[SBOM] Keep layer info in SBOM components #32435

lebauce · 2024-12-20T17:51:22Z

What does this PR do?

Change the sbom.container_image.overlayfs_direct_scan mode to
keep the layers information attached to each component of the SBOM.

This PR also bump Trivy and uses a custom walker to implement
most of the features previously implemented in our Trivy fork.

Motivation

This allows to match vulnerabilities to the layer they are part of.

Describe how you validated your changes

Set sbom.container_image.overlayfs_direct_scan in both host and containerized mode,
for the docker, containerd and crio runtimes.

Possible Drawbacks / Trade-offs

Additional Notes

cit-pr-commenter · 2024-12-20T18:01:14Z

Go Package Import Differences

Baseline: 3982cbd
Comparison: 10f2df4

binary	os	arch	change
agent	linux	amd64	+170, -13 +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval +github.com/aquasecurity/trivy/pkg/cache +github.com/aquasecurity/trivy/pkg/db +github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment +github.com/aquasecurity/trivy/pkg/dependency/parser/executable +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python +github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest +github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile -github.com/aquasecurity/trivy/pkg/dependency/types +github.com/aquasecurity/trivy/pkg/detector/ospkg/azure -github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg -github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner +github.com/aquasecurity/trivy/pkg/fanal/artifact/container -github.com/aquasecurity/trivy/pkg/fanal/cache -github.com/aquasecurity/trivy/pkg/fanal/log +github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf +github.com/aquasecurity/trivy/pkg/iac/rego -github.com/aquasecurity/trivy/pkg/version +github.com/aquasecurity/trivy/pkg/version/app +github.com/aquasecurity/trivy/pkg/version/doc +github.com/aquasecurity/trivy/pkg/vex/repo +github.com/aquasecurity/trivy/pkg/x/slices +github.com/blang/semver +github.com/containerd/continuity/devices +github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer +github.com/digitorus/pkcs7 +github.com/digitorus/timestamp +github.com/docker/docker/pkg/system +github.com/go-chi/chi +github.com/go-chi/chi/middleware -github.com/golang/protobuf/ptypes +github.com/google/certificate-transparency-go +github.com/google/certificate-transparency-go/asn1 +github.com/google/certificate-transparency-go/gossip/minimal/x509ext +github.com/google/certificate-transparency-go/tls +github.com/google/certificate-transparency-go/x509 +github.com/google/certificate-transparency-go/x509/pkix +github.com/google/certificate-transparency-go/x509util +github.com/google/go-containerregistry/internal/windows +github.com/google/go-containerregistry/pkg/crane +github.com/google/go-containerregistry/pkg/legacy +github.com/google/go-containerregistry/pkg/legacy/tarball +github.com/google/go-containerregistry/pkg/v1/static +github.com/google/go-github/v62/github +github.com/google/go-querystring/query +github.com/hashicorp/go-retryablehttp +github.com/jedisct1/go-minisign +github.com/letsencrypt/boulder/core +github.com/letsencrypt/boulder/goodkey +github.com/letsencrypt/boulder/identifier +github.com/letsencrypt/boulder/probs +github.com/letsencrypt/boulder/revocation +github.com/letsencrypt/boulder/strictyaml +github.com/masahiro331/go-disk/fs +github.com/moby/buildkit/frontend/dockerfile/linter +github.com/nozzle/throttler +github.com/openvex/discovery/pkg/discovery +github.com/openvex/discovery/pkg/discovery/options +github.com/openvex/discovery/pkg/oci +github.com/openvex/discovery/pkg/probers/oci +github.com/openvex/go-vex/pkg/attestation -github.com/saracen/walker +github.com/sassoftware/go-rpmutils +github.com/sassoftware/go-rpmutils/cpio +github.com/sassoftware/go-rpmutils/fileutil +github.com/sassoftware/relic/lib/pkcs7 +github.com/sassoftware/relic/lib/x509tools +github.com/secure-systems-lab/go-securesystemslib/encrypted +github.com/sigstore/cosign/v2/internal/pkg/cosign +github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size +github.com/sigstore/cosign/v2/internal/pkg/now +github.com/sigstore/cosign/v2/internal/pkg/oci/remote +github.com/sigstore/cosign/v2/internal/ui +github.com/sigstore/cosign/v2/pkg/blob +github.com/sigstore/cosign/v2/pkg/cosign +github.com/sigstore/cosign/v2/pkg/cosign/bundle +github.com/sigstore/cosign/v2/pkg/cosign/env +github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil +github.com/sigstore/cosign/v2/pkg/oci +github.com/sigstore/cosign/v2/pkg/oci/empty +github.com/sigstore/cosign/v2/pkg/oci/internal/signature +github.com/sigstore/cosign/v2/pkg/oci/layout +github.com/sigstore/cosign/v2/pkg/oci/remote +github.com/sigstore/cosign/v2/pkg/oci/signed +github.com/sigstore/cosign/v2/pkg/oci/static +github.com/sigstore/cosign/v2/pkg/types +github.com/sigstore/rekor/pkg/client +github.com/sigstore/rekor/pkg/log +github.com/sigstore/rekor/pkg/pki +github.com/sigstore/rekor/pkg/pki/identity +github.com/sigstore/rekor/pkg/pki/minisign +github.com/sigstore/rekor/pkg/pki/pgp +github.com/sigstore/rekor/pkg/pki/pkcs7 +github.com/sigstore/rekor/pkg/pki/ssh +github.com/sigstore/rekor/pkg/pki/tuf +github.com/sigstore/rekor/pkg/pki/x509 +github.com/sigstore/rekor/pkg/types +github.com/sigstore/rekor/pkg/types/dsse +github.com/sigstore/rekor/pkg/types/dsse/v0.0.1 +github.com/sigstore/rekor/pkg/types/hashedrekord +github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto +github.com/sigstore/rekor/pkg/types/intoto/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto/v0.0.2 +github.com/sigstore/rekor/pkg/types/rekord +github.com/sigstore/rekor/pkg/types/rekord/v0.0.1 +github.com/sigstore/rekor/pkg/util +github.com/sigstore/sigstore/pkg/cryptoutils +github.com/sigstore/sigstore/pkg/signature +github.com/sigstore/sigstore/pkg/signature/dsse +github.com/sigstore/sigstore/pkg/signature/options +github.com/sigstore/sigstore/pkg/signature/payload +github.com/sigstore/sigstore/pkg/tuf +github.com/sigstore/timestamp-authority/pkg/verification +github.com/syndtr/goleveldb/leveldb +github.com/syndtr/goleveldb/leveldb/cache +github.com/syndtr/goleveldb/leveldb/comparer +github.com/syndtr/goleveldb/leveldb/errors +github.com/syndtr/goleveldb/leveldb/filter +github.com/syndtr/goleveldb/leveldb/iterator +github.com/syndtr/goleveldb/leveldb/journal +github.com/syndtr/goleveldb/leveldb/memdb +github.com/syndtr/goleveldb/leveldb/opt +github.com/syndtr/goleveldb/leveldb/storage +github.com/syndtr/goleveldb/leveldb/table +github.com/syndtr/goleveldb/leveldb/util -github.com/tetratelabs/wazero/internal/close -github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64 +github.com/tetratelabs/wazero/internal/expctxkeys -github.com/tetratelabs/wazero/internal/wazeroir +github.com/theupdateframework/go-tuf +github.com/theupdateframework/go-tuf/client +github.com/theupdateframework/go-tuf/client/leveldbstore +github.com/theupdateframework/go-tuf/data +github.com/theupdateframework/go-tuf/internal/fsutil +github.com/theupdateframework/go-tuf/internal/roles +github.com/theupdateframework/go-tuf/internal/sets +github.com/theupdateframework/go-tuf/internal/signer +github.com/theupdateframework/go-tuf/pkg/keys +github.com/theupdateframework/go-tuf/pkg/targets +github.com/theupdateframework/go-tuf/sign +github.com/theupdateframework/go-tuf/util +github.com/theupdateframework/go-tuf/verify +github.com/titanous/rocacheck +github.com/tonistiigi/go-csvvalue +github.com/transparency-dev/merkle +github.com/transparency-dev/merkle/compact +github.com/transparency-dev/merkle/proof +github.com/transparency-dev/merkle/rfc6962 +github.com/ulikunitz/xz/internal/hash +github.com/ulikunitz/xz/internal/xlog +github.com/ulikunitz/xz/lzma +github.com/xeipuuv/gojsonpointer +github.com/xeipuuv/gojsonreference +github.com/xeipuuv/gojsonschema +golang.org/x/crypto/cryptobyte +golang.org/x/crypto/cryptobyte/asn1 +golang.org/x/crypto/ed25519 +golang.org/x/crypto/nacl/secretbox +golang.org/x/crypto/ocsp +golang.org/x/crypto/openpgp +golang.org/x/crypto/openpgp/armor +golang.org/x/crypto/openpgp/elgamal +golang.org/x/crypto/openpgp/errors +golang.org/x/crypto/openpgp/packet +golang.org/x/crypto/openpgp/s2k +golang.org/x/crypto/salsa20/salsa +golang.org/x/crypto/ssh/terminal +golang.org/x/mod/sumdb/note +gopkg.in/go-jose/go-jose.v2 +gopkg.in/go-jose/go-jose.v2/cipher +gopkg.in/go-jose/go-jose.v2/json +rsc.io/binaryregexp +rsc.io/binaryregexp/syntax
agent	linux	arm64	+170, -13 +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval +github.com/aquasecurity/trivy/pkg/cache +github.com/aquasecurity/trivy/pkg/db +github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment +github.com/aquasecurity/trivy/pkg/dependency/parser/executable +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python +github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest +github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile -github.com/aquasecurity/trivy/pkg/dependency/types +github.com/aquasecurity/trivy/pkg/detector/ospkg/azure -github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg -github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner +github.com/aquasecurity/trivy/pkg/fanal/artifact/container -github.com/aquasecurity/trivy/pkg/fanal/cache -github.com/aquasecurity/trivy/pkg/fanal/log +github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf +github.com/aquasecurity/trivy/pkg/iac/rego -github.com/aquasecurity/trivy/pkg/version +github.com/aquasecurity/trivy/pkg/version/app +github.com/aquasecurity/trivy/pkg/version/doc +github.com/aquasecurity/trivy/pkg/vex/repo +github.com/aquasecurity/trivy/pkg/x/slices +github.com/blang/semver +github.com/containerd/continuity/devices +github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer +github.com/digitorus/pkcs7 +github.com/digitorus/timestamp +github.com/docker/docker/pkg/system +github.com/go-chi/chi +github.com/go-chi/chi/middleware -github.com/golang/protobuf/ptypes +github.com/google/certificate-transparency-go +github.com/google/certificate-transparency-go/asn1 +github.com/google/certificate-transparency-go/gossip/minimal/x509ext +github.com/google/certificate-transparency-go/tls +github.com/google/certificate-transparency-go/x509 +github.com/google/certificate-transparency-go/x509/pkix +github.com/google/certificate-transparency-go/x509util +github.com/google/go-containerregistry/internal/windows +github.com/google/go-containerregistry/pkg/crane +github.com/google/go-containerregistry/pkg/legacy +github.com/google/go-containerregistry/pkg/legacy/tarball +github.com/google/go-containerregistry/pkg/v1/static +github.com/google/go-github/v62/github +github.com/google/go-querystring/query +github.com/hashicorp/go-retryablehttp +github.com/jedisct1/go-minisign +github.com/letsencrypt/boulder/core +github.com/letsencrypt/boulder/goodkey +github.com/letsencrypt/boulder/identifier +github.com/letsencrypt/boulder/probs +github.com/letsencrypt/boulder/revocation +github.com/letsencrypt/boulder/strictyaml +github.com/masahiro331/go-disk/fs +github.com/moby/buildkit/frontend/dockerfile/linter +github.com/nozzle/throttler +github.com/openvex/discovery/pkg/discovery +github.com/openvex/discovery/pkg/discovery/options +github.com/openvex/discovery/pkg/oci +github.com/openvex/discovery/pkg/probers/oci +github.com/openvex/go-vex/pkg/attestation -github.com/saracen/walker +github.com/sassoftware/go-rpmutils +github.com/sassoftware/go-rpmutils/cpio +github.com/sassoftware/go-rpmutils/fileutil +github.com/sassoftware/relic/lib/pkcs7 +github.com/sassoftware/relic/lib/x509tools +github.com/secure-systems-lab/go-securesystemslib/encrypted +github.com/sigstore/cosign/v2/internal/pkg/cosign +github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size +github.com/sigstore/cosign/v2/internal/pkg/now +github.com/sigstore/cosign/v2/internal/pkg/oci/remote +github.com/sigstore/cosign/v2/internal/ui +github.com/sigstore/cosign/v2/pkg/blob +github.com/sigstore/cosign/v2/pkg/cosign +github.com/sigstore/cosign/v2/pkg/cosign/bundle +github.com/sigstore/cosign/v2/pkg/cosign/env +github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil +github.com/sigstore/cosign/v2/pkg/oci +github.com/sigstore/cosign/v2/pkg/oci/empty +github.com/sigstore/cosign/v2/pkg/oci/internal/signature +github.com/sigstore/cosign/v2/pkg/oci/layout +github.com/sigstore/cosign/v2/pkg/oci/remote +github.com/sigstore/cosign/v2/pkg/oci/signed +github.com/sigstore/cosign/v2/pkg/oci/static +github.com/sigstore/cosign/v2/pkg/types +github.com/sigstore/rekor/pkg/client +github.com/sigstore/rekor/pkg/log +github.com/sigstore/rekor/pkg/pki +github.com/sigstore/rekor/pkg/pki/identity +github.com/sigstore/rekor/pkg/pki/minisign +github.com/sigstore/rekor/pkg/pki/pgp +github.com/sigstore/rekor/pkg/pki/pkcs7 +github.com/sigstore/rekor/pkg/pki/ssh +github.com/sigstore/rekor/pkg/pki/tuf +github.com/sigstore/rekor/pkg/pki/x509 +github.com/sigstore/rekor/pkg/types +github.com/sigstore/rekor/pkg/types/dsse +github.com/sigstore/rekor/pkg/types/dsse/v0.0.1 +github.com/sigstore/rekor/pkg/types/hashedrekord +github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto +github.com/sigstore/rekor/pkg/types/intoto/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto/v0.0.2 +github.com/sigstore/rekor/pkg/types/rekord +github.com/sigstore/rekor/pkg/types/rekord/v0.0.1 +github.com/sigstore/rekor/pkg/util +github.com/sigstore/sigstore/pkg/cryptoutils +github.com/sigstore/sigstore/pkg/signature +github.com/sigstore/sigstore/pkg/signature/dsse +github.com/sigstore/sigstore/pkg/signature/options +github.com/sigstore/sigstore/pkg/signature/payload +github.com/sigstore/sigstore/pkg/tuf +github.com/sigstore/timestamp-authority/pkg/verification +github.com/syndtr/goleveldb/leveldb +github.com/syndtr/goleveldb/leveldb/cache +github.com/syndtr/goleveldb/leveldb/comparer +github.com/syndtr/goleveldb/leveldb/errors +github.com/syndtr/goleveldb/leveldb/filter +github.com/syndtr/goleveldb/leveldb/iterator +github.com/syndtr/goleveldb/leveldb/journal +github.com/syndtr/goleveldb/leveldb/memdb +github.com/syndtr/goleveldb/leveldb/opt +github.com/syndtr/goleveldb/leveldb/storage +github.com/syndtr/goleveldb/leveldb/table +github.com/syndtr/goleveldb/leveldb/util -github.com/tetratelabs/wazero/internal/close -github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64 +github.com/tetratelabs/wazero/internal/expctxkeys -github.com/tetratelabs/wazero/internal/wazeroir +github.com/theupdateframework/go-tuf +github.com/theupdateframework/go-tuf/client +github.com/theupdateframework/go-tuf/client/leveldbstore +github.com/theupdateframework/go-tuf/data +github.com/theupdateframework/go-tuf/internal/fsutil +github.com/theupdateframework/go-tuf/internal/roles +github.com/theupdateframework/go-tuf/internal/sets +github.com/theupdateframework/go-tuf/internal/signer +github.com/theupdateframework/go-tuf/pkg/keys +github.com/theupdateframework/go-tuf/pkg/targets +github.com/theupdateframework/go-tuf/sign +github.com/theupdateframework/go-tuf/util +github.com/theupdateframework/go-tuf/verify +github.com/titanous/rocacheck +github.com/tonistiigi/go-csvvalue +github.com/transparency-dev/merkle +github.com/transparency-dev/merkle/compact +github.com/transparency-dev/merkle/proof +github.com/transparency-dev/merkle/rfc6962 +github.com/ulikunitz/xz/internal/hash +github.com/ulikunitz/xz/internal/xlog +github.com/ulikunitz/xz/lzma +github.com/xeipuuv/gojsonpointer +github.com/xeipuuv/gojsonreference +github.com/xeipuuv/gojsonschema +golang.org/x/crypto/cryptobyte +golang.org/x/crypto/cryptobyte/asn1 +golang.org/x/crypto/ed25519 +golang.org/x/crypto/nacl/secretbox +golang.org/x/crypto/ocsp +golang.org/x/crypto/openpgp +golang.org/x/crypto/openpgp/armor +golang.org/x/crypto/openpgp/elgamal +golang.org/x/crypto/openpgp/errors +golang.org/x/crypto/openpgp/packet +golang.org/x/crypto/openpgp/s2k +golang.org/x/crypto/salsa20/salsa +golang.org/x/crypto/ssh/terminal +golang.org/x/mod/sumdb/note +gopkg.in/go-jose/go-jose.v2 +gopkg.in/go-jose/go-jose.v2/cipher +gopkg.in/go-jose/go-jose.v2/json +rsc.io/binaryregexp +rsc.io/binaryregexp/syntax
agent	windows	amd64	+0, -1 -github.com/golang/protobuf/ptypes
agent	darwin	amd64	+0, -1 -github.com/golang/protobuf/ptypes
agent	darwin	arm64	+0, -1 -github.com/golang/protobuf/ptypes
iot-agent	linux	amd64	+0, -1 -github.com/golang/protobuf/ptypes
iot-agent	linux	arm64	+0, -1 -github.com/golang/protobuf/ptypes
heroku-agent	linux	amd64	+0, -1 -github.com/golang/protobuf/ptypes
cluster-agent	linux	amd64	+0, -1 -github.com/golang/protobuf/ptypes
cluster-agent	linux	arm64	+0, -1 -github.com/golang/protobuf/ptypes
cluster-agent-cloudfoundry	linux	amd64	+0, -1 -github.com/golang/protobuf/ptypes
cluster-agent-cloudfoundry	linux	arm64	+0, -1 -github.com/golang/protobuf/ptypes
process-agent	linux	amd64	+0, -1 -github.com/golang/protobuf/ptypes
process-agent	linux	arm64	+0, -1 -github.com/golang/protobuf/ptypes
process-agent	windows	amd64	+0, -1 -github.com/golang/protobuf/ptypes
process-agent	darwin	amd64	+0, -1 -github.com/golang/protobuf/ptypes
process-agent	darwin	arm64	+0, -1 -github.com/golang/protobuf/ptypes
security-agent	linux	amd64	+0, -1 -github.com/golang/protobuf/ptypes
security-agent	linux	arm64	+0, -1 -github.com/golang/protobuf/ptypes
security-agent	windows	amd64	+0, -1 -github.com/golang/protobuf/ptypes
system-probe	linux	amd64	+153, -15 -github.com/DataDog/datadog-agent/pkg/util/crio +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval +github.com/aquasecurity/trivy/pkg/cache +github.com/aquasecurity/trivy/pkg/db +github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment +github.com/aquasecurity/trivy/pkg/dependency/parser/executable +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python +github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest +github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile -github.com/aquasecurity/trivy/pkg/dependency/types +github.com/aquasecurity/trivy/pkg/detector/ospkg/azure -github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg -github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner +github.com/aquasecurity/trivy/pkg/fanal/artifact/container -github.com/aquasecurity/trivy/pkg/fanal/cache -github.com/aquasecurity/trivy/pkg/fanal/log +github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf +github.com/aquasecurity/trivy/pkg/iac/rego -github.com/aquasecurity/trivy/pkg/version +github.com/aquasecurity/trivy/pkg/version/app +github.com/aquasecurity/trivy/pkg/version/doc +github.com/aquasecurity/trivy/pkg/vex/repo +github.com/aquasecurity/trivy/pkg/x/slices +github.com/blang/semver +github.com/containerd/continuity/devices +github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer +github.com/digitorus/pkcs7 +github.com/digitorus/timestamp +github.com/docker/docker/pkg/system +github.com/go-chi/chi +github.com/go-chi/chi/middleware +github.com/google/certificate-transparency-go +github.com/google/certificate-transparency-go/asn1 +github.com/google/certificate-transparency-go/gossip/minimal/x509ext +github.com/google/certificate-transparency-go/tls +github.com/google/certificate-transparency-go/x509 +github.com/google/certificate-transparency-go/x509/pkix +github.com/google/certificate-transparency-go/x509util +github.com/google/go-containerregistry/internal/windows +github.com/google/go-containerregistry/pkg/crane +github.com/google/go-containerregistry/pkg/legacy +github.com/google/go-containerregistry/pkg/legacy/tarball +github.com/google/go-containerregistry/pkg/v1/static +github.com/google/go-github/v62/github +github.com/google/go-querystring/query +github.com/hashicorp/go-cleanhttp +github.com/hashicorp/go-retryablehttp +github.com/jedisct1/go-minisign +github.com/letsencrypt/boulder/core +github.com/letsencrypt/boulder/goodkey +github.com/letsencrypt/boulder/identifier +github.com/letsencrypt/boulder/probs +github.com/letsencrypt/boulder/revocation +github.com/letsencrypt/boulder/strictyaml +github.com/masahiro331/go-disk/fs +github.com/moby/buildkit/frontend/dockerfile/linter +github.com/nozzle/throttler +github.com/openvex/discovery/pkg/discovery +github.com/openvex/discovery/pkg/discovery/options +github.com/openvex/discovery/pkg/oci +github.com/openvex/discovery/pkg/probers/oci +github.com/openvex/go-vex/pkg/attestation -github.com/saracen/walker +github.com/sassoftware/relic/lib/pkcs7 +github.com/sassoftware/relic/lib/x509tools +github.com/secure-systems-lab/go-securesystemslib/encrypted +github.com/sigstore/cosign/v2/internal/pkg/cosign +github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size +github.com/sigstore/cosign/v2/internal/pkg/now +github.com/sigstore/cosign/v2/internal/pkg/oci/remote +github.com/sigstore/cosign/v2/internal/ui +github.com/sigstore/cosign/v2/pkg/blob +github.com/sigstore/cosign/v2/pkg/cosign +github.com/sigstore/cosign/v2/pkg/cosign/bundle +github.com/sigstore/cosign/v2/pkg/cosign/env +github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil +github.com/sigstore/cosign/v2/pkg/oci +github.com/sigstore/cosign/v2/pkg/oci/empty +github.com/sigstore/cosign/v2/pkg/oci/internal/signature +github.com/sigstore/cosign/v2/pkg/oci/layout +github.com/sigstore/cosign/v2/pkg/oci/remote +github.com/sigstore/cosign/v2/pkg/oci/signed +github.com/sigstore/cosign/v2/pkg/oci/static +github.com/sigstore/cosign/v2/pkg/types +github.com/sigstore/rekor/pkg/client +github.com/sigstore/rekor/pkg/log +github.com/sigstore/rekor/pkg/pki +github.com/sigstore/rekor/pkg/pki/identity +github.com/sigstore/rekor/pkg/pki/minisign +github.com/sigstore/rekor/pkg/pki/pgp +github.com/sigstore/rekor/pkg/pki/pkcs7 +github.com/sigstore/rekor/pkg/pki/ssh +github.com/sigstore/rekor/pkg/pki/tuf +github.com/sigstore/rekor/pkg/pki/x509 +github.com/sigstore/rekor/pkg/types +github.com/sigstore/rekor/pkg/types/dsse +github.com/sigstore/rekor/pkg/types/dsse/v0.0.1 +github.com/sigstore/rekor/pkg/types/hashedrekord +github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto +github.com/sigstore/rekor/pkg/types/intoto/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto/v0.0.2 +github.com/sigstore/rekor/pkg/types/rekord +github.com/sigstore/rekor/pkg/types/rekord/v0.0.1 +github.com/sigstore/rekor/pkg/util +github.com/sigstore/sigstore/pkg/cryptoutils +github.com/sigstore/sigstore/pkg/signature +github.com/sigstore/sigstore/pkg/signature/dsse +github.com/sigstore/sigstore/pkg/signature/options +github.com/sigstore/sigstore/pkg/signature/payload +github.com/sigstore/sigstore/pkg/tuf +github.com/sigstore/timestamp-authority/pkg/verification -github.com/tetratelabs/wazero/internal/close -github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64 +github.com/tetratelabs/wazero/internal/expctxkeys -github.com/tetratelabs/wazero/internal/wazeroir +github.com/theupdateframework/go-tuf +github.com/theupdateframework/go-tuf/client +github.com/theupdateframework/go-tuf/client/leveldbstore +github.com/theupdateframework/go-tuf/data +github.com/theupdateframework/go-tuf/internal/fsutil +github.com/theupdateframework/go-tuf/internal/roles +github.com/theupdateframework/go-tuf/internal/sets +github.com/theupdateframework/go-tuf/internal/signer +github.com/theupdateframework/go-tuf/pkg/keys +github.com/theupdateframework/go-tuf/pkg/targets +github.com/theupdateframework/go-tuf/sign +github.com/theupdateframework/go-tuf/util +github.com/theupdateframework/go-tuf/verify +github.com/titanous/rocacheck +github.com/tonistiigi/go-csvvalue +github.com/transparency-dev/merkle +github.com/transparency-dev/merkle/compact +github.com/transparency-dev/merkle/proof +github.com/transparency-dev/merkle/rfc6962 +github.com/xeipuuv/gojsonpointer +github.com/xeipuuv/gojsonreference +github.com/xeipuuv/gojsonschema +golang.org/x/crypto/cryptobyte +golang.org/x/crypto/cryptobyte/asn1 +golang.org/x/crypto/ed25519 +golang.org/x/crypto/nacl/secretbox +golang.org/x/crypto/ocsp +golang.org/x/crypto/openpgp +golang.org/x/crypto/openpgp/armor +golang.org/x/crypto/openpgp/elgamal +golang.org/x/crypto/openpgp/errors +golang.org/x/crypto/openpgp/packet +golang.org/x/crypto/openpgp/s2k +golang.org/x/crypto/salsa20/salsa +golang.org/x/crypto/ssh/terminal +golang.org/x/mod/sumdb/note +gopkg.in/go-jose/go-jose.v2 +gopkg.in/go-jose/go-jose.v2/cipher +gopkg.in/go-jose/go-jose.v2/json -k8s.io/api/core/v1 -k8s.io/cri-api/pkg/apis/runtime/v1 +rsc.io/binaryregexp +rsc.io/binaryregexp/syntax
system-probe	linux	arm64	+153, -15 -github.com/DataDog/datadog-agent/pkg/util/crio +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure +github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner -github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval +github.com/aquasecurity/trivy/pkg/cache +github.com/aquasecurity/trivy/pkg/db +github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment +github.com/aquasecurity/trivy/pkg/dependency/parser/executable +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php +github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python +github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest +github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile -github.com/aquasecurity/trivy/pkg/dependency/types +github.com/aquasecurity/trivy/pkg/detector/ospkg/azure -github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt +github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg -github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner +github.com/aquasecurity/trivy/pkg/fanal/artifact/container -github.com/aquasecurity/trivy/pkg/fanal/cache -github.com/aquasecurity/trivy/pkg/fanal/log +github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf +github.com/aquasecurity/trivy/pkg/iac/rego -github.com/aquasecurity/trivy/pkg/version +github.com/aquasecurity/trivy/pkg/version/app +github.com/aquasecurity/trivy/pkg/version/doc +github.com/aquasecurity/trivy/pkg/vex/repo +github.com/aquasecurity/trivy/pkg/x/slices +github.com/blang/semver +github.com/containerd/continuity/devices +github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer +github.com/digitorus/pkcs7 +github.com/digitorus/timestamp +github.com/docker/docker/pkg/system +github.com/go-chi/chi +github.com/go-chi/chi/middleware +github.com/google/certificate-transparency-go +github.com/google/certificate-transparency-go/asn1 +github.com/google/certificate-transparency-go/gossip/minimal/x509ext +github.com/google/certificate-transparency-go/tls +github.com/google/certificate-transparency-go/x509 +github.com/google/certificate-transparency-go/x509/pkix +github.com/google/certificate-transparency-go/x509util +github.com/google/go-containerregistry/internal/windows +github.com/google/go-containerregistry/pkg/crane +github.com/google/go-containerregistry/pkg/legacy +github.com/google/go-containerregistry/pkg/legacy/tarball +github.com/google/go-containerregistry/pkg/v1/static +github.com/google/go-github/v62/github +github.com/google/go-querystring/query +github.com/hashicorp/go-cleanhttp +github.com/hashicorp/go-retryablehttp +github.com/jedisct1/go-minisign +github.com/letsencrypt/boulder/core +github.com/letsencrypt/boulder/goodkey +github.com/letsencrypt/boulder/identifier +github.com/letsencrypt/boulder/probs +github.com/letsencrypt/boulder/revocation +github.com/letsencrypt/boulder/strictyaml +github.com/masahiro331/go-disk/fs +github.com/moby/buildkit/frontend/dockerfile/linter +github.com/nozzle/throttler +github.com/openvex/discovery/pkg/discovery +github.com/openvex/discovery/pkg/discovery/options +github.com/openvex/discovery/pkg/oci +github.com/openvex/discovery/pkg/probers/oci +github.com/openvex/go-vex/pkg/attestation -github.com/saracen/walker +github.com/sassoftware/relic/lib/pkcs7 +github.com/sassoftware/relic/lib/x509tools +github.com/secure-systems-lab/go-securesystemslib/encrypted +github.com/sigstore/cosign/v2/internal/pkg/cosign +github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size +github.com/sigstore/cosign/v2/internal/pkg/now +github.com/sigstore/cosign/v2/internal/pkg/oci/remote +github.com/sigstore/cosign/v2/internal/ui +github.com/sigstore/cosign/v2/pkg/blob +github.com/sigstore/cosign/v2/pkg/cosign +github.com/sigstore/cosign/v2/pkg/cosign/bundle +github.com/sigstore/cosign/v2/pkg/cosign/env +github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil +github.com/sigstore/cosign/v2/pkg/oci +github.com/sigstore/cosign/v2/pkg/oci/empty +github.com/sigstore/cosign/v2/pkg/oci/internal/signature +github.com/sigstore/cosign/v2/pkg/oci/layout +github.com/sigstore/cosign/v2/pkg/oci/remote +github.com/sigstore/cosign/v2/pkg/oci/signed +github.com/sigstore/cosign/v2/pkg/oci/static +github.com/sigstore/cosign/v2/pkg/types +github.com/sigstore/rekor/pkg/client +github.com/sigstore/rekor/pkg/log +github.com/sigstore/rekor/pkg/pki +github.com/sigstore/rekor/pkg/pki/identity +github.com/sigstore/rekor/pkg/pki/minisign +github.com/sigstore/rekor/pkg/pki/pgp +github.com/sigstore/rekor/pkg/pki/pkcs7 +github.com/sigstore/rekor/pkg/pki/ssh +github.com/sigstore/rekor/pkg/pki/tuf +github.com/sigstore/rekor/pkg/pki/x509 +github.com/sigstore/rekor/pkg/types +github.com/sigstore/rekor/pkg/types/dsse +github.com/sigstore/rekor/pkg/types/dsse/v0.0.1 +github.com/sigstore/rekor/pkg/types/hashedrekord +github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto +github.com/sigstore/rekor/pkg/types/intoto/v0.0.1 +github.com/sigstore/rekor/pkg/types/intoto/v0.0.2 +github.com/sigstore/rekor/pkg/types/rekord +github.com/sigstore/rekor/pkg/types/rekord/v0.0.1 +github.com/sigstore/rekor/pkg/util +github.com/sigstore/sigstore/pkg/cryptoutils +github.com/sigstore/sigstore/pkg/signature +github.com/sigstore/sigstore/pkg/signature/dsse +github.com/sigstore/sigstore/pkg/signature/options +github.com/sigstore/sigstore/pkg/signature/payload +github.com/sigstore/sigstore/pkg/tuf +github.com/sigstore/timestamp-authority/pkg/verification -github.com/tetratelabs/wazero/internal/close -github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64 +github.com/tetratelabs/wazero/internal/expctxkeys -github.com/tetratelabs/wazero/internal/wazeroir +github.com/theupdateframework/go-tuf +github.com/theupdateframework/go-tuf/client +github.com/theupdateframework/go-tuf/client/leveldbstore +github.com/theupdateframework/go-tuf/data +github.com/theupdateframework/go-tuf/internal/fsutil +github.com/theupdateframework/go-tuf/internal/roles +github.com/theupdateframework/go-tuf/internal/sets +github.com/theupdateframework/go-tuf/internal/signer +github.com/theupdateframework/go-tuf/pkg/keys +github.com/theupdateframework/go-tuf/pkg/targets +github.com/theupdateframework/go-tuf/sign +github.com/theupdateframework/go-tuf/util +github.com/theupdateframework/go-tuf/verify +github.com/titanous/rocacheck +github.com/tonistiigi/go-csvvalue +github.com/transparency-dev/merkle +github.com/transparency-dev/merkle/compact +github.com/transparency-dev/merkle/proof +github.com/transparency-dev/merkle/rfc6962 +github.com/xeipuuv/gojsonpointer +github.com/xeipuuv/gojsonreference +github.com/xeipuuv/gojsonschema +golang.org/x/crypto/cryptobyte +golang.org/x/crypto/cryptobyte/asn1 +golang.org/x/crypto/ed25519 +golang.org/x/crypto/nacl/secretbox +golang.org/x/crypto/ocsp +golang.org/x/crypto/openpgp +golang.org/x/crypto/openpgp/armor +golang.org/x/crypto/openpgp/elgamal +golang.org/x/crypto/openpgp/errors +golang.org/x/crypto/openpgp/packet +golang.org/x/crypto/openpgp/s2k +golang.org/x/crypto/salsa20/salsa +golang.org/x/crypto/ssh/terminal +golang.org/x/mod/sumdb/note +gopkg.in/go-jose/go-jose.v2 +gopkg.in/go-jose/go-jose.v2/cipher +gopkg.in/go-jose/go-jose.v2/json -k8s.io/api/core/v1 -k8s.io/cri-api/pkg/apis/runtime/v1 +rsc.io/binaryregexp +rsc.io/binaryregexp/syntax

agent-platform-auto-pr · 2024-12-23T12:27:47Z

Uncompressed package size comparison

Comparison with ancestor 3982cbd7722ac20c42504cd202c2baee64640762

Diff per package

package	diff	status	size	ancestor	threshold
datadog-agent-x86_64-rpm	1.65MB	⚠️	1198.94MB	1197.29MB	140.00MB
datadog-agent-x86_64-suse	1.65MB	⚠️	1198.94MB	1197.29MB	140.00MB
datadog-agent-amd64-deb	1.65MB	⚠️	1189.68MB	1188.03MB	140.00MB
datadog-agent-arm64-deb	0.06MB	⚠️	934.02MB	933.96MB	140.00MB
datadog-agent-aarch64-rpm	0.06MB	⚠️	943.26MB	943.20MB	140.00MB
datadog-heroku-agent-amd64-deb	0.02MB	⚠️	505.11MB	505.09MB	70.00MB
datadog-iot-agent-x86_64-rpm	0.00MB	✅	113.41MB	113.41MB	10.00MB
datadog-iot-agent-x86_64-suse	0.00MB	✅	113.41MB	113.41MB	10.00MB
datadog-iot-agent-amd64-deb	0.00MB	✅	113.34MB	113.34MB	10.00MB
datadog-dogstatsd-amd64-deb	0.00MB	✅	78.57MB	78.57MB	10.00MB
datadog-dogstatsd-x86_64-rpm	0.00MB	✅	78.65MB	78.65MB	10.00MB
datadog-dogstatsd-x86_64-suse	0.00MB	✅	78.65MB	78.65MB	10.00MB
datadog-dogstatsd-arm64-deb	0.00MB	✅	55.77MB	55.77MB	10.00MB
datadog-iot-agent-arm64-deb	-0.01MB	✅	108.81MB	108.81MB	10.00MB
datadog-iot-agent-aarch64-rpm	-0.01MB	✅	108.88MB	108.88MB	10.00MB

Decision

⚠️ Warning

agent-platform-auto-pr · 2024-12-23T12:27:48Z

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv aws.create-vm --pipeline-id=51753970 --os-family=ubuntu

Note: This applies to commit 10f2df4

cit-pr-commenter · 2024-12-23T13:01:31Z

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 6ff3e5f4-52e9-49df-8ebf-3f93a76cd2a2

Baseline: 3982cbd
Comparison: 10f2df4
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+2.33	[-0.95, +5.62]	1	Logs
➖	quality_gate_idle	memory utilization	+1.36	[+1.32, +1.40]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+1.26	[+0.57, +1.95]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.68	[+0.60, +0.77]	1	Logs bounds checks dashboard
➖	file_tree	memory utilization	+0.67	[+0.54, +0.79]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.12	[-0.80, +1.03]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.12	[-0.62, +0.85]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	+0.06	[-0.78, +0.89]	1	Logs
➖	file_to_blackhole_0ms_latency_http1	egress throughput	+0.04	[-0.77, +0.85]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.03	[-0.75, +0.80]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.00	[-0.64, +0.65]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.01, +0.01]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.10, +0.10]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.08	[-0.15, -0.00]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.08	[-0.88, +0.72]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	-0.34	[-0.80, +0.12]	1	Logs
➖	otel_to_otel_logs	ingress throughput	-0.52	[-1.20, +0.16]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10
✅	quality_gate_logs	memory_usage	10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

✅ = significantly better comparison variant performance
❌ = significantly worse comparison variant performance
➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.

.copyright-overrides.yml

pducolin

ok for changes owned by @DataDog/agent-devx-loops

internal/tools/go.mod

pkg/util/trivy/crio.go

pkg/util/trivy/docker.go

pkg/util/trivy/overlayfs.go

pkg/util/trivy/crio.go

pkg/sbom/scanner/scanner.go

sblumenthal · 2024-12-23T16:43:22Z

go.mod

 	// Maps to Trivy fork https://github.com/DataDog/trivy/commits/use-fs-main-dd/
-	github.com/aquasecurity/trivy => github.com/DataDog/trivy v0.0.0-20241216135157-95e0e96002ee
+	github.com/aquasecurity/trivy => github.com/DataDog/trivy v0.0.0-20241223160824-d6db1f1a84ce


This comment doesn't appear to be correct, as it looks like this commit is coming from a different branch. Moreover, it looks like the new branch does not have a bunch of commits that were present in the previous branch, so just double checking that this is expected

The comment is indeed incorrect. The new branch seems to be based on main of Trivy and includes a commit (DataDog/trivy@f11c14f) that bundles a bunch of commits. I did my best to check that we are not missing something here.

lebauce · 2024-12-24T08:19:35Z

/merge

dd-devflow · 2024-12-24T08:19:42Z

Devflow running: `/merge`

View all feedbacks in Devflow UI.

2024-12-24 08:19:41 UTC ℹ️ MergeQueue: pull request added to the queue

The median merge time in main is 35m.

2024-12-24 08:58:46 UTC ℹ️ MergeQueue: This merge request was merged

lebauce added changelog/no-changelog team/agent-security qa/rc-required Only for a PR that requires validation on the Release Candidate labels Dec 20, 2024

lebauce added this to the 7.63.0 milestone Dec 20, 2024

lebauce requested review from a team as code owners December 20, 2024 17:51

lebauce force-pushed the lebauce/trivy-sbom-layers branch from 7da1ad1 to 94636e8 Compare December 23, 2024 01:35

lebauce requested review from a team as code owners December 23, 2024 01:35

github-actions bot added component/system-probe long review PR is complex, plan time to review it labels Dec 23, 2024

lebauce force-pushed the lebauce/trivy-sbom-layers branch 3 times, most recently from 2ebcefb to aa87ba3 Compare December 23, 2024 11:55

chouetz approved these changes Dec 23, 2024

View reviewed changes

.copyright-overrides.yml Show resolved Hide resolved

pducolin approved these changes Dec 23, 2024

View reviewed changes

internal/tools/go.mod Outdated Show resolved Hide resolved

lebauce force-pushed the lebauce/trivy-sbom-layers branch from 1f98c1d to dea78d9 Compare December 23, 2024 15:47

paulcacheux reviewed Dec 23, 2024

View reviewed changes

pkg/util/trivy/crio.go Outdated Show resolved Hide resolved

pkg/util/trivy/docker.go Outdated Show resolved Hide resolved

pkg/util/trivy/overlayfs.go Show resolved Hide resolved

pkg/util/trivy/crio.go Outdated Show resolved Hide resolved

lebauce added 8 commits December 23, 2024 17:30

Keep layers information

76ac638

Bump trivy fork

6705072

Update licenses

0a1b21e

Allow single quote in names

7340b45

Make it work for CRI-O

bd74f5a

Add missing file header

75c54ce

Add sha256 prefix to diff ID for CRI-O

b73d8c8

Fix build tags

9c99405

lebauce added 5 commits December 23, 2024 17:32

Make linters happy

ce29262

Remove commented out lines

b137828

Remove dependency on github.com/google/licenseclassifier/v2

4b46f2c

Use crio build tag

f528bbf

Address comments

f92329a

lebauce force-pushed the lebauce/trivy-sbom-layers branch from 36878b3 to f92329a Compare December 23, 2024 16:33

paulcacheux approved these changes Dec 23, 2024

View reviewed changes

sblumenthal approved these changes Dec 23, 2024

View reviewed changes

lebauce added 5 commits December 23, 2024 18:39

Fix comment regarding trivy fork

6b293a6

Restore default scan timeout to 30 seconds

78c8a35

Fix licenses

71e2d5e

Use fs.WalkDir instead of filepath.WalkDir

3114807

Bump trivy fork

ea04a33

lebauce force-pushed the lebauce/trivy-sbom-layers branch from b65fa2f to ea04a33 Compare December 24, 2024 00:47

Fix support for CRI-O

10f2df4

dd-mergequeue bot merged commit 653ea31 into main Dec 24, 2024
415 checks passed

dd-mergequeue bot deleted the lebauce/trivy-sbom-layers branch December 24, 2024 08:58

github-actions bot modified the milestones: 7.63.0, 7.62.0 Dec 24, 2024

louis-cqrl pushed a commit that referenced this pull request Dec 25, 2024

[SBOM] Keep layer info in SBOM components (#32435)

5d6fd07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SBOM] Keep layer info in SBOM components #32435

[SBOM] Keep layer info in SBOM components #32435

lebauce commented Dec 20, 2024 •

edited

Loading

cit-pr-commenter bot commented Dec 20, 2024 •

edited

Loading

agent-platform-auto-pr bot commented Dec 23, 2024 •

edited

Loading

agent-platform-auto-pr bot commented Dec 23, 2024 •

edited

Loading

cit-pr-commenter bot commented Dec 23, 2024 •

edited

Loading

Fine details of change detection per experiment

Bounds Checks: ✅ Passed

Explanation

pducolin left a comment

sblumenthal Dec 23, 2024

lebauce Dec 23, 2024 •

edited

Loading

lebauce commented Dec 24, 2024

dd-devflow bot commented Dec 24, 2024 •

edited

Loading

[SBOM] Keep layer info in SBOM components #32435

[SBOM] Keep layer info in SBOM components #32435

Conversation

lebauce commented Dec 20, 2024 • edited Loading

What does this PR do?

Motivation

Describe how you validated your changes

Possible Drawbacks / Trade-offs

Additional Notes

cit-pr-commenter bot commented Dec 20, 2024 • edited Loading

Go Package Import Differences

agent-platform-auto-pr bot commented Dec 23, 2024 • edited Loading

Uncompressed package size comparison

Decision

agent-platform-auto-pr bot commented Dec 23, 2024 • edited Loading

Test changes on VM

cit-pr-commenter bot commented Dec 23, 2024 • edited Loading

Regression Detector

Regression Detector Results

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

Bounds Checks: ✅ Passed

Explanation

CI Pass/Fail Decision

pducolin left a comment

Choose a reason for hiding this comment

sblumenthal Dec 23, 2024

Choose a reason for hiding this comment

lebauce Dec 23, 2024 • edited Loading

Choose a reason for hiding this comment

lebauce commented Dec 24, 2024

dd-devflow bot commented Dec 24, 2024 • edited Loading

Devflow running: /merge

lebauce commented Dec 20, 2024 •

edited

Loading

cit-pr-commenter bot commented Dec 20, 2024 •

edited

Loading

agent-platform-auto-pr bot commented Dec 23, 2024 •

edited

Loading

agent-platform-auto-pr bot commented Dec 23, 2024 •

edited

Loading

cit-pr-commenter bot commented Dec 23, 2024 •

edited

Loading

lebauce Dec 23, 2024 •

edited

Loading

dd-devflow bot commented Dec 24, 2024 •

edited

Loading

Devflow running: `/merge`