Skip to content

Commit

Permalink
feat: add openSUSE tumbleweed detection and scanning (#6965)
Browse files Browse the repository at this point in the history
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
  • Loading branch information
3 people authored Jul 9, 2024
1 parent a64993e commit 17b5dbf
Show file tree
Hide file tree
Showing 15 changed files with 3,706 additions and 20 deletions.
1 change: 1 addition & 0 deletions docs/docs/coverage/os/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ Trivy supports operating systems for
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
Expand Down
5 changes: 3 additions & 2 deletions docs/docs/coverage/os/suse.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
Trivy supports the following distributions:

- openSUSE Leap
- openSUSE Tumbleweed
- SUSE Enterprise Linux (SLE)

Please see [here](index.md#supported-os) for supported versions.
Expand Down Expand Up @@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.


[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/

[vulnerability statuses]: ../../configuration/filtering.md#by-status
[vulnerability statuses]: ../../configuration/filtering.md#by-status
7 changes: 7 additions & 0 deletions integration/client_server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,13 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "opensuse tumbleweed",
args: csArgs{
Input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
},
golden: "testdata/opensuse-tumbleweed.json.golden",
},
{
name: "photon 3.0",
args: csArgs{
Expand Down
6 changes: 6 additions & 0 deletions integration/docker_engine_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,12 @@ func TestDockerEngine(t *testing.T) {
input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "opensuse tumbleweed",
imageTag: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
golden: "testdata/opensuse-tumbleweed.json.golden",
},
{
name: "photon 3.0",
imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",
Expand Down
8 changes: 8 additions & 0 deletions integration/standalone_tar_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,14 @@ func TestTar(t *testing.T) {
},
golden: "testdata/opensuse-leap-151.json.golden",
},
{
name: "opensuse tumbleweed",
args: args{
Format: types.FormatJSON,
Input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
},
golden: "testdata/opensuse-tumbleweed.json.golden",
},
{
name: "photon 3.0",
args: args{
Expand Down
9 changes: 8 additions & 1 deletion integration/testdata/fixtures/db/opensuse.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,11 @@
pairs:
- key: "openSUSE-SU-2020:0062-1"
value:
FixedVersion: 1.1.0i-lp151.8.6.1
FixedVersion: 1.1.0i-lp151.8.6.1
- bucket: "openSUSE Tumbleweed"
pairs:
- bucket: libopenssl3
pairs:
- key: "openSUSE-SU-2024:13065-1"
value:
FixedVersion: 3.1.5-9.1 # changed for test
11 changes: 10 additions & 1 deletion integration/testdata/fixtures/db/vulnerability.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1340,6 +1340,15 @@
- https://nvd.nist.gov/vuln/detail/CVE-2022-24775
PublishedDate: "2022-03-25T19:26:33Z"
LastModifiedDate: "2022-06-14T20:02:29Z"
- key: openSUSE-SU-2024:13065-1
value:
Title: "libopenssl-3-devel-3.1.1-3.1 on GA media"
Description: "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed."
Severity: MEDIUM
References:
- "https://www.suse.com/security/cve/CVE-2023-2975/"
- "https://www.suse.com/security/cve/CVE-2023-3446/"
- "https://www.suse.com/support/security/rating/"
- key: CVE-2022-22965
value:
Title: "spring-framework: RCE via Data Binding on JDK 9+"
Expand Down Expand Up @@ -1390,4 +1399,4 @@
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155"
- "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
PublishedDate: "2020-06-15T17:15:00Z"
LastModifiedDate: "2022-04-28T15:06:00Z"
LastModifiedDate: "2022-04-28T15:06:00Z"
94 changes: 94 additions & 0 deletions integration/testdata/opensuse-tumbleweed.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "opensuse.tumbleweed",
"Name": "20240607"
},
"ImageID": "sha256:580e73f5c823232e6587136e9f5428a89afdf77a123bb8575d08208e0cc34b12",
"DiffIDs": [
"sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
],
"ImageConfig": {
"architecture": "amd64",
"author": "Fabian Vogt \[email protected]\u003e",
"created": "2024-06-07T17:19:44Z",
"history": [
{
"author": "Fabian Vogt \[email protected]\u003e",
"created": "2024-06-07T17:19:44Z",
"created_by": "KIWI 10.0.19",
"comment": "openSUSE Tumbleweed 20240607 Base Container"
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
]
},
"config": {
"Cmd": [
"/bin/bash"
],
"Labels": {
"org.openbuildservice.disturl": "obs://build.opensuse.org/openSUSE:Factory/images/b068e2522114e1c009e9bfa1b5cb1146-opensuse-tumbleweed-image:docker",
"org.opencontainers.image.created": "2024-06-07T17:19:38.229693664Z",
"org.opencontainers.image.description": "Image containing a minimal environment for containers based on openSUSE Tumbleweed.",
"org.opencontainers.image.source": "https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-tumbleweed-image?rev=b068e2522114e1c009e9bfa1b5cb1146",
"org.opencontainers.image.title": "openSUSE Tumbleweed Base Container",
"org.opencontainers.image.url": "https://www.opensuse.org/",
"org.opencontainers.image.vendor": "openSUSE Project",
"org.opencontainers.image.version": "20240607.30.45",
"org.opensuse.base.created": "2024-06-07T17:19:38.229693664Z",
"org.opensuse.base.description": "Image containing a minimal environment for containers based on openSUSE Tumbleweed.",
"org.opensuse.base.disturl": "obs://build.opensuse.org/openSUSE:Factory/images/b068e2522114e1c009e9bfa1b5cb1146-opensuse-tumbleweed-image:docker",
"org.opensuse.base.reference": "registry.opensuse.org/opensuse/tumbleweed:20240607.30.45",
"org.opensuse.base.source": "https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-tumbleweed-image?rev=b068e2522114e1c009e9bfa1b5cb1146",
"org.opensuse.base.title": "openSUSE Tumbleweed Base Container",
"org.opensuse.base.url": "https://www.opensuse.org/",
"org.opensuse.base.vendor": "openSUSE Project",
"org.opensuse.base.version": "20240607.30.45",
"org.opensuse.reference": "registry.opensuse.org/opensuse/tumbleweed:20240607.30.45"
}
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz (opensuse.tumbleweed 20240607)",
"Class": "os-pkgs",
"Type": "opensuse.tumbleweed",
"Vulnerabilities": [
{
"VulnerabilityID": "openSUSE-SU-2024:13065-1",
"PkgID": "[email protected]_64",
"PkgName": "libopenssl3",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.tumbleweed/[email protected]?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
"UID": "f051425f385d2b99"
},
"InstalledVersion": "3.1.4-9.1",
"FixedVersion": "3.1.5-9.1",
"Status": "fixed",
"Layer": {
"Digest": "sha256:427d16a14c45614f51357aeebee0dfe209a1cebfc044b3b724b6ea35663b3111",
"DiffID": "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
},
"Title": "libopenssl-3-devel-3.1.1-3.1 on GA media",
"Description": "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed.",
"Severity": "MEDIUM",
"References": [
"https://www.suse.com/security/cve/CVE-2023-2975/",
"https://www.suse.com/security/cve/CVE-2023-3446/",
"https://www.suse.com/support/security/rating/"
]
}
]
}
]
}
31 changes: 16 additions & 15 deletions pkg/detector/ospkg/detect.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,21 +30,22 @@ var (
ErrUnsupportedOS = xerrors.New("unsupported os")

drivers = map[ftypes.OSType]Driver{
ftypes.Alpine: alpine.NewScanner(),
ftypes.Alma: alma.NewScanner(),
ftypes.Amazon: amazon.NewScanner(),
ftypes.CBLMariner: mariner.NewScanner(),
ftypes.Debian: debian.NewScanner(),
ftypes.Ubuntu: ubuntu.NewScanner(),
ftypes.RedHat: redhat.NewScanner(),
ftypes.CentOS: redhat.NewScanner(),
ftypes.Rocky: rocky.NewScanner(),
ftypes.Oracle: oracle.NewScanner(),
ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
ftypes.Photon: photon.NewScanner(),
ftypes.Wolfi: wolfi.NewScanner(),
ftypes.Chainguard: chainguard.NewScanner(),
ftypes.Alpine: alpine.NewScanner(),
ftypes.Alma: alma.NewScanner(),
ftypes.Amazon: amazon.NewScanner(),
ftypes.CBLMariner: mariner.NewScanner(),
ftypes.Debian: debian.NewScanner(),
ftypes.Ubuntu: ubuntu.NewScanner(),
ftypes.RedHat: redhat.NewScanner(),
ftypes.CentOS: redhat.NewScanner(),
ftypes.Rocky: rocky.NewScanner(),
ftypes.Oracle: oracle.NewScanner(),
ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
ftypes.Photon: photon.NewScanner(),
ftypes.Wolfi: wolfi.NewScanner(),
ftypes.Chainguard: chainguard.NewScanner(),
}
)

Expand Down
9 changes: 9 additions & 0 deletions pkg/detector/ospkg/suse/suse.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ const (
SUSEEnterpriseLinux Type = iota
// OpenSUSE for open versions
OpenSUSE
OpenSUSETumbleweed
)

// Scanner implements the SUSE scanner
Expand All @@ -86,6 +87,10 @@ func NewScanner(t Type) *Scanner {
return &Scanner{
vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
}
case OpenSUSETumbleweed:
return &Scanner{
vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
}
}
return nil
}
Expand Down Expand Up @@ -130,5 +135,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
if osFamily == ftypes.SLES {
return osver.Supported(ctx, slesEolDates, osFamily, osVer)
}
// tumbleweed is a rolling release, it has no version and no eol
if osFamily == ftypes.OpenSUSETumbleweed {
return true
}
return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
}
50 changes: 50 additions & 0 deletions pkg/detector/ospkg/suse/suse_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,46 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
{
name: "happy path: tumbleweed",
fixtures: []string{
"testdata/fixtures/tumbleweed.yaml",
"testdata/fixtures/data-source.yaml",
},
distribution: suse.OpenSUSETumbleweed,
args: args{
osVer: "",
pkgs: []ftypes.Package{
{
Name: "singularity-ce",
Version: "4.1.3",
Release: "1.0",
SrcName: "postgresql",
SrcVersion: "4.1.3",
SrcRelease: "1.1",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "singularity-ce",
VulnerabilityID: "openSUSE-SU-2024:14059-1",
InstalledVersion: "4.1.3-1.0",
FixedVersion: "4.1.3-1.1",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.SuseCVRF,
Name: "SUSE CVRF",
URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
},
},
},
},
{
name: "broken bucket",
fixtures: []string{
Expand Down Expand Up @@ -122,6 +162,16 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
args args
want bool
}{
{
name: "opensuse.tumbleweed",
now: time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "opensuse.tumbleweed",
osVer: "",
},
distribution: suse.OpenSUSETumbleweed,
want: true,
},
{
name: "opensuse.leap42.3",
now: time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
Expand Down
7 changes: 6 additions & 1 deletion pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
- bucket: data-source
pairs:
- key: openSUSE Tumbleweed
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 15.3
value:
ID: "suse-cvrf"
Expand All @@ -9,4 +14,4 @@
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
7 changes: 7 additions & 0 deletions pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
- bucket: openSUSE Tumbleweed
pairs:
- bucket: singularity-ce
pairs:
- key: openSUSE-SU-2024:14059-1
value:
FixedVersion: "4.1.3-1.1"
9 changes: 9 additions & 0 deletions pkg/fanal/test/integration/library_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,15 @@ var tests = []testCase{
Family: "opensuse.leap",
},
},
{
name: "happy path, opensuse tumbleweed",
remoteImageName: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
imageFile: "../../../../integration/testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
wantOS: types.OS{
Name: "20240607",
Family: "opensuse.tumbleweed",
},
},
{
// from registry.suse.com/suse/sle15:15.3.17.8.16
name: "happy path, suse 15.3 (NDB)",
Expand Down
Loading

0 comments on commit 17b5dbf

Please sign in to comment.