
ROX-32846: Add repository-to-CPE mapping API to indexer#18705

Draft
BradLugo wants to merge 2 commits into master from blugo/ROX-32846-GetRepositoryToCPEMapping

Conversation

@BradLugo
Contributor

@BradLugo BradLugo commented Jan 27, 2026

Description

Adds a new RPC, GetRepositoryToCPEMapping, to the Indexer service that returns the Red Hat repository-to-CPE mapping used for RHEL package vulnerability matching. This mapping will be needed by the matcher's ScanSBOM API to enrich RHEL packages with CPE information during SBOM vulnerability scanning.

Alternatives

  • Individual repository-to-cpe lookup: Frankly, this would be my long-term solution if we weren't planning on moving toward other indexing improvements (i.e., "slim index reports"), which is really my preferred solution here. This is a valid option, and we could prove whether it's better than sending the entire mapping over with performance testing, but the current changes seemed easier to implement at the time. We can revisit this during the Tech Preview implementation.
  • repository-to-cpe mapping in Matcher: We'd need to have the same repository-to-cpe related configurations in the Matcher, which requires deployment configuration changes. Given that this is meant to be a somewhat temporary solution, I didn't see the benefit in that effort.
  • SBOM parsing in the Indexer: Some of the SBOMs are already too large to send over the wire as-is. Sending that data between the Indexer and Matcher seemed like too much. The repository-to-cpe data is much smaller.

PR stack:

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

No automated testing. Will follow up in ROX-27690.

How I validated my change

  1. Deploy stackrox
  2. Optionally set the ROX_SBOM_SCANNING feature flag:
    ❯ kubectl set env deploy/scanner-v4-indexer ROX_SBOM_SCANNING=true
    
  3. Port forward Indexer
    ❯ kubectl port-forward svc/scanner-v4-indexer 8443
    
  4. Hit the endpoint
    ❯ grpcurl -insecure \
        -import-path proto \
        -proto internalapi/scanner/v4/indexer_service.proto \
        localhost:8443 scanner.v4.Indexer/GetRepositoryToCPEMapping | head
    {
      "mapping": {
        "3scale-amp-2-for-rhel-8-ppc64le-debug-rpms": {
          "cpes": [
            "cpe:/a:redhat:3scale:2.13::el8",
            "cpe:/a:redhat:3scale:2.14::el8",
            "cpe:/a:redhat:3scale:2.15::el8",
            "cpe:/a:redhat:3scale:2.16::el8",
            "cpe:/a:redhat:3scale_amp:2.11::el8",
            "cpe:/a:redhat:3scale_amp:2.12::el8",
    
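The mapping that this RPC returns, consumed the way the matcher-side enrichment described above would use it: decode the response, then resolve a RHEL package's repository IDs to a deduplicated CPE list, reporting repositories the mapping does not know. This is an added example, not code from this PR or from StackRox; the JSON field names are assumed from the grpcurl output above, and the sample mapping (beyond the one copied entry) and repository IDs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Response shape as printed by grpcurl above: {"mapping": {"<repo>": {"cpes": [...]}}}.
// Field names are assumed from that output, not taken from the project's proto.
type mappingResponse struct {
	Mapping map[string]struct {
		CPEs []string `json:"cpes"`
	} `json:"mapping"`
}

// sampleMapping is constructed for this example; the first entry is copied from the output above.
const sampleMapping = `{"mapping": {
  "3scale-amp-2-for-rhel-8-ppc64le-debug-rpms": {"cpes": ["cpe:/a:redhat:3scale:2.13::el8", "cpe:/a:redhat:3scale:2.14::el8"]},
  "example-rhel-8-baseos-rpms": {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:3scale:2.14::el8"]}
}}`

// parseMapping flattens the response into repo-id -> CPE list.
func parseMapping(raw []byte) (map[string][]string, error) {
	var resp mappingResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode repository-to-CPE mapping: %w", err)
	}
	out := make(map[string][]string, len(resp.Mapping))
	for repo, e := range resp.Mapping {
		out[repo] = e.CPEs
	}
	return out, nil
}

// cpesForPackage returns the deduplicated CPEs for a RHEL package installed from
// the given repositories, plus the repositories absent from the mapping. An empty
// CPE list means the package cannot be matched, not that it has no vulnerabilities.
func cpesForPackage(mapping map[string][]string, repoIDs []string) (cpes, unknown []string) {
	seen := map[string]bool{}
	for _, repo := range repoIDs {
		entry, ok := mapping[repo]
		if !ok {
			unknown = append(unknown, repo)
			continue
		}
		for _, c := range entry {
			if !seen[c] {
				seen[c] = true
				cpes = append(cpes, c)
			}
		}
	}
	return cpes, unknown
}
```

A consumer should treat a non-empty `unknown` list (or an empty CPE result) as "unmatchable", since silently matching nothing looks identical to a clean scan.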

@rhacs-bot
Contributor

rhacs-bot commented Jan 27, 2026

Images are ready for the commit at 9bff2aa.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-880-g9bff2aaa49.

@codecov

codecov bot commented Jan 27, 2026

Codecov Report

❌ Patch coverage is 0% with 156 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.16%. Comparing base (01e65a6) to head (9bff2aa).

Files with missing lines                     Patch %   Lines
scanner/internal/httputil/updater.go           0.00%   51 missing
scanner/indexer/repositorytocpeupdater.go      0.00%   47 missing
pkg/scannerv4/client/client.go                 0.00%   21 missing
scanner/indexer/indexer.go                     0.00%   18 missing
scanner/services/indexer.go                    0.00%   15 missing
scanner/indexer/remote.go                      0.00%    4 missing
Additional details and impacted files
@@                      Coverage Diff                       @@
##           dc/sbom-ingest-central-api   #18705      +/-   ##
==============================================================
- Coverage                       49.20%   49.16%   -0.04%     
==============================================================
  Files                            2659     2661       +2     
  Lines                          199858   200014     +156     
==============================================================
+ Hits                            98344    98345       +1     
- Misses                          94082    94238     +156     
+ Partials                         7432     7431       -1     
Flag            Coverage Δ
go-unit-tests   49.16% <0.00%> (-0.04%) ⬇️


@BradLugo BradLugo force-pushed the blugo/ROX-32846-GetRepositoryToCPEMapping branch 2 times, most recently from 1d03f53 to 3a3b390 on January 27, 2026 23:09
Comment on lines +49 to +60
func (u *Updater) Get(ctx context.Context, c *http.Client) (any, error) {
var err error
if u.url != "" && u.reqRate.Allow() {
slog.DebugContext(ctx, "got unlucky, updating mapping file")
err = u.Fetch(ctx, c)
if err != nil {
slog.ErrorContext(ctx, "error updating mapping file", "reason", err)
}
}

return u.value.Load(), err
}
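Review bot: Get returns err alongside the previously loaded value, so a failed refresh reaches callers as an error even though a usable cached mapping is being returned, and the failure has already been logged at error level inside the if block; a caller that also logs the error produces two log lines for one refresh failure. Suggest returning `u.value.Load(), nil` once the error is logged (the cached value is still valid), or dropping the inner ErrorContext and leaving the decision to callers. Separately, until the first successful Fetch `u.value.Load()` yields nil, and with an `any` return type that case is easy to miss; document it on Get or return a typed empty mapping.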
Contributor


super nit: non-blocking and realize this is taken directly from quay/claircore - this appears to be the first introduction of slog in StackRox - now using slog, zlog, StackRox specific pkg/logging/logging.go, and maybe more - we may benefit from focusing this a bit in the future.

Contributor Author


While I think we should definitely standardize on slog and maybe have StackRox-specific provider, it wasn't my intent to introduce it here. Good catch.

Comment on lines +63 to +67
if len(initValue.Data) == 0 {
if _, err := updater.Get(ctx, client); err != nil {
zlog.Warn(ctx).Err(err).Msg("failed to fetch initial repo-to-CPE mapping")
}
}
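Review bot: a failed initial fetch is only warned about here, so when initValue.Data is empty and the mapping URL is unreachable the indexer comes up serving an empty repository-to-CPE mapping, and a matcher consuming it would attach no CPEs to RHEL packages, which is indistinguishable from a clean result. Consider returning the error from this initialisation path, or at least making the empty state visible (readiness, a metric, or an error-level log) so operators can tell "could not match" from "no vulnerabilities".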
Contributor


nit: IIUC the first call to updater.Get() will always try to Fetch from the URL regardless of whether initial data was loaded - if it aligns w/ intent could remove the len() check and always call updater.Get().

@BradLugo BradLugo force-pushed the blugo/ROX-32846-GetRepositoryToCPEMapping branch from 3a3b390 to 9bff2aa on January 28, 2026 05:52
@BradLugo BradLugo changed the title ROX-32846: add repository-to-CPE mapping API to indexer ROX-32846: Add repository-to-CPE mapping API to indexer Jan 28, 2026
@dcaravel dcaravel force-pushed the dc/sbom-ingest-central-api branch from 01e65a6 to 09f9e5f on February 13, 2026 20:18
@dcaravel dcaravel requested a review from a team as a code owner February 13, 2026 20:18
Base automatically changed from dc/sbom-ingest-central-api to master February 13, 2026 23:36
@openshift-ci

openshift-ci bot commented Feb 14, 2026

@BradLugo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                    Commit    Required   Rerun command
ci/prow/gke-qa-e2e-tests                     9bff2aa   false      /test gke-qa-e2e-tests
ci/prow/gke-operator-e2e-tests               9bff2aa   false      /test gke-operator-e2e-tests
ci/prow/gke-nongroovy-e2e-tests              9bff2aa   true       /test gke-nongroovy-e2e-tests
ci/prow/gke-ui-e2e-tests                     9bff2aa   true       /test gke-ui-e2e-tests
ci/prow/ocp-4-12-nongroovy-e2e-tests         9bff2aa   false      /test ocp-4-12-nongroovy-e2e-tests
ci/prow/ocp-4-20-operator-e2e-tests          9bff2aa   false      /test ocp-4-20-operator-e2e-tests
ci/prow/ocp-4-20-nongroovy-e2e-tests         9bff2aa   false      /test ocp-4-20-nongroovy-e2e-tests
ci/prow/ocp-4-20-ui-e2e-tests                9bff2aa   false      /test ocp-4-20-ui-e2e-tests
ci/prow/ocp-4-20-qa-e2e-tests                9bff2aa   false      /test ocp-4-20-qa-e2e-tests
ci/prow/ocp-4-12-qa-e2e-tests                9bff2aa   false      /test ocp-4-12-qa-e2e-tests
ci/prow/ocp-4-12-operator-e2e-tests          9bff2aa   false      /test ocp-4-12-operator-e2e-tests
ci/prow/ocp-4-12-scanner-v4-install-tests    9bff2aa   false      /test ocp-4-12-scanner-v4-install-tests
ci/prow/ocp-4-20-scanner-v4-install-tests    9bff2aa   false      /test ocp-4-20-scanner-v4-install-tests


Contributor

@vikin91 vikin91 left a comment


This change looks like it would not affect any scanning feature developed in the Sensor team, so it is good to go.
Feel free to request a re-review once the CI checks are resolved.

BradLugo added 2 commits April 9, 2026 10:53
Adds a new RPC, GetRepositoryToCPEMapping, to the Indexer service that
returns the Red Hat repository-to-CPE mapping used for RHEL package
vulnerability matching. This mapping will be needed by the matcher's
ScanSBOM API to enrich RHEL packages with CPE information during SBOM
vulnerability scanning.
@BradLugo BradLugo force-pushed the blugo/ROX-32846-GetRepositoryToCPEMapping branch from 9bff2aa to 0ea00c1 on April 9, 2026 17:54
@BradLugo BradLugo marked this pull request as draft April 9, 2026 17:55
@github-actions
Contributor

github-actions bot commented Apr 9, 2026

🚀 Build Images Ready

Images are ready for commit 0ea00c1. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-612-g0ea00c111c

4 participants