feat: add openSUSE tumbleweed detection and scanning (#6965)

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-12 15:50:15 -08:00 · 2024-07-09 06:25:39 +02:00
parent a64993e83a
commit 17b5dbfa12
15 changed files with 3706 additions and 20 deletions
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -22,6 +22,7 @@ Trivy supports operating systems for
 | [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
 | [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
 | [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)       | (n/a)                               | zypper/rpm       |
 | [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
 | [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
--- a/docs/docs/coverage/os/suse.md
+++ b/docs/docs/coverage/os/suse.md
@@ -2,6 +2,7 @@
 Trivy supports the following distributions:

 - openSUSE Leap
+- openSUSE Tumbleweed
 - SUSE Enterprise Linux (SLE)

 Please see [here](index.md#supported-os) for supported versions.
@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.


 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/

-[vulnerability statuses]: ../../configuration/filtering.md#by-status
+[vulnerability statuses]: ../../configuration/filtering.md#by-status
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -212,6 +212,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: csArgs{
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -192,6 +192,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			golden:   "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name:     "opensuse tumbleweed",
+			imageTag: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
+			input:    "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			golden:   "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name:     "photon 3.0",
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -322,6 +322,14 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: args{
+				Format: types.FormatJSON,
+				Input:  "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: args{
--- a/integration/testdata/fixtures/db/opensuse.yaml
+++ b/integration/testdata/fixtures/db/opensuse.yaml
@@ -9,4 +9,11 @@
      pairs:
        - key: "openSUSE-SU-2020:0062-1"
          value:
-            FixedVersion: 1.1.0i-lp151.8.6.1
+            FixedVersion: 1.1.0i-lp151.8.6.1
+- bucket: "openSUSE Tumbleweed"
+  pairs:
+    - bucket: libopenssl3
+      pairs:
+        - key: "openSUSE-SU-2024:13065-1"
+          value:
+            FixedVersion: 3.1.5-9.1 # changed for test
--- a/integration/testdata/fixtures/db/vulnerability.yaml
+++ b/integration/testdata/fixtures/db/vulnerability.yaml
@@ -1340,6 +1340,15 @@
        - https://nvd.nist.gov/vuln/detail/CVE-2022-24775
      PublishedDate: "2022-03-25T19:26:33Z"
      LastModifiedDate: "2022-06-14T20:02:29Z"
+  - key: openSUSE-SU-2024:13065-1
+    value:
+      Title: "libopenssl-3-devel-3.1.1-3.1 on GA media"
+      Description: "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed."
+      Severity: MEDIUM
+      References:
+        - "https://www.suse.com/security/cve/CVE-2023-2975/"
+        - "https://www.suse.com/security/cve/CVE-2023-3446/"
+        - "https://www.suse.com/support/security/rating/"
  - key: CVE-2022-22965
    value:
      Title: "spring-framework: RCE via Data Binding on JDK 9+"
@@ -1390,4 +1399,4 @@
        - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155"
        - "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
      PublishedDate: "2020-06-15T17:15:00Z"
-      LastModifiedDate: "2022-04-28T15:06:00Z"
+      LastModifiedDate: "2022-04-28T15:06:00Z"
--- a/integration/testdata/opensuse-tumbleweed.json.golden
+++ b/integration/testdata/opensuse-tumbleweed.json.golden
@@ -0,0 +1,94 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "opensuse.tumbleweed",
+      "Name": "20240607"
+    },
+    "ImageID": "sha256:580e73f5c823232e6587136e9f5428a89afdf77a123bb8575d08208e0cc34b12",
+    "DiffIDs": [
+      "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Fabian Vogt \u003cfvogt@suse.com\u003e",
+      "created": "2024-06-07T17:19:44Z",
+      "history": [
+        {
+          "author": "Fabian Vogt \u003cfvogt@suse.com\u003e",
+          "created": "2024-06-07T17:19:44Z",
+          "created_by": "KIWI 10.0.19",
+          "comment": "openSUSE Tumbleweed 20240607 Base Container"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "org.openbuildservice.disturl": "obs://build.opensuse.org/openSUSE:Factory/images/b068e2522114e1c009e9bfa1b5cb1146-opensuse-tumbleweed-image:docker",
+          "org.opencontainers.image.created": "2024-06-07T17:19:38.229693664Z",
+          "org.opencontainers.image.description": "Image containing a minimal environment for containers based on openSUSE Tumbleweed.",
+          "org.opencontainers.image.source": "https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-tumbleweed-image?rev=b068e2522114e1c009e9bfa1b5cb1146",
+          "org.opencontainers.image.title": "openSUSE Tumbleweed Base Container",
+          "org.opencontainers.image.url": "https://www.opensuse.org/",
+          "org.opencontainers.image.vendor": "openSUSE Project",
+          "org.opencontainers.image.version": "20240607.30.45",
+          "org.opensuse.base.created": "2024-06-07T17:19:38.229693664Z",
+          "org.opensuse.base.description": "Image containing a minimal environment for containers based on openSUSE Tumbleweed.",
+          "org.opensuse.base.disturl": "obs://build.opensuse.org/openSUSE:Factory/images/b068e2522114e1c009e9bfa1b5cb1146-opensuse-tumbleweed-image:docker",
+          "org.opensuse.base.reference": "registry.opensuse.org/opensuse/tumbleweed:20240607.30.45",
+          "org.opensuse.base.source": "https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-tumbleweed-image?rev=b068e2522114e1c009e9bfa1b5cb1146",
+          "org.opensuse.base.title": "openSUSE Tumbleweed Base Container",
+          "org.opensuse.base.url": "https://www.opensuse.org/",
+          "org.opensuse.base.vendor": "openSUSE Project",
+          "org.opensuse.base.version": "20240607.30.45",
+          "org.opensuse.reference": "registry.opensuse.org/opensuse/tumbleweed:20240607.30.45"
+        }
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz (opensuse.tumbleweed 20240607)",
+      "Class": "os-pkgs",
+      "Type": "opensuse.tumbleweed",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "openSUSE-SU-2024:13065-1",
+          "PkgID": "libopenssl3@3.1.4-9.1.x86_64",
+          "PkgName": "libopenssl3",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/opensuse.tumbleweed/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
+            "UID": "f051425f385d2b99"
+          },
+          "InstalledVersion": "3.1.4-9.1",
+          "FixedVersion": "3.1.5-9.1",
+          "Status": "fixed",
+          "Layer": {
+            "Digest": "sha256:427d16a14c45614f51357aeebee0dfe209a1cebfc044b3b724b6ea35663b3111",
+            "DiffID": "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
+          },
+          "Title": "libopenssl-3-devel-3.1.1-3.1 on GA media",
+          "Description": "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed.",
+          "Severity": "MEDIUM",
+          "References": [
+            "https://www.suse.com/security/cve/CVE-2023-2975/",
+            "https://www.suse.com/security/cve/CVE-2023-3446/",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        }
+      ]
+    }
+  ]
+}
--- a/pkg/detector/ospkg/detect.go
+++ b/pkg/detector/ospkg/detect.go
@@ -30,21 +30,22 @@ var (
 	ErrUnsupportedOS = xerrors.New("unsupported os")

 	drivers = map[ftypes.OSType]Driver{
-		ftypes.Alpine:       alpine.NewScanner(),
-		ftypes.Alma:         alma.NewScanner(),
-		ftypes.Amazon:       amazon.NewScanner(),
-		ftypes.CBLMariner:   mariner.NewScanner(),
-		ftypes.Debian:       debian.NewScanner(),
-		ftypes.Ubuntu:       ubuntu.NewScanner(),
-		ftypes.RedHat:       redhat.NewScanner(),
-		ftypes.CentOS:       redhat.NewScanner(),
-		ftypes.Rocky:        rocky.NewScanner(),
-		ftypes.Oracle:       oracle.NewScanner(),
-		ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
-		ftypes.SLES:         suse.NewScanner(suse.SUSEEnterpriseLinux),
-		ftypes.Photon:       photon.NewScanner(),
-		ftypes.Wolfi:        wolfi.NewScanner(),
-		ftypes.Chainguard:   chainguard.NewScanner(),
+		ftypes.Alpine:             alpine.NewScanner(),
+		ftypes.Alma:               alma.NewScanner(),
+		ftypes.Amazon:             amazon.NewScanner(),
+		ftypes.CBLMariner:         mariner.NewScanner(),
+		ftypes.Debian:             debian.NewScanner(),
+		ftypes.Ubuntu:             ubuntu.NewScanner(),
+		ftypes.RedHat:             redhat.NewScanner(),
+		ftypes.CentOS:             redhat.NewScanner(),
+		ftypes.Rocky:              rocky.NewScanner(),
+		ftypes.Oracle:             oracle.NewScanner(),
+		ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
+		ftypes.OpenSUSELeap:       suse.NewScanner(suse.OpenSUSE),
+		ftypes.SLES:               suse.NewScanner(suse.SUSEEnterpriseLinux),
+		ftypes.Photon:             photon.NewScanner(),
+		ftypes.Wolfi:              wolfi.NewScanner(),
+		ftypes.Chainguard:         chainguard.NewScanner(),
 	}
 )

--- a/pkg/detector/ospkg/suse/suse.go
+++ b/pkg/detector/ospkg/suse/suse.go
@@ -68,6 +68,7 @@ const (
 	SUSEEnterpriseLinux Type = iota
 	// OpenSUSE for open versions
 	OpenSUSE
+	OpenSUSETumbleweed
 )

 // Scanner implements the SUSE scanner
@@ -86,6 +87,10 @@ func NewScanner(t Type) *Scanner {
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
 		}
+	case OpenSUSETumbleweed:
+		return &Scanner{
+			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
+		}
 	}
 	return nil
 }
@@ -130,5 +135,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
 	if osFamily == ftypes.SLES {
 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
 	}
+	// tumbleweed is a rolling release, it has no version and no eol
+	if osFamily == ftypes.OpenSUSETumbleweed {
+		return true
+	}
 	return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
 }
--- a/pkg/detector/ospkg/suse/suse_test.go
+++ b/pkg/detector/ospkg/suse/suse_test.go
@@ -71,6 +71,46 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path: tumbleweed",
+			fixtures: []string{
+				"testdata/fixtures/tumbleweed.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.OpenSUSETumbleweed,
+			args: args{
+				osVer: "",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "singularity-ce",
+						Version:    "4.1.3",
+						Release:    "1.0",
+						SrcName:    "postgresql",
+						SrcVersion: "4.1.3",
+						SrcRelease: "1.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "singularity-ce",
+					VulnerabilityID:  "openSUSE-SU-2024:14059-1",
+					InstalledVersion: "4.1.3-1.0",
+					FixedVersion:     "4.1.3-1.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
 		{
 			name: "broken bucket",
 			fixtures: []string{
@@ -122,6 +162,16 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 		args         args
 		want         bool
 	}{
+		{
+			name: "opensuse.tumbleweed",
+			now:  time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			args: args{
+				osFamily: "opensuse.tumbleweed",
+				osVer:    "",
+			},
+			distribution: suse.OpenSUSETumbleweed,
+			want:         true,
+		},
 		{
 			name: "opensuse.leap42.3",
 			now:  time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
--- a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
@@ -1,5 +1,10 @@
 - bucket: data-source
  pairs:
+    - key: openSUSE Tumbleweed
+      value:
+        ID: "suse-cvrf"
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
    - key: openSUSE Leap 15.3
      value:
        ID: "suse-cvrf"
@@ -9,4 +14,4 @@
      value:
        ID: "suse-cvrf"
        Name: "SUSE CVRF"
-        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
--- a/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
+++ b/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
@@ -0,0 +1,7 @@
+- bucket: openSUSE Tumbleweed
+  pairs:
+    - bucket: singularity-ce
+      pairs:
+        - key: openSUSE-SU-2024:14059-1
+          value:
+            FixedVersion: "4.1.3-1.1"
--- a/pkg/fanal/test/integration/library_test.go
+++ b/pkg/fanal/test/integration/library_test.go
@@ -98,6 +98,15 @@ var tests = []testCase{
 			Family: "opensuse.leap",
 		},
 	},
+	{
+		name:            "happy path, opensuse tumbleweed",
+		remoteImageName: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
+		imageFile:       "../../../../integration/testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+		wantOS: types.OS{
+			Name:   "20240607",
+			Family: "opensuse.tumbleweed",
+		},
+	},
 	{
 		// from registry.suse.com/suse/sle15:15.3.17.8.16
 		name:            "happy path, suse 15.3 (NDB)",
--- a/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden