feat(mariner): Add support for Azure Linux (#7186)

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Tom Fay
2024-07-22 07:58:53 +01:00
committed by GitHub
parent 5f780450ff
commit 5cbc452a09
28 changed files with 224 additions and 215 deletions


@@ -121,7 +121,7 @@ os:
- redhat
- alma
- rocky
- mariner
- azure
- oracle
- debian
- ubuntu


@@ -1,4 +1,7 @@
# CBL-Mariner
# Azure Linux (CBL-Mariner)
*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*
Trivy supports the following scanners for OS packages.
| Version | SBOM | Vulnerability | License |
@@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages.
| 1.0 (Distroless) | ✔ | ✔ | |
| 2.0 | ✔ | ✔ | ✔ |
| 2.0 (Distroless) | ✔ | ✔ | |
| 3.0 | ✔ | ✔ | ✔ |
| 3.0 (Distroless) | ✔ | ✔ | |
The following table provides an outline of the targets Trivy supports.
@@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports.
| ------- | :-------------: | :-------------: | :----------: |
| 1.0 | ✔ | ✔ | amd64, arm64 |
| 2.0 | ✔ | ✔ | amd64, arm64 |
| 3.0 | ✔ | ✔ | amd64, arm64 |
The table below outlines the features offered by Trivy.
@@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy.
| [Dependency graph][dependency-graph] | ✓ |
## SBOM
Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.
## Vulnerability
CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
### Fixed Version
Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
Trivy takes fixed versions from [Azure Linux OVAL][oval].
### Severity
Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].
### Status
Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy supports the following [vulnerability statuses] for Azure Linux.
| Status | Supported |
| :-----------------: | :-------: |
@@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy identifies licenses by examining the metadata of RPM packages.
!!! note
License detection is not supported for CBL-Mariner Distroless.
License detection is not supported for Azure Linux Distroless images.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cbl-mariner]: https://github.com/microsoft/CBL-Mariner
[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
[vulnerability statuses]: ../../configuration/filtering.md#by-status
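Review bot: the `[cbl-mariner]` reference definition is the only link target in this page left untouched by the rename, while `[oval]` was repointed to AzureLinuxVulnerabilityData; if nothing on the page still cites `[cbl-mariner]`, drop it, and if the rebrand note is meant to link somewhere, add an `[azure-linux]` target next to the updated `[oval]` one.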


@@ -9,25 +9,25 @@ Trivy supports operating systems for
## Supported OS
| OS | Supported Versions | Package Managers |
|--------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|---------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
## Supported container images
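Review bot: the new Azure Linux row spells the package manager `tdnf`, but the Photon OS row still carries the pre-existing typo `tndf/yum/rpm` in both the old and the new table; since this hunk rewrites every row anyway, fix it to `tdnf/yum/rpm` here rather than leaving the two rows inconsistent.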


@@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
### Data Sources
| OS | Source |
| ------------- | ------------------------------------------------------------ |
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| CBL-Mariner | [OVAL][mariner] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
| OS | Source |
|---------------------------|--------------------------------------------------------------|
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| Azure Linux (CBL-Mariner) | [OVAL][azure] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
#### Data Source Selection
Trivy **only** consumes security advisories from the sources listed in the above table.
@@ -288,7 +288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip

go.mod

@@ -26,7 +26,7 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v0.13.0
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
github.com/aws/aws-sdk-go-v2 v1.30.3
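Review bot: the trivy-db bump to `20240718084044-d23a6ca8ba04` is presumably what supplies the `pkg/vulnsrc/azure` package and its `Distribution` type imported further down; say so in the commit message so the dependency update is understood as a prerequisite of this change rather than an incidental refresh.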

go.sum

@@ -771,8 +771,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW+Xap4zRYxyctXDTj5luMQdE=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f+wSW9D5txv8S+tw4D4WNOibaUJYwvNnQuQlGQ8gO6c=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU=


@@ -6,7 +6,7 @@
"Metadata": {
"OS": {
"Family": "cbl-mariner",
"Name": "1.0.20220122"
"Name": "1.0"
},
"ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767",
"DiffIDs": [
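Review bot: the reported OS version drops from `1.0.20220122` to `1.0` here, and the `distro=` qualifier of every PURL in the later hunks of this file changes the same way; that is a user-visible change for anyone diffing SBOMs or matching on PURLs across Trivy versions, so call it out in the PR description and release notes, and consider whether the full build version from os-release `VERSION` is worth keeping somewhere in the metadata.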
@@ -34,7 +34,7 @@
},
"Results": [
{
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0)",
"Class": "os-pkgs",
"Type": "cbl-mariner",
"Vulnerabilities": [
@@ -42,7 +42,7 @@
"VulnerabilityID": "CVE-2022-0261",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
"PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0",
"UID": "3f08cd76fa5ba73d"
},
"InstalledVersion": "8.2.4081-1.cm1",
@@ -79,7 +79,7 @@
"VulnerabilityID": "CVE-2022-0158",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
"PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0",
"UID": "3f08cd76fa5ba73d"
},
"InstalledVersion": "8.2.4081-1.cm1",


@@ -75,7 +75,7 @@ nav:
- AlmaLinux: docs/coverage/os/alma.md
- Alpine Linux: docs/coverage/os/alpine.md
- Amazon Linux: docs/coverage/os/amazon.md
- CBL-Mariner: docs/coverage/os/cbl-mariner.md
- Azure Linux (CBL-Mariner): docs/coverage/os/azure.md
- CentOS: docs/coverage/os/centos.md
- Chainguard: docs/coverage/os/chainguard.md
- Conda: docs/coverage/os/conda.md
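Review bot: `docs/coverage/os/cbl-mariner.md` is removed from the nav and replaced by `azure.md`, so existing links and bookmarks to the CBL-Mariner page will 404 once this ships; add a redirect entry for the old path or keep a stub page that points at the new one.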


@@ -1,4 +1,4 @@
package mariner
package azure
import (
"context"
@@ -6,7 +6,7 @@ import (
version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
@@ -16,16 +16,24 @@ import (
// Scanner implements the CBL-Mariner scanner
type Scanner struct {
vs mariner.VulnSrc
vs azure.VulnSrc
}
// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
func newScanner(distribution azure.Distribution) *Scanner {
return &Scanner{
vs: mariner.NewVulnSrc(),
vs: azure.NewVulnSrc(distribution),
}
}
func NewAzureScanner() *Scanner {
return newScanner(azure.Azure)
}
func NewMarinerScanner() *Scanner {
return newScanner(azure.Mariner)
}
// Detect vulnerabilities in package using CBL-Mariner scanner
func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
// e.g. 1.0.20210127
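Review bot: the doc comments in this hunk are now stale: `// Scanner implements the CBL-Mariner scanner` and `// Detect vulnerabilities in package using CBL-Mariner scanner` still name only CBL-Mariner, `// NewScanner is the factory method for Scanner` now sits above the unexported `newScanner(distribution azure.Distribution)`, the new exported `NewAzureScanner` and `NewMarinerScanner` have no doc comments at all, and `// e.g. 1.0.20210127` no longer matches the `1.0` form the os-release analyzer passes as `osVer` after this change. Update them to name both distributions and the new version shape.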
@@ -36,10 +44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// CBL Mariner OVAL contains source package names only.
// Azure Linux OVAL contains source package names only.
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err)
}
sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))
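Review bot: `failed to get Azure Linux advisories` is returned for both distributions, so a lookup failure while scanning a CBL-Mariner 1.0/2.0 image is reported as an Azure Linux problem; include the distribution (or `osVer`) in the message so it matches what the user actually scanned, and adjust the `wantErr` string in the test to match.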


@@ -1,4 +1,4 @@
package mariner_test
package azure_test
import (
"testing"
@@ -8,15 +8,17 @@ import (
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
azurevs "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/internal/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/azure"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestScanner_Detect(t *testing.T) {
type args struct {
dist azurevs.Distribution
osVer string
pkgs []ftypes.Package
}
@@ -30,10 +32,11 @@ func TestScanner_Detect(t *testing.T) {
{
name: "happy path 1.0 SrcName and Name are different",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "1.0",
pkgs: []ftypes.Package{
{
@@ -69,10 +72,11 @@ func TestScanner_Detect(t *testing.T) {
{
name: "happy path 2.0",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "2.0",
pkgs: []ftypes.Package{
{
@@ -104,6 +108,46 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
{
name: "happy path 3.0",
fixtures: []string{
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Azure,
osVer: "3.0",
pkgs: []ftypes.Package{
{
Name: "php",
Epoch: 0,
Version: "8.3.6",
Release: "1.azl3",
Arch: "aarch64",
SrcName: "php",
SrcEpoch: 0,
SrcVersion: "8.3.6",
SrcRelease: "1.azl3",
Licenses: []string{"Php"},
Layer: ftypes.Layer{},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "php",
VulnerabilityID: "CVE-2024-2408",
InstalledVersion: "8.3.6-1.azl3",
FixedVersion: "8.3.8-1.azl3",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.AzureLinux,
Name: "Azure Linux Vulnerability Data",
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData",
},
},
},
},
{
name: "broken advisory",
fixtures: []string{
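Review bot: the new `happy path 3.0` case only checks that an `azurevs.Azure` scanner at `osVer: "3.0"` finds CVE-2024-2408; nothing verifies the split between the two distributions, i.e. that an `azurevs.Mariner` scanner queried with `3.0` (or an Azure scanner queried with `2.0`) returns no advisories from the other bucket. Since that separation is the whole point of the `Distribution` parameter, add a case for it using the same `azure.yaml` fixture.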
@@ -111,6 +155,7 @@ func TestScanner_Detect(t *testing.T) {
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "1.0",
pkgs: []ftypes.Package{
{
@@ -128,7 +173,7 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
wantErr: "failed to get CBL-Mariner advisories",
wantErr: "failed to get Azure Linux advisories",
},
}
for _, tt := range tests {
@@ -136,7 +181,10 @@ func TestScanner_Detect(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
s := mariner.NewScanner()
s := azure.NewAzureScanner()
if tt.args.dist == azurevs.Mariner {
s = azure.NewMarinerScanner()
}
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.Error(t, err)
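Review bot: the `if tt.args.dist == azurevs.Mariner` fallback means any table entry that forgets to set `dist` silently runs with the Azure scanner; a `switch tt.args.dist` with a `default: t.Fatalf(...)` would make the table harder to misuse and reads more clearly than building an Azure scanner that is then thrown away.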


@@ -14,3 +14,11 @@
- bucket: vim
pairs:
- key: CVE-2022-0261
- bucket: Azure Linux 3.0
pairs:
- bucket: php
pairs:
- key: CVE-2024-2408
value:
FixedVersion: 8.3.8-1.azl3


@@ -0,0 +1,21 @@
- bucket: data-source
pairs:
- key: CBL-Mariner 1.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: CBL-Mariner 2.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: Azure Linux 3.0
value:
ID: "azure"
Name: "Azure Linux Vulnerability Data"
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData"
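Review bot: the 3.0 entry uses `ID: "azure"` while the OS type constants added in this commit use `azurelinux` (`TypeAzure Type = "azurelinux"`, `Azure OSType = "azurelinux"`); the scanner test asserts `ID: vulnerability.AzureLinux`, so this fixture only passes if that trivy-db constant is `azure`. Confirm the value against the bumped trivy-db and, if it is still free to choose, align the data-source ID with the OS type so the same distribution does not carry two spellings.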


@@ -10,9 +10,9 @@ import (
"github.com/aquasecurity/trivy/pkg/detector/ospkg/alma"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/azure"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/photon"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat"
@@ -33,7 +33,8 @@ var (
ftypes.Alpine: alpine.NewScanner(),
ftypes.Alma: alma.NewScanner(),
ftypes.Amazon: amazon.NewScanner(),
ftypes.CBLMariner: mariner.NewScanner(),
ftypes.Azure: azure.NewAzureScanner(),
ftypes.CBLMariner: azure.NewMarinerScanner(),
ftypes.Debian: debian.NewScanner(),
ftypes.Ubuntu: ubuntu.NewScanner(),
ftypes.RedHat: redhat.NewScanner(),


@@ -1,14 +0,0 @@
- bucket: data-source
pairs:
- key: CBL-Mariner 1.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: CBL-Mariner 2.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"


@@ -41,7 +41,6 @@ import (
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/alpine"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/amazonlinux"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/debian"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/redhatbase"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/release"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/ubuntu"


@@ -13,6 +13,7 @@ const (
TypeOSRelease Type = "os-release"
TypeAlpine Type = "alpine"
TypeAmazon Type = "amazon"
TypeAzure Type = "azurelinux"
TypeCBLMariner Type = "cbl-mariner"
TypeDebian Type = "debian"
TypePhoton Type = "photon"


@@ -1,67 +0,0 @@
package mariner
import (
"bufio"
"context"
"io"
"os"
"path/filepath"
"strings"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
fos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
func init() {
analyzer.RegisterAnalyzer(&marinerOSAnalyzer{})
}
const (
version = 1
requiredFile = "etc/mariner-release"
)
type marinerOSAnalyzer struct{}
func (a marinerOSAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
foundOS, err := a.parseRelease(input.Content)
if err != nil {
return nil, xerrors.Errorf("release parse error: %w", err)
}
return &analyzer.AnalysisResult{
OS: foundOS,
}, nil
}
func (a marinerOSAnalyzer) parseRelease(r io.Reader) (types.OS, error) {
scanner := bufio.NewScanner(r)
for scanner.Scan() {
line := scanner.Text()
fields := strings.Fields(line)
if len(fields) != 2 {
continue
}
if strings.EqualFold(fields[0], "cbl-mariner") {
return types.OS{
Family: types.CBLMariner,
Name: fields[1],
}, nil
}
}
return types.OS{}, xerrors.Errorf("cbl-mariner: %w", fos.AnalyzeOSError)
}
func (a marinerOSAnalyzer) Required(filePath string, _ os.FileInfo) bool {
return filepath.ToSlash(filePath) == requiredFile
}
func (a marinerOSAnalyzer) Type() analyzer.Type {
return analyzer.TypeCBLMariner
}
func (a marinerOSAnalyzer) Version() int {
return version
}
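Review bot: deleting the `etc/mariner-release` analyzer (together with its registration in the analyzer import list above) means detection now depends entirely on `/etc/os-release` carrying `ID=mariner` or `ID=azurelinux`; the only image-level evidence in this commit is the `mariner-1.0.tar.gz` golden fixture, whose detected version changes from `1.0.20220122` to `1.0`. Confirm that the distroless CBL-Mariner 1.0/2.0 variants the docs list as supported also ship `/etc/os-release`, otherwise they fall through to `Unknown OS` after this change.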


@@ -1,60 +0,0 @@
package mariner
import (
"context"
"os"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
func Test_marinerOSAnalyzer_Analyze(t *testing.T) {
tests := []struct {
name string
inputFile string
want *analyzer.AnalysisResult
wantErr string
}{
{
name: "happy path with CBL Mariner 1.0",
inputFile: "testdata/1.0/mariner-release",
want: &analyzer.AnalysisResult{
OS: types.OS{
Family: types.CBLMariner,
Name: "1.0.20220122",
},
},
},
{
name: "sad path",
inputFile: "testdata/sad/mariner-release",
wantErr: "cbl-mariner: unable to analyze OS information",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := marinerOSAnalyzer{}
f, err := os.Open(tt.inputFile)
require.NoError(t, err)
defer f.Close()
ctx := context.Background()
got, err := a.Analyze(ctx, analyzer.AnalysisInput{
FilePath: "etc/mariner-release",
Content: f,
})
if tt.wantErr != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
}
require.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
}


@@ -1,2 +0,0 @@
CBL-Mariner 1.0.20220122
MARINER_BUILD_NUMBER=7da4f23


@@ -1 +0,0 @@
MARINER_BUILD_NUMBER=7da4f23


@@ -61,6 +61,10 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp
family = types.Wolfi
case "chainguard":
family = types.Chainguard
case "azurelinux":
family = types.Azure
case "mariner":
family = types.CBLMariner
}
if family != "" && versionID != "" {


@@ -90,6 +90,36 @@ func Test_osReleaseAnalyzer_Analyze(t *testing.T) {
},
},
},
{
name: "Azure Linux",
inputFile: "testdata/azurelinux-3.0",
want: &analyzer.AnalysisResult{
OS: types.OS{
Family: types.Azure,
Name: "3.0",
},
},
},
{
name: "Mariner 2.0",
inputFile: "testdata/mariner-2.0",
want: &analyzer.AnalysisResult{
OS: types.OS{
Family: types.CBLMariner,
Name: "2.0",
},
},
},
{
name: "Mariner 1.0",
inputFile: "testdata/mariner-1.0",
want: &analyzer.AnalysisResult{
OS: types.OS{
Family: types.CBLMariner,
Name: "1.0",
},
},
},
{
name: "Unknown OS",
inputFile: "testdata/unknown",


@@ -0,0 +1,9 @@
NAME="Microsoft Azure Linux"
VERSION="3.0.20240624"
ID=azurelinux
VERSION_ID="3.0"
PRETTY_NAME="Microsoft Azure Linux 3.0"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/azurelinux"
BUG_REPORT_URL="https://aka.ms/azurelinux"
SUPPORT_URL="https://aka.ms/azurelinux"


@@ -0,0 +1,9 @@
NAME="Common Base Linux Mariner"
VERSION="1.0.20230713"
ID=mariner
VERSION_ID="1.0"
PRETTY_NAME="CBL-Mariner/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/cbl-mariner"
BUG_REPORT_URL="https://aka.ms/cbl-mariner"
SUPPORT_URL="https://aka.ms/cbl-mariner"


@@ -0,0 +1,9 @@
NAME="Common Base Linux Mariner"
VERSION="2.0.20240123"
ID=mariner
VERSION_ID="2.0"
PRETTY_NAME="CBL-Mariner/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/cbl-mariner"
BUG_REPORT_URL="https://aka.ms/cbl-mariner"
SUPPORT_URL="https://aka.ms/cbl-mariner"


@@ -24,6 +24,7 @@ const (
Alma OSType = "alma"
Alpine OSType = "alpine"
Amazon OSType = "amazon"
Azure OSType = "azurelinux"
CBLMariner OSType = "cbl-mariner"
CentOS OSType = "centos"
Chainguard OSType = "chainguard"


@@ -477,7 +477,7 @@ func purlType(t ftypes.TargetType) string {
case ftypes.RedHat, ftypes.CentOS, ftypes.Rocky, ftypes.Alma,
ftypes.Amazon, ftypes.Fedora, ftypes.Oracle, ftypes.OpenSUSE,
ftypes.OpenSUSELeap, ftypes.OpenSUSETumbleweed, ftypes.SLES, ftypes.Photon,
ftypes.CBLMariner:
ftypes.Azure, ftypes.CBLMariner:
return packageurl.TypeRPM
case TypeOCI:
return packageurl.TypeOCI
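Review bot: adding `ftypes.Azure` to the RPM case sets the PURL type, but the namespace and `distro=` qualifier emitted for Azure Linux 3.0 packages are not exercised anywhere in this commit: the only PURL golden output is the `cbl-mariner` one, and the 3.0 scanner test does not check `PkgIdentifier`. Add a PURL test for an `azurelinux` package so the intended namespace is pinned rather than implied.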