rancher-sandbox · flavio · Nov 15, 2024 · Nov 14, 2024 · Nov 14, 2024 · Nov 14, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,3 +31,4 @@ jobs:
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           version: v1.61.0
+          args: --timeout=5m
diff --git a/api/storage/register.go b/api/storage/register.go
@@ -32,8 +32,14 @@ var (
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
+		&v1alpha1.Image{},
+		&v1alpha1.ImageList{},
+
 		&v1alpha1.SBOM{},
 		&v1alpha1.SBOMList{},
+
+		&v1alpha1.VulnerabilityReport{},
+		&v1alpha1.VulnerabilityReportList{},
 	)
 	return nil
 }
diff --git a/api/storage/v1alpha1/register.go b/api/storage/v1alpha1/register.go
@@ -56,8 +56,8 @@ func AddKnownTypes(scheme *runtime.Scheme) error {
 		&SBOM{},
 		&SBOMList{},
 
-		&ScanResult{},
-		&ScanResultList{},
+		&VulnerabilityReport{},
+		&VulnerabilityReportList{},
 
 		&metav1.GetOptions{},
 		&metav1.CreateOptions{},

diff --git a/api/storage/v1alpha1/scanresult_types.go → .../v1alpha1/vulnerabilityreport_types.go.go b/api/storage/v1alpha1/scanresult_types.go → .../v1alpha1/vulnerabilityreport_types.go.go
@@ -18,37 +18,43 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// ScanResultList contains a list of ScanResult
-type ScanResultList struct {
+// VulnerabilityReportList contains a list of ScanResult
+type VulnerabilityReportList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ScanResult `json:"items"`
+	Items           []VulnerabilityReport `json:"items"`
 }
 
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// ScanResult is the Schema for the scanresults API
-type ScanResult struct {
+// VulnerabilityReport is the Schema for the scanresults API
+type VulnerabilityReport struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   ScanResultSpec   `json:"spec,omitempty"`
-	Status ScanResultStatus `json:"status,omitempty"`
+	Spec   VulnerabilityReportSpec   `json:"spec,omitempty"`
+	Status VulnerabilityReportStatus `json:"status,omitempty"`
 }
 
-// ScanResultSpec defines the desired state of ScanResult
-type ScanResultSpec struct {
-	// Foo is an example field of ScanResult.
-	Foo string `json:"foo,omitempty"`
+// VulnerabilityReportSpec defines the desired state of a VulnerabilityReport
+type VulnerabilityReportSpec struct {
+	ImageMetadata ImageMetadata `json:"imageMetadata"`
+	// SARIF is the vulnerability report in SARIF format
+	SARIF runtime.RawExtension `json:"sarif"`
 }
 
-// ScanResultStatus defines the observed state of ScanResult
-type ScanResultStatus struct {
+// VulnerabilityReportStatus defines the observed state of ScanResult
+type VulnerabilityReportStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 }
+
+func (v *VulnerabilityReport) GetImageMetadata() ImageMetadata {
+	return v.Spec.ImageMetadata
+}
diff --git a/api/storage/v1alpha1/zz_generated.deepcopy.go b/api/storage/v1alpha1/zz_generated.deepcopy.go
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -188,8 +188,9 @@ func main() {
 	}
 
 	if err = (&controller.SBOMReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:    mgr.GetClient(),
+		Scheme:    mgr.GetScheme(),
+		Publisher: publisher,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "SBOM")
 		os.Exit(1)

diff --git a/cmd/storage/main.go b/cmd/storage/main.go
@@ -37,6 +37,7 @@ func main() {
 
 	db.MustExec(storage.CreateImageTableSQL)
 	db.MustExec(storage.CreateSBOMTableSQL)
+	db.MustExec(storage.CreateVulnerabilityReportTableSQL)
 
 	ctx := genericapiserver.SetupSignalContext()
 	options := server.NewWardleServerOptions(os.Stdout, os.Stderr, db)

diff --git a/cmd/worker/main.go b/cmd/worker/main.go
@@ -57,6 +57,7 @@ func main() {
 	handlers := messaging.HandlerRegistry{
 		messaging.CreateCatalogType: handlers.NewCreateCatalogHandler(registryClientFactory, k8sClient, logger),
 		messaging.GenerateSBOMType:  handlers.NewGenerateSBOMHandler(k8sClient, "/var/run/worker", logger),
+		messaging.ScanSBOMType:      handlers.NewScanSBOMHandler(k8sClient, "/var/run/worker", logger),
 	}
 	subscriber := messaging.NewSubscriber(sub, handlers, logger)
 

diff --git a/helm/templates/worker/deployment.yaml b/helm/templates/worker/deployment.yaml
@@ -15,7 +15,7 @@ spec:
       labels:
         worker: "true"
     spec:
-      serviceAccountName: controller-manager
+      serviceAccountName: worker
       containers:
         - name: worker
           image: {{ .Values.worker.image.repository }}:{{ .Values.worker.image.tag }}

diff --git a/helm/templates/worker/role.yaml b/helm/templates/worker/role.yaml
@@ -0,0 +1,45 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: worker-role
+rules:
+  - apiGroups:
+      - sbombastic.rancher.io
+    resources:
+      - registries
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - sbombastic.rancher.io
+    resources:
+      - registries/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - sbombastic.rancher.io
+    resources:
+      - registries/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - storage.sbombastic.rancher.io
+    resources:
+      - images
+      - sboms
+      - vulnerabilityreports
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
diff --git a/helm/templates/worker/rolebinding.yaml b/helm/templates/worker/rolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: sbombastic
+  name: worker-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: worker-role
+subjects:
+  - kind: ServiceAccount
+    name: worker
+    namespace: {{ .Release.Namespace }}
diff --git a/helm/templates/worker/sa.yaml b/helm/templates/worker/sa.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: worker
+  namespace: {{ .Release.Namespace }}
diff --git a/internal/apiserver/apiserver.go b/internal/apiserver/apiserver.go
@@ -19,14 +19,14 @@ package apiserver
 import (
 	"fmt"
 
+	"github.com/jmoiron/sqlx"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 
-	"github.com/jmoiron/sqlx"
 	"github.com/rancher/sbombastic/api/storage/install"
 	"github.com/rancher/sbombastic/api/storage/v1alpha1"
 	"github.com/rancher/sbombastic/internal/storage"
@@ -109,7 +109,6 @@ func (c completedConfig) New(db *sqlx.DB) (*WardleServer, error) {
 
 	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(v1alpha1.GroupName, Scheme, metav1.ParameterCodec, Codecs)
 
-	v1alpha1storage := map[string]rest.Storage{}
 	imageStore, err := storage.NewImageStore(Scheme, c.GenericConfig.RESTOptionsGetter, db)
 	if err != nil {
 		return nil, fmt.Errorf("error creating Image store: %w", err)
@@ -118,8 +117,15 @@ func (c completedConfig) New(db *sqlx.DB) (*WardleServer, error) {
 	if err != nil {
 		return nil, fmt.Errorf("error creating SBOM store: %w", err)
 	}
+	vulnerabilityReportStore, err := storage.NewVulnerabilityReport(Scheme, c.GenericConfig.RESTOptionsGetter, db)
+	if err != nil {
+		return nil, fmt.Errorf("error creating VulnerabilityReport store: %w", err)
+	}
+
+	v1alpha1storage := map[string]rest.Storage{}
 	v1alpha1storage["images"] = imageStore
 	v1alpha1storage["sboms"] = sbomStore
+	v1alpha1storage["vulnerabilityreports"] = vulnerabilityReportStore
 	apiGroupInfo.VersionedResourcesStorageMap["v1alpha1"] = v1alpha1storage
 
 	if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {

diff --git a/internal/controller/sbom_controller.go b/internal/controller/sbom_controller.go
@@ -30,12 +30,14 @@ import (
 
 	storagev1alpha1 "github.com/rancher/sbombastic/api/storage/v1alpha1"
 	"github.com/rancher/sbombastic/api/v1alpha1"
+	"github.com/rancher/sbombastic/internal/messaging"
 )
 
 // SBOMReconciler reconciles a SBOM object
 type SBOMReconciler struct {
 	client.Client
-	Scheme *runtime.Scheme
+	Scheme    *runtime.Scheme
+	Publisher messaging.Publisher
 }
 
 // +kubebuilder:rbac:groups=storage.sbombastic.rancher.io,resources=sboms,verbs=get;list;watch;create;update;patch;delete
@@ -56,6 +58,14 @@ func (r *SBOMReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.
 		return ctrl.Result{}, fmt.Errorf("unable to fetch SBOM: %w", err)
 	}
 
+	scanSBOM := &messaging.ScanSBOM{
+		SBOMName:      sbom.Name,
+		SBOMNamespace: sbom.Namespace,
+	}
+	if err := r.Publisher.Publish(scanSBOM); err != nil {
+		return ctrl.Result{}, fmt.Errorf("unable to publish ScanSBOM message: %w", err)
+	}
+
 	var sbomList storagev1alpha1.SBOMList
 	err := r.List(ctx, &sbomList, client.InNamespace(req.Namespace), client.MatchingFieldsSelector{
 		Selector: fields.SelectorFromSet(map[string]string{