Hi,

First of all: thanks for this great work! 🥳

When running v0.9.0 with dependency-track as target, most public available images work fine, except for ECR hosted ones:

sbom-operator-77fdbbfd87-dbznp sbom-operator time="2022-04-20T10:09:53Z" level=error msg="Image-Pull failed" error="GET https://602401143452.dkr.ecr.eu-west-1.amazonaws.com/v2/amazon-k8s-cni-init/manifests/sha256:6c70af7bf257712105a89a896b2afb86c86ace865d32eb73765bf29163a08c56: unexpected status code 401 Unauthorized: Not Authorized\n"

This ECR repo is provided by AWS and should be available for everyone. Other private ECRs give the same 401 error.

Some information about the environment:

• Kubernetes 1.21 (EKS)
• Instance has AmazonEC2ContainerRegistryReadOnly policy.

Can someone point me in te right direction? I'll add it to the README if useful for others!

Image ID's are retrieved as follows: https://github.com/ckotzbauer/sbom-operator/blob/151dde7a4046091f2ea56eaaabfc900ced1800da/internal/kubernetes/kubernetes.go#L106-L122

And they are parsed as follows: https://github.com/ckotzbauer/sbom-operator/blob/151dde7a4046091f2ea56eaaabfc900ced1800da/internal/syft/syft.go#L42

I am seeing the following error logs:

time="2022-04-06T19:40:03Z" level=error msg="Could not parse imageID docker-pullable://<rest of image id>" error="Error parsing reference: \"docker-pullable://<rest of image id>\" is not a valid repository/tag"

I believe this is because the Image ID is prefixed with docker-pullable://

I writing a small program to parse <rest of image id> using the same library used by sbom-operator: docker-parserand it works fine.

I think the simplest fix to this is to either remove the docker-pullable:// prefix or use the img.Image field instead.

Hello - thank you for starting this project - it has saved me from attempting to build the same thing! ❤️

Would you be open to a contribution to allow SBOM generation from AWS Lambda functions?

Broadly, something like:

1. Use the AWS Lambda Go SDK to call the GetFunction operation, to obtain the Code.Location URL
2. Fetch the Lambda's function code from the URL to a local temporary dir; this is generally a ZIP file
3. Invoke Syft on the local code package
4. (Tidy up?)

This would enable use of this tool in an environment in which there is a mix of Kubernetes workloads and serverless ones.

I wanted to guage your interest in whether this aligns with your project goals, before contributing a PR.

Instead of storing the generated SBOMs to Git it would be good to support different targets, e.g. "Dependency Track".

/kind feature /cc @stevespringett

When I try to configure a private Azure DevOps git repo as a target cloning fails with the following message:

level=error msg="Open or clone failed" error="unexpected client error: unexpected requesting \"https://*******@dev.azure.com/****/*************/_git/**************/git-upload-pack\" status code: 400"

I suspect the go-git lib to be responsible here as other people report similar issues: https://github.com/src-d/go-git/issues/335

This seems to have been solved for other projects by falling back to git client: https://github.com/argoproj/argo-cd/pull/1244

Secrets with type = "kubernetes.io/dockercfg" containing the pull secret in the field .dockercfg do not work.

OpenShift uses this type of secret for the internal registry - so, you cannot provide the type = "kubernetes.io/dockerconfigjson".

Hello @ckotzbauer, in cosign there is a support for attaching SBOM files to an OCI registry along with an image. So, maybe we can support that too as an alternative way of storing SBOM files instead of just storing them in git. WDYT?

Hello, first thanks for the work!

I'm looking at it and I've found something that may be a blocker for us: use of mirrors

We deploy our kubernetes in airgap environment and we configure the mirrors in containerd. That means that on the "kubernetes side", you don't see the mirrors but they are present...

Would it be feasible to add a configuration for mirror registries?

would be awesome :)

As a System Operator, I would like to add pod labels as project tags in DependencyTrack So that grouping/filtering by label in dtrack is possible

Background: We use k8s pod labels to determine and group things like application, stage, department, ...

Given the following deployment was applied to k8s cluster:
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: dependencytrack-frontend
    namespace: dependencytrack-sales-live
  spec:
    template:
        metadata:
          labels:
            app=dependencytrack
            stage=live
            department=sales
            service=inventory
        spec:
          containers:
            - name: dependencytrack-frontend
              image: dependencytrack-frontend:4.5.1
  ---
When the sbom-operator scans the pod and adds the project to dtrack
Then the following tags should be added to dtrack:
  [namespace=dependencytrack-sales-live, app=dependencytrack, stage=live, department=sales, ...]
But currently only the following tags are added:
  [namespace=dependencytrack-sales-live, ...]

What do you think about the idea of adding Labels map[string]string to struct libk8s.PodInfo and allow custom mapping of labels to dtrack project tags? What would be an appropriate way to configure the custom mapping?

sbom-operator is awesome. Thank you!

This adds tags to the Dependency-Track projects to track which were created by the SBOM operator. The following tags are created:

• sbom-operator
• kubernetes-cluster={kubernetes-cluster-id}

The kubernetes-cluster-id can be set via a command line parameter (when not specified default is used).

This is how the tags look like in the Dependency-Track UI: You can use the tags to filter for images in a certain cluster

Closes #27

Deleting a pod results in error

time="2022-09-28T14:21:56Z" level=error msg="Could not load project: The project could not be found. (status: 404)"

In DependencyTrackTarget.Remove(), populating g.imageProjectMap fails and remains empty after g.LoadImages(). As a result, dtrack project uuid for the image cannot be found.

There is a bug in DependencyTrackTarget.LoadImages(): imageId is set to empty string at the beginning of project tag for loop. Therefore it will only be added to imageProjectMap if raw-image-id is the last tag in project.Tags. However, the sbom-operator usually follows raw-image-id and resets imageId To fix this particular issue imageId = "" should be moved above the loop.

However, this is not enough to fix the actual problem that deleting a project from DependencyTrack fails. Its seems there are inconsistencies in the imageProjectMap. Once sbom-operator is running, new pods successfully create new dtrack project, but the imageId and corresponding uuid are not added to imageProjectMap. When the pod gets deleted, the project uuid resolved from imageProjectMap is 00000000-0000-0000-0000-000000000000 - the default for empty uuid.UUID{}.String() - which cannot be found in dtrack. A potential fix could be to update imageProjectMap at the end of ProcessSbom.

Hi @ckotzbauer. Thank you very much for your work trying to support Azure DevOps repos. Unfortunately it seems to be not working for me. This is the log output from a sbom-operator pod deployed into kubernetes:

time="2022-09-20T09:11:41Z" level=info msg="Commit: 0f4635d8a13131aa655e6096beb6f46a92199ce9"
time="2022-09-20T09:11:41Z" level=info msg="Built at: 2022-09-17T08:59:11Z"
time="2022-09-20T09:11:41Z" level=info msg="Built by: goreleaser"
time="2022-09-20T09:11:41Z" level=info msg="Go Version: go1.19"
time="2022-09-20T09:11:41Z" level=debug msg="Targets set to: [git]"
time="2022-09-20T09:11:41Z" level=info msg="Webserver is running at port 8080"
time="2022-09-20T09:11:41Z" level=info msg="Wait for cache to be synced"
time="2022-09-20T09:11:41Z" level=error msg="Open or clone failed" error="'git clone -b sbom-operator https://******@dev.azure.com/******/**********/_git/******************* /work/sbom' failed: Cloning 
into '/work/sbom'..."
time="2022-09-20T09:11:41Z" level=info msg="Start pod-informer"
time="2022-09-20T09:11:41Z" level=info msg="Processing image ghcr.io/ckotzbauer/sbom-operator@sha256:846b4d38b700d4c995404ff038f97b1748e3018e234b1255d7989a8ed7647a2e"
time="2022-09-20T09:11:41Z" level=info msg="Finished cache sync"
time="2022-09-20T09:11:41Z" level=error msg="An error occurred while processing /work/sbom/aks/sbom" error="lstat /work/sbom/aks/sbom: permission denied"
time="2022-09-20T09:11:41Z" level=debug msg="Pod sbom-operator/sbom-operator-788b8f6697-7k59x needs to be analyzed"
time="2022-09-20T09:11:41Z" level=debug msg="Skip image ghcr.io/ckotzbauer/sbom-operator@sha256:846b4d38b700d4c995404ff038f97b1748e3018e234b1255d7989a8ed7647a2e"
time="2022-09-20T09:11:41Z" level=error msg="An error occurred while processing /work/sbom/aks/sbom" error="lstat /work/sbom/aks/sbom: permission denied"
time="2022-09-20T09:11:44Z" level=error msg="Directory could not be created" error="mkdir /work/sbom/aks: permission denied"
time="2022-09-20T09:12:16Z" level=info msg="Processing image registry.k8s.io/ingress-nginx/kube-webhook-certgen@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47"
time="2022-09-20T09:12:18Z" level=error msg="Directory could not be created" error="mkdir /work/sbom/aks: permission denied"
time="2022-09-20T09:12:18Z" level=debug msg="Image registry.k8s.io/ingress-nginx/kube-webhook-certgen@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47 marked for removal"
time="2022-09-20T09:12:18Z" level=debug msg="Start to remove old SBOMs"
time="2022-09-20T09:12:18Z" level=error msg="Open failed" error="stat /work/sbom/.git: permission denied"
time="2022-09-20T09:12:18Z" level=debug msg="Deleted old SBOM: /work/sbom/aks/sbom/registry.k8s.io/ingress-nginx/kube-webhook-certgen/sha256_549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47/sbom.json"

Could it be that the plain git clone return is seen as an error by the wrapper code? Just guessing since it is saying 'Cloning into ...' as if it worked.