SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper

.gitignore

@@ -3,4 +3,5 @@ vendor/*
 artifacts/simple-image/storage-apiserver
 artifacts/simple-image/kube-sample-apiserver
 logs-*/*
-tmp/*
+tmp/*
+.claude/

artifacts/collapseconfiguration-default-sample.yaml

@@ -0,0 +1,29 @@
+# Sample CollapseConfiguration. Apply to a cluster running storage to
+# replace the compiled-in defaults at deflate time.
+#
+# The resource is cluster-scoped; the singleton "default" is the only
+# name the deflate path consults.
+#
+#   kubectl apply -f artifacts/collapseconfiguration-default-sample.yaml
+#
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+kind: CollapseConfiguration
+metadata:
+  name: default
+spec:
+  # Fallback threshold for AnalyzeOpens when no per-prefix entry matches.
+  openDynamicThreshold: 50
+  # Fallback threshold for AnalyzeEndpoints.
+  endpointDynamicThreshold: 100
+  # Per-prefix overrides, evaluated longest-prefix-wins.
+  collapseConfigs:
+    - prefix: /etc
+      threshold: 100
+    - prefix: /etc/apache2
+      threshold: 50
+    - prefix: /opt
+      threshold: 50
+    - prefix: /var/run
+      threshold: 50
+    - prefix: /app
+      threshold: 50

go.mod

@@ -6,7 +6,7 @@ go 1.25.8
 
 require (
 	github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74
-	github.com/anchore/syft v1.42.3
+	github.com/anchore/syft v1.32.0
 	github.com/armosec/armoapi-go v0.0.696
 	github.com/armosec/utils-k8s-go v0.0.30
 	github.com/containers/common v0.63.0
@@ -50,7 +50,7 @@ require (
 	github.com/acobaugh/osrelease v0.1.0 // indirect
 	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 // indirect
-	github.com/anchore/stereoscope v0.1.22 // indirect
+	github.com/anchore/stereoscope v0.1.9 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/armosec/gojay v1.2.17 // indirect
 	github.com/armosec/utils-go v0.0.58 // indirect
@@ -132,7 +132,7 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opencontainers/runtime-spec v1.3.0 // indirect
+	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect

go.sum

@@ -86,10 +86,10 @@ github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 h1:2SqmFgE7h+Ql4
 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722/go.mod h1:oFuE8YuTCM+spgMXhePGzk3asS94yO9biUfDzVTFqNw=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
-github.com/anchore/stereoscope v0.1.22 h1:L807G/kk0WZzOCGuRGF7knxMKzwW2PGdbPVRystryd8=
-github.com/anchore/stereoscope v0.1.22/go.mod h1:FikPtAb/WnbqwgLHAvQA9O+fWez0K4pbjxzghz++iy4=
-github.com/anchore/syft v1.42.3 h1:eIeeGyqfXm/C8wpBWU50xFbOjdL37VbLatMj9nEJ6n4=
-github.com/anchore/syft v1.42.3/go.mod h1:i2PZ+276IdPcnd/n32aeIv849iO/QqdjRknbIc39yL0=
+github.com/anchore/stereoscope v0.1.9 h1:Nhvk8g6PRx9ubaJU4asAhD3fGcY5HKXZCDGkxI2e0sI=
+github.com/anchore/stereoscope v0.1.9/go.mod h1:YkrCtDgz7A+w6Ggd0yxU9q58CerqQFwYARS+F2RvLQQ=
+github.com/anchore/syft v1.32.0 h1:JcX9W+P/Xjv5DNg3TNBtwiEyZommuTaP16/NC9r0Yfo=
+github.com/anchore/syft v1.32.0/go.mod h1:E6Kd4iBM2ljUOUQvSt7hVK6vBwaHkMXwcvBZmGMSY5o=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -564,8 +564,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
-github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
+github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552 h1:CkXngT0nixZqQUPDVfwVs3GiuhfTqCMk0V+OoHpxIvA=
 github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552/go.mod h1:T487Kf80NeF2i0OyVXHiylg217e0buz8pQsa0T791RA=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=

pkg/apis/softwarecomposition/collapse_types.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2024 The Kubescape Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package softwarecomposition
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfiguration is a cluster-scoped resource carrying per-prefix
+// thresholds for the dynamic-path-detector's open/endpoint collapse step.
+//
+// At runtime the storage server's deflate path reads the singleton
+// CollapseConfiguration (name "default") and feeds its entries into
+// NewPathAnalyzerWithConfigs(...). When the resource is absent the deflate
+// path falls back to the package-level defaultCollapseConfigs slice.
+//
+// Tooling (e.g. bobctl autotune) can write the singleton to push tuned
+// thresholds back into a running cluster without restarting the storage
+// server.
+type CollapseConfiguration struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec CollapseConfigurationSpec
+}
+
+// CollapseConfigurationSpec carries the cluster-wide collapse thresholds.
+type CollapseConfigurationSpec struct {
+	// OpenDynamicThreshold is the fallback threshold for AnalyzeOpens when
+	// no per-prefix entry matches the walked path.
+	OpenDynamicThreshold int32
+	// EndpointDynamicThreshold is the counterpart for AnalyzeEndpoints.
+	EndpointDynamicThreshold int32
+	// CollapseConfigs is the per-prefix threshold override list, evaluated
+	// longest-prefix-wins.
+	CollapseConfigs []CollapseConfigEntry
+}
+
+// CollapseConfigEntry is one per-prefix threshold override.
+type CollapseConfigEntry struct {
+	// Prefix is the path prefix to match (e.g. "/etc", "/opt").
+	Prefix string
+	// Threshold is the maximum number of unique children allowed at any
+	// trie node under Prefix before that node collapses to a single
+	// dynamic identifier.
+	Threshold int32
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfigurationList is a list of CollapseConfiguration objects.
+type CollapseConfigurationList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []CollapseConfiguration
+}

pkg/apis/softwarecomposition/network_types.go

@@ -65,7 +65,11 @@ type NetworkNeighbor struct {
 	Ports             []NetworkPort
 	PodSelector       *metav1.LabelSelector
 	NamespaceSelector *metav1.LabelSelector
-	IPAddress         string
+	IPAddress         string // DEPRECATED - use IPAddresses instead.
+	// IPAddresses is the v0.0.2 list-form replacement for IPAddress.
+	// Each entry MAY be a literal IP, a CIDR (a.b.c.d/n), or the "*" sentinel.
+	// See pkg/registry/file/networkmatch for matcher semantics.
+	IPAddresses []string
 }
 
 type NetworkPort struct {

pkg/apis/softwarecomposition/register.go

@@ -83,6 +83,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&SBOMSyftFilteredList{},
 		&SeccompProfile{},
 		&SeccompProfileList{},
+		&CollapseConfiguration{},
+		&CollapseConfigurationList{},
 	)
 	return nil
 }

pkg/apis/softwarecomposition/v1beta1/collapse_types.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2024 The Kubescape Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfiguration is a cluster-scoped resource carrying per-prefix
+// thresholds for the dynamic-path-detector's open/endpoint collapse step.
+// The storage server's deflate path reads the singleton (name "default")
+// and feeds its entries into NewPathAnalyzerWithConfigs at runtime.
+type CollapseConfiguration struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Spec CollapseConfigurationSpec `json:"spec" protobuf:"bytes,2,req,name=spec"`
+}
+
+// CollapseConfigurationSpec carries the cluster-wide collapse thresholds.
+type CollapseConfigurationSpec struct {
+	// OpenDynamicThreshold is the fallback threshold for AnalyzeOpens when
+	// no per-prefix entry matches the walked path.
+	OpenDynamicThreshold int32 `json:"openDynamicThreshold" protobuf:"varint,1,req,name=openDynamicThreshold"`
+	// EndpointDynamicThreshold is the counterpart for AnalyzeEndpoints.
+	EndpointDynamicThreshold int32 `json:"endpointDynamicThreshold" protobuf:"varint,2,req,name=endpointDynamicThreshold"`
+	// CollapseConfigs is the per-prefix threshold override list, evaluated
+	// longest-prefix-wins. Each entry is keyed by Prefix so server-side
+	// apply patches one entry at a time instead of replacing the slice.
+	// +listType=map
+	// +listMapKey=prefix
+	CollapseConfigs []CollapseConfigEntry `json:"collapseConfigs,omitempty" protobuf:"bytes,3,rep,name=collapseConfigs"`
+}
+
+// CollapseConfigEntry is one per-prefix threshold override.
+type CollapseConfigEntry struct {
+	// Prefix is the path prefix to match (e.g. "/etc", "/opt").
+	Prefix string `json:"prefix" protobuf:"bytes,1,req,name=prefix"`
+	// Threshold is the maximum number of unique children allowed at any
+	// trie node under Prefix before that node collapses to a single
+	// dynamic identifier.
+	Threshold int32 `json:"threshold" protobuf:"varint,2,req,name=threshold"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfigurationList is a list of CollapseConfiguration objects.
+type CollapseConfigurationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []CollapseConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
+}