SBOM status #261

Open
ybelMekk wants to merge 16 commits into main from sbom_status

Conversation

@ybelMekk (Contributor) commented Apr 22, 2026

This pull request introduces a new SBOM (Software Bill of Materials) status model for workloads and images, and updates the API and tests to use this model. The main focus is on accurately reflecting SBOM processing states, improving the logic for determining SBOM status, and ensuring the API responses and tests align with the new status handling.

SBOM Status Model Implementation and Integration:

  • Added new functions to encapsulate SBOM status logic, including deriveSbomStatus, deriveImageSbomStatus, and a priority-based worstCase function, in internal/api/grpcvulnerabilities/sbom_status.go.
  • Updated API logic in internal/api/grpcvulnerabilities/summary.go to use the new SBOM status model:
    • ListVulnerabilitySummaries now determines and returns SBOM status per workload, and only includes a vulnerability summary if the SBOM is ready.
    • GetVulnerabilitySummaryForImage now computes SBOM status for images, returns it in the response, and only includes a vulnerability summary when appropriate.

Testing Enhancements:

  • Added a comprehensive test suite for SBOM status logic in internal/api/grpcvulnerabilities/sbom_status_test.go, covering all possible state combinations and the status rollup logic.
  • Updated and expanded tests in internal/api/grpcvulnerabilities/server_test.go to verify the new SBOM status handling in API responses, including multiple scenarios for both workloads and images.

Code Cleanup and Removal:

  • Removed the unused generate.go file and its code generation directive, as it is no longer relevant to the current workflow.

These changes ensure that SBOM status is consistently and accurately reported throughout the API, and that tests validate all relevant status transitions and edge cases.
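
Added example, not code from this PR or the project: a Go sketch of how a per-image status derivation and a priority-based worst-case rollup of the kind the description above talks about can be written, together with the "summary only when ready" gate. The enum value names (SbomStatusReady and friends), the image state strings, the HasSbom flag, the 24-hour stale-processing cutoff and the severity ordering are all assumptions standing in for the PR's real definitions, which this page does not show.

```go
package main

import (
	"fmt"
	"time"
)

// SbomStatus stands in for the proto enum the PR adds; value names are assumptions.
type SbomStatus int

const (
	SbomStatusUnknown    SbomStatus = iota // image state not recognised
	SbomStatusReady                        // SBOM ingested, summary usable
	SbomStatusNotFound                     // processing finished, no SBOM exists
	SbomStatusProcessing                   // fetch/finalize still in flight
	SbomStatusFailed                       // final attempt failed
)

var statusNames = [...]string{"UNKNOWN", "READY", "NOT_FOUND", "PROCESSING", "FAILED"}

func (s SbomStatus) String() string {
	if s >= 0 && int(s) < len(statusNames) {
		return statusNames[s]
	}
	return "UNKNOWN"
}

// ImageRow mirrors the image fields the PR selects (state plus
// sbom_processing_started_at); the state strings and HasSbom are assumptions.
type ImageRow struct {
	State                   string     // initialized, resync, updated, failed
	SbomProcessingStartedAt *time.Time // nil until a worker starts
	HasSbom                 bool       // an attestation was stored for the image
}

// stalePeriod (assumption): a run older than this is reported FAILED rather
// than left PROCESSING forever after a worker dies mid-run.
const stalePeriod = 24 * time.Hour

// deriveImageSbomStatus maps one image row to an SbomStatus.
func deriveImageSbomStatus(img ImageRow, now time.Time) SbomStatus {
	switch img.State {
	case "failed":
		return SbomStatusFailed
	case "updated":
		if img.HasSbom {
			return SbomStatusReady
		}
		return SbomStatusNotFound
	case "initialized", "resync":
		if t := img.SbomProcessingStartedAt; t != nil && now.Sub(*t) > stalePeriod {
			return SbomStatusFailed
		}
		return SbomStatusProcessing
	default:
		return SbomStatusUnknown
	}
}

// priority orders statuses least to most severe (assumed ordering). UNKNOWN
// outranks READY so one unreadable row never lets an aggregate claim READY.
var priority = map[SbomStatus]int{
	SbomStatusReady: 0, SbomStatusUnknown: 1, SbomStatusNotFound: 2,
	SbomStatusProcessing: 3, SbomStatusFailed: 4,
}

// worstCase returns the most severe status in the input, UNKNOWN if empty.
func worstCase(statuses ...SbomStatus) SbomStatus {
	if len(statuses) == 0 {
		return SbomStatusUnknown
	}
	worst := statuses[0]
	for _, s := range statuses[1:] {
		if priority[s] > priority[worst] {
			worst = s
		}
	}
	return worst
}

// includeSummary is the gate the PR describes: vulnerability counts are
// attached only when READY, so a zero count is never mistaken for "no SBOM".
func includeSummary(s SbomStatus) bool { return s == SbomStatusReady }

func main() {
	// Constructed sample rows, not data from the project.
	now := time.Date(2026, 4, 22, 12, 0, 0, 0, time.UTC)
	fresh, stuck := now.Add(-2*time.Hour), now.Add(-72*time.Hour)
	rows := []ImageRow{
		{State: "updated", HasSbom: true},
		{State: "initialized", SbomProcessingStartedAt: &fresh},
		{State: "resync", SbomProcessingStartedAt: &stuck},
	}
	var statuses []SbomStatus
	for _, r := range rows {
		s := deriveImageSbomStatus(r, now)
		statuses = append(statuses, s)
		fmt.Printf("state=%-11s status=%-10s include_summary=%v\n", r.State, s, includeSummary(s))
	}
	fmt.Println("rollup:", worstCase(statuses...))
}
```

The point worth checking in a review of code like this is the gate: an API that returns an empty vulnerability summary for an image whose SBOM has not been ingested yet reads as "clean" to every consumer, so the status must be surfaced instead of the counts until processing is actually done. The stale-timestamp check is the other edge case to keep in mind once sbom_processing_started_at exists: without it, a worker that dies between start and finalize leaves the image PROCESSING indefinitely.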

Copilot AI review requested due to automatic review settings April 22, 2026 07:18
Copilot AI left a comment

Pull request overview

This PR adds first-class SBOM status derivation and propagation through the gRPC vulnerabilities API (workload + image level), updates CLI output to display SBOM status, and extends the manager/database layers to track SBOM processing state and timestamps.

Changes:

  • Introduces SbomStatus (proto + Go) and derives/rolls it up from image/workload state for API responses.
  • Extends SQL queries/models to include image/workload state and SBOM processing timestamps; adds new query for per-image workload SBOM statuses.
  • Updates CLI commands/output and adds tests for the new SBOM status behavior and worker state transitions.

Reviewed changes

Copilot reviewed 26 out of 27 changed files in this pull request and generated 5 comments.

File Description
pkg/cli/commands/list.go Shows “SBOM Status” column and hides vuln counts when no SBOM.
pkg/cli/commands/get.go Adds get image-summary CLI command to fetch per-image SBOM status + per-workload statuses.
pkg/api/vulnerabilities/vulnerabilities.pb.go Generated Go bindings updated for new proto types/fields.
pkg/api/vulnerabilities/schemas/vulnerabilities.proto Adds SbomStatus enum + SBOM status fields to responses/messages.
internal/mocks/Querier/mock_querier.go Regenerated mocks for new SQL methods.
internal/manager/upload_attestation_worker_test.go Tests workload state update behavior on upload flow.
internal/manager/upload_attestation.go Updates workload state(s) by image when resync is triggered.
internal/manager/get_attestation_worker_test.go Adds tests for retry/final-attempt logic and enqueueing upload jobs.
internal/manager/get_attestation.go Avoids marking image failed until final attempt.
internal/manager/finalize_attestation_worker_test.go Tests workload state update behavior during finalize flow.
internal/manager/finalize_attestation.go Updates workload state(s) by image when finalize marks resync.
internal/database/sql/workloads.sql.go Adds UpdateWorkloadStateByImage; adjusts InitializeWorkload update conditions.
internal/database/sql/vulnerbility_summary.sql.go Includes workload/image state fields and joins images for SBOM/status derivation.
internal/database/sql/status.sql.go Adds ListWorkloadSbomStatusByImage query.
internal/database/sql/querier.go Extends Querier interface with new methods.
internal/database/sql/models.go Extends Image model with SbomProcessingStartedAt.
internal/database/sql/image.sql.go Persists/updates sbom_processing_started_at alongside image state transitions.
internal/database/queries/workloads.sql Adds UpdateWorkloadStateByImage; adjusts InitializeWorkload conditions.
internal/database/queries/vulnerbility_summary.sql Joins images and selects image/workload state fields.
internal/database/queries/status.sql Adds ListWorkloadSbomStatusByImage.
internal/database/queries/image.sql Adds/updates sbom_processing_started_at handling.
internal/database/database_test.go Adds regression tests for InitializeWorkload skip behavior by state.
internal/api/grpcvulnerabilities/vulnerabilities.go Makes suppression reason extraction nil-safe via helper.
internal/api/grpcvulnerabilities/summary.go Populates SBOM status fields in summary endpoints and adds per-image workload SBOM statuses.
internal/api/grpcvulnerabilities/server_test.go Expands server tests for SBOM status propagation and multi-workload rollups.
internal/api/grpcvulnerabilities/sbom_status_test.go Adds unit tests for SBOM status derivation and rollup priority.
internal/api/grpcvulnerabilities/sbom_status.go Implements deriveSbomStatus and worstCase rollup helper.


Copilot AI left a comment


Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 6 comments.
