compress opens only if path isn't in sbom

Signed-off-by: Matthias Bertschy <[email protected]>
kubescape · Nov 26, 2024 · ba2b48e · ba2b48e
1 parent 07fc386
commit ba2b48e
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 7 deletions.
diff --git a/pkg/registry/file/applicationprofile_processor.go b/pkg/registry/file/applicationprofile_processor.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"strconv"
 
+	mapset "github.com/deckarep/golang-set/v2"
 	"github.com/kubescape/go-logger"
 	loggerhelpers "github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers"
@@ -42,13 +43,17 @@ func (a ApplicationProfileProcessor) PreSave(object runtime.Object) error {
 		return fmt.Errorf("given object is not an ApplicationProfile")
 	}
 
+	// get corresponding sbom
+	// TODO get SBOM and generate the sbomSet
+	sbomSet := mapset.NewSet[string]()
+
 	// size is the sum of all execs/opens in all containers
 	var size int
 
 	// Define a function to process a slice of containers
 	processContainers := func(containers []softwarecomposition.ApplicationProfileContainer) []softwarecomposition.ApplicationProfileContainer {
 		for i, container := range containers {
-			containers[i] = deflateApplicationProfileContainer(container)
+			containers[i] = deflateApplicationProfileContainer(container, sbomSet)
 			size += len(containers[i].Execs)
 			size += len(containers[i].Opens)
 		}
@@ -75,8 +80,8 @@ func (a ApplicationProfileProcessor) PreSave(object runtime.Object) error {
 	return nil
 }
 
-func deflateApplicationProfileContainer(container softwarecomposition.ApplicationProfileContainer) softwarecomposition.ApplicationProfileContainer {
-	opens, err := dynamicpathdetector.AnalyzeOpens(container.Opens, dynamicpathdetector.NewPathAnalyzer(OpenDynamicThreshold))
+func deflateApplicationProfileContainer(container softwarecomposition.ApplicationProfileContainer, sbomSet mapset.Set[string]) softwarecomposition.ApplicationProfileContainer {
+	opens, err := dynamicpathdetector.AnalyzeOpens(container.Opens, dynamicpathdetector.NewPathAnalyzer(OpenDynamicThreshold), sbomSet)
 	if err != nil {
 		logger.L().Warning("failed to analyze opens", loggerhelpers.Error(err))
 		opens = DeflateStringer(container.Opens)

diff --git a/pkg/registry/file/dynamicpathdetector/analyze_opens.go b/pkg/registry/file/dynamicpathdetector/analyze_opens.go
@@ -1,6 +1,7 @@
 package dynamicpathdetector
 
 import (
+	"errors"
 	"maps"
 	"slices"
 	"strings"
@@ -9,17 +10,27 @@ import (
 	types "github.com/kubescape/storage/pkg/apis/softwarecomposition"
 )
 
-func AnalyzeOpens(opens []types.OpenCalls, analyzer *PathAnalyzer) ([]types.OpenCalls, error) {
+func AnalyzeOpens(opens []types.OpenCalls, analyzer *PathAnalyzer, sbomSet mapset.Set[string]) ([]types.OpenCalls, error) {
 	if opens == nil {
 		return nil, nil
 	}
 
+	if sbomSet.Cardinality() == 0 {
+		return nil, errors.New("sbomSet is empty")
+	}
+
 	dynamicOpens := make(map[string]types.OpenCalls)
 	for _, open := range opens {
 		_, _ = AnalyzeOpen(open.Path, analyzer)
 	}
 
 	for i := range opens {
+		// sbomSet files have to be always present in the dynamicOpens
+		if sbomSet.ContainsOne(opens[i].Path) {
+			dynamicOpens[opens[i].Path] = opens[i]
+			continue
+		}
+
 		result, err := AnalyzeOpen(opens[i].Path, analyzer)
 		if err != nil {
 			continue

diff --git a/pkg/registry/file/dynamicpathdetector/tests/analyze_opens_test.go b/pkg/registry/file/dynamicpathdetector/tests/analyze_opens_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	mapset "github.com/deckarep/golang-set/v2"
 	types "github.com/kubescape/storage/pkg/apis/softwarecomposition"
 	"github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector"
 	"github.com/stretchr/testify/assert"
@@ -26,7 +27,34 @@ func TestAnalyzeOpensWithThreshold(t *testing.T) {
 		},
 	}
 
-	result, err := dynamicpathdetector.AnalyzeOpens(input, analyzer)
+	result, err := dynamicpathdetector.AnalyzeOpens(input, analyzer, mapset.NewSet[string]("toto"))
+	assert.NoError(t, err)
+	assert.Equal(t, expected, result)
+}
+
+func TestAnalyzeOpensWithThresholdAndExclusion(t *testing.T) {
+	analyzer := dynamicpathdetector.NewPathAnalyzer(100)
+
+	var input []types.OpenCalls
+	for i := 0; i < 101; i++ {
+		input = append(input, types.OpenCalls{
+			Path:  fmt.Sprintf("/home/user%d/file.txt", i),
+			Flags: []string{"READ"},
+		})
+	}
+
+	expected := []types.OpenCalls{
+		{
+			Path:  "/home/user42/file.txt",
+			Flags: []string{"READ"},
+		},
+		{
+			Path:  "/home/\u22ef/file.txt",
+			Flags: []string{"READ"},
+		},
+	}
+
+	result, err := dynamicpathdetector.AnalyzeOpens(input, analyzer, mapset.NewSet[string]("/home/user42/file.txt"))
 	assert.NoError(t, err)
 	assert.Equal(t, expected, result)
 }
@@ -98,7 +126,7 @@ func TestAnalyzeOpensWithFlagMergingAndThreshold(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			analyzer := dynamicpathdetector.NewPathAnalyzer(3)
-			result, err := dynamicpathdetector.AnalyzeOpens(tt.input, analyzer)
+			result, err := dynamicpathdetector.AnalyzeOpens(tt.input, analyzer, mapset.NewSet[string]("toto"))
 			assert.NoError(t, err)
 
 			assert.Equal(t, tt.expected, result)

diff --git a/pkg/registry/file/dynamicpathdetector/tests/benchmark_test.go b/pkg/registry/file/dynamicpathdetector/tests/benchmark_test.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"testing"
 
+	mapset "github.com/deckarep/golang-set/v2"
 	types "github.com/kubescape/storage/pkg/apis/softwarecomposition"
 	"github.com/kubescape/storage/pkg/registry/file"
 	"github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector"
@@ -57,7 +58,7 @@ func BenchmarkAnalyzeOpensVsDeflateStringer(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			_ = file.DeflateStringer(paths)
-			_, _ = dynamicpathdetector.AnalyzeOpens(paths, analyzer)
+			_, _ = dynamicpathdetector.AnalyzeOpens(paths, analyzer, mapset.NewSet[string]("toto"))
 		}
 		b.ReportAllocs()
 	})