Strip unused SBOM fields to reduce object size by ~52%

[slashben]

Summary

This PR strips unnecessary fields from generated SBOMs at creation time to reduce memory consumption across the entire system (node-agent, etcd, synchronizer, storage, kubevuln).

Size reduction: ~3.6 MB / 52% for large images (tested with Elasticsearch 8.7.1: 6.89 MB → 3.29 MB)

Changes

Fields stripped from pkg/sbommanager/v1/sbom_manager.go:

• Package metadata and metadataType (JAR manifests, dpkg file lists, pomProperties, etc) - saves ~3.19 MB / 46%
• License locations - saves ~228 KB / 3.2%
• Location accessPath and annotations - saves ~159 KB / 2.2%
• Package foundBy cataloger name - saves ~15 KB
• Source metadata and descriptor configuration - saves ~20 KB

Why these fields are safe to remove

These fields are not used by:

• ✅ Grype/kubevuln for vulnerability matching (uses name, version, type, purl, cpes)
• ✅ Third party backend (already stripped by synchronizer before sending)
• ✅ Relevancy scanning (uses files and artifactRelationships which are preserved)

Impact

This change reduces memory pressure in:

• node-agent (SBOM generation and storage)
• etcd (CRD storage)
• synchronizer (SBOM forwarding)
• kubevuln (vulnerability scanning)

Testing

• Existing tests continue to pass (no conversion logic tests exist)
• Validated against ARMO backend field usage analysis
• Files and artifactRelationships preserved for relevancy feature
• CPEs preserved for Phase 2 (requires kubevuln changes)

Related

This is Phase 1 of a multi-phase optimization:

• Phase 1 (this PR): Strip safe fields - saves 52%
• Phase 2 (future): Enable CPE regeneration in kubevuln and strip CPEs - saves additional 11%
• Phase 3 (future): Redesign relevancy feature to eliminate files/relationships - saves additional 32%

Summary by CodeRabbit

• Optimization
  • Reduced SBOM file sizes by stripping non‑essential metadata and configuration from generated reports, producing smaller payloads and more efficient delivery.
  • This change occurs as an added processing step after SBOM generation, improving transfer and storage efficiency without altering public outputs or interfaces.

[coderabbitai]

Warning

Rate limit exceeded

@matthyx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 11 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 4b54ffe and 27dd309.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pkg/sbommanager/v1/sbom_manager.go

📝 Walkthrough

Walkthrough

After SBOM generation, the code now calls v1beta1.StripSBOM(syftSBOM) to remove non-essential content and reduce payload size before preparing and saving. No public APIs or control flow exits were altered.

Changes

Cohort / File(s)	Summary
SBOM Payload Optimization pkg/sbommanager/v1/sbom_manager.go	Adds a post-generation step calling v1beta1.StripSBOM(syftSBOM) to strip non-essential SBOM fields and reduce payload size. Review for impacts on downstream consumers that expect omitted fields.
Dependency Update go.mod	Bumps github.com/kubescape/storage require from v0.0.239 to v0.0.246-0.20260223110517-7f69ac32ce07. Check go.sum and modules for coherence.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hopped through code with nimble paws,

I trimmed the SBOM without a pause.
Smaller payloads, lighter and bright,
Fewer fields, a sleeker flight.
Hooray — the burrow's bytes feel light! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and accurately summarizes the main change: stripping unused SBOM fields to reduce object size. It is concise, specific, and directly reflects the primary objective documented in the PR objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/sbom-size-reduction

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}