fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)

Signed-off-by: Fabrizio Sestito <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: fabriziosestito

integration/sbom_test.go

@@ -186,11 +186,6 @@ func overrideSBOMReport(t *testing.T, want, got *types.Report) {
 	want.Metadata.ImageID = ""
 	want.Metadata.ImageConfig = v1.ConfigFile{}
 	want.Metadata.DiffIDs = nil
-	for i, result := range want.Results {
-		for j := range result.Vulnerabilities {
-			want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
-		}
-	}
 
 	// when running on Windows FS
 	got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))

integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden

@@ -80,6 +80,14 @@
       "version": "5.0-4",
       "purl": "pkg:deb/debian/[email protected]?distro=debian-10.2",
       "properties": [
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+        },
         {
           "name": "aquasecurity:trivy:PkgID",
           "value": "[email protected]"
@@ -105,6 +113,14 @@
       "version": "2.0.5-1",
       "purl": "pkg:deb/debian/[email protected]?distro=debian-10.2",
       "properties": [
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
+        },
         {
           "name": "aquasecurity:trivy:PkgID",
           "value": "[email protected]"
@@ -141,6 +157,14 @@
           "name": "aquasecurity:trivy:FilePath",
           "value": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec"
         },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602"
+        },
         {
           "name": "aquasecurity:trivy:PkgID",
           "value": "[email protected]"

integration/testdata/fluentd-multiple-lockfiles.json.golden

@@ -36,7 +36,10 @@
           },
           "InstalledVersion": "5.0-4",
           "Status": "affected",
-          "Layer": {},
+          "Layer": {
+            "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
           "SeveritySource": "debian",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
           "DataSource": {
@@ -102,7 +105,10 @@
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
           "Status": "fixed",
-          "Layer": {},
+          "Layer": {
+            "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
           "DataSource": {
@@ -173,7 +179,10 @@
           "InstalledVersion": "6.0.2.1",
           "FixedVersion": "6.0.3.1, 5.2.4.3",
           "Status": "fixed",
-          "Layer": {},
+          "Layer": {
+            "Digest": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602",
+            "DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+          },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
           "DataSource": {

pkg/scanner/scan.go

@@ -178,11 +178,6 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 		ptros = nil
 	}
 
-	// Layer makes sense only when scanning container images
-	if artifactInfo.Type != artifact.TypeContainerImage {
-		removeLayer(results)
-	}
-
 	return types.Report{
 		SchemaVersion: report.SchemaVersion,
 		CreatedAt:     clock.Now(ctx),
@@ -202,19 +197,3 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (t
 		BOM:     artifactInfo.BOM,
 	}, nil
 }
-
-func removeLayer(results types.Results) {
-	for i := range results {
-		result := results[i]
-
-		for j := range result.Packages {
-			result.Packages[j].Layer = ftypes.Layer{}
-		}
-		for j := range result.Vulnerabilities {
-			result.Vulnerabilities[j].Layer = ftypes.Layer{}
-		}
-		for j := range result.Misconfigurations {
-			result.Misconfigurations[j].Layer = ftypes.Layer{}
-		}
-	}
-}