allowing CIDRs, wildcards and Plural in IP and DNS

[entlein]

Sorry, we do not accept changes directly against this repository. Please see
CONTRIBUTING.md for information on where and how to contribute instead.

[coderabbitai]

Warning

Review limit reached

@entlein, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 55 minutes and 58 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b843b18-035b-48d6-9482-e290ef9ee3ec

📥 Commits

Reviewing files that changed from the base of the PR and between 98649ae and 46f37d3.

⛔ Files ignored due to path filters (1)

• pkg/apis/softwarecomposition/v1beta1/generated.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (18)

• pkg/apis/softwarecomposition/network_types.go
• pkg/apis/softwarecomposition/v1beta1/generated.proto
• pkg/apis/softwarecomposition/v1beta1/network_types.go
• pkg/apis/softwarecomposition/v1beta1/network_types_protobuf_test.go
• pkg/apis/softwarecomposition/v1beta1/zz_generated.conversion.go
• pkg/apis/softwarecomposition/v1beta1/zz_generated.deepcopy.go
• pkg/apis/softwarecomposition/zz_generated.deepcopy.go
• pkg/registry/file/networkmatch/README.md
• pkg/registry/file/networkmatch/bench_test.go
• pkg/registry/file/networkmatch/doc.go
• pkg/registry/file/networkmatch/match_dns.go
• pkg/registry/file/networkmatch/match_dns_test.go
• pkg/registry/file/networkmatch/match_ip.go
• pkg/registry/file/networkmatch/match_ip_test.go
• pkg/registry/file/networkmatch/validate.go
• pkg/registry/file/networkmatch/validate_test.go
• pkg/registry/softwarecomposition/networkneighborhood/strategy.go
• pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[entlein]

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args #323 (path-wildcards core: anchored trailing-*, per-port key, WildcardIdentifier + CollapseConfig API — squash per your "merge first / or squash together" note)
• feat(cel): was_path_opened* CEL helpers in applicationprofile library node-agent#811 (was_path_opened* CEL helpers — NEW)

Tier 2 (execs):

• allowing wildcards in exec args #322 (CompareExecArgs)
• profile-compaction: CollapseConfig CRD + projection overlay + user-maged lifecycle #325 (CollapseConfig CRD + processors)
• allowing wildcards in exec args node-agent#805 (resolveExecPath + 3-arg parse)
• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args node-agent#807 (R0040 args consumer)
• feat(projection): add ExecsByPath composite-key surface to ProjectedContainerProfile node-agent#812 (ExecsByPath composite-key surface — NEW)

Tier 3 (network):

• allowing CIDRs, wildcards and Plural in IP and DNS #324 (networkmatch package)
• allowing CIDRs, wildcards and Plural in IP and DNS node-agent#806 (network wildcards CEL)

Tier 4 (tamper/sign):

• profile-compaction: CollapseConfig CRD + projection overlay + user-ma… node-agent#808 (projection overlay + tamper + non-blocking fanout + NN resource)
• sign and detect tampering node-agent#809 (cosign sign/verify + tamper detection)

Umbrellas:

• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  #326
• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  node-agent#810

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.

[coderabbitai]

🧩 Analysis chain

@entlein: Triggering a fresh review of this PR (#324 — networkmatch package, Tier 3 network). While the review runs, let me pull metadata on the relevant PRs to cross-check coupling.

---

🏁 Script executed:

#!/bin/bash
# Fetch details of the current PR
gh pr view 324 --repo kubescape/storage --json title,body,files,baseRefName,headRefName,state

echo "---"
# Fetch related storage PRs
for n in 322 323 325 326; do
  echo "=== storage#$n ==="
  gh pr view $n --repo kubescape/storage --json title,state,files 2>/dev/null | jq '{title,state,files:[.files[].path]}'
  echo ""
done

echo "---"
# Fetch related node-agent PRs
for n in 805 806 807 808 809 810 811 812; do
  echo "=== node-agent#$n ==="
  gh pr view $n --repo kubescape/node-agent --json title,state,files 2>/dev/null | jq '{title,state,files:[.files[].path]}'
  echo ""
done

Length of output: 21242

---

@entlein: Review triggered. Here is the full atomicity and coupling analysis based on actual file diffs across all PRs.

---

Atomicity Confirmation

PR	Tier	Verdict	Notes
storage#322	Exec	✅ Atomic	Single file pair (compare_exec_args.go + test)
storage#323	Opens	✅ Atomic	Scoped to dynamicpathdetector/* + types.go
storage#324	Network	✅ Atomic	New networkmatch/ package + network_types.go field additions + strategy wiring — no tier bleed
storage#325	Exec/CRD	✅ Atomic	CollapseConfig CRD + processors; collapse_config_from_crd.go bridges to #323 types (expected)
storage#326	Umbrella	✅ Correct	File union of #322+#323+#324+#325 confirmed
node-agent#805	Exec	✅ Atomic	parse/ library + event_reporting only
node-agent#806	Network	✅ Atomic	CEL consumer of storage#324 — correct tier
node-agent#807	Exec	⚠️ See below	Touches open.go — overlap with #811
node-agent#808	Tamper/CRD	⚠️ See below	tamper_alert.go + projection_apply.go overlap with #809 and #812
node-agent#809	Sign/Tamper	⚠️ See below	tamper_alert.go overlap with #808
node-agent#810	Umbrella	✅ Correct	File union of all node-agent PRs confirmed
node-agent#811	Opens	⚠️ See below	open.go overlap with #807
node-agent#812	Exec/Proj	⚠️ See below	projection_apply.go + projection_types.go overlap with #808

---

Cross-PR Coupling Flags

🔴 File-Level Conflicts (merge order matters)

1. node-agent#808 ↔ node-agent#809 — tamper_alert.go + tamper_alert_test.go
Both PRs modify the same two files. These are not independent — one must be rebased onto the other before the umbrella (#810) can merge cleanly.

2. node-agent#808 ↔ node-agent#812 — projection_apply.go + projection_types.go
#812 adds ExecsByPath composite-key to ProjectedContainerProfile; #808 restructures projection_apply.go. These will conflict at the hunk level. Suggested order: merge #812 first, then rebase #808 on top.

3. node-agent#807 ↔ node-agent#811 — open.go
#807 modifies open.go for R0040 args; #811 adds was_path_opened* helpers to the same file. One must be rebased on the other. Suggested order: merge #811 first (it's additive/new helpers), then rebase #807.

🟡 Ordering Dependencies (no file conflicts, but merge sequence required)

4. storage#323 → storage#325
collapse_config_from_crd.go in #325 references types introduced by #323's types.go (WildcardIdentifier, CollapseConfig API). Merge #323 before #325.

5. storage#324 → node-agent#806
node-agent#806's network.go CEL library consumes the networkmatch package from this PR. A go.mod bump pointing to the merged commit of storage#324 is required before node-agent#806 can merge.

6. storage#325 → node-agent#808
The projection overlay in #808 consumes the CollapseConfiguration CRD and client introduced in #325. Cross-repo go.mod bump required.

---

Recommended Merge Sequence

graph TD
    A[storage#322] --> E[storage#326 umbrella]
    B[storage#323] --> C[storage#325] --> E
    D[storage#324] --> F[node-agent#806] --> K[node-agent#810 umbrella]
    C --> G[node-agent#808]
    H[node-agent#811] --> I[node-agent#807] --> K
    J[node-agent#812] --> G
    G --> L[node-agent#809] --> K
    A --> E
    D --> E
    H --> K
    J --> K
    F --> K

Loading

In short: the three intra-node-agent file conflicts (#808↔#809, #808↔#812, #807↔#811) are the only remaining non-atomic coupling. Everything else is correctly sequenced by your tier map. This PR (#324) itself is clean and ready for review.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[matthyx]

Blocking: IPAddresses is added here, but the generated protobuf/conversion/deepcopy code is unchanged, so the field is silently dropped on real storage paths. The new TestNetworkNeighbor_IPAddresses_ProtobufRoundtrip already fails (go test ./pkg/apis/softwarecomposition/v1beta1). Please regenerate generated.pb.go, conversion code, and deepcopy code for this field before merge.

[entlein]

This has now been addressed and the PR compiles standalone

[matthyx]

Blocking: IPAddresses does not survive marshal/unmarshal today. The new protobuf roundtrip test fails because generated.pb.go, zz_generated.conversion.go, and zz_generated.deepcopy.go were not regenerated for the new field, so the API loses data on storage/conversion paths. Please regenerate the generated artifacts (and ideally add conversion/deepcopy regression coverage) before merging.

[entlein]

the failed test -> can we rerun- it passed on my arm64 3x in a row 🤷🏻‍♀️

[matthyx]

Rechecked on current head 46f37d3.

The original protobuf/codegen blocker is fixed - go test ./pkg/apis/softwarecomposition/v1beta1 now passes.

Still blocking: pkg/apis/softwarecomposition/v1beta1/zz_generated.conversion.go updates only the internal->v1beta1 conversion. In autoConvert_v1beta1_NetworkNeighbor_To_softwarecomposition_NetworkNeighbor, IPAddresses is still missing, so reads still drop the field after deserialization. Please also add out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses)) in that function before merge.