Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SBOM] Keep layer info in SBOM components #32435

Merged
merged 19 commits into from
Dec 24, 2024
Merged

[SBOM] Keep layer info in SBOM components #32435

merged 19 commits into from
Dec 24, 2024

Conversation

lebauce
Copy link
Contributor

@lebauce lebauce commented Dec 20, 2024
edited
Loading

What does this PR do?

Change the sbom.container_image.overlayfs_direct_scan mode to
keep the layers information attached to each component of the SBOM.

This PR also bump Trivy and uses a custom walker to implement
most of the features previously implemented in our Trivy fork.

Motivation

This allows to match vulnerabilities to the layer they are part of.

Describe how you validated your changes

Set sbom.container_image.overlayfs_direct_scan in both host and containerized mode,
for the docker, containerd and crio runtimes.

Possible Drawbacks / Trade-offs

Additional Notes

@lebauce lebauce added changelog/no-changelog team/agent-security qa/rc-required Only for a PR that requires validation on the Release Candidate labels Dec 20, 2024
@lebauce lebauce added this to the 7.63.0 milestone Dec 20, 2024
@lebauce lebauce requested review from a team as code owners December 20, 2024 17:51
@cit-pr-commenter cit-pr-commenter
Copy link

cit-pr-commenter bot commented Dec 20, 2024
edited
Loading

Go Package Import Differences

Baseline: 3982cbd
Comparison: 10f2df4

binaryosarchchange
agentlinuxamd64
+170, -13 
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
-github.com/golang/protobuf/ptypes
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/go-rpmutils
+github.com/sassoftware/go-rpmutils/cpio
+github.com/sassoftware/go-rpmutils/fileutil
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
+github.com/syndtr/goleveldb/leveldb
+github.com/syndtr/goleveldb/leveldb/cache
+github.com/syndtr/goleveldb/leveldb/comparer
+github.com/syndtr/goleveldb/leveldb/errors
+github.com/syndtr/goleveldb/leveldb/filter
+github.com/syndtr/goleveldb/leveldb/iterator
+github.com/syndtr/goleveldb/leveldb/journal
+github.com/syndtr/goleveldb/leveldb/memdb
+github.com/syndtr/goleveldb/leveldb/opt
+github.com/syndtr/goleveldb/leveldb/storage
+github.com/syndtr/goleveldb/leveldb/table
+github.com/syndtr/goleveldb/leveldb/util
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/ulikunitz/xz/internal/hash
+github.com/ulikunitz/xz/internal/xlog
+github.com/ulikunitz/xz/lzma
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
agentlinuxarm64
+170, -13 
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
-github.com/golang/protobuf/ptypes
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/go-rpmutils
+github.com/sassoftware/go-rpmutils/cpio
+github.com/sassoftware/go-rpmutils/fileutil
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
+github.com/syndtr/goleveldb/leveldb
+github.com/syndtr/goleveldb/leveldb/cache
+github.com/syndtr/goleveldb/leveldb/comparer
+github.com/syndtr/goleveldb/leveldb/errors
+github.com/syndtr/goleveldb/leveldb/filter
+github.com/syndtr/goleveldb/leveldb/iterator
+github.com/syndtr/goleveldb/leveldb/journal
+github.com/syndtr/goleveldb/leveldb/memdb
+github.com/syndtr/goleveldb/leveldb/opt
+github.com/syndtr/goleveldb/leveldb/storage
+github.com/syndtr/goleveldb/leveldb/table
+github.com/syndtr/goleveldb/leveldb/util
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/ulikunitz/xz/internal/hash
+github.com/ulikunitz/xz/internal/xlog
+github.com/ulikunitz/xz/lzma
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
agentwindowsamd64
+0, -1 
-github.com/golang/protobuf/ptypes
agentdarwinamd64
+0, -1 
-github.com/golang/protobuf/ptypes
agentdarwinarm64
+0, -1 
-github.com/golang/protobuf/ptypes
iot-agentlinuxamd64
+0, -1 
-github.com/golang/protobuf/ptypes
iot-agentlinuxarm64
+0, -1 
-github.com/golang/protobuf/ptypes
heroku-agentlinuxamd64
+0, -1 
-github.com/golang/protobuf/ptypes
cluster-agentlinuxamd64
+0, -1 
-github.com/golang/protobuf/ptypes
cluster-agentlinuxarm64
+0, -1 
-github.com/golang/protobuf/ptypes
cluster-agent-cloudfoundrylinuxamd64
+0, -1 
-github.com/golang/protobuf/ptypes
cluster-agent-cloudfoundrylinuxarm64
+0, -1 
-github.com/golang/protobuf/ptypes
process-agentlinuxamd64
+0, -1 
-github.com/golang/protobuf/ptypes
process-agentlinuxarm64
+0, -1 
-github.com/golang/protobuf/ptypes
process-agentwindowsamd64
+0, -1 
-github.com/golang/protobuf/ptypes
process-agentdarwinamd64
+0, -1 
-github.com/golang/protobuf/ptypes
process-agentdarwinarm64
+0, -1 
-github.com/golang/protobuf/ptypes
security-agentlinuxamd64
+0, -1 
-github.com/golang/protobuf/ptypes
security-agentlinuxarm64
+0, -1 
-github.com/golang/protobuf/ptypes
security-agentwindowsamd64
+0, -1 
-github.com/golang/protobuf/ptypes
system-probelinuxamd64
+153, -15 
-github.com/DataDog/datadog-agent/pkg/util/crio
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-cleanhttp
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
-k8s.io/api/core/v1
-k8s.io/cri-api/pkg/apis/runtime/v1
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
system-probelinuxarm64
+153, -15 
-github.com/DataDog/datadog-agent/pkg/util/crio
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-cleanhttp
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
-k8s.io/api/core/v1
-k8s.io/cri-api/pkg/apis/runtime/v1
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax

@lebauce lebauce force-pushed the lebauce/trivy-sbom-layers branch from 7da1ad1 to 94636e8 Compare December 23, 2024 01:35
@lebauce lebauce requested review from a team as code owners December 23, 2024 01:35
@github-actions github-actions bot added component/system-probe long review PR is complex, plan time to review it labels Dec 23, 2024
@lebauce lebauce force-pushed the lebauce/trivy-sbom-layers branch 3 times, most recently from 2ebcefb to aa87ba3 Compare December 23, 2024 11:55
@agent-platform-auto-pr
Copy link
Contributor

agent-platform-auto-pr bot commented Dec 23, 2024
edited
Loading

Uncompressed package size comparison

Comparison with ancestor 3982cbd7722ac20c42504cd202c2baee64640762

Diff per package
package diff status size ancestor threshold
datadog-agent-x86_64-rpm 1.65MB ⚠️ 1198.94MB 1197.29MB 140.00MB
datadog-agent-x86_64-suse 1.65MB ⚠️ 1198.94MB 1197.29MB 140.00MB
datadog-agent-amd64-deb 1.65MB ⚠️ 1189.68MB 1188.03MB 140.00MB
datadog-agent-arm64-deb 0.06MB ⚠️ 934.02MB 933.96MB 140.00MB
datadog-agent-aarch64-rpm 0.06MB ⚠️ 943.26MB 943.20MB 140.00MB
datadog-heroku-agent-amd64-deb 0.02MB ⚠️ 505.11MB 505.09MB 70.00MB
datadog-iot-agent-x86_64-rpm 0.00MB 113.41MB 113.41MB 10.00MB
datadog-iot-agent-x86_64-suse 0.00MB 113.41MB 113.41MB 10.00MB
datadog-iot-agent-amd64-deb 0.00MB 113.34MB 113.34MB 10.00MB
datadog-dogstatsd-amd64-deb 0.00MB 78.57MB 78.57MB 10.00MB
datadog-dogstatsd-x86_64-rpm 0.00MB 78.65MB 78.65MB 10.00MB
datadog-dogstatsd-x86_64-suse 0.00MB 78.65MB 78.65MB 10.00MB
datadog-dogstatsd-arm64-deb 0.00MB 55.77MB 55.77MB 10.00MB
datadog-iot-agent-arm64-deb -0.01MB 108.81MB 108.81MB 10.00MB
datadog-iot-agent-aarch64-rpm -0.01MB 108.88MB 108.88MB 10.00MB

Decision

⚠️ Warning

@agent-platform-auto-pr
Copy link
Contributor

agent-platform-auto-pr bot commented Dec 23, 2024
edited
Loading

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv aws.create-vm --pipeline-id=51753970 --os-family=ubuntu

Note: This applies to commit 10f2df4

@cit-pr-commenter cit-pr-commenter
Copy link

cit-pr-commenter bot commented Dec 23, 2024
edited
Loading

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 6ff3e5f4-52e9-49df-8ebf-3f93a76cd2a2

Baseline: 3982cbd
Comparison: 10f2df4
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gate_logs % cpu utilization +2.33 [-0.95, +5.62] 1 Logs
quality_gate_idle memory utilization +1.36 [+1.32, +1.40] 1 Logs bounds checks dashboard
uds_dogstatsd_to_api_cpu % cpu utilization +1.26 [+0.57, +1.95] 1 Logs
quality_gate_idle_all_features memory utilization +0.68 [+0.60, +0.77] 1 Logs bounds checks dashboard
file_tree memory utilization +0.67 [+0.54, +0.79] 1 Logs
file_to_blackhole_0ms_latency egress throughput +0.12 [-0.80, +1.03] 1 Logs
file_to_blackhole_100ms_latency egress throughput +0.12 [-0.62, +0.85] 1 Logs
file_to_blackhole_0ms_latency_http2 egress throughput +0.06 [-0.78, +0.89] 1 Logs
file_to_blackhole_0ms_latency_http1 egress throughput +0.04 [-0.77, +0.85] 1 Logs
file_to_blackhole_500ms_latency egress throughput +0.03 [-0.75, +0.80] 1 Logs
file_to_blackhole_300ms_latency egress throughput +0.00 [-0.64, +0.65] 1 Logs
tcp_dd_logs_filter_exclude ingress throughput -0.00 [-0.01, +0.01] 1 Logs
uds_dogstatsd_to_api ingress throughput -0.00 [-0.10, +0.10] 1 Logs
tcp_syslog_to_blackhole ingress throughput -0.08 [-0.15, -0.00] 1 Logs
file_to_blackhole_1000ms_latency egress throughput -0.08 [-0.88, +0.72] 1 Logs
file_to_blackhole_1000ms_latency_linear_load egress throughput -0.34 [-0.80, +0.12] 1 Logs
otel_to_otel_logs ingress throughput -0.52 [-1.20, +0.16] 1 Logs

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed links
file_to_blackhole_0ms_latency lost_bytes 10/10
file_to_blackhole_0ms_latency memory_usage 10/10
file_to_blackhole_0ms_latency_http1 lost_bytes 10/10
file_to_blackhole_0ms_latency_http1 memory_usage 10/10
file_to_blackhole_0ms_latency_http2 lost_bytes 10/10
file_to_blackhole_0ms_latency_http2 memory_usage 10/10
file_to_blackhole_1000ms_latency memory_usage 10/10
file_to_blackhole_1000ms_latency_linear_load memory_usage 10/10
file_to_blackhole_100ms_latency lost_bytes 10/10
file_to_blackhole_100ms_latency memory_usage 10/10
file_to_blackhole_300ms_latency lost_bytes 10/10
file_to_blackhole_300ms_latency memory_usage 10/10
file_to_blackhole_500ms_latency lost_bytes 10/10
file_to_blackhole_500ms_latency memory_usage 10/10
quality_gate_idle memory_usage 10/10 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 bounds checks dashboard
quality_gate_logs lost_bytes 10/10
quality_gate_logs memory_usage 10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.

chouetz
chouetz approved these changes Dec 23, 2024
View reviewed changes
.copyright-overrides.yml Show resolved Hide resolved
pducolin
pducolin approved these changes Dec 23, 2024
View reviewed changes
Copy link
Contributor

@pducolin pducolin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok for changes owned by @DataDog/agent-devx-loops

internal/tools/go.mod Outdated Show resolved Hide resolved
@lebauce lebauce force-pushed the lebauce/trivy-sbom-layers branch from 1f98c1d to dea78d9 Compare December 23, 2024 15:47
paulcacheux
paulcacheux reviewed Dec 23, 2024
View reviewed changes
pkg/util/trivy/crio.go Outdated Show resolved Hide resolved
pkg/util/trivy/docker.go Outdated Show resolved Hide resolved
pkg/util/trivy/overlayfs.go Show resolved Hide resolved
pkg/util/trivy/crio.go Outdated Show resolved Hide resolved
@lebauce lebauce force-pushed the lebauce/trivy-sbom-layers branch from 36878b3 to f92329a Compare December 23, 2024 16:33
sblumenthal
sblumenthal approved these changes Dec 23, 2024
View reviewed changes
pkg/sbom/scanner/scanner.go Outdated Show resolved Hide resolved
go.mod Outdated
Comment on lines 1084 to 1085
// Maps to Trivy fork https://github.com/DataDog/trivy/commits/use-fs-main-dd/
github.com/aquasecurity/trivy => github.com/DataDog/trivy v0.0.0-20241216135157-95e0e96002ee
github.com/aquasecurity/trivy => github.com/DataDog/trivy v0.0.0-20241223160824-d6db1f1a84ce
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment doesn't appear to be correct, as it looks like this commit is coming from a different branch. Moreover, it looks like the new branch does not have a bunch of commits that were present in the previous branch, so just double checking that this is expected

Copy link
Contributor Author

@lebauce lebauce Dec 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment is indeed incorrect. The new branch seems to be based on main of Trivy and includes a commit (DataDog/trivy@f11c14f) that bundles a bunch of commits. I did my best to check that we are not missing something here.

@lebauce lebauce force-pushed the lebauce/trivy-sbom-layers branch from b65fa2f to ea04a33 Compare December 24, 2024 00:47
@lebauce
Copy link
Contributor Author

lebauce commented Dec 24, 2024

/merge

@dd-devflow
Copy link

dd-devflow bot commented Dec 24, 2024
edited
Loading

Devflow running: /merge

View all feedbacks in Devflow UI.

2024-12-24 08:19:41 UTC ℹ️ MergeQueue: pull request added to the queue

The median merge time in main is 35m.

2024-12-24 08:58:46 UTC ℹ️ MergeQueue: This merge request was merged

@dd-mergequeue dd-mergequeue bot merged commit 653ea31 into main Dec 24, 2024
415 checks passed
@dd-mergequeue dd-mergequeue bot deleted the lebauce/trivy-sbom-layers branch December 24, 2024 08:58
@github-actions github-actions bot modified the milestones: 7.63.0, 7.62.0 Dec 24, 2024
louis-cqrl pushed a commit that referenced this pull request Dec 25, 2024
@lebauce @louis-cqrl
[SBOM] Keep layer info in SBOM components (#32435)
5d6fd07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pducolin pducolin pducolin approved these changes

@chouetz chouetz chouetz approved these changes

@sblumenthal sblumenthal sblumenthal approved these changes

@paulcacheux paulcacheux paulcacheux approved these changes

Assignees
No one assigned
Labels
changelog/no-changelog component/system-probe long review PR is complex, plan time to review it qa/rc-required Only for a PR that requires validation on the Release Candidate team/agent-security
Projects
None yet
Milestone
7.62.0
Development

Successfully merging this pull request may close these issues.
5 participants
@lebauce @paulcacheux @sblumenthal @chouetz @pducolin