stackrox
diff --git a/‎central/image/service/http_handler.go‎
Lines changed: 50 additions & 37 deletions b/‎central/image/service/http_handler.go‎
Lines changed: 50 additions & 37 deletions
diff --git a/‎central/image/service/http_handler_test.go‎
Lines changed: 100 additions & 10 deletions b/‎central/image/service/http_handler_test.go‎
Lines changed: 100 additions & 10 deletions
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 
 	"github.com/pkg/errors"
 	clusterUtil "github.com/stackrox/rox/central/cluster/util"
@@ -35,24 +36,22 @@ type sbomHttpHandler struct {
 
 var _ http.Handler = (*sbomHttpHandler)(nil)
 
-// SBOMHandler returns a handler for get sbom http request
+// SBOMHandler returns a handler for get sbom http request.
 func SBOMHandler(integration integration.Set, enricher enricher.ImageEnricher, clusterSACHelper sachelper.ClusterSacHelper, riskManager manager.Manager) http.Handler {
 	return sbomHttpHandler{
 		integration:      integration,
 		enricher:         enricher,
 		clusterSACHelper: clusterSACHelper,
 		riskManager:      riskManager,
 	}
-
 }
 
 func (h sbomHttpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-
 	if r.Method != http.MethodPost {
 		w.WriteHeader(http.StatusMethodNotAllowed)
 		return
 	}
-	// verify scanner v4 is enabled
+	// Verify Scanner V4 is enabled.
 	if !features.ScannerV4.Enabled() {
 		httputil.WriteGRPCStyleError(w, codes.Unimplemented, errors.New("Scanner V4 is disabled. Enable Scanner V4 to generate SBOMs"))
 		return
@@ -61,20 +60,24 @@ func (h sbomHttpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		httputil.WriteGRPCStyleError(w, codes.Unimplemented, errors.New("SBOM feature is not enabled"))
 		return
 	}
-	var params apiparams.SbomRequestBody
+
+	var params apiparams.SBOMRequestBody
 	sbomGenMaxReqSizeBytes := env.SBOMGenerationMaxReqSizeBytes.IntegerSetting()
-	// timeout api after 10 minutes
 	lr := io.LimitReader(r.Body, int64(sbomGenMaxReqSizeBytes))
 	err := json.NewDecoder(lr).Decode(&params)
 	if err != nil {
 		httputil.WriteGRPCStyleError(w, codes.InvalidArgument, errors.Wrap(err, "decoding json request body"))
 		return
 	}
+	params.ImageName = strings.TrimSpace(params.ImageName)
+
 	ctx, cancel := context.WithTimeout(r.Context(), env.ScanTimeout.DurationSetting())
 	defer cancel()
-	bytes, err := h.getSbom(ctx, params)
+	bytes, err := h.getSBOM(ctx, params)
 	if err != nil {
-		httputil.WriteGRPCStyleError(w, codes.Internal, errors.Wrap(err, "generating SBOM"))
+		// Using WriteError instead of WriteGRPCStyleError so that the HTTP status
+		// is derived from the error type.
+		httputil.WriteError(w, errors.Wrap(err, "generating SBOM"))
 		return
 	}
 	if len(bytes) == 0 {
@@ -89,41 +92,38 @@ func (h sbomHttpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	_, _ = w.Write(bytes)
 }
 
-// enrichImage enriches the image with the given name and based on the given enrichment context
+// enrichImage enriches the image with the given name and based on the given enrichment context.
 func (h sbomHttpHandler) enrichImage(ctx context.Context, enrichmentCtx enricher.EnrichmentContext, imgName string) (*storage.Image, bool, error) {
-
 	// forcedEnrichment is set to true when enrichImage forces an enrichment.
-	forceEnrichment := false
+	forcedEnrichment := false
 	img, err := enricher.EnrichImageByName(ctx, h.enricher, enrichmentCtx, imgName)
 	if err != nil {
-		return nil, forceEnrichment, err
+		return nil, forcedEnrichment, err
 	}
-	// verify that image is scanned by scanner v4 if not force enrichment using scanner v4
-	scannedByV4 := h.scannedByScannerv4(img)
 
+	// SBOM generation requires an image to have been scanned by Scanner V4, if the existing image
+	// was scanned by a different scanner we force enrichment using Scanner V4.
+	scannedByV4 := h.scannedByScannerV4(img)
 	if enrichmentCtx.FetchOpt != enricher.UseImageNamesRefetchCachedValues && !scannedByV4 {
-		// force scan by scanner v4
+		// Force scan by Scanner V4.
 		addForceToEnrichmentContext(&enrichmentCtx)
-		forceEnrichment = true
+		forcedEnrichment = true
 		img, err = enricher.EnrichImageByName(ctx, h.enricher, enrichmentCtx, imgName)
 		if err != nil {
-			return nil, forceEnrichment, err
+			return nil, forcedEnrichment, err
 		}
 	}
 
-	// Save the image
-	img.Id = utils.GetSHA(img)
-	if img.GetId() != "" {
-		if err := h.saveImage(img); err != nil {
-			return nil, forceEnrichment, err
-		}
+	err = h.saveImage(img)
+	if err != nil {
+		return nil, forcedEnrichment, err
 	}
 
-	return img, forceEnrichment, nil
+	return img, forcedEnrichment, nil
 }
 
-// getSbom generates an SBOM for the specified parameters
-func (h sbomHttpHandler) getSbom(ctx context.Context, params apiparams.SbomRequestBody) ([]byte, error) {
+// getSBOM generates an SBOM for the specified parameters.
+func (h sbomHttpHandler) getSBOM(ctx context.Context, params apiparams.SBOMRequestBody) ([]byte, error) {
 	enrichmentCtx := enricher.EnrichmentContext{
 		FetchOpt:        enricher.UseCachesIfPossible,
 		Delegable:       true,
@@ -142,42 +142,50 @@ func (h sbomHttpHandler) getSbom(ctx context.Context, params apiparams.SbomReque
 		}
 		enrichmentCtx.ClusterID = clusterID
 	}
+
 	img, alreadyForcedEnrichment, err := h.enrichImage(ctx, enrichmentCtx, params.ImageName)
 	if err != nil {
 		return nil, err
 	}
-	// verify that index report exists. if not force image enrichment using scanner v4
+
+	// Verify the Index Report exists. If it doesn't, force image enrichment using Scanner V4.
 	scannerV4, err := h.getScannerV4SBOMIntegration()
 	if err != nil {
 		return nil, err
 	}
-	sbom, found, err := scannerV4.GetSBOM(img)
 
+	sbom, found, err := scannerV4.GetSBOM(img)
 	if err != nil {
 		return nil, err
 	}
+
 	if !found && !params.Force && !alreadyForcedEnrichment {
-		// since index report for image does not exist force scan by scanner v4
+		// Since the Index Report for image does not exist, force scan by Scanner V4.
 		addForceToEnrichmentContext(&enrichmentCtx)
-		_, err = enricher.EnrichImageByName(ctx, h.enricher, enrichmentCtx, params.ImageName)
+		img, err = enricher.EnrichImageByName(ctx, h.enricher, enrichmentCtx, params.ImageName)
 		if err != nil {
 			return nil, err
 		}
-		sbom, _, err = scannerV4.GetSBOM(img)
 
+		err = h.saveImage(img)
 		if err != nil {
 			return nil, err
 		}
 
+		sbom, _, err = scannerV4.GetSBOM(img)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return sbom, nil
 }
 
 func addForceToEnrichmentContext(enrichmentCtx *enricher.EnrichmentContext) {
 	enrichmentCtx.FetchOpt = enricher.UseImageNamesRefetchCachedValues
 }
 
-// getScannerV4SBOMIntegration returns the SBOM interface of scanner v4
+// getScannerV4SBOMIntegration returns the SBOM interface of Scanner V4.
 func (h sbomHttpHandler) getScannerV4SBOMIntegration() (scannerTypes.SBOMer, error) {
 	scanners := h.integration.ScannerSet()
 	for _, scanner := range scanners.GetAll() {
@@ -187,19 +195,24 @@ func (h sbomHttpHandler) getScannerV4SBOMIntegration() (scannerTypes.SBOMer, err
 			}
 		}
 	}
-	return nil, errors.New("Scanner v4 integration not found")
+	return nil, errors.New("Scanner V4 integration not found")
 }
 
-// scannedByScannerv4 checks if image is scanned by scanner v4
-func (h sbomHttpHandler) scannedByScannerv4(img *storage.Image) bool {
+// scannedByScannerV4 checks if image is scanned by Scanner V4.
+func (h sbomHttpHandler) scannedByScannerV4(img *storage.Image) bool {
 	return img.GetScan().GetDataSource().GetId() == iiStore.DefaultScannerV4Integration.GetId()
 }
 
-// saveImage saves the image to the scanner database
+// saveImage saves the image to Central's database.
 func (h sbomHttpHandler) saveImage(img *storage.Image) error {
+	img.Id = utils.GetSHA(img)
+	if img.GetId() == "" {
+		return nil
+	}
+
 	if err := h.riskManager.CalculateRiskAndUpsertImage(img); err != nil {
 		log.Errorw("Error upserting image", logging.ImageName(img.GetName().GetFullName()), logging.Err(err))
-		return err
+		return fmt.Errorf("saving image: %w", err)
 	}
 	return nil
 }
@@ -2,13 +2,17 @@ package service
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
 	"github.com/pkg/errors"
 	"github.com/stackrox/rox/central/imageintegration"
+	iiStore "github.com/stackrox/rox/central/imageintegration/store"
+	riskManagerMocks "github.com/stackrox/rox/central/risk/manager/mocks"
+	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/apiparams"
 	"github.com/stackrox/rox/pkg/env"
 	"github.com/stackrox/rox/pkg/features"
@@ -22,17 +26,16 @@ import (
 	"go.uber.org/mock/gomock"
 )
 
-func getFakeSbom(_ any) ([]byte, bool, error) {
-	sbom := createMockSbom()
+func getFakeSBOM(_ any) ([]byte, bool, error) {
+	sbom := createMockSBOM()
 	sbomBytes, err := json.Marshal(sbom)
 	if err != nil {
 		return nil, false, err
 	}
 	return sbomBytes, true, nil
 }
 
-func createMockSbom() map[string]interface{} {
-
+func createMockSBOM() map[string]interface{} {
 	return map[string]interface{}{
 		"SPDXID":      "SPDXRef-DOCUMENT",
 		"spdxVersion": "SPDX-2.3",
@@ -47,7 +50,6 @@ func createMockSbom() map[string]interface{} {
 }
 
 func TestHttpHandler_ServeHTTP(t *testing.T) {
-
 	// Test case: Invalid request method
 	t.Run("Invalid request method", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/sbom", nil)
@@ -68,11 +70,11 @@ func TestHttpHandler_ServeHTTP(t *testing.T) {
 		t.Setenv(features.ScannerV4.EnvVar(), "true")
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
-		// initliaze mocks
+		// initialize mocks
 		mockEnricher := enricherMock.NewMockImageEnricher(ctrl)
 		mockEnricher.EXPECT().EnrichImage(gomock.Any(), gomock.Any(), gomock.Any()).Return(enricher.EnrichmentResult{ImageUpdated: false, ScanResult: enricher.ScanNotDone}, errors.New("Image enrichment failed")).AnyTimes()
 
-		reqBody := &apiparams.SbomRequestBody{
+		reqBody := &apiparams.SBOMRequestBody{
 			ImageName: "test-image",
 			Force:     false,
 		}
@@ -97,7 +99,7 @@ func TestHttpHandler_ServeHTTP(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		// initliaze mocks
+		// initialize mocks
 		scannerSet := scannerMocks.NewMockSet(ctrl)
 		set := intergrationMocks.NewMockSet(ctrl)
 		mockEnricher := enricherMock.NewMockImageEnricher(ctrl)
@@ -106,12 +108,12 @@ func TestHttpHandler_ServeHTTP(t *testing.T) {
 
 		mockEnricher.EXPECT().EnrichImage(gomock.Any(), gomock.Any(), gomock.Any()).Return(enricher.EnrichmentResult{ImageUpdated: true, ScanResult: enricher.ScanSucceeded}, nil).AnyTimes()
 		scanner.EXPECT().Type().Return(scannerTypes.ScannerV4).AnyTimes()
-		scanner.EXPECT().GetSBOM(gomock.Any()).DoAndReturn(getFakeSbom).AnyTimes()
+		scanner.EXPECT().GetSBOM(gomock.Any()).DoAndReturn(getFakeSBOM).AnyTimes()
 		set.EXPECT().ScannerSet().Return(scannerSet).AnyTimes()
 		fsr.EXPECT().GetScanner().Return(scanner).AnyTimes()
 		scannerSet.EXPECT().GetAll().Return([]scannerTypes.ImageScannerWithDataSource{fsr}).AnyTimes()
 
-		reqBody := &apiparams.SbomRequestBody{
+		reqBody := &apiparams.SBOMRequestBody{
 			ImageName: "quay.io/quay-qetest/nodejs-test-image:latest",
 			Force:     false,
 		}
@@ -147,6 +149,25 @@ func TestHttpHandler_ServeHTTP(t *testing.T) {
 		assert.Equal(t, http.StatusBadRequest, res.StatusCode)
 	})
 
+	// Test case: empty image name
+	t.Run("empty image name", func(t *testing.T) {
+		t.Setenv(features.SBOMGeneration.EnvVar(), "true")
+		t.Setenv(features.ScannerV4.EnvVar(), "true")
+
+		reqBody := []byte(`{"imageName": "   "}`)
+		req := httptest.NewRequest(http.MethodPost, "/sbom", bytes.NewReader(reqBody))
+		recorder := httptest.NewRecorder()
+
+		handler := SBOMHandler(imageintegration.Set(), nil, nil, nil)
+		handler.ServeHTTP(recorder, req)
+
+		res := recorder.Result()
+		err := res.Body.Close()
+		assert.NoError(t, err)
+		assert.Contains(t, recorder.Body.String(), "image name")
+		assert.Equal(t, http.StatusBadRequest, res.StatusCode)
+	})
+
 	// Test case: Scanner V4 not enabled
 	t.Run("Scanner V4 not enabled", func(t *testing.T) {
 		t.Setenv(features.ScannerV4.EnvVar(), "false")
@@ -196,4 +217,73 @@ func TestHttpHandler_ServeHTTP(t *testing.T) {
 		assert.Equal(t, http.StatusBadRequest, res.StatusCode)
 	})
 
+	// Tests case: edge case where an image scan existed in Central DB from Scanner V4
+	// but the Scanner V4 Indexer did not have the corresponding index report.
+	// A forced enrichment is expected and the result saved to Central DB.
+	t.Run("image saved to Central when index report did not exist", func(t *testing.T) {
+		t.Setenv(features.SBOMGeneration.EnvVar(), "true")
+		t.Setenv(features.ScannerV4.EnvVar(), "true")
+
+		// enrichImageFunc will fake enrich an image by Scanner V4.
+		enrichImageFunc := func(ctx context.Context, enrichCtx enricher.EnrichmentContext, img *storage.Image) (enricher.EnrichmentResult, error) {
+			img.Id = "fake-id"
+			img.Scan = &storage.ImageScan{DataSource: &storage.DataSource{Id: iiStore.DefaultScannerV4Integration.Id}}
+			return enricher.EnrichmentResult{ImageUpdated: true, ScanResult: enricher.ScanSucceeded}, nil
+		}
+
+		// getSBOMFunc will indicate an index report is missing on first invocation and found on subsequent invocations.
+		firstGetSBOMInvocation := true
+		getSBOMFunc := func(_ any) ([]byte, bool, error) {
+			if firstGetSBOMInvocation {
+				firstGetSBOMInvocation = false
+				return nil, false, nil
+			}
+			return getFakeSBOM(nil)
+		}
+
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		// Initialize mocks.
+		mockScanner := scannerTypesMocks.NewMockScannerSBOMer(ctrl)
+		mockScanner.EXPECT().GetSBOM(gomock.Any()).DoAndReturn(getSBOMFunc).AnyTimes()
+		mockScanner.EXPECT().Type().Return(scannerTypes.ScannerV4).AnyTimes()
+
+		mockImageScannerWithDS := scannerTypesMocks.NewMockImageScannerWithDataSource(ctrl)
+		mockImageScannerWithDS.EXPECT().GetScanner().Return(mockScanner).AnyTimes()
+
+		mockScannerSet := scannerMocks.NewMockSet(ctrl)
+		mockScannerSet.EXPECT().GetAll().Return([]scannerTypes.ImageScannerWithDataSource{mockImageScannerWithDS}).AnyTimes()
+
+		mockIntegrationSet := intergrationMocks.NewMockSet(ctrl)
+		mockIntegrationSet.EXPECT().ScannerSet().Return(mockScannerSet).AnyTimes()
+
+		mockEnricher := enricherMock.NewMockImageEnricher(ctrl)
+		mockEnricher.EXPECT().EnrichImage(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(enrichImageFunc).AnyTimes()
+
+		mockRiskManager := riskManagerMocks.NewMockManager(ctrl)
+		// Image is expected to be saved after each successful enrichment, for this edge case will
+		// be multiple successful enrichments.
+		mockRiskManager.EXPECT().CalculateRiskAndUpsertImage(gomock.Any()).Times(2)
+
+		// Prepare the SBOM generation request.
+		reqBody := &apiparams.SBOMRequestBody{
+			ImageName: "quay.io/quay-qetest/nodejs-test-image:latest",
+			Force:     false,
+		}
+		reqJson, err := json.Marshal(reqBody)
+		assert.NoError(t, err)
+		req := httptest.NewRequest(http.MethodPost, "/sbom", bytes.NewReader(reqJson))
+		recorder := httptest.NewRecorder()
+		handler := SBOMHandler(mockIntegrationSet, mockEnricher, nil, mockRiskManager)
+
+		// Make the SBOM generation request.
+		handler.ServeHTTP(recorder, req)
+
+		// Validate was successful.
+		res := recorder.Result()
+		err = res.Body.Close()
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusOK, res.StatusCode)
+	})
 }