fix: return the image manifest digest instead of image id (#2399)

* correctly return the image manifest digest instead of image id * rerun CI
aquasecurity · Jan 29, 2025 · fe40535 · fe40535
1 parent a742539
commit fe40535
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 6 deletions.
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io"
 	"path/filepath"
+	"strings"
 
 	"github.com/aquasecurity/trivy-operator/pkg/exposedsecretreport"
 	"github.com/aquasecurity/trivy-operator/pkg/sbomreport"
@@ -154,7 +155,9 @@ func (p *plugin) ParseReportData(ctx trivyoperator.PluginContext, imageRef strin
 		return vulnReport, secretReport, nil, err
 	}
 
-	registry, artifact, err := p.parseImageRef(imageRef, reports.Metadata.ImageID)
+	imageDigest := p.getImageDigest(reports)
+
+	registry, artifact, err := p.parseImageRef(imageRef, imageDigest)
 	if err != nil {
 		return vulnReport, secretReport, nil, err
 	}
@@ -212,7 +215,7 @@ func (p *plugin) NewConfigForConfigAudit(ctx trivyoperator.PluginContext) (confi
 	return getConfig(ctx)
 }
 
-func (p *plugin) parseImageRef(imageRef string, imageID string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
+func (p *plugin) parseImageRef(imageRef string, imageDigest string) (v1alpha1.Registry, v1alpha1.Artifact, error) {
 	ref, err := containerimage.ParseReference(imageRef)
 	if err != nil {
 		return v1alpha1.Registry{}, v1alpha1.Artifact{}, err
@@ -230,7 +233,7 @@ func (p *plugin) parseImageRef(imageRef string, imageID string) (v1alpha1.Regist
 		artifact.Digest = t.DigestStr()
 	}
 	if len(artifact.Digest) == 0 {
-		artifact.Digest = imageID
+		artifact.Digest = imageDigest
 	}
 	return registry, artifact, nil
 }
@@ -261,3 +264,17 @@ func ExcludeImage(excludeImagePattern []string, imageName string) bool {
 	}
 	return false
 }
+
+// getImageDigest extracts the image digest from the report metadata, returns empty string if not available
+func (p *plugin) getImageDigest(reports ty.Report) (string) {
+    if len(reports.Metadata.RepoDigests) == 0 {
+        return ""
+    }
+
+    split := strings.Split(reports.Metadata.RepoDigests[0], "@")
+    if len(split) < 2 {
+        return ""
+    }
+
+    return split[1]
+}
diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go
@@ -6542,6 +6542,7 @@ var (
 		Artifact: v1alpha1.Artifact{
 			Repository: "library/alpine",
 			Tag:        "3.10.2",
+			Digest:     "sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb",
 		},
 		OS: v1alpha1.OS{
 			Family: "alpine",
@@ -6592,6 +6593,7 @@ var (
 		Artifact: v1alpha1.Artifact{
 			Repository: "library/alpine",
 			Tag:        "3.10.2",
+			Digest:     "sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb",
 		},
 		Summary: v1alpha1.ExposedSecretSummary{
 			CriticalCount: 3,
@@ -6648,6 +6650,7 @@ var (
 		Artifact: v1alpha1.Artifact{
 			Repository: "library/alpine",
 			Tag:        "3.10.2",
+			Digest:     "sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb",
 		},
 		OS: v1alpha1.OS{
 			Family: "alpine",
@@ -6678,6 +6681,7 @@ var (
 		Artifact: v1alpha1.Artifact{
 			Repository: "library/alpine",
 			Tag:        "3.10.2",
+			Digest:     "sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb",
 		},
 		Summary: v1alpha1.ExposedSecretSummary{
 			CriticalCount: 0,

diff --git a/pkg/plugins/trivy/testdata/fixture/exposedsecret_report.json b/pkg/plugins/trivy/testdata/fixture/exposedsecret_report.json
@@ -5,7 +5,17 @@
       "Family": "alpine",
       "Name": "3.10.2",
       "EOSL": true
-    }
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "RepoTags": [
+      "alpine:3.10.2"
+    ],
+    "RepoDigests": [
+      "alpine@sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb"
+    ]
   },
   "Results": [
     {

diff --git a/pkg/plugins/trivy/testdata/fixture/full_report.json b/pkg/plugins/trivy/testdata/fixture/full_report.json
@@ -5,7 +5,17 @@
       "Family": "alpine",
       "Name": "3.10.2",
       "EOSL": true
-    }
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "RepoTags": [
+      "alpine:3.10.2"
+    ],
+    "RepoDigests": [
+      "alpine@sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb"
+    ]
   },
   "Results": [
     {

diff --git a/pkg/plugins/trivy/testdata/fixture/vulnerability_report.json b/pkg/plugins/trivy/testdata/fixture/vulnerability_report.json
@@ -5,7 +5,17 @@
       "Family": "alpine",
       "Name": "3.10.2",
       "EOSL": true
-    }
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "RepoTags": [
+      "alpine:3.10.2"
+    ],
+    "RepoDigests": [
+      "alpine@sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb"
+    ]
   },
   "Results": [
     {