feat(sbom): add image labels into SPDX and CycloneDX reports (#7257)

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
aquasecurity · Jul 30, 2024 · 4a2f492 · 4a2f492
1 parent f198cf8
commit 4a2f492
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 5 deletions.
diff --git a/pkg/sbom/core/bom.go b/pkg/sbom/core/bom.go
@@ -25,11 +25,12 @@ const (
  PropertyClass = "Class"
 
  // Image properties
- PropertySize = "Size"
- PropertyImageID = "ImageID"
- PropertyRepoDigest = "RepoDigest"
- PropertyDiffID = "DiffID"
- PropertyRepoTag = "RepoTag"
+ PropertySize = "Size"
+ PropertyImageID = "ImageID"
+ PropertyRepoDigest = "RepoDigest"
+ PropertyDiffID = "DiffID"
+ PropertyRepoTag = "RepoTag"
+ PropertyLabelsPrefix = "Labels"
 
  // Package properties
  PropertyPkgID = "PkgID"

diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go
@@ -105,6 +105,11 @@ func TestMarshaler_MarshalReport(t *testing.T) {
  RepoDigests: []string{"rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177"},
  ImageConfig: v1.ConfigFile{
  Architecture: "arm64",
+ Config: v1.Config{
+ Labels: map[string]string{
+ "vendor": "aquasecurity",
+ },
+ },
  },
  },
  Results: types.Results{
@@ -301,6 +306,10 @@ func TestMarshaler_MarshalReport(t *testing.T) {
  Name: "aquasecurity:trivy:ImageID",
  Value: "sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6",
  },
+ {
+ Name: "aquasecurity:trivy:Labels:vendor",
+ Value: "aquasecurity",
+ },
  {
  Name: "aquasecurity:trivy:RepoDigest",
  Value: "rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177",

diff --git a/pkg/sbom/io/encode.go b/pkg/sbom/io/encode.go
@@ -73,6 +73,15 @@ func (e *Encoder) rootComponent(r types.Report) (*core.Component, error) {
  Value: r.Metadata.ImageID,
  })
 
+ // Save image labels as properties with `Labels:` prefix.
+ // e.g. `LABEL vendor="aquasecurity"` => `Labels:vendor` -> `aquasecurity`
+ for label, value := range r.Metadata.ImageConfig.Config.Labels {
+ props = append(props, core.Property{
+ Name: core.PropertyLabelsPrefix + ":" + label,
+ Value: value,
+ })
+ }
+
  p, err := purl.New(purl.TypeOCI, r.Metadata, ftypes.Package{})
  if err != nil {
  return nil, xerrors.Errorf("failed to new package url for oci: %w", err)

diff --git a/pkg/sbom/io/encode_test.go b/pkg/sbom/io/encode_test.go
@@ -3,6 +3,7 @@ package io_test
 import (
  "testing"
 
+ v1 "github.com/google/go-containerregistry/pkg/v1"
  "github.com/package-url/packageurl-go"
  "github.com/stretchr/testify/assert"
  "github.com/stretchr/testify/require"
@@ -43,6 +44,13 @@ func TestEncoder_Encode(t *testing.T) {
  RepoDigests: []string{
  "debian@sha256:4482958b4461ff7d9fabc24b3a9ab1e9a2c85ece07b2db1840c7cbc01d053e90",
  },
+ ImageConfig: v1.ConfigFile{
+ Config: v1.Config{
+ Labels: map[string]string{
+ "vendor": "aquasecurity",
+ },
+ },
+ },
  },
  Results: []types.Result{
  {
@@ -185,6 +193,10 @@ func TestEncoder_Encode(t *testing.T) {
  BOMRef: "pkg:oci/debian@sha256%3A4482958b4461ff7d9fabc24b3a9ab1e9a2c85ece07b2db1840c7cbc01d053e90?repository_url=index.docker.io%2Flibrary%2Fdebian",
  },
  Properties: []core.Property{
+ {
+ Name: "Labels:vendor",
+ Value: "aquasecurity",
+ },
  {
  Name: core.PropertyRepoDigest,
  Value: "debian@sha256:4482958b4461ff7d9fabc24b3a9ab1e9a2c85ece07b2db1840c7cbc01d053e90",

diff --git a/pkg/sbom/spdx/marshal_test.go b/pkg/sbom/spdx/marshal_test.go
@@ -49,6 +49,11 @@ func TestMarshaler_Marshal(t *testing.T) {
  RepoDigests: []string{"rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177"},
  ImageConfig: v1.ConfigFile{
  Architecture: "arm64",
+ Config: v1.Config{
+ Labels: map[string]string{
+ "vendor": "aquasecurity",
+ },
+ },
  },
  },
  Results: types.Results{
@@ -199,6 +204,7 @@ func TestMarshaler_Marshal(t *testing.T) {
  PackageAttributionTexts: []string{
  "DiffID: sha256:d871dadfb37b53ef1ca45be04fc527562b91989991a8f545345ae3be0b93f92a",
  "ImageID: sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6",
+ "Labels:vendor: aquasecurity",
  "RepoDigest: rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177",
  "RepoTag: rails:latest",
  "SchemaVersion: 2",