neticdk · langecode · May 2, 2024 · May 2, 2024 · May 2, 2024 · May 2, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -15,7 +15,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v4
       with:
-        go-version: '1.21'
+        go-version: '1.22'
 
     - name: Build
       run: |

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -78,4 +78,4 @@ jobs:
       actions: read
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      go-version: 1.21
+      go-version: 1.22
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.21 as build
+FROM golang:1.22 as build
 
 WORKDIR /go/src/app
 COPY . .

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/pkg/controllers/convert.go b/pkg/controllers/convert.go
@@ -1,30 +1,25 @@
 package controllers
 
 import (
-	"context"
-	"fmt"
-	"net/url"
 	"sort"
 	"strings"
 
 	trivyDBTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	ty "github.com/aquasecurity/trivy/pkg/types"
 	"github.com/openclarity/kubeclarity/shared/pkg/scanner"
 	utilsVul "github.com/openclarity/kubeclarity/shared/pkg/utils/vulnerability"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // convertTrivyReport based on https://github.com/openclarity/kubeclarity/blob/main/shared/pkg/scanner/trivy/scanner.go#L285
-func convertTrivyReport(ctx context.Context, report *ty.Report) ([]*scanner.MergedVulnerability, error) {
-	log := log.FromContext(ctx)
-
+func convertTrivyReport(report *ty.Report) ([]*scanner.MergedVulnerability, error) {
 	matches := []*scanner.MergedVulnerability{}
 	for _, result := range report.Results {
 		for _, vul := range result.Vulnerabilities {
-			typ, err := getTypeFromPurl(vul.PkgRef)
-			if err != nil {
-				log.V(1).Info("unable to convert pkgref", "pkgref", vul.PkgRef, "error", err)
-				typ = ""
+			typ := ""
+			purl := ""
+			if vul.PkgIdentifier.PURL != nil {
+				typ = vul.PkgIdentifier.PURL.Type
+				purl = vul.PkgIdentifier.PURL.String()
 			}
 
 			cvsses := getCVSSesFromVul(vul.CVSS)
@@ -55,7 +50,7 @@ func convertTrivyReport(ctx context.Context, report *ty.Report) ([]*scanner.Merg
 				Package: scanner.Package{
 					Name:     vul.PkgName,
 					Version:  vul.InstalledVersion,
-					PURL:     vul.PkgRef,
+					PURL:     purl,
 					Type:     typ,
 					Language: "",
 					Licenses: nil,
@@ -73,18 +68,6 @@ func convertTrivyReport(ctx context.Context, report *ty.Report) ([]*scanner.Merg
 	return matches, nil
 }
 
-func getTypeFromPurl(purl string) (string, error) {
-	u, err := url.Parse(purl)
-	if err != nil {
-		return "", fmt.Errorf("unable to parse purl: %w", err)
-	}
-	typ, _, found := strings.Cut(u.Opaque, "/")
-	if !found {
-		return "", fmt.Errorf("type not found in purl")
-	}
-	return typ, nil
-}
-
 func getCVSSesFromVul(vCvss trivyDBTypes.VendorCVSS) []scanner.CVSS {
 	cvsses := []scanner.CVSS{}
 	v2Collected := false

diff --git a/pkg/controllers/scanjob.go b/pkg/controllers/scanjob.go
@@ -13,7 +13,7 @@ import (
 	"github.com/aquasecurity/trivy-operator/pkg/utils"
 	"github.com/aquasecurity/trivy/pkg/sbom/cyclonedx"
 	ty "github.com/aquasecurity/trivy/pkg/types"
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 	"github.com/neticdk/scanning-controller/pkg/dependencies"
 	"go.uber.org/multierr"
 	batchv1 "k8s.io/api/batch/v1"
@@ -100,7 +100,7 @@ func (r *ScanJobController) processCompleteScanJob(ctx context.Context, job *bat
 
 	var merr error
 	for containerName, containerImage := range containerImages {
-		res, err := r.processScanJobResults(ctx, job, containerName, containerImage, owner)
+		res, err := r.processScanJobResults(ctx, job, containerName)
 		if err != nil {
 			merr = multierr.Append(merr, err)
 		} else {
@@ -124,7 +124,7 @@ func (r *ScanJobController) processCompleteScanJob(ctx context.Context, job *bat
 	return r.deleteJob(ctx, job)
 }
 
-func (r *ScanJobController) processScanJobResults(ctx context.Context, job *batchv1.Job, containerName, containerImage string, owner client.Object) (*dependencies.ScanResult, error) {
+func (r *ScanJobController) processScanJobResults(ctx context.Context, job *batchv1.Job, containerName string) (*dependencies.ScanResult, error) {
 	log := log.FromContext(ctx)
 
 	logsStream, err := r.LogsReader.GetLogsByJobAndContainerName(ctx, job, containerName)
@@ -164,8 +164,9 @@ func (r *ScanJobController) processLogStream(ctx context.Context, stream io.Read
 		return nil, err
 	}
 
-	vuln, _ := convertTrivyReport(ctx, &reports)
-	bom, _ := cyclonedx.NewMarshaler("").Marshal(reports)
+	vuln, _ := convertTrivyReport(&reports)
+	marshaller := &cyclonedx.Marshaler{}
+	bom, _ := marshaller.MarshalReport(ctx, reports)
 
 	sha := GetHashFromRepoDigest(reports.Metadata.RepoDigests, reports.ArtifactName)
 

diff --git a/pkg/controllers/workload.go b/pkg/controllers/workload.go
@@ -175,7 +175,7 @@ func (r *WorkloadController) reconcileWorkload(workloadKind kube.Kind) reconcile
 			return ctrl.Result{}, nil
 		}
 
-		exists, job, err := r.hasActiveScanJob(ctx, workloadRef, hash)
+		exists, job, err := r.hasActiveScanJob(ctx, workloadObj, hash)
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("checking scan job: %w", err)
 		}
@@ -222,8 +222,8 @@ func (r *WorkloadController) ProcessScanJob() {
 	}
 }
 
-func (r *WorkloadController) hasActiveScanJob(ctx context.Context, owner kube.ObjectRef, hash string) (bool, *batchv1.Job, error) {
-	jobName := fmt.Sprintf("scan-vulnerabilityreport-%s", kube.ComputeHash(owner))
+func (r *WorkloadController) hasActiveScanJob(ctx context.Context, owner client.Object, hash string) (bool, *batchv1.Job, error) {
+	jobName := vulnerabilityreport.GetScanJobName(owner)
 	job := &batchv1.Job{}
 	err := r.Get(ctx, client.ObjectKey{Namespace: r.Config.Namespace, Name: jobName}, job)
 	if err != nil {