
Conversation

@dcaravel (Contributor) commented Jan 11, 2026

Description

This PR adds a new digest parameter to the /api/v1/images/sbom API that allows an SBOM to be generated for a specific image without changing the name of the stored image.

Today, the "Generate SBOM" feature in the UI may not generate the correct SBOM if the image is referenced by a tag and the tag now points to a different digest. The UI will be updated separately from this PR to use the new digest field.

This PR also adds support for the new ROX_FLATTEN_IMAGE_DATA feature to the SBOM generation handler (note: this overlaps with #18234, will address conflicts as needed when merged).

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • modified existing tests

How I validated my change

Built two images, generated SBOMs for the images after changing where the tag points, then before the fix verified the incorrect package is shown (mimicking the current API requests from the UI):

sbomgen.sh
#!/bin/bash
set -e

# token_file and endpoint_file are expected to be set in the environment and
# name files holding the API token and the Central host:port respectively
ROX_API_TOKEN=$(cat "${token_file}")
ROX_ENDPOINT=$(cat "${endpoint_file}")

baseimage=quay.io/dcaravel/temp:sbom-gen-demo

# digest for quay.io/dcaravel/temp:sbom-gen-demo-1
digest1=sha256:f281ce39b78b5e09ee5712d2c325d1c3ec295e7530c8c764cc07a9abb8bcc3d6

# digest for quay.io/dcaravel/temp:sbom-gen-demo-2
digest2=sha256:6aadc70f3f04659d559eef9fe7d6e7dd02802a811254f3b12d75bcf3fd3e7c0e

# Request SBOM for image with digest1
# -k skips TLS certificate verification; acceptable against a lab Central only
curl -sSk -X POST "https://${ROX_ENDPOINT}/api/v1/images/sbom" \
  -H "Authorization: Bearer ${ROX_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d "{\"imageName\":\"${baseimage}\",\"digest\":\"${digest1}\",\"force\":true}" | jq '.packages[] | select(.name == "org.apache.logging.log4j:log4j-core")'

echo ""
echo ""

# Request SBOM for image with digest2
echo "Requesting SBOM for ${baseimage} with digest ${digest2}..."
curl -sSk -X POST "https://${ROX_ENDPOINT}/api/v1/images/sbom" \
  -H "Authorization: Bearer ${ROX_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d "{\"imageName\":\"${baseimage}\",\"digest\":\"${digest2}\",\"force\":true}" | jq '.packages[] | select(.name == "org.apache.logging.log4j:log4j-core")'

Before:

When quay.io/dcaravel/temp:sbom-gen-demo == quay.io/dcaravel/temp:sbom-gen-demo-1

$ ./sbomgen.sh 
Requesting SBOM for quay.io/dcaravel/temp:sbom-gen-demo with digest sha256:f281ce39b78b5e09ee5712d2c325d1c3ec295e7530c8c764cc07a9abb8bcc3d6...
{
  "name": "org.apache.logging.log4j:log4j-core",
  "SPDXID": "SPDXRef-Package-65346",
  "versionInfo": "2.14.1",
  "packageFileName": "maven:app/log4j.jar",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "primaryPackagePurpose": "APPLICATION"
}


Requesting SBOM for quay.io/dcaravel/temp:sbom-gen-demo with digest sha256:6aadc70f3f04659d559eef9fe7d6e7dd02802a811254f3b12d75bcf3fd3e7c0e...
{
  "name": "org.apache.logging.log4j:log4j-core",
  "SPDXID": "SPDXRef-Package-65346",
  "versionInfo": "2.14.1",
  "packageFileName": "maven:app/log4j.jar",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "primaryPackagePurpose": "APPLICATION"
}

When quay.io/dcaravel/temp:sbom-gen-demo == quay.io/dcaravel/temp:sbom-gen-demo-2

$ ./sbomgen.sh 
Requesting SBOM for quay.io/dcaravel/temp:sbom-gen-demo with digest sha256:f281ce39b78b5e09ee5712d2c325d1c3ec295e7530c8c764cc07a9abb8bcc3d6...
{
  "name": "org.apache.logging.log4j:log4j-core",
  "SPDXID": "SPDXRef-Package-65344",
  "versionInfo": "2.17.1",
  "packageFileName": "maven:app/log4j.jar",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "primaryPackagePurpose": "APPLICATION"
}


Requesting SBOM for quay.io/dcaravel/temp:sbom-gen-demo with digest sha256:6aadc70f3f04659d559eef9fe7d6e7dd02802a811254f3b12d75bcf3fd3e7c0e...
{
  "name": "org.apache.logging.log4j:log4j-core",
  "SPDXID": "SPDXRef-Package-65344",
  "versionInfo": "2.17.1",
  "packageFileName": "maven:app/log4j.jar",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "primaryPackagePurpose": "APPLICATION"
}

After fix applied (notice that different package versions are detected as expected):

Requesting SBOM for quay.io/dcaravel/temp:sbom-gen-demo with digest sha256:f281ce39b78b5e09ee5712d2c325d1c3ec295e7530c8c764cc07a9abb8bcc3d6...
{
  "name": "org.apache.logging.log4j:log4j-core",
  "SPDXID": "SPDXRef-Package-65346",
  "versionInfo": "2.14.1",
  "packageFileName": "maven:app/log4j.jar",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "primaryPackagePurpose": "APPLICATION"
}


Requesting SBOM for quay.io/dcaravel/temp:sbom-gen-demo with digest sha256:6aadc70f3f04659d559eef9fe7d6e7dd02802a811254f3b12d75bcf3fd3e7c0e...
{
  "name": "org.apache.logging.log4j:log4j-core",
  "SPDXID": "SPDXRef-Package-65344",
  "versionInfo": "2.17.1",
  "packageFileName": "maven:app/log4j.jar",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "primaryPackagePurpose": "APPLICATION"
}

This is necessary when tags change (i.e. latest), an SBOM may
be desired for an older digest for that image but the name
of the image should stay the same in StackRox.
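The resolution rule the description and commit message spell out (the digest selects which stored manifest gets described, while the image name stays whatever the caller sent) as an added Go example. This is not StackRox's code: the request and response types, the in-memory ImageStore and the Resolve function are hypothetical stand-ins for the real handler and datastore, and the package data is constructed to match the log4j versions shown in the validation output above; only the image name and the two digests are taken from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// SBOMRequest mirrors the body the PR's script posts: imageName selects the
// stored image, digest (new in this PR) pins one manifest, force requests a
// fresh scan. All types here are hypothetical stand-ins, not StackRox's own.
type SBOMRequest struct {
	ImageName string `json:"imageName"`
	Digest    string `json:"digest,omitempty"`
	Force     bool   `json:"force"`
}

// Package and SBOMResponse are a minimal stand-in for the SPDX document.
type Package struct {
	Name        string `json:"name"`
	VersionInfo string `json:"versionInfo"`
}
type SBOMResponse struct {
	Name     string    `json:"name"`
	Digest   string    `json:"digest"`
	Packages []Package `json:"packages"`
}

// ImageStore stands in for the image datastore: content keyed by digest plus
// a tag index recording where each tag currently points.
type ImageStore struct {
	ByDigest    map[string][]Package
	TagToDigest map[string]string
}

var (
	digestRE      = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	ErrBadRequest = errors.New("malformed request") // a handler would answer 400
	ErrNotFound   = errors.New("image not found")   // a handler would answer 404
)

// Resolve picks the manifest to describe. With a digest the caller gets
// exactly that content; without one the tag index decides, which is the
// drift the PR fixes. The response always carries the caller's name.
func (s *ImageStore) Resolve(req SBOMRequest) (SBOMResponse, error) {
	if req.ImageName == "" {
		return SBOMResponse{}, ErrBadRequest
	}
	digest := req.Digest
	switch {
	case digest == "":
		d, ok := s.TagToDigest[req.ImageName]
		if !ok {
			return SBOMResponse{}, ErrNotFound
		}
		digest = d
	case !digestRE.MatchString(digest):
		return SBOMResponse{}, ErrBadRequest
	}
	pkgs, ok := s.ByDigest[digest]
	if !ok {
		return SBOMResponse{}, ErrNotFound
	}
	return SBOMResponse{Name: req.ImageName, Digest: digest, Packages: pkgs}, nil
}

// Version returns one package's recorded version ("" if absent): the same
// selection the jq filter in the PR's script performs.
func Version(resp SBOMResponse, name string) string {
	for _, p := range resp.Packages {
		if p.Name == name {
			return p.VersionInfo
		}
	}
	return ""
}

// Constructed scenario matching the PR: the two digests quoted there, each
// with the log4j version its SBOM showed, and the tag pointing at the second.
const (
	Tag     = "quay.io/dcaravel/temp:sbom-gen-demo"
	Log4j   = "org.apache.logging.log4j:log4j-core"
	Digest1 = "sha256:f281ce39b78b5e09ee5712d2c325d1c3ec295e7530c8c764cc07a9abb8bcc3d6"
	Digest2 = "sha256:6aadc70f3f04659d559eef9fe7d6e7dd02802a811254f3b12d75bcf3fd3e7c0e"
)

func DemoStore() *ImageStore {
	return &ImageStore{
		ByDigest: map[string][]Package{
			Digest1: {{Name: Log4j, VersionInfo: "2.14.1"}},
			Digest2: {{Name: Log4j, VersionInfo: "2.17.1"}},
		},
		TagToDigest: map[string]string{Tag: Digest2},
	}
}

func main() {
	s := DemoStore()
	for _, d := range []string{"", Digest1, Digest2} {
		resp, err := s.Resolve(SBOMRequest{ImageName: Tag, Digest: d, Force: true})
		fmt.Printf("digest=%q name=%s log4j=%s err=%v\n", d, resp.Name, Version(resp, Log4j), err)
	}
}
```

Without a digest the result follows the tag index, which is exactly the drift the PR describes; with Digest1 the caller gets the 2.14.1 content under the unchanged name. A handler wrapping Resolve would map ErrBadRequest to HTTP 400 and ErrNotFound to 404, so a UI can tell a mistyped digest apart from content that was never scanned.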

openshift-ci bot commented Jan 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


codecov bot commented Jan 11, 2026

Codecov Report

❌ Patch coverage is 80.21978% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 48.94%. Comparing base (0976bab) to head (69e5cd3).
⚠️ Report is 11 commits behind head on master.

Files with missing lines Patch % Lines
central/image/service/http_handler.go 80.21% 12 Missing and 6 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #18432      +/-   ##
==========================================
+ Coverage   48.89%   48.94%   +0.05%     
==========================================
  Files        2629     2631       +2     
  Lines      197912   198034     +122     
==========================================
+ Hits        96762    96934     +172     
+ Misses      93766    93709      -57     
- Partials     7384     7391       +7     
Flag Coverage Δ
go-unit-tests 48.94% <80.21%> (+0.05%) ⬆️


@rhacs-bot (Contributor) commented Jan 11, 2026

Images are ready for the commit at 69e5cd3.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-745-g69e5cd3ece.

@dcaravel dcaravel force-pushed the dc/sbom-gen-add-image-digest branch from 6808f5d to 928782c on January 11, 2026 23:33
@dcaravel dcaravel force-pushed the dc/sbom-gen-add-image-digest branch from 928782c to 0998fe7 on January 12, 2026 01:27
@dcaravel dcaravel marked this pull request as ready for review January 12, 2026 04:18
@dcaravel dcaravel requested a review from a team as a code owner January 12, 2026 04:18

openshift-ci bot commented Jan 12, 2026

@dcaravel: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                      Commit   Required  Rerun command
ci/prow/gke-ui-e2e-tests       69e5cd3  true      /test gke-ui-e2e-tests
ci/prow/ocp-4-20-ui-e2e-tests  69e5cd3  false     /test ocp-4-20-ui-e2e-tests
