kubescape · Jan 16, 2024 · Jan 16, 2024 · Jan 16, 2024 · Jan 17, 2024 · Jan 17, 2024
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,3 @@
+**/.git
+vendor
+artifacts
diff --git a/.github/workflows/pr-created.yaml b/.github/workflows/pr-created.yaml
@@ -3,7 +3,7 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review]
     paths-ignore:
-      - '*.md' 
+      - '*.md'
       - '*.yaml'
       - '.github/workflows/*'
 
@@ -16,5 +16,5 @@ jobs:
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-created.yaml@main
     with:
       CGO_ENABLED: 0
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.23"
     secrets: inherit
diff --git a/.github/workflows/pr-merged.yaml b/.github/workflows/pr-merged.yaml
@@ -2,15 +2,15 @@ name: build
 on:
   pull_request_target:
     types: [closed]
-    branches: 
+    branches:
     - 'main'
     paths-ignore:
       - '**.md' ### Ignore running when README.MD changed.
       - '.github/workflows/*' ### Ignore running when files under path: .github/workflows/* changed.
-      
+
 jobs:
   pr-merged:
-    if: ${{ github.event.pull_request.merged == true }} ## Skip if not merged 
+    if: ${{ github.event.pull_request.merged == true }} ## Skip if not merged
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
     with:
       IMAGE_NAME: quay.io/${{ github.repository_owner }}/storage
@@ -19,7 +19,7 @@ jobs:
       CGO_ENABLED: 0
       GO111MODULE: "on"
       BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.23"
       REQUIRED_TESTS: '[
                         "relevantCVEs",
                         "relevancy_enabled_stop_sniffing",

diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -0,0 +1,5 @@
+# Adopters
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,5 @@
+# Code of Conduct
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md)
diff --git a/COMMUNITY.md b/COMMUNITY.md
@@ -0,0 +1,5 @@
+# Community
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,7 +1,5 @@
-# Contributing guidelines
+# Contributing
 
-Do not open pull requests directly against this repository, they will be ignored. Instead, please open pull requests against [kubernetes/kubernetes](https://git.k8s.io/kubernetes/).  Please follow the same [contributing guide](https://git.k8s.io/kubernetes/CONTRIBUTING.md) you would follow for any other pull request made to kubernetes/kubernetes.
+The Kubescape project manages this document in the central project repository.
 
-This repository is published from [kubernetes/kubernetes/staging/src/k8s.io/sample-apiserver](https://git.k8s.io/kubernetes/staging/src/k8s.io/sample-apiserver) by the [kubernetes publishing-bot](https://git.k8s.io/publishing-bot).
-
-Please see [Staging Directory and Publishing](https://git.k8s.io/community/contributors/devel/sig-architecture/staging.md) for more information
+Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -0,0 +1,5 @@
+# Governance
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -1,3 +1,5 @@
-# Project maintainers
+# Maintainers
 
-Kubescape Storage is part of the Kubescape project, see maintainers [here](https://github.com/kubescape/kubescape/blob/master/MAINTAINERS.md)
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)
diff --git a/Makefile b/Makefile
@@ -1,13 +1,14 @@
 DOCKERFILE_PATH=./build/Dockerfile
 BINARY_NAME=storage
 
+TAG?=test
 IMAGE?=quay.io/kubescape/$(BINARY_NAME)
 
 
 build:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $(BINARY_NAME)
 
 docker-build:
-	docker buildx build --platform linux/amd64 -t $(IMAGE):$(TAG) -f $(DOCKERFILE_PATH) .
+	docker buildx build --platform linux/amd64 -t $(IMAGE):$(TAG) --load -f $(DOCKERFILE_PATH) .
 docker-push:
 	docker push $(IMAGE):$(TAG)
diff --git a/README.md b/README.md
@@ -60,6 +60,56 @@ then you already have a copy of this demo in
 `kubernetes/staging/src/k8s.io/sample-apiserver` and its dependencies
 --- including the code generator --- are in usable locations.
 
+## Design changes
+
+Compared to the upstream repository, the following changes have been made:
+- metadata are stored in a SQLite database
+- payload are stored in a virtual filesystem (afero) mapping to a directory
+
+### Database schema
+
+```mermaid
+erDiagram
+   METADATA {
+        string kind
+        string namespace
+        string name
+        JSON metadata
+    }
+    RESOURCE only one to one METADATA : has
+```
+
+Metadata are stored in JSON format, and should be unmarshalled to the appropriate struct when needed.
+
+GetList() operations should support pagination, we are using ROWID to sort the results and limit the number
+of rows returned. On subsequent calls, the client provides the last ROWID to get the next page.
+
+### Filesystem layout
+
+The filesystem contains both the metadata database and the payload files.
+
+```mermaid
+graph LR
+    root["/data/"] --> metadata.sq3
+    root --> metadata.sq3-shm
+    root --> metadata.sq3-wal
+    root --> spdx["spdx.softwarecomposition.kubescape.io/"]
+    spdx --> ap["applicationprofiles/"]
+    ap --> aps["..."]
+    spdx --> sbom["sbomsyft/"]
+    sbom --> sboms["..."]
+    spdx --> sbomf["sbomsyftfiltered/"]
+    sbomf --> sbomfs["..."]
+    spdx --> vuln["vulnerabilitymanifests/"]
+    vuln --> ns1["namespace1/"]
+    ns1 --> dp1["deployment-deployment1.g"]
+    ns1 --> dp2["deployment-deployment2.g"]
+    ns1 --> pod1["pod-pod1.g"]
+    ns1 --> st1["statefulset-statefulset1.g"]
+```
+
+Payloads are stored in Gob format, and since they can be quite big, we are using direct I/O when possible
+to reduce memory allocations when unmarshalling them.
 
 ## Normal Build and Deploy
 
@@ -91,22 +141,31 @@ The code generation script will give you warnings about API rule violations.
 Don’t mind them. To address these warnings, add them to the exclusion list as
 show in the updated upstream repo.
 
-You will also see a warning about `generate-internal-groups.sh` being deprecated:
+Now it's time to generate the protobuf code:
 ```
-WARNING: generate-internal-groups.sh is deprecated.
-WARNING: Please use k8s.io/code-generator/kube_codegen.sh instead.
+docker buildx build --file build/protoc.Dockerfile --platform linux/amd64 --tag protoc --load .
+docker run --rm -it -v "$(pwd):/work" protoc
+mkdir -p github.com/kubescape/storage
+ln -sf /work/pkg github.com/kubescape/storage/
+/go/bin/go-to-protobuf --packages=github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1 --go-header-file=./hack/boilerplate.go.txt --apimachinery-packages='-k8s.io/apimachinery/pkg/util/intstr,-k8s.io/apimachinery/pkg/api/resource,-k8s.io/apimachinery/pkg/runtime/schema,-k8s.io/apimachinery/pkg/runtime,-k8s.io/apimachinery/pkg/apis/meta/v1,-k8s.io/apimachinery/pkg/apis/meta/v1beta1,-k8s.io/api/core/v1,-k8s.io/api/rbac/v1' --proto-import=/go/src/k8s.io/kubernetes/staging/src/ --proto-import=/go/src/k8s.io/kubernetes/vendor
 ```
 
-This is valid, and upstream has also been updated to use the latest code
-generation script — `kube_codegen.sh`. However, as of now it breaks code
-generation for us, and we had no opportunity to reconcile the changes.
-
 Once the code generation finishes successfully, you should be able to run tests and build the binary with no errors:
 ```
 go build -v ./...
 go test -v -failfast -count=1 ./...
 ```
 
+### Storage operations
+
+During storage operations there are several opportunities to either reject the request or modify the stored object before it is written.
+
+Each type of operation (Create/Update/Delete) has its own set of functions that will run in the lifecycle of the request.
+
+These functions are declared in `pkg/registry/softwarecomposition/<type>/strategy.go`
+
+Read more about each function and its use [here](https://github.com/kubernetes-sigs/apiserver-builder-alpha/blob/master/docs/concepts/api_building_overview.md#storage-operations)
+
 ### Authentication plugins
 
 The normal build supports only a very spare selection of

diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -4,15 +4,19 @@ header:
   last-reviewed: '2023-10-12'
   expiration-date: '2024-10-12T01:00:00.000Z'
   project-url: https://github.com/kubescape/kubevuln/
-  project-release: '1.0.0'
+  project-release: 1.0.0
 project-lifecycle:
   stage: active
   bug-fixes-only: false
   core-maintainers:
-  - github:slashben
+  - github:amirmalka
+  - github:amitschendel
+  - github:bezbran
   - github:craigbox
-  - github:matthyx
   - github:dwertent
+  - github:matthyx
+  - github:rotemamsa
+  - github:slashben
 contribution-policy:
   accepts-pull-requests: true
   accepts-automated-pull-requests: false

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,7 +1,5 @@
-# Reporting Security Issues
+# Security
 
-To report a security issue or vulnerability, submit a [private vulnerability report via GitHub](https://github.com/kubescape/kubevuln/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+The Kubescape project manages this document in the central project repository.
 
-The maintainers will respond within 7 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.
-
-Other contacts: cncf-kubescape-maintainers@lists.cncf.io
+Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)
diff --git a/artifacts/configurationscansummaries/01-example.yaml b/artifacts/configurationscansummaries/01-example.yaml
@@ -13,4 +13,3 @@ spec:
     low: 2
     unknown: 2
   controls: {}
-
diff --git a/artifacts/configurationscansummaries/02-example.yaml b/artifacts/configurationscansummaries/02-example.yaml
@@ -13,6 +13,3 @@ spec:
     low: 5
     unknown: 5
   controls: {}
-
-
-
diff --git a/artifacts/configurationscansummaries/03-example.yaml b/artifacts/configurationscansummaries/03-example.yaml
@@ -12,4 +12,4 @@ spec:
     medium: 5
     low: 5
     unknown: 5
-  controls: {}
+  controls: {}
diff --git a/artifacts/configurationscansummaries/04-example.yaml b/artifacts/configurationscansummaries/04-example.yaml
@@ -12,4 +12,4 @@ spec:
     medium: 5
     low: 5
     unknown: 5
-  controls: {}
+  controls: {}
diff --git a/artifacts/networkneighborhood/01-example.yaml b/artifacts/networkneighborhood/01-example.yaml
@@ -0,0 +1,42 @@
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+kind: NetworkNeighborhood
+metadata:
+  name: deployment-nginx
+  annotations:
+    kubescape.io/status: ready
+  labels:
+      "kubescape.io/workload-api-group": "apps"
+      "kubescape.io/workload-api-version": "v1"
+      "kubescape.io/workload-name": "nginx"
+      "kubescape.io/workload-kind": "deployment"
+      "kubescape.io/workload-namespace": "kubescape"
+
+spec:
+  matchLabels:
+      app: nginx
+
+  containers:
+    - name: nginx
+      ingress:
+      - type: internal
+        identifier: bla
+        namespaceSelector:
+            matchLabels:
+              name: kubescape
+        podSelector:
+            matchLabels:
+              app: kubescape-ui
+        ports:
+        -   name: TCP-6379
+            protocol: TCP
+            port: 6379
+
+      egress:
+      - type: external
+        identifier: bla
+        ipAddress: 123.5.2.3
+        dns: stripe.com
+        ports:
+        - name: TCP-5978
+          protocol: TCP
+          port: 5978
diff --git a/artifacts/sbomsummaries/01-example.yaml b/artifacts/sbomsummaries/01-example.yaml
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm AS builder
 
 ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
@@ -9,7 +9,7 @@ RUN --mount=target=. \
     --mount=type=cache,target=/go/pkg \
     GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/storage .
 
-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
 
 COPY --from=builder /out/storage /usr/bin/storage
 

diff --git a/build/protoc.Dockerfile b/build/protoc.Dockerfile
@@ -0,0 +1,13 @@
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm AS builder
+
+ENV GO111MODULE=on CGO_ENABLED=0
+WORKDIR /work
+
+RUN git clone -q --depth 1 https://github.com/kubernetes/kubernetes.git /go/src/k8s.io/kubernetes
+RUN go install github.com/gogo/protobuf/protoc-gen-gogo@latest
+RUN go install golang.org/x/tools/cmd/goimports@latest
+RUN go install k8s.io/code-generator/cmd/go-to-protobuf@latest
+RUN apt-get update && apt-get install -y unzip
+RUN wget -q -O /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v28.0/protoc-28.0-linux-x86_64.zip && \
+    unzip -q /tmp/protoc.zip -d /usr/local && \
+    rm /tmp/protoc.zip