Container scanning generating Incorrect sbom_source.image.name for self-managed and development


Summary

Container scanning generates an incorrect sbom_source.image.name for development and self-managed users when the image reference contains a registry port.

Steps to reproduce

  1. Run a container scanning job in your GDK against a container image in the container registry.
  2. Verify the properties gitlab:container_scanning:image:name and gitlab:container_scanning:image:tag in the generated SBOM file.
  3. For the image gdk.test:5000/root/container-scanning/foobar20:latest, the name will be gdk.test and the tag will be 5000/root/container-scanning/foobar20:latest, because the reference is split at the first ':' (the registry port) rather than the last.

What is the expected correct behavior?

For the image gdk.test:5000/root/container-scanning/foobar20:latest, the name should be gdk.test:5000/root/container-scanning/foobar20 and the tag should be latest.

Possible fixes

  1. Split the string on the last ':' instead of the first when splitting the image name here: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/master/lib/gcs/sbom_converter.rb?ref_type=heads#L53

  2. Explore if existing data needs correction.
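The following Ruby snippet is an added illustration of the parsing problem behind this issue and of fix 1; it is not the analyzer's own code from sbom_converter.rb, and the helper names (split_image_reference, buggy_split, ImageRef) are assumed. It goes slightly beyond the fix as stated: splitting on the last ':' is only correct when no '/' follows that colon (otherwise the reference has no tag and the colon is still the port), and a trailing '@sha256:...' digest is stripped first so its colon is never mistaken for a tag.

```ruby
# Added example (not the analyzer's own code): split a container image
# reference into its name and tag without mis-parsing a registry port.
#
# A reference looks like [registry[:port]/]path[:tag][@digest]. The first ':'
# may belong to the registry port, so splitting on it is wrong (the bug in
# this issue). Splitting on the last ':' is right only when no '/' follows it;
# otherwise that ':' is still the port and the reference has no tag.

ImageRef = Struct.new(:name, :tag, :digest, keyword_init: true)

# Returns an ImageRef; tag and digest are nil when absent.
def split_image_reference(reference)
  raise ArgumentError, "empty image reference" if reference.nil? || reference.empty?

  # A digest always follows '@' and carries its own ':' (e.g. sha256:...),
  # so separate it first so it cannot be taken for a tag.
  name_and_tag, digest = reference.split("@", 2)

  colon = name_and_tag.rindex(":")
  if colon && !name_and_tag[colon + 1..].include?("/")
    name = name_and_tag[0...colon]
    tag = name_and_tag[colon + 1..]
  else
    # No ':' at all, or the only ':' is inside the registry host:port.
    name = name_and_tag
    tag = nil
  end

  ImageRef.new(name: name, tag: tag, digest: digest)
end

# The behaviour reported in this issue, kept for comparison: split on the first ':'.
def buggy_split(reference)
  name, tag = reference.split(":", 2)
  ImageRef.new(name: name, tag: tag, digest: nil)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample references; the first is the image from the issue.
  [
    "gdk.test:5000/root/container-scanning/foobar20:latest",
    "gdk.test:5000/root/container-scanning/foobar20",
    "registry.gitlab.com/group/project/app:1.2.3",
    "alpine",
    "alpine:3.19@sha256:deadbeef"
  ].each do |ref|
    fixed = split_image_reference(ref)
    buggy = buggy_split(ref)
    puts ref
    puts "  last-colon:  name=#{fixed.name.inspect} tag=#{fixed.tag.inspect} digest=#{fixed.digest.inspect}"
    puts "  first-colon: name=#{buggy.name.inspect} tag=#{buggy.tag.inspect}"
  end
end
```

Run it with plain ruby to see the first-colon and last-colon results side by side; the second sample (a port but no tag) is the case a bare "split on last ':'" would still get wrong, which is worth covering when checking whether existing data needs correction (fix 2).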

Edited by 🤖 GitLab Bot 🤖