Fix: Update related kind labels and allow overriding

[matthyx]

Summary by CodeRabbit

• Chores
  • Updated numerous third‑party dependencies for compatibility, stability, and observability.
  • Refined metadata label handling and validation for more consistent resource metadata (including cloud account identifier normalization) and switched workload metadata sourcing for improved consistency.
  • Added an optional label-overrides capability to allow explicit label adjustments.
  • Added additional informational logging when container profiles are enqueued/saved to improve observability.
• Tests
  • Updated a unit test input to exercise case/format variations in instance IDs.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Bumps multiple Go module versions and changes label handling: adds LabelOverrides, uses RelatedName/RelatedKind labels from InstanceID, validates with content.IsLabelValue, replaces AWS account key with CloudAccountIdentifierMetadataKey, and adds an Info log after saving container profiles.

Changes

Cohort / File(s)	Summary
Dependency updates go.mod, go.sum	Bumped many direct and indirect Go modules (e.g., github.com/armosec/armoapi-go, github.com/kubescape/*, golang.org/x/*, google.golang.org/grpc, OpenTelemetry, etc.) and updated checksums.
Object cache label handling pkg/objectcache/shared_container_data.go, pkg/objectcache/shared_container_data_test.go	Added exported LabelOverrides map[string]string; GetLabels now: skips container key when stripping, uses content.IsLabelValue for validation, applies LabelOverrides (set/delete), no longer auto-populates Kind/Name from WLID, and writes cloud account under CloudAccountIdentifierMetadataKey. Test input adjusted for InstanceID kind casing.
Network stream enrichment pkg/networkstream/v1/network_stream.go	enrichWorkloadDetails now derives WorkloadName/WorkloadKind from sharedData.InstanceID.GetLabels() using RelatedNameMetadataKey/RelatedKindMetadataKey instead of parsing WLID; removed WLID parsing import.
Container profile logging pkg/containerprofilemanager/v1/monitoring.go	Added apName derivation and an Info-level structured log (apName, profile slug/name, namespace, instanceID, wlid, annotations, labels) after enqueuing/saving a container profile.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• add new metadata to CPs #745 — Modifies GetLabels in pkg/objectcache/shared_container_data.go, overlapping label-handling changes.
• bump: update armoapi-go dependency to v0.0.671 #702 — Earlier dependency bump for github.com/armosec/armoapi-go, related to module version updates.
• bump: update dependencies for backend, storage, and OpenAPI packages #704 — Related dependency version bumps in go.mod (overlapping modules updated).

Suggested labels

release

Poem

🐇 I hopped through go.mod and nudged versions bright,
I trimmed label prefixes and set overrides right.
I swapped a key, logged names with a cheer,
Tests snug in the burrow — the cache hops clear! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix: Update related kind labels and allow overriding' addresses the label key updates and label override feature, but omits the significant dependency bump changes affecting multiple direct and indirect packages.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch backend-integration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 403-414: The go.mod contains mismatched OpenTelemetry versions:
core modules (go.opentelemetry.io/otel, /trace, /metric, /sdk, etc.) are at
v1.42.0 while OTLP exporters
(go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp,
/otlpmetric/otlpmetrichttp, /otlptrace, /otlptrace/otlptracehttp) are still at
v1.38.0; update those exporter module versions to v1.42.0 to align with the core
modules (or alternatively downgrade the core modules to v1.38.0 if that is
required), ensuring go.mod entries for otlploghttp, otlpmetrichttp, otlptrace,
and otlptracehttp match the chosen version and then run go mod tidy to apply the
changes.

In `@pkg/objectcache/shared_container_data.go`:
- Around line 102-108: The code may produce empty normalized related labels
(e.g., labels[i] becomes "") after the switch on
helpersv1.RelatedKindMetadataKey / helpersv1.RelatedNameMetadataKey using
wlid.GetKindFromWlid or wlid.GetNameFromWlid; add a post-switch guard that
checks if labels[i] == "" and, if so, skip validation/processing for that entry
(same cleanup behavior as earlier) before calling content.IsLabelValue so you
don't emit incomplete metadata. Locate the switch block that assigns labels[i],
insert the empty-string check immediately after it, and return/continue/omit
that label from further validation/emit paths referenced by
content.IsLabelValue.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a456c779-5c9b-483d-92e9-e0297b8a5a79

📥 Commits

Reviewing files that changed from the base of the PR and between f673d45 and c0e73f7.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pkg/objectcache/shared_container_data.go

[coderabbitai]

♻️ Duplicate comments (1)

pkg/objectcache/shared_container_data.go (1)

102-108: ⚠️ Potential issue | 🟡 Minor

Add a post-normalization empty-value guard.

After Line 102-Line 105, a normalized related value can become empty (for example, kind "ECS" → ""), but empty cleanup currently happens only before the switch. Add a second empty check before Line 107 validation.

💡 Proposed patch

 			switch i {
 			case helpersv1.RelatedKindMetadataKey:
 				labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
 			case helpersv1.RelatedNameMetadataKey:
 				labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
 			}
+			if labels[i] == "" {
+				delete(labels, i)
+				continue
+			}
 			errs := content.IsLabelValue(labels[i])

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data.go` around lines 102 - 108, After you
normalize the related value inside the switch (the cases using
wlid.GetKindFromWlid(watchedContainer.Wlid) and
wlid.GetNameFromWlid(watchedContainer.Wlid) that assign to labels[i]), add a
post-normalization guard that skips validation if labels[i] is now empty (e.g.,
if strings.TrimPrefix returned an empty string) before calling
content.IsLabelValue(labels[i]); in short, ensure labels[i] is checked for == ""
right after the switch and return/continue or skip adding errors so
content.IsLabelValue is not run on an empty normalized value.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/objectcache/shared_container_data.go`:
- Around line 102-108: After you normalize the related value inside the switch
(the cases using wlid.GetKindFromWlid(watchedContainer.Wlid) and
wlid.GetNameFromWlid(watchedContainer.Wlid) that assign to labels[i]), add a
post-normalization guard that skips validation if labels[i] is now empty (e.g.,
if strings.TrimPrefix returned an empty string) before calling
content.IsLabelValue(labels[i]); in short, ensure labels[i] is checked for == ""
right after the switch and return/continue or skip adding errors so
content.IsLabelValue is not run on an empty normalized value.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b4af0e9e-5088-4032-9e82-46cd79cc48ee

📥 Commits

Reviewing files that changed from the base of the PR and between c0e73f7 and 4eab851.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pkg/objectcache/shared_container_data.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 58: Update the pinned dependency for google.golang.org/grpc from v1.79.2
to v1.79.3 (or newer) in go.mod to address GHSA-p77j-4mvh-x3m3, then refresh
module metadata by re-resolving modules (e.g., run the equivalent of go get to
the new version and run go mod tidy) so go.sum is updated; target the dependency
named google.golang.org/grpc and ensure no other code references a stricter
version constraint.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f03f7af7-9862-436e-9914-1cf08fc68a31

📥 Commits

Reviewing files that changed from the base of the PR and between 4eab851 and 386e450.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pkg/objectcache/shared_container_data.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/objectcache/shared_container_data.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

go.mod (1)

58-58: ⚠️ Potential issue | 🔴 Critical

Upgrade vulnerable google.golang.org/grpc before merge.

Line 58 still pins google.golang.org/grpc v1.79.2, which is affected by GHSA-p77j-4mvh-x3m3. Please bump to v1.79.3 or newer and re-run module tidy.

🔧 Proposed fix

-	google.golang.org/grpc v1.79.2
+	google.golang.org/grpc v1.79.3

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 58, Update the pinned module google.golang.org/grpc from
v1.79.2 to v1.79.3 (or newer) in the go.mod entry and then run `go mod tidy` to
refresh go.sum and ensure dependencies are consistent; verify the updated
version is committed so the GHSA-p77j-4mvh-x3m3 vulnerability is resolved.

🧹 Nitpick comments (1)

pkg/objectcache/shared_container_data_test.go (1)

133-140: Test case name is misleading.

The name "no match case sensitivity" suggests the prefix shouldn't match, but the expected result "o world" shows that "Hell" does match "Hello" case-insensitively. Consider renaming to something like "partial word prefix match" or "prefix matches start of word".

✏️ Suggested name fix

 		{
-			name: "no match case sensitivity",
+			name: "partial word prefix match",
 			args: args{
 				s:      "Hello world",
 				prefix: "Hell",
 			},
 			want: "o world",
 		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data_test.go` around lines 133 - 140, Rename
the misleading test case name "no match case sensitivity" in the table-driven
test in shared_container_data_test.go to accurately reflect the behavior (e.g.,
"prefix matches start of word" or "partial word prefix match"); update the name
field of the specific test entry that has args {s: "Hello world", prefix:
"Hell"} and want "o world" so the test name matches the expected outcome and
clarifies intent for future readers.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/containerprofilemanager/v1/monitoring.go`:
- Around line 204-208: The Info log message contains a developer name and should
be removed or replaced; remove or rename the logger.L().Info call that logs
"Matthias container profile saved successfully" and instead emit a neutral
message (e.g., "container profile saved successfully") or drop the log entirely;
also stop discarding the error from watchedContainer.InstanceID.GetSlug(true) —
capture the returned error from GetSlug(true) and, if non-nil, log it at Debug
level (or handle appropriately) before using apName, referencing
watchedContainer.InstanceID.GetSlug, logger.L().Info, and
watchedContainer.InstanceID.GetStringFormatted to locate the code to change.

---

Duplicate comments:
In `@go.mod`:
- Line 58: Update the pinned module google.golang.org/grpc from v1.79.2 to
v1.79.3 (or newer) in the go.mod entry and then run `go mod tidy` to refresh
go.sum and ensure dependencies are consistent; verify the updated version is
committed so the GHSA-p77j-4mvh-x3m3 vulnerability is resolved.

---

Nitpick comments:
In `@pkg/objectcache/shared_container_data_test.go`:
- Around line 133-140: Rename the misleading test case name "no match case
sensitivity" in the table-driven test in shared_container_data_test.go to
accurately reflect the behavior (e.g., "prefix matches start of word" or
"partial word prefix match"); update the name field of the specific test entry
that has args {s: "Hello world", prefix: "Hell"} and want "o world" so the test
name matches the expected outcome and clarifies intent for future readers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1ae0caab-0090-4bd0-aec3-6c0ef676be74

📥 Commits

Reviewing files that changed from the base of the PR and between 386e450 and e3beadf.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• go.mod
• pkg/containerprofilemanager/v1/monitoring.go
• pkg/objectcache/shared_container_data.go
• pkg/objectcache/shared_container_data_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/objectcache/shared_container_data.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Remove debug log with developer name before merging.

This appears to be a development/debug log that was accidentally included. The message "Matthias container profile saved successfully" contains a developer name and should not be committed to the codebase.

Additionally, the error from GetSlug(true) is silently discarded. If this logging is intended to remain (with a proper message), consider at least logging the error at Debug level if it occurs.

Suggested fix: Remove the debug log

 	logger.L().Debug("container profile saved successfully",
 		helpers.String("containerID", watchedContainer.ContainerID),
 		helpers.String("containerName", container.Runtime.ContainerName),
 		helpers.String("podName", container.K8s.PodName))
-	apName, _ := watchedContainer.InstanceID.GetSlug(true)
-	logger.L().Info("Matthias container profile saved successfully",
-		helpers.String("apName", apName), helpers.String("name", slug),
-		helpers.String("namespace", container.K8s.Namespace), helpers.String("instanceID", watchedContainer.InstanceID.GetStringFormatted()),
-		helpers.String("wlid", watchedContainer.Wlid), helpers.Interface("annotations", containerProfile.ObjectMeta.Annotations), helpers.Interface("labels", containerProfile.ObjectMeta.Labels))

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	apName, _ := watchedContainer.InstanceID.GetSlug(true)
	logger.L().Info("Matthias container profile saved successfully",
	helpers.String("apName", apName), helpers.String("name", slug),
	helpers.String("namespace", container.K8s.Namespace), helpers.String("instanceID", watchedContainer.InstanceID.GetStringFormatted()),
	helpers.String("wlid", watchedContainer.Wlid), helpers.Interface("annotations", containerProfile.ObjectMeta.Annotations), helpers.Interface("labels", containerProfile.ObjectMeta.Labels))

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/containerprofilemanager/v1/monitoring.go` around lines 204 - 208, The
Info log message contains a developer name and should be removed or replaced;
remove or rename the logger.L().Info call that logs "Matthias container profile
saved successfully" and instead emit a neutral message (e.g., "container profile
saved successfully") or drop the log entirely; also stop discarding the error
from watchedContainer.InstanceID.GetSlug(true) — capture the returned error from
GetSlug(true) and, if non-nil, log it at Debug level (or handle appropriately)
before using apName, referencing watchedContainer.InstanceID.GetSlug,
logger.L().Info, and watchedContainer.InstanceID.GetStringFormatted to locate
the code to change.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/objectcache/shared_container_data.go`:
- Around line 108-115: The override loop for watchedContainer.LabelOverrides
applies values without validation; update it to validate each non-empty override
with content.IsLabelValue before assigning to labels (keep the current behavior
of deleting when v == ""), and if content.IsLabelValue(v) returns false then
skip/delete that key (and optionally log a warning) instead of assigning the
invalid value; modify the loop over watchedContainer.LabelOverrides (the section
that assigns to the labels map) to perform this validation check before setting
labels[k] = v.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f204d68-00ee-47ce-85ee-ff292777b057

📥 Commits

Reviewing files that changed from the base of the PR and between e3beadf and 17eb69d.

📒 Files selected for processing (3)

• pkg/networkstream/v1/network_stream.go
• pkg/objectcache/shared_container_data.go
• pkg/objectcache/shared_container_data_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/objectcache/shared_container_data_test.go