simple.json
...configurations/expected-result/CVEs/golang-dynamic-simple.json
...
redis.json
...configurations/expected-result/CVEs/redis.json
...
redis_sleep.json
...configurations/expected-result/CVEs/redis_sleep.json
...
redis.json
...configurations/expected-result/filteredCVEs/redis.json
...
redis_sleep_updated.json
...configurations/expected-result/filteredCVEs/redis_sleep_updated.json
...
redis_sleep_updated.json
...configurations/expected-result/filteredSBOM/redis_sleep_updated.json
...
redis-fixed.json
...configurations/expected-result/filteredSBOM/redis-fixed.json
...
redis_sleep.json
...configurations/expected-result/filteredSBOM/redis_sleep.json
...
redis.json
...configurations/expected-result/filteredSBOM/redis.json
...
redis_sleep.json
...configurations/expected-result/filteredCVEs/redis_sleep.json
...
python-simple.json
...configurations/expected-result/filteredSBOM/python-simple.json
...
python-simple.json
...configurations/expected-result/filteredCVEs/python-simple.json
...
redis_incomplete.json
...configurations/expected-result/filteredSBOM/redis_incomplete.json
...
golang-dynamic-simple.json
...configurations/expected-result/filteredCVEs/golang-dynamic-simple.json
...
golang-simple.json
...configurations/expected-result/SBOM/golang-simple.json
...
golang-simple.json
...configurations/expected-result/filteredSBOM/golang-simple.json
...
golang-simple.json
...configurations/expected-result/filteredCVEs/golang-simple.json
...