Strip unused SBOM fields to reduce object size by ~52% #720

Open
slashben wants to merge 1 commit into main from feature/sbom-size-reduction

Conversation

slashben (Contributor) commented Feb 11, 2026

Summary

This PR strips unnecessary fields from generated SBOMs at creation time to reduce memory consumption across the entire system (node-agent, etcd, synchronizer, storage, kubevuln).

Size reduction: ~3.6 MB / 52% for large images (tested with Elasticsearch 8.7.1: 6.89 MB → 3.29 MB)

Changes

Fields stripped from pkg/sbommanager/v1/sbom_manager.go:

  • Package metadata and metadataType (JAR manifests, dpkg file lists, pomProperties, etc.) - saves ~3.19 MB / 46%
  • License locations - saves ~228 KB / 3.2%
  • Location accessPath and annotations - saves ~159 KB / 2.2%
  • Package foundBy cataloger name - saves ~15 KB
  • Source metadata and descriptor configuration - saves ~20 KB

Why these fields are safe to remove

These fields are not used by:

  • Grype/kubevuln for vulnerability matching (uses name, version, type, purl, cpes)
  • Third-party backend (already stripped by synchronizer before sending)
  • Relevancy scanning (uses files and artifactRelationships which are preserved)

Impact

This change reduces memory pressure in:

  • node-agent (SBOM generation and storage)
  • etcd (CRD storage)
  • synchronizer (SBOM forwarding)
  • kubevuln (vulnerability scanning)

Testing

  • Existing tests continue to pass (no conversion logic tests exist)
  • Validated against ARMO backend field usage analysis
  • Files and artifactRelationships preserved for relevancy feature
  • CPEs preserved for Phase 2 (requires kubevuln changes)

Related

This is Phase 1 of a multi-phase optimization:

  • Phase 1 (this PR): Strip safe fields - saves 52%
  • Phase 2 (future): Enable CPE regeneration in kubevuln and strip CPEs - saves additional 11%
  • Phase 3 (future): Redesign relevancy feature to eliminate files/relationships - saves additional 32%

Summary by CodeRabbit

  • Optimization
    • Reduced SBOM file sizes by stripping non‑essential metadata and configuration from generated reports, producing smaller payloads and more efficient delivery.
    • This change occurs as an added processing step after SBOM generation, improving transfer and storage efficiency without altering public outputs or interfaces.
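The field stripping this PR describes, as an added Go example that is not the project's code (the actual change calls v1beta1.StripSBOM from kubescape/storage on syft's in-memory types): it applies the same deletions to a constructed syft-JSON document, so name/version/type/purl/cpes, files and artifactRelationships survive while the listed fields disappear. The StripSBOM function, the drop helper and the sample document are assumptions made for illustration.

```go
package main

import "encoding/json"

// sampleSBOM is a constructed, minimal syft-JSON document for this example (not a real
// SBOM from the project): one artifact carrying the fields the PR strips next to the ones it keeps.
const sampleSBOM = `{"artifacts":[{"id":"p1","name":"log4j-core","version":"2.17.1","type":"java-archive",
 "foundBy":"java-archive-cataloger","purl":"pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
 "cpes":["cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:*"],"metadataType":"java-archive",
 "metadata":{"manifest":{"main":{"Built-By":"ci"}}},
 "locations":[{"path":"/app/log4j-core.jar","accessPath":"/app/log4j-core.jar","annotations":{"evidence":"primary"}}],
 "licenses":[{"value":"Apache-2.0","locations":[{"path":"/app/log4j-core.jar"}]}]}],
 "artifactRelationships":[{"parent":"s1","child":"p1","type":"contains"}],
 "files":[{"id":"f1","location":{"path":"/app/log4j-core.jar"}}],
 "source":{"id":"s1","name":"example:latest","type":"image","metadata":{"layers":[{"digest":"sha256:aaaa"}]}},
 "descriptor":{"name":"syft","version":"1.0.0","configuration":{"catalogers":"all"}}}`

// drop deletes keys from a JSON object, or from every object in a JSON list; other values are left alone.
func drop(v any, keys ...string) {
	switch x := v.(type) {
	case map[string]any:
		for _, k := range keys {
			delete(x, k)
		}
	case []any:
		for _, item := range x {
			drop(item, keys...)
		}
	}
}

// StripSBOM decodes raw syft JSON, deletes the fields the PR lists and re-encodes it; the fields
// matching and relevancy read (name/version/type/purl/cpes, files, artifactRelationships) are kept.
func StripSBOM(raw []byte) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	drop(doc["artifacts"], "metadata", "metadataType", "foundBy")
	artifacts, _ := doc["artifacts"].([]any)
	for _, a := range artifacts {
		pkg, _ := a.(map[string]any) // nil map on type mismatch; indexing a nil map is safe
		drop(pkg["locations"], "accessPath", "annotations")
		drop(pkg["licenses"], "locations")
	}
	drop(doc["source"], "metadata")
	drop(doc["descriptor"], "configuration")
	return json.Marshal(doc)
}
```

Calling StripSBOM([]byte(sampleSBOM)) returns the stripped document, and comparing len() of input and output gives the size saving for this sample.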

coderabbitai bot commented Feb 11, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 4b54ffe and 27dd309.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/sbommanager/v1/sbom_manager.go
📝 Walkthrough

After SBOM generation, the code now calls v1beta1.StripSBOM(syftSBOM) to remove non-essential content and reduce payload size before preparing and saving. No public APIs or control flow exits were altered.

Changes

Cohort / File(s): Summary

SBOM Payload Optimization (pkg/sbommanager/v1/sbom_manager.go): Adds a post-generation step calling v1beta1.StripSBOM(syftSBOM) to strip non-essential SBOM fields and reduce payload size. Review for impacts on downstream consumers that expect the omitted fields.

Dependency Update (go.mod): Bumps the github.com/kubescape/storage requirement from v0.0.239 to v0.0.246-0.20260223110517-7f69ac32ce07. Check go.sum and modules for coherence.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hopped through code with nimble paws,
I trimmed the SBOM without a pause.
Smaller payloads, lighter and bright,
Fewer fields, a sleeker flight.
Hooray — the burrow's bytes feel light! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.

Title check: ✅ Passed. The pull request title clearly and accurately summarizes the main change: stripping unused SBOM fields to reduce object size. It is concise, specific, and directly reflects the primary objective documented in the PR objectives.


Signed-off-by: Ben <ben@armosec.io>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@matthyx force-pushed the feature/sbom-size-reduction branch from 4b54ffe to 27dd309 on February 23, 2026 20:26