Vulnerability Report's report.artifact.digest field is the artifact's image_id not digest

[dkulchinsky]

What steps did you take and what happened:

We've been trying to understand why the report.artifact.digest value doesn't match the actual image digest.

After digging a bit through the code, we realized that the value of report.artifact.digest is actually the image_id.

here's an example:

report:
  artifact:
    digest: sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb
    repository: <image repo>
    tag: v0.47.3
  os:
    family: alpine
    name: 3.18.4
  registry:
    server: <registry>

per above the digest is sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb

however, when we scan the same image with trivy cli, we get the following:

trivy i --format json <registry>/<image repo>:v0.47.3

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-09T21:20:23.838423-04:00",
  "ArtifactName": "<registry>/<image repo>:v0.47.3",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.18.4"
    },
    "ImageID": "sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb",
    "DiffIDs": [
      "sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438",
      "sha256:8d7be0d3cbdd44bc6fa563f60e8bc1a373d5e60f035d8c089918a2bcc92fee25",
      "sha256:94e5b30b4e4869f384d25800811d245e2a09d04eeb6295a0eadd34ef3bf62677",
      "sha256:f9733b6837c92fb7242b3513ccc51ed17051488e31115c5dd57ac1ee229f64e9",
      "sha256:1b1eb4aa471edd83d2c07371ae5c7a43435e8f445d749f055f48cb915ed52c21",
      "sha256:1624be5bf90422992672ea3698f7f48b1835627808d52126c46d4539e14eeb7e",
      "sha256:654cfc253da32ff012d018bb56208d1c5de1657e1f39e8f3a8c78bd016c14834",
      "sha256:bd978dcc58af2e02683ddcadad5142fea925718a2154791a45f41e5944fc8c91"
    ],
    "RepoTags": [
      "<registry>/<image repo>:v0.47.3"
    ],
    "RepoDigests": [
      "<registry>/<image repo>@sha256:cf3e3b3a98edde46eac58d4745a2467b9da2bc49a11191565a893ffac38034a3"
    ],

as you can see, the report.artifact.digest value is Metadata.ImageID in the Trivy report:

"ImageID": "sha256:dde063663e676fb551255dcc41f7b67fbb913becaccadde12da2c3a0abc236eb",

The actual Digest is in the Metadata.RepoDigests field:

    "RepoDigests": [
      "<registry>/<image repo>@sha256:cf3e3b3a98edde46eac58d4745a2467b9da2bc49a11191565a893ffac38034a3"
    ],

What did you expect to happen:

We expect that report.artifact.digest would show the actual image digest value, instead of image_id.

perhaps it's worth to include both?

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

Environment:

• Trivy-Operator version (use trivy-operator version): v0.22.0
• Kubernetes version (use kubectl version): 1.28.13
• OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): N/A

[github-actions]

This issue is stale because it has been labeled with inactivity.

[d-mankowski-synerise]

Encountered the same issue :/ I guess the source of confusion is the fact, that what Trivy and Docker call image digest, Kubernetes calls imageID (which is a totally different entity) - e.g. for image quay.io/jetstack/cert-manager-controller:v1.15.1 for linux/amd64, Kubernetes reports:

❯ k get pod -o json cert-manager-6947bb5c7f-k7vwj | jq -r '.status.containerStatuses.[].imageID'                                                                (syn-s001-eu-west-aks-loki1-001-admin/cert-manager)
quay.io/jetstack/cert-manager-controller@sha256:057ace5734b53ebdec20b3a0d182c37c9ef0014e9f6364f9b99018e76936e984

while Docker shows:

❯ docker image ls --digests --no-trunc quay.io/jetstack/cert-manager-controller                                                                                 
REPOSITORY                                 TAG       DIGEST                                                                    IMAGE ID                                                                  CREATED        SIZE
quay.io/jetstack/cert-manager-controller   v1.15.1   sha256:057ace5734b53ebdec20b3a0d182c37c9ef0014e9f6364f9b99018e76936e984   sha256:1d33ee05f4c869bf0591c4b176f943833fcdb9e7e48bbd219347eba87f4a7801   4 months ago   66.4MB

[d-mankowski-synerise]

By looking at the logic here, if imageRef is of form xxxx@sha256:yyy, then the image digest reported by Trivy Operator is correct. In other (most) cases, incorrect imageID is returned, instead of the actual digest. Will submit PR to fix this.