Skip to content

Commit

Permalink
feat(mariner): Add support for Azure Linux (#7186)
Browse files Browse the repository at this point in the history
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
  • Loading branch information
3 people authored Jul 22, 2024
1 parent 5f78045 commit 5cbc452
Show file tree
Hide file tree
Showing 28 changed files with 224 additions and 215 deletions.
2 changes: 1 addition & 1 deletion docs/community/contribute/pr.md
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ os:
- redhat
- alma
- rocky
- mariner
- azure
- oracle
- debian
- ubuntu
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
# CBL-Mariner
# Azure Linux (CBL-Mariner)

*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*

Trivy supports the following scanners for OS packages.

| Version | SBOM | Vulnerability | License |
Expand All @@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages.
| 1.0 (Distroless) ||| |
| 2.0 ||||
| 2.0 (Distroless) ||| |
| 3.0 ||||
| 3.0 (Distroless) ||| |


The following table provides an outline of the targets Trivy supports.
Expand All @@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports.
| ------- | :-------------: | :-------------: | :----------: |
| 1.0 ||| amd64, arm64 |
| 2.0 ||| amd64, arm64 |
| 3.0 ||| amd64, arm64 |

The table below outlines the features offered by Trivy.

Expand All @@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy.
| [Dependency graph][dependency-graph] ||

## SBOM
Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.

## Vulnerability
CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.

### Data Source
See [here](../../scanner/vulnerability.md#data-sources).

### Fixed Version
Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
Trivy takes fixed versions from [Azure Linux OVAL][oval].

### Severity
Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].

### Status
Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy supports the following [vulnerability statuses] for Azure Linux.

| Status | Supported |
| :-----------------: | :-------: |
Expand All @@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy identifies licenses by examining the metadata of RPM packages.

!!! note
License detection is not supported for CBL-Mariner Distroless.
License detection is not supported for Azure Linux Distroless images.


[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cbl-mariner]: https://github.com/microsoft/CBL-Mariner

[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

[vulnerability statuses]: ../../configuration/filtering.md#by-status
38 changes: 19 additions & 19 deletions docs/docs/coverage/os/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,25 +9,25 @@ Trivy supports operating systems for

## Supported OS

| OS | Supported Versions | Package Managers |
|--------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|---------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |

## Supported container images

Expand Down
34 changes: 17 additions & 17 deletions docs/docs/scanner/vulnerability.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.

### Data Sources

| OS | Source |
| ------------- | ------------------------------------------------------------ |
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| CBL-Mariner | [OVAL][mariner] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
| OS | Source |
|---------------------------|--------------------------------------------------------------|
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| Azure Linux (CBL-Mariner) | [OVAL][azure] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |

#### Data Source Selection
Trivy **only** consumes security advisories from the sources listed in the above table.
Expand Down Expand Up @@ -288,7 +288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v0.13.0
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
github.com/aws/aws-sdk-go-v2 v1.30.3
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -771,8 +771,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW+Xap4zRYxyctXDTj5luMQdE=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f+wSW9D5txv8S+tw4D4WNOibaUJYwvNnQuQlGQ8gO6c=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU=
Expand Down
8 changes: 4 additions & 4 deletions integration/testdata/mariner-1.0.json.golden
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"Metadata": {
"OS": {
"Family": "cbl-mariner",
"Name": "1.0.20220122"
"Name": "1.0"
},
"ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767",
"DiffIDs": [
Expand Down Expand Up @@ -34,15 +34,15 @@
},
"Results": [
{
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0)",
"Class": "os-pkgs",
"Type": "cbl-mariner",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-0261",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
"PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0",
"UID": "3f08cd76fa5ba73d"
},
"InstalledVersion": "8.2.4081-1.cm1",
Expand Down Expand Up @@ -79,7 +79,7 @@
"VulnerabilityID": "CVE-2022-0158",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
"PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0",
"UID": "3f08cd76fa5ba73d"
},
"InstalledVersion": "8.2.4081-1.cm1",
Expand Down
2 changes: 1 addition & 1 deletion mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ nav:
- AlmaLinux: docs/coverage/os/alma.md
- Alpine Linux: docs/coverage/os/alpine.md
- Amazon Linux: docs/coverage/os/amazon.md
- CBL-Mariner: docs/coverage/os/cbl-mariner.md
- Azure Linux (CBL-Mariner): docs/coverage/os/azure.md
- CentOS: docs/coverage/os/centos.md
- Chainguard: docs/coverage/os/chainguard.md
- Conda: docs/coverage/os/conda.md
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
package mariner
package azure

import (
"context"

version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
Expand All @@ -16,16 +16,24 @@ import (

// Scanner implements the CBL-Mariner scanner
type Scanner struct {
vs mariner.VulnSrc
vs azure.VulnSrc
}

// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
func newScanner(distribution azure.Distribution) *Scanner {
return &Scanner{
vs: mariner.NewVulnSrc(),
vs: azure.NewVulnSrc(distribution),
}
}

func NewAzureScanner() *Scanner {
return newScanner(azure.Azure)
}

func NewMarinerScanner() *Scanner {
return newScanner(azure.Mariner)
}

// Detect vulnerabilities in package using CBL-Mariner scanner
func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
// e.g. 1.0.20210127
Expand All @@ -36,10 +44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository

var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// CBL Mariner OVAL contains source package names only.
// Azure Linux OVAL contains source package names only.
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err)
}

sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))
Expand Down
Loading

0 comments on commit 5cbc452

Please sign in to comment.