fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)

Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-05 20:40:16 -08:00 · 2024-12-11 17:39:06 +01:00
parent 4202c4ba0d
commit f9fceb58bf
4 changed files with 36 additions and 29 deletions
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -186,11 +186,6 @@ func overrideSBOMReport(t *testing.T, want, got *types.Report) {
 	want.Metadata.ImageID = ""
 	want.Metadata.ImageConfig = v1.ConfigFile{}
 	want.Metadata.DiffIDs = nil
-	for i, result := range want.Results {
-		for j := range result.Vulnerabilities {
-			want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
-		}
-	}

 	// when running on Windows FS
 	got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))
--- a/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
@@ -80,6 +80,14 @@
      "version": "5.0-4",
      "purl": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
      "properties": [
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "bash@5.0-4"
@@ -105,6 +113,14 @@
      "version": "2.0.5-1",
      "purl": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
      "properties": [
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "libidn2-0@2.0.5-1"
@@ -141,6 +157,14 @@
          "name": "aquasecurity:trivy:FilePath",
          "value": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec"
        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602"
+        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "activesupport@6.0.2.1"
--- a/integration/testdata/fluentd-multiple-lockfiles.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -36,7 +36,10 @@
          },
          "InstalledVersion": "5.0-4",
          "Status": "affected",
-          "Layer": {},
+          "Layer": {
+            "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
          "SeveritySource": "debian",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
          "DataSource": {
@@ -102,7 +105,10 @@
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
          "Status": "fixed",
-          "Layer": {},
+          "Layer": {
+            "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
          "DataSource": {
@@ -173,7 +179,10 @@
          "InstalledVersion": "6.0.2.1",
          "FixedVersion": "6.0.3.1, 5.2.4.3",
          "Status": "fixed",
-          "Layer": {},
+          "Layer": {
+            "Digest": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602",
+            "DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
          "DataSource": {
--- a/pkg/scanner/scan.go
+++ b/pkg/scanner/scan.go
@@ -178,11 +178,6 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 		ptros = nil
 	}

-	// Layer makes sense only when scanning container images
-	if artifactInfo.Type != artifact.TypeContainerImage {
-		removeLayer(results)
-	}
-
 	return types.Report{
 		SchemaVersion: report.SchemaVersion,
 		CreatedAt:     clock.Now(ctx),
@@ -202,19 +197,3 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 		BOM:     artifactInfo.BOM,
 	}, nil
 }
-
-func removeLayer(results types.Results) {
-	for i := range results {
-		result := results[i]
-
-		for j := range result.Packages {
-			result.Packages[j].Layer = ftypes.Layer{}
-		}
-		for j := range result.Vulnerabilities {
-			result.Vulnerabilities[j].Layer = ftypes.Layer{}
-		}
-		for j := range result.Misconfigurations {
-			result.Misconfigurations[j].Layer = ftypes.Layer{}
-		}
-	}
-}