fetching digest from image field when using cri-o

image/image.go

@@ -91,9 +91,10 @@ func ParsePullSecrets(ctx context.Context, secretClient corev1.SecretInterface,
 }
 
 // Formats:
-//     {scheme}://{repo}@{digest} (images from dockerhub)
-//     {scheme}://{namespace}/{repo}@{digest} (images from dockerhub)
-//     {scheme}://{host}/{namespace}/{repo}@{digest}
+//
+//	{scheme}://{repo}@{digest} (images from dockerhub)
+//	{scheme}://{namespace}/{repo}@{digest} (images from dockerhub)
+//	{scheme}://{host}/{namespace}/{repo}@{digest}
 type Image struct {
 	ContainerName string
 	ContainerID   string
@@ -250,7 +251,18 @@ func ParseImageID(imageID string) (*Image, error) {
 
 func ParseContainerStatus(containerStatus v1.ContainerStatus) (*Image, error) {
 	// Parse imageID (digest)
-	image, err := ParseImageID(containerStatus.ImageID)
+	// cri-o will set the imageID to a random digest, in which case fallback to image
+	var imageID string
+	if regexp.MustCompile("^[a-zA-Z0-9_]*$").MatchString(containerStatus.ImageID) {
+		imageID = containerStatus.Image
+		digest := strings.SplitN(imageID, "@", 2)
+		if len(digest) != 2 {
+			return nil, fmt.Errorf("both image and imageID status fields do not contain digest: %s", imageID)
+		}
+	} else {
+		imageID = containerStatus.ImageID
+	}
+	image, err := ParseImageID(imageID)
 	if err != nil {
 		return nil, err
 	}
@@ -269,7 +281,7 @@ func ParseContainerStatus(containerStatus v1.ContainerStatus) (*Image, error) {
 	// Set tag name
 	s := strings.Split(containerStatus.Image, ":")
 	if len(s) != 2 && len(s) != 3 {
-		return nil, fmt.Errorf("Wrong image format")
+		return nil, fmt.Errorf("Wrong image format: %s", containerStatus.Image)
 	}
 
 	tagname := s[len(s)-1]

image/image_test.go

@@ -129,6 +129,20 @@ var containerStatusTable = []struct {
 
 	expectedError error
 }{
+	{
+		"my-test-repository",
+		"QUAY:443/my-test-namespace/my-test-repository@sha256:c549c6151dd8f4098fd02198913c0f6c55b240b156475588257f19d57e7b1fba",
+		"cf879a45faaacd2806705321f157c4c77682c7599589fed65d80f19bb61615a6",
+
+		"my-test-repository",
+		"QUAY:443",
+		"my-test-namespace",
+		"my-test-repository",
+		"sha256:c549c6151dd8f4098fd02198913c0f6c55b240b156475588257f19d57e7b1fba",
+		"",
+
+		nil,
+	},
 	{
 		"my-test-repository",
 		"QUAY:443/my-test-namespace/my-test-repository:latest",
@@ -239,6 +253,20 @@ var containerStatusTable = []struct {
 
 		fmt.Errorf("Invalid imageID format: %s", "sha256:94033a42da840b970fd9d2b04dae5fec56add2714ca674a758d030ce5acba27e"),
 	},
+	{
+		"my-test-repository",
+		"QUAY:443/my-test-namespace/my-test-repository:latest",
+		"cf879a45faaacd2806705321f157c4c77682c7599589fed65d80f19bb61615a6",
+
+		"",
+		"",
+		"",
+		"",
+		"",
+		"",
+
+		fmt.Errorf("both image and imageID status fields do not contain digest: %s", "QUAY:443/my-test-namespace/my-test-repository:latest"),
+	},
 }
 
 func TestParseContainerStatus(t *testing.T) {

labeller/labeller.go

@@ -403,7 +403,7 @@ func (l *Labeller) scan(ctx context.Context, pod *corev1.Pod, img *image.Image,
 			return fmt.Errorf("error updating image manifest vuln: %w", err)
 		}
 
-		level.Info(l.logger).Log("msg", "image manifest vuln creted", "image", img.String())
+		level.Info(l.logger).Log("msg", "image manifest vuln created", "image", img.String())
 		return nil
 	}
 
@@ -523,7 +523,7 @@ func (l *Labeller) Reconcile(ctx context.Context, key string) error {
 	for _, containerStatus := range pod.Status.ContainerStatuses {
 		img, err := image.ParseContainerStatus(containerStatus)
 		if err != nil {
-			level.Error(l.logger).Log("msg", "Error parsing imageID", "imageID", containerStatus.ImageID)
+			level.Error(l.logger).Log("msg", "Error parsing imageID", "err", err)
 			continue
 		}