allowing CIDRs, wildcards and Plural in IP and DNS

[entlein]

Sorry, we do not accept changes directly against this repository. Please see
CONTRIBUTING.md for information on where and how to contribute instead.

[coderabbitai]

Warning

Rate limit exceeded

@entlein has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 54 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0509ee26-9868-45ff-8f4b-c0948b1026dc

📥 Commits

Reviewing files that changed from the base of the PR and between 2a689d8 and 0a8a0b8.

📒 Files selected for processing (14)

• pkg/apis/softwarecomposition/network_types.go
• pkg/apis/softwarecomposition/v1beta1/network_types.go
• pkg/apis/softwarecomposition/v1beta1/network_types_protobuf_test.go
• pkg/registry/file/networkmatch/README.md
• pkg/registry/file/networkmatch/bench_test.go
• pkg/registry/file/networkmatch/doc.go
• pkg/registry/file/networkmatch/match_dns.go
• pkg/registry/file/networkmatch/match_dns_test.go
• pkg/registry/file/networkmatch/match_ip.go
• pkg/registry/file/networkmatch/match_ip_test.go
• pkg/registry/file/networkmatch/validate.go
• pkg/registry/file/networkmatch/validate_test.go
• pkg/registry/softwarecomposition/networkneighborhood/strategy.go
• pkg/registry/softwarecomposition/networkneighborhood/strategy_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[entlein]

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args #323 (path-wildcards core: anchored trailing-*, per-port key, WildcardIdentifier + CollapseConfig API — squash per your "merge first / or squash together" note)
• feat(cel): was_path_opened* CEL helpers in applicationprofile library node-agent#811 (was_path_opened* CEL helpers — NEW)

Tier 2 (execs):

• allowing wildcards in exec args #322 (CompareExecArgs)
• profile-compaction: CollapseConfig CRD + projection overlay + user-maged lifecycle #325 (CollapseConfig CRD + processors)
• allowing wildcards in exec args node-agent#805 (resolveExecPath + 3-arg parse)
• path-wildcards: anchored trailing-* + per-endpoint port + R0040 args node-agent#807 (R0040 args consumer)
• feat(projection): add ExecsByPath composite-key surface to ProjectedContainerProfile node-agent#812 (ExecsByPath composite-key surface — NEW)

Tier 3 (network):

• allowing CIDRs, wildcards and Plural in IP and DNS #324 (networkmatch package)
• allowing CIDRs, wildcards and Plural in IP and DNS node-agent#806 (network wildcards CEL)

Tier 4 (tamper/sign):

• profile-compaction: CollapseConfig CRD + projection overlay + user-ma… node-agent#808 (projection overlay + tamper + non-blocking fanout + NN resource)
• sign and detect tampering node-agent#809 (cosign sign/verify + tamper detection)

Umbrellas:

• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  #326
• SBOB wildcards: DNS + IP + path exec wildcards, sign/tamper  node-agent#810

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.

[coderabbitai]

🧩 Analysis chain

@entlein: Triggering a fresh review of this PR (#324 — networkmatch package, Tier 3 network). While the review runs, let me pull metadata on the relevant PRs to cross-check coupling.

---

🏁 Script executed:

#!/bin/bash
# Fetch details of the current PR
gh pr view 324 --repo kubescape/storage --json title,body,files,baseRefName,headRefName,state

echo "---"
# Fetch related storage PRs
for n in 322 323 325 326; do
  echo "=== storage#$n ==="
  gh pr view $n --repo kubescape/storage --json title,state,files 2>/dev/null | jq '{title,state,files:[.files[].path]}'
  echo ""
done

echo "---"
# Fetch related node-agent PRs
for n in 805 806 807 808 809 810 811 812; do
  echo "=== node-agent#$n ==="
  gh pr view $n --repo kubescape/node-agent --json title,state,files 2>/dev/null | jq '{title,state,files:[.files[].path]}'
  echo ""
done

Length of output: 21242

---

@entlein: Review triggered. Here is the full atomicity and coupling analysis based on actual file diffs across all PRs.

---

Atomicity Confirmation

PR	Tier	Verdict	Notes
storage#322	Exec	✅ Atomic	Single file pair (compare_exec_args.go + test)
storage#323	Opens	✅ Atomic	Scoped to dynamicpathdetector/* + types.go
storage#324	Network	✅ Atomic	New networkmatch/ package + network_types.go field additions + strategy wiring — no tier bleed
storage#325	Exec/CRD	✅ Atomic	CollapseConfig CRD + processors; collapse_config_from_crd.go bridges to #323 types (expected)
storage#326	Umbrella	✅ Correct	File union of #322+#323+#324+#325 confirmed
node-agent#805	Exec	✅ Atomic	parse/ library + event_reporting only
node-agent#806	Network	✅ Atomic	CEL consumer of storage#324 — correct tier
node-agent#807	Exec	⚠️ See below	Touches open.go — overlap with #811
node-agent#808	Tamper/CRD	⚠️ See below	tamper_alert.go + projection_apply.go overlap with #809 and #812
node-agent#809	Sign/Tamper	⚠️ See below	tamper_alert.go overlap with #808
node-agent#810	Umbrella	✅ Correct	File union of all node-agent PRs confirmed
node-agent#811	Opens	⚠️ See below	open.go overlap with #807
node-agent#812	Exec/Proj	⚠️ See below	projection_apply.go + projection_types.go overlap with #808

---

Cross-PR Coupling Flags

🔴 File-Level Conflicts (merge order matters)

1. node-agent#808 ↔ node-agent#809 — tamper_alert.go + tamper_alert_test.go
Both PRs modify the same two files. These are not independent — one must be rebased onto the other before the umbrella (#810) can merge cleanly.

2. node-agent#808 ↔ node-agent#812 — projection_apply.go + projection_types.go
#812 adds ExecsByPath composite-key to ProjectedContainerProfile; #808 restructures projection_apply.go. These will conflict at the hunk level. Suggested order: merge #812 first, then rebase #808 on top.

3. node-agent#807 ↔ node-agent#811 — open.go
#807 modifies open.go for R0040 args; #811 adds was_path_opened* helpers to the same file. One must be rebased on the other. Suggested order: merge #811 first (it's additive/new helpers), then rebase #807.

🟡 Ordering Dependencies (no file conflicts, but merge sequence required)

4. storage#323 → storage#325
collapse_config_from_crd.go in #325 references types introduced by #323's types.go (WildcardIdentifier, CollapseConfig API). Merge #323 before #325.

5. storage#324 → node-agent#806
node-agent#806's network.go CEL library consumes the networkmatch package from this PR. A go.mod bump pointing to the merged commit of storage#324 is required before node-agent#806 can merge.

6. storage#325 → node-agent#808
The projection overlay in #808 consumes the CollapseConfiguration CRD and client introduced in #325. Cross-repo go.mod bump required.

---

Recommended Merge Sequence

graph TD
    A[storage#322] --> E[storage#326 umbrella]
    B[storage#323] --> C[storage#325] --> E
    D[storage#324] --> F[node-agent#806] --> K[node-agent#810 umbrella]
    C --> G[node-agent#808]
    H[node-agent#811] --> I[node-agent#807] --> K
    J[node-agent#812] --> G
    G --> L[node-agent#809] --> K
    A --> E
    D --> E
    H --> K
    J --> K
    F --> K

Loading

In short: the three intra-node-agent file conflicts (#808↔#809, #808↔#812, #807↔#811) are the only remaining non-atomic coupling. Everything else is correctly sequenced by your tier map. This PR (#324) itself is clean and ready for review.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.