
ROX-30569: Add SBOM Scanning REST API to Central #18484

Merged
dcaravel merged 7 commits into master from dc/sbom-ingest-central-api, Feb 13, 2026

Conversation


@dcaravel dcaravel commented Jan 14, 2026

Description

Adds the /api/v1/sboms/scan custom route and handler to facilitate SBOM scanning. Reading the SBOM content from the request and scanning it will be handled in a future PR - a fake response is returned for now.

A few decisions to call out (happy to change as needed):

  • Even though SBOMs can represent 'anything', the new API endpoint requires Image write permission (for now)
    • given there isn't another already existing permission that fits better, and the initial use case is primarily for scanning SBOMs for images, seems an OK compromise until we decide if a new permission should be created.
  • The handler code was placed in the image service location to align with ^^, but was kept isolated from the existing SBOM generation handler so that it can be moved elsewhere easily as needed in the future.
  • Max size of request payload set to 100 MB (changeable via env)
  • The env var for enabling/disabling the feature is ROX_SBOM_SCANNING
    • The design called for ROX_SBOM_MATCHING - I'm happy to change it, the API endpoint has scan in its path and other user exposed areas of ACS reference 'scanning' - 'SCAN' seemed like the more consistent value.

File sizes from: https://security.access.redhat.com/data/sbom/v1/spdx/

Total files processed: 250

Maximum uncompressed size: 429.3 MB (spdx/rhel-10.1.z.json.bz2)
Minimum uncompressed size: 2.3 KB (spdx/quarkus-3.27.json.bz2)
Average uncompressed size: 19.5 MB
Median uncompressed size:  416.3 KB
Standard deviation:        65.0 MB
Total uncompressed size:   4.8 GB

PR Stack:

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests

How I validated my change

Unit tests + sending a fake request to the API:

$ curl -ki -H "Authorization: Bearer $ROX_API_TOKEN" -X POST https://$ROX_ENDPOINT/api/v1/sboms/scan
HTTP/2 400 
vary: Accept-Encoding
content-type: text/plain; charset=utf-8
content-length: 129
date: Wed, 14 Jan 2026 04:58:14 GMT

{"code":3,"message":"validating media type: unsupported media type \"\", supported types [text/spdx+json application/spdx+json]"}
$ curl -ki -H "Authorization: Bearer $ROX_API_TOKEN" -H "Content-Type: text/spdx+json" -X POST https://$ROX_ENDPOINT/api/v1/sboms/scan
HTTP/2 200 
content-type: application/json
vary: Accept-Encoding
content-length: 467
date: Wed, 14 Jan 2026 04:58:47 GMT

{
  "id":  "fake HashId",
  "scan":  {
    "scanTime":  "2026-01-14T04:58:47.653925991Z",
    "components":  [
      {
        "name":  "Fake Package #1",
        "vulns":  [
          {
            "cve":  "Fake Vuln #1"
          },
          {
            "cve":  "Fake Vuln #2"
          }
        ]
      }
    ],
    "operatingSystem":  "unknown",
    "dataSource":  {
      "id":  "a87471e6-9678-4e66-8348-91e302b6de07",
      "name":  "Scanner V4"
    }
  }
}

Max request size enforcement

$ k set env deploy/central ROX_SBOM_SCAN_MAX_REQ_SIZE_BYTES=2
$ curl -ki -H "Authorization: Bearer $ROX_API_TOKEN" -H "Content-Type: text/spdx+json" -X POST https://$ROX_ENDPOINT/api/v1/sboms/scan -d "this is not actually an SBOM"
HTTP/2 400 
vary: Accept-Encoding
content-type: text/plain; charset=utf-8
content-length: 67
date: Wed, 14 Jan 2026 05:26:39 GMT

{"code":3,"message":"request body exceeds maximum size of 2 bytes"}
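
As an added illustration (not the PR's own code) of the request-validation behaviour the curl sessions above exercise: the media type is checked before any body is read, the size cap is enforced with http.MaxBytesReader and the limit is taken from its error, and failures use the code-3 envelope shown. The constant, function and handler names are assumptions, and the block assumes Go 1.21+ for the slices package.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"slices"
)

// 100 MB default from the PR description (the real handler lets env override it).
const maxReqSizeBytes int64 = 100 * 1024 * 1024
// Media types the endpoint accepts, as listed in the PR's 400 response.
var supportedMediaTypes = []string{"text/spdx+json", "application/spdx+json"}

// validateMediaType runs before any body is read, so a payload the server would reject is never buffered.
func validateMediaType(contentType string) error {
	mediaType, _, err := mime.ParseMediaType(contentType) // parameters such as charset are dropped
	if err != nil && contentType != "" {                   // an absent header is reported as "", as in the PR
		return fmt.Errorf("validating media type: %w", err)
	}
	if slices.Contains(supportedMediaTypes, mediaType) {
		return nil
	}
	return fmt.Errorf("validating media type: unsupported media type %q, supported types %v", mediaType, supportedMediaTypes)
}

// readSBOMBody caps the body with http.MaxBytesReader and takes the limit from the error itself (cf. the PR commit "read size exceeds limit from error directly").
func readSBOMBody(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, limit))
	var tooLarge *http.MaxBytesError
	if errors.As(err, &tooLarge) {
		return nil, fmt.Errorf("request body exceeds maximum size of %d bytes", tooLarge.Limit)
	}
	return body, err
}

// sbomScanHandler chains both checks; failures use the {"code":3,"message":...} shape from the PR (3 = gRPC INVALID_ARGUMENT).
func sbomScanHandler(w http.ResponseWriter, r *http.Request) {
	if err := validateMediaType(r.Header.Get("Content-Type")); err != nil {
		http.Error(w, fmt.Sprintf(`{"code":3,"message":%q}`, err.Error()), http.StatusBadRequest)
		return
	}
	if _, err := readSBOMBody(w, r, maxReqSizeBytes); err != nil {
		http.Error(w, fmt.Sprintf(`{"code":3,"message":%q}`, err.Error()), http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, `{"id":"fake HashId"}`) // scanning the bytes is deferred to a later PR, as the description says
}
```

A body exactly at the limit is accepted; only the first byte beyond it triggers the MaxBytesError.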


openshift-ci bot commented Jan 14, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 4eaf9ae to 5993fc8 January 14, 2026 05:28

rhacs-bot commented Jan 14, 2026

Images are ready for the commit at 09f9e5f.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-103-g09f9e5f702.


codecov bot commented Jan 14, 2026

Codecov Report

❌ Patch coverage is 36.44444% with 143 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.50%. Comparing base (300a724) to head (09f9e5f).
⚠️ Report is 14 commits behind head on master.

Files with missing lines                          Patch %   Lines
pkg/scanners/scannerv4/scannerv4.go               0.00%     124 Missing ⚠️
central/image/service/sbom_scan_http_handler.go   76.82%    14 Missing and 5 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #18484      +/-   ##
==========================================
- Coverage   49.52%   49.50%   -0.02%     
==========================================
  Files        2666     2667       +1     
  Lines      201181   201389     +208     
==========================================
+ Hits        99629    99698      +69     
- Misses      94115    94249     +134     
- Partials     7437     7442       +5     
Flag            Coverage Δ
go-unit-tests   49.50% <36.44%> (-0.02%) ⬇️


@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 5993fc8 to 9749407 January 14, 2026 18:27
@dcaravel dcaravel marked this pull request as ready for review January 14, 2026 18:27
@dcaravel dcaravel requested review from a team as code owners January 14, 2026 18:27
@dcaravel dcaravel requested a review from BradLugo January 14, 2026 18:27
@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 9a425e2 to 1aa7166 January 15, 2026 22:39
@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 1aa7166 to be324f8 January 16, 2026 22:49
@dcaravel

Rebased from master, expecting that to address the prior unrelated UI errors

@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 971c703 to 2643358 January 16, 2026 23:33
@dcaravel dcaravel requested a review from BradLugo January 17, 2026 00:00
@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 2643358 to 01e65a6 January 22, 2026 22:25

dcaravel commented Jan 22, 2026

Rebased to address conflicts

So that it is easier to differentiate between the generation vs. scanning handler.
- HTTP handler
- Pass http request reader to Scanner V4 integration
- Mock conversion of vuln report to Scan SBOM response
- made 'getScannerV4SBOMIntegration' reusable from SBOM gen and scan
- now pass request context down to scannerv4 client
- read size exceeds limit from error directly
- removed operating system variable from the sbom response type
@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 01e65a6 to 09f9e5f February 13, 2026 20:18
@dcaravel

Rebased onto latest master (to get new required CI checks to run)

@dcaravel dcaravel merged commit b325e78 into master Feb 13, 2026
100 of 103 checks passed
@dcaravel dcaravel deleted the dc/sbom-ingest-central-api branch February 13, 2026 23:36