From 5cbc452a09822d1bf300ead88f0d613d4cf0349a Mon Sep 17 00:00:00 2001 From: Tom Fay Date: Mon, 22 Jul 2024 07:58:53 +0100 Subject: [PATCH] feat(mariner): Add support for Azure Linux (#7186) Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: DmitriyLewen --- docs/community/contribute/pr.md | 2 +- .../coverage/os/{cbl-mariner.md => azure.md} | 23 ++++--- docs/docs/coverage/os/index.md | 38 +++++------ docs/docs/scanner/vulnerability.md | 34 +++++----- go.mod | 2 +- go.sum | 4 +- integration/testdata/mariner-1.0.json.golden | 8 +-- mkdocs.yml | 2 +- .../{mariner/mariner.go => azure/azure.go} | 22 ++++-- .../mariner_test.go => azure/azure_test.go} | 60 +++++++++++++++-- .../testdata/fixtures/azure.yaml} | 8 +++ .../azure/testdata/fixtures/data-source.yaml | 21 ++++++ .../testdata/fixtures/invalid.yaml | 0 pkg/detector/ospkg/detect.go | 5 +- .../testdata/fixtures/data-source.yaml | 14 ---- pkg/fanal/analyzer/all/import.go | 1 - pkg/fanal/analyzer/const.go | 1 + pkg/fanal/analyzer/os/mariner/mariner.go | 67 ------------------- pkg/fanal/analyzer/os/mariner/mariner_test.go | 60 ----------------- .../os/mariner/testdata/1.0/mariner-release | 2 - .../os/mariner/testdata/sad/mariner-release | 1 - pkg/fanal/analyzer/os/release/release.go | 4 ++ pkg/fanal/analyzer/os/release/release_test.go | 30 +++++++++ .../os/release/testdata/azurelinux-3.0 | 9 +++ .../analyzer/os/release/testdata/mariner-1.0 | 9 +++ .../analyzer/os/release/testdata/mariner-2.0 | 9 +++ pkg/fanal/types/const.go | 1 + pkg/purl/purl.go | 2 +- 28 files changed, 224 insertions(+), 215 deletions(-) rename docs/docs/coverage/os/{cbl-mariner.md => azure.md} (70%) rename pkg/detector/ospkg/{mariner/mariner.go => azure/azure.go} (81%) rename pkg/detector/ospkg/{mariner/mariner_test.go => azure/azure_test.go} (69%) rename pkg/detector/ospkg/{mariner/testdata/fixtures/mariner.yaml => azure/testdata/fixtures/azure.yaml} (68%) create mode 100644 pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml rename pkg/detector/ospkg/{mariner => azure}/testdata/fixtures/invalid.yaml (100%) delete mode 100644 pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml delete mode 100644 pkg/fanal/analyzer/os/mariner/mariner.go delete mode 100644 pkg/fanal/analyzer/os/mariner/mariner_test.go delete mode 100644 pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release delete mode 100644 pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release create mode 100644 pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0 create mode 100644 pkg/fanal/analyzer/os/release/testdata/mariner-1.0 create mode 100644 pkg/fanal/analyzer/os/release/testdata/mariner-2.0 diff --git a/docs/community/contribute/pr.md b/docs/community/contribute/pr.md index 584f502b9fb9..e60b3d987c08 100644 --- a/docs/community/contribute/pr.md +++ b/docs/community/contribute/pr.md @@ -121,7 +121,7 @@ os: - redhat - alma - rocky -- mariner +- azure - oracle - debian - ubuntu diff --git a/docs/docs/coverage/os/cbl-mariner.md b/docs/docs/coverage/os/azure.md similarity index 70% rename from docs/docs/coverage/os/cbl-mariner.md rename to docs/docs/coverage/os/azure.md index 0ca42bbb9993..9b4151a0be3c 100644 --- a/docs/docs/coverage/os/cbl-mariner.md +++ b/docs/docs/coverage/os/azure.md @@ -1,4 +1,7 @@ -# CBL-Mariner +# Azure Linux (CBL-Mariner) + +*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.* + Trivy supports the following scanners for OS packages. | Version | SBOM | Vulnerability | License | @@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages. | 1.0 (Distroless) | ✔ | ✔ | | | 2.0 | ✔ | ✔ | ✔ | | 2.0 (Distroless) | ✔ | ✔ | | +| 3.0 | ✔ | ✔ | ✔ | +| 3.0 (Distroless) | ✔ | ✔ | | The following table provides an outline of the targets Trivy supports. @@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports. | ------- | :-------------: | :-------------: | :----------: | | 1.0 | ✔ | ✔ | amd64, arm64 | | 2.0 | ✔ | ✔ | amd64, arm64 | +| 3.0 | ✔ | ✔ | amd64, arm64 | The table below outlines the features offered by Trivy. @@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy. | [Dependency graph][dependency-graph] | ✓ | ## SBOM -Trivy detects packages that have been installed through package managers such as `dnf` and `yum`. +Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`. ## Vulnerability -CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities. +Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities. ### Data Source See [here](../../scanner/vulnerability.md#data-sources). ### Fixed Version -Trivy takes fixed versions from [CBL-Mariner OVAL][oval]. +Trivy takes fixed versions from [Azure Linux OVAL][oval]. ### Severity -Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval]. +Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval]. ### Status -Trivy supports the following [vulnerability statuses] for CBL-Mariner. +Trivy supports the following [vulnerability statuses] for Azure Linux. | Status | Supported | | :-----------------: | :-------: | @@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner. Trivy identifies licenses by examining the metadata of RPM packages. !!! note - License detection is not supported for CBL-Mariner Distroless. + License detection is not supported for Azure Linux Distroless images. [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies -[cbl-mariner]: https://github.com/microsoft/CBL-Mariner -[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/ +[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/ [vulnerability statuses]: ../../configuration/filtering.md#by-status diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md index 49982b1b2d69..a28e113f07c9 100644 --- a/docs/docs/coverage/os/index.md +++ b/docs/docs/coverage/os/index.md @@ -9,25 +9,25 @@ Trivy supports operating systems for ## Supported OS -| OS | Supported Versions | Package Managers | -|--------------------------------------|-------------------------------------|------------------| -| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk | -| [Wolfi Linux](wolfi.md) | (n/a) | apk | -| [Chainguard](chainguard.md) | (n/a) | apk | -| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm | -| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm | -| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm | -| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm | -| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm | -| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm | -| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm | -| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm | -| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm | -| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm | -| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | -| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | -| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg | -| [OSs with installed Conda](conda.md) | - | conda | +| OS | Supported Versions | Package Managers | +|---------------------------------------|-------------------------------------|------------------| +| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk | +| [Wolfi Linux](wolfi.md) | (n/a) | apk | +| [Chainguard](chainguard.md) | (n/a) | apk | +| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm | +| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm | +| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm | +| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm | +| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm | +| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm | +| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm | +| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm | +| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm | +| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm | +| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | +| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | +| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg | +| [OSs with installed Conda](conda.md) | - | conda | ## Supported container images diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md index ef233b4db4da..ba612ee06b28 100644 --- a/docs/docs/scanner/vulnerability.md +++ b/docs/docs/scanner/vulnerability.md @@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes. ### Data Sources -| OS | Source | -| ------------- | ------------------------------------------------------------ | -| Arch Linux | [Vulnerable Issues][arch] | -| Alpine Linux | [secdb][alpine] | -| Wolfi Linux | [secdb][wolfi] | -| Chainguard | [secdb][chainguard] | -| Amazon Linux | [Amazon Linux Security Center][amazon] | -| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] | -| Ubuntu | [Ubuntu CVE Tracker][ubuntu] | -| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] | -| AlmaLinux | [AlmaLinux Product Errata][alma] | -| Rocky Linux | [Rocky Linux UpdateInfo][rocky] | -| Oracle Linux | [OVAL][oracle] | -| CBL-Mariner | [OVAL][mariner] | -| OpenSUSE/SLES | [CVRF][suse] | -| Photon OS | [Photon Security Advisory][photon] | +| OS | Source | +|---------------------------|--------------------------------------------------------------| +| Arch Linux | [Vulnerable Issues][arch] | +| Alpine Linux | [secdb][alpine] | +| Wolfi Linux | [secdb][wolfi] | +| Chainguard | [secdb][chainguard] | +| Amazon Linux | [Amazon Linux Security Center][amazon] | +| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] | +| Ubuntu | [Ubuntu CVE Tracker][ubuntu] | +| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] | +| AlmaLinux | [AlmaLinux Product Errata][alma] | +| Rocky Linux | [Rocky Linux UpdateInfo][rocky] | +| Oracle Linux | [OVAL][oracle] | +| Azure Linux (CBL-Mariner) | [OVAL][azure] | +| OpenSUSE/SLES | [CVRF][suse] | +| Photon OS | [Photon Security Advisory][photon] | #### Data Source Selection Trivy **only** consumes security advisories from the sources listed in the above table. @@ -288,7 +288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2) [oracle]: https://linux.oracle.com/security/oval/ [suse]: http://ftp.suse.com/pub/projects/security/cvrf/ [photon]: https://packages.vmware.com/photon/photon_cve_metadata/ -[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/ +[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/ [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip diff --git a/go.mod b/go.mod index 98dab8d4fff2..b01cd7c01e22 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac github.com/aquasecurity/tml v0.6.1 github.com/aquasecurity/trivy-checks v0.13.0 - github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab + github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b github.com/aws/aws-sdk-go-v2 v1.30.3 diff --git a/go.sum b/go.sum index 114f8585b370..0770f06bb8f2 100644 --- a/go.sum +++ b/go.sum @@ -771,8 +771,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w= github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E= -github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW+Xap4zRYxyctXDTj5luMQdE= -github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f+wSW9D5txv8S+tw4D4WNOibaUJYwvNnQuQlGQ8gO6c= +github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM= +github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU= diff --git a/integration/testdata/mariner-1.0.json.golden b/integration/testdata/mariner-1.0.json.golden index 7325bf74f6e6..8805f104c60c 100644 --- a/integration/testdata/mariner-1.0.json.golden +++ b/integration/testdata/mariner-1.0.json.golden @@ -6,7 +6,7 @@ "Metadata": { "OS": { "Family": "cbl-mariner", - "Name": "1.0.20220122" + "Name": "1.0" }, "ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767", "DiffIDs": [ @@ -34,7 +34,7 @@ }, "Results": [ { - "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)", + "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0)", "Class": "os-pkgs", "Type": "cbl-mariner", "Vulnerabilities": [ @@ -42,7 +42,7 @@ "VulnerabilityID": "CVE-2022-0261", "PkgName": "vim", "PkgIdentifier": { - "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122", + "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0", "UID": "3f08cd76fa5ba73d" }, "InstalledVersion": "8.2.4081-1.cm1", @@ -79,7 +79,7 @@ "VulnerabilityID": "CVE-2022-0158", "PkgName": "vim", "PkgIdentifier": { - "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122", + "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0", "UID": "3f08cd76fa5ba73d" }, "InstalledVersion": "8.2.4081-1.cm1", diff --git a/mkdocs.yml b/mkdocs.yml index 2222a30220fb..deddf4a896e4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -75,7 +75,7 @@ nav: - AlmaLinux: docs/coverage/os/alma.md - Alpine Linux: docs/coverage/os/alpine.md - Amazon Linux: docs/coverage/os/amazon.md - - CBL-Mariner: docs/coverage/os/cbl-mariner.md + - Azure Linux (CBL-Mariner): docs/coverage/os/azure.md - CentOS: docs/coverage/os/centos.md - Chainguard: docs/coverage/os/chainguard.md - Conda: docs/coverage/os/conda.md diff --git a/pkg/detector/ospkg/mariner/mariner.go b/pkg/detector/ospkg/azure/azure.go similarity index 81% rename from pkg/detector/ospkg/mariner/mariner.go rename to pkg/detector/ospkg/azure/azure.go index ae9d80157381..98f235353a2d 100644 --- a/pkg/detector/ospkg/mariner/mariner.go +++ b/pkg/detector/ospkg/azure/azure.go @@ -1,4 +1,4 @@ -package mariner +package azure import ( "context" @@ -6,7 +6,7 @@ import ( version "github.com/knqyf263/go-rpm-version" "golang.org/x/xerrors" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure" osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version" ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/log" @@ -16,16 +16,24 @@ import ( // Scanner implements the CBL-Mariner scanner type Scanner struct { - vs mariner.VulnSrc + vs azure.VulnSrc } // NewScanner is the factory method for Scanner -func NewScanner() *Scanner { +func newScanner(distribution azure.Distribution) *Scanner { return &Scanner{ - vs: mariner.NewVulnSrc(), + vs: azure.NewVulnSrc(distribution), } } +func NewAzureScanner() *Scanner { + return newScanner(azure.Azure) +} + +func NewMarinerScanner() *Scanner { + return newScanner(azure.Mariner) +} + // Detect vulnerabilities in package using CBL-Mariner scanner func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) { // e.g. 1.0.20210127 @@ -36,10 +44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository var vulns []types.DetectedVulnerability for _, pkg := range pkgs { - // CBL Mariner OVAL contains source package names only. + // Azure Linux OVAL contains source package names only. advisories, err := s.vs.Get(osVer, pkg.SrcName) if err != nil { - return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err) + return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err) } sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg)) diff --git a/pkg/detector/ospkg/mariner/mariner_test.go b/pkg/detector/ospkg/azure/azure_test.go similarity index 69% rename from pkg/detector/ospkg/mariner/mariner_test.go rename to pkg/detector/ospkg/azure/azure_test.go index 6e1ee9a37583..cc9f0a92d2af 100644 --- a/pkg/detector/ospkg/mariner/mariner_test.go +++ b/pkg/detector/ospkg/azure/azure_test.go @@ -1,4 +1,4 @@ -package mariner_test +package azure_test import ( "testing" @@ -8,15 +8,17 @@ import ( "github.com/aquasecurity/trivy-db/pkg/db" dbTypes "github.com/aquasecurity/trivy-db/pkg/types" + azurevs "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" "github.com/aquasecurity/trivy/internal/dbtest" - "github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner" + "github.com/aquasecurity/trivy/pkg/detector/ospkg/azure" ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/types" ) func TestScanner_Detect(t *testing.T) { type args struct { + dist azurevs.Distribution osVer string pkgs []ftypes.Package } @@ -30,10 +32,11 @@ func TestScanner_Detect(t *testing.T) { { name: "happy path 1.0 SrcName and Name are different", fixtures: []string{ - "testdata/fixtures/mariner.yaml", + "testdata/fixtures/azure.yaml", "testdata/fixtures/data-source.yaml", }, args: args{ + dist: azurevs.Mariner, osVer: "1.0", pkgs: []ftypes.Package{ { @@ -69,10 +72,11 @@ func TestScanner_Detect(t *testing.T) { { name: "happy path 2.0", fixtures: []string{ - "testdata/fixtures/mariner.yaml", + "testdata/fixtures/azure.yaml", "testdata/fixtures/data-source.yaml", }, args: args{ + dist: azurevs.Mariner, osVer: "2.0", pkgs: []ftypes.Package{ { @@ -104,6 +108,46 @@ func TestScanner_Detect(t *testing.T) { }, }, }, + { + name: "happy path 3.0", + fixtures: []string{ + "testdata/fixtures/azure.yaml", + "testdata/fixtures/data-source.yaml", + }, + args: args{ + dist: azurevs.Azure, + osVer: "3.0", + pkgs: []ftypes.Package{ + { + Name: "php", + Epoch: 0, + Version: "8.3.6", + Release: "1.azl3", + Arch: "aarch64", + SrcName: "php", + SrcEpoch: 0, + SrcVersion: "8.3.6", + SrcRelease: "1.azl3", + Licenses: []string{"Php"}, + Layer: ftypes.Layer{}, + }, + }, + }, + want: []types.DetectedVulnerability{ + { + PkgName: "php", + VulnerabilityID: "CVE-2024-2408", + InstalledVersion: "8.3.6-1.azl3", + FixedVersion: "8.3.8-1.azl3", + Layer: ftypes.Layer{}, + DataSource: &dbTypes.DataSource{ + ID: vulnerability.AzureLinux, + Name: "Azure Linux Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + }, + }, + }, + }, { name: "broken advisory", fixtures: []string{ @@ -111,6 +155,7 @@ func TestScanner_Detect(t *testing.T) { "testdata/fixtures/data-source.yaml", }, args: args{ + dist: azurevs.Mariner, osVer: "1.0", pkgs: []ftypes.Package{ { @@ -128,7 +173,7 @@ func TestScanner_Detect(t *testing.T) { }, }, }, - wantErr: "failed to get CBL-Mariner advisories", + wantErr: "failed to get Azure Linux advisories", }, } for _, tt := range tests { @@ -136,7 +181,10 @@ func TestScanner_Detect(t *testing.T) { _ = dbtest.InitDB(t, tt.fixtures) defer db.Close() - s := mariner.NewScanner() + s := azure.NewAzureScanner() + if tt.args.dist == azurevs.Mariner { + s = azure.NewMarinerScanner() + } got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs) if tt.wantErr != "" { require.Error(t, err) diff --git a/pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml b/pkg/detector/ospkg/azure/testdata/fixtures/azure.yaml similarity index 68% rename from pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml rename to pkg/detector/ospkg/azure/testdata/fixtures/azure.yaml index 7f044d1a8b1a..f9829e17ad41 100644 --- a/pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml +++ b/pkg/detector/ospkg/azure/testdata/fixtures/azure.yaml @@ -14,3 +14,11 @@ - bucket: vim pairs: - key: CVE-2022-0261 + +- bucket: Azure Linux 3.0 + pairs: + - bucket: php + pairs: + - key: CVE-2024-2408 + value: + FixedVersion: 8.3.8-1.azl3 diff --git a/pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml new file mode 100644 index 000000000000..7c9f386f157d --- /dev/null +++ b/pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml @@ -0,0 +1,21 @@ +- bucket: data-source + pairs: + - key: CBL-Mariner 1.0 + value: + ID: "cbl-mariner" + Name: "CBL-Mariner Vulnerability Data" + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" +- bucket: data-source + pairs: + - key: CBL-Mariner 2.0 + value: + ID: "cbl-mariner" + Name: "CBL-Mariner Vulnerability Data" + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" +- bucket: data-source + pairs: + - key: Azure Linux 3.0 + value: + ID: "azure" + Name: "Azure Linux Vulnerability Data" + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData" diff --git a/pkg/detector/ospkg/mariner/testdata/fixtures/invalid.yaml b/pkg/detector/ospkg/azure/testdata/fixtures/invalid.yaml similarity index 100% rename from pkg/detector/ospkg/mariner/testdata/fixtures/invalid.yaml rename to pkg/detector/ospkg/azure/testdata/fixtures/invalid.yaml diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go index e05b590107ca..0f4a1df2a9d3 100644 --- a/pkg/detector/ospkg/detect.go +++ b/pkg/detector/ospkg/detect.go @@ -10,9 +10,9 @@ import ( "github.com/aquasecurity/trivy/pkg/detector/ospkg/alma" "github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine" "github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon" + "github.com/aquasecurity/trivy/pkg/detector/ospkg/azure" "github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard" "github.com/aquasecurity/trivy/pkg/detector/ospkg/debian" - "github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner" "github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle" "github.com/aquasecurity/trivy/pkg/detector/ospkg/photon" "github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat" @@ -33,7 +33,8 @@ var ( ftypes.Alpine: alpine.NewScanner(), ftypes.Alma: alma.NewScanner(), ftypes.Amazon: amazon.NewScanner(), - ftypes.CBLMariner: mariner.NewScanner(), + ftypes.Azure: azure.NewAzureScanner(), + ftypes.CBLMariner: azure.NewMarinerScanner(), ftypes.Debian: debian.NewScanner(), ftypes.Ubuntu: ubuntu.NewScanner(), ftypes.RedHat: redhat.NewScanner(), diff --git a/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml deleted file mode 100644 index 57ce67b2ecd8..000000000000 --- a/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- bucket: data-source - pairs: - - key: CBL-Mariner 1.0 - value: - ID: "cbl-mariner" - Name: "CBL-Mariner Vulnerability Data" - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" -- bucket: data-source - pairs: - - key: CBL-Mariner 2.0 - value: - ID: "cbl-mariner" - Name: "CBL-Mariner Vulnerability Data" - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" diff --git a/pkg/fanal/analyzer/all/import.go b/pkg/fanal/analyzer/all/import.go index 1849bcebf682..5345073fd3cf 100644 --- a/pkg/fanal/analyzer/all/import.go +++ b/pkg/fanal/analyzer/all/import.go @@ -41,7 +41,6 @@ import ( _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/alpine" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/amazonlinux" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/debian" - _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/redhatbase" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/release" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/ubuntu" diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go index 6e9d0332eb61..681f8b9987cc 100644 --- a/pkg/fanal/analyzer/const.go +++ b/pkg/fanal/analyzer/const.go @@ -13,6 +13,7 @@ const ( TypeOSRelease Type = "os-release" TypeAlpine Type = "alpine" TypeAmazon Type = "amazon" + TypeAzure Type = "azurelinux" TypeCBLMariner Type = "cbl-mariner" TypeDebian Type = "debian" TypePhoton Type = "photon" diff --git a/pkg/fanal/analyzer/os/mariner/mariner.go b/pkg/fanal/analyzer/os/mariner/mariner.go deleted file mode 100644 index f24a8b1886b3..000000000000 --- a/pkg/fanal/analyzer/os/mariner/mariner.go +++ /dev/null @@ -1,67 +0,0 @@ -package mariner - -import ( - "bufio" - "context" - "io" - "os" - "path/filepath" - "strings" - - "golang.org/x/xerrors" - - "github.com/aquasecurity/trivy/pkg/fanal/analyzer" - fos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os" - "github.com/aquasecurity/trivy/pkg/fanal/types" -) - -func init() { - analyzer.RegisterAnalyzer(&marinerOSAnalyzer{}) -} - -const ( - version = 1 - requiredFile = "etc/mariner-release" -) - -type marinerOSAnalyzer struct{} - -func (a marinerOSAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { - foundOS, err := a.parseRelease(input.Content) - if err != nil { - return nil, xerrors.Errorf("release parse error: %w", err) - } - return &analyzer.AnalysisResult{ - OS: foundOS, - }, nil -} - -func (a marinerOSAnalyzer) parseRelease(r io.Reader) (types.OS, error) { - scanner := bufio.NewScanner(r) - for scanner.Scan() { - line := scanner.Text() - fields := strings.Fields(line) - if len(fields) != 2 { - continue - } - if strings.EqualFold(fields[0], "cbl-mariner") { - return types.OS{ - Family: types.CBLMariner, - Name: fields[1], - }, nil - } - } - return types.OS{}, xerrors.Errorf("cbl-mariner: %w", fos.AnalyzeOSError) -} - -func (a marinerOSAnalyzer) Required(filePath string, _ os.FileInfo) bool { - return filepath.ToSlash(filePath) == requiredFile -} - -func (a marinerOSAnalyzer) Type() analyzer.Type { - return analyzer.TypeCBLMariner -} - -func (a marinerOSAnalyzer) Version() int { - return version -} diff --git a/pkg/fanal/analyzer/os/mariner/mariner_test.go b/pkg/fanal/analyzer/os/mariner/mariner_test.go deleted file mode 100644 index e13730a021cb..000000000000 --- a/pkg/fanal/analyzer/os/mariner/mariner_test.go +++ /dev/null @@ -1,60 +0,0 @@ -package mariner - -import ( - "context" - "os" - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/aquasecurity/trivy/pkg/fanal/analyzer" - "github.com/aquasecurity/trivy/pkg/fanal/types" -) - -func Test_marinerOSAnalyzer_Analyze(t *testing.T) { - tests := []struct { - name string - inputFile string - want *analyzer.AnalysisResult - wantErr string - }{ - { - name: "happy path with CBL Mariner 1.0", - inputFile: "testdata/1.0/mariner-release", - want: &analyzer.AnalysisResult{ - OS: types.OS{ - Family: types.CBLMariner, - Name: "1.0.20220122", - }, - }, - }, - { - name: "sad path", - inputFile: "testdata/sad/mariner-release", - wantErr: "cbl-mariner: unable to analyze OS information", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - a := marinerOSAnalyzer{} - f, err := os.Open(tt.inputFile) - require.NoError(t, err) - defer f.Close() - - ctx := context.Background() - got, err := a.Analyze(ctx, analyzer.AnalysisInput{ - FilePath: "etc/mariner-release", - Content: f, - }) - if tt.wantErr != "" { - require.Error(t, err) - assert.Contains(t, err.Error(), tt.wantErr) - return - } - - require.NoError(t, err) - assert.Equal(t, tt.want, got) - }) - } -} diff --git a/pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release b/pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release deleted file mode 100644 index 1a8769674acf..000000000000 --- a/pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release +++ /dev/null @@ -1,2 +0,0 @@ -CBL-Mariner 1.0.20220122 -MARINER_BUILD_NUMBER=7da4f23 diff --git a/pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release b/pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release deleted file mode 100644 index 4fda2bc57d30..000000000000 --- a/pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release +++ /dev/null @@ -1 +0,0 @@ -MARINER_BUILD_NUMBER=7da4f23 diff --git a/pkg/fanal/analyzer/os/release/release.go b/pkg/fanal/analyzer/os/release/release.go index 229c13c932aa..8da24644d5f7 100644 --- a/pkg/fanal/analyzer/os/release/release.go +++ b/pkg/fanal/analyzer/os/release/release.go @@ -61,6 +61,10 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp family = types.Wolfi case "chainguard": family = types.Chainguard + case "azurelinux": + family = types.Azure + case "mariner": + family = types.CBLMariner } if family != "" && versionID != "" { diff --git a/pkg/fanal/analyzer/os/release/release_test.go b/pkg/fanal/analyzer/os/release/release_test.go index 862f39f4cf17..3b534ad7b14d 100644 --- a/pkg/fanal/analyzer/os/release/release_test.go +++ b/pkg/fanal/analyzer/os/release/release_test.go @@ -90,6 +90,36 @@ func Test_osReleaseAnalyzer_Analyze(t *testing.T) { }, }, }, + { + name: "Azure Linux", + inputFile: "testdata/azurelinux-3.0", + want: &analyzer.AnalysisResult{ + OS: types.OS{ + Family: types.Azure, + Name: "3.0", + }, + }, + }, + { + name: "Mariner 2.0", + inputFile: "testdata/mariner-2.0", + want: &analyzer.AnalysisResult{ + OS: types.OS{ + Family: types.CBLMariner, + Name: "2.0", + }, + }, + }, + { + name: "Mariner 1.0", + inputFile: "testdata/mariner-1.0", + want: &analyzer.AnalysisResult{ + OS: types.OS{ + Family: types.CBLMariner, + Name: "1.0", + }, + }, + }, { name: "Unknown OS", inputFile: "testdata/unknown", diff --git a/pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0 b/pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0 new file mode 100644 index 000000000000..a033cb09377e --- /dev/null +++ b/pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0 @@ -0,0 +1,9 @@ +NAME="Microsoft Azure Linux" +VERSION="3.0.20240624" +ID=azurelinux +VERSION_ID="3.0" +PRETTY_NAME="Microsoft Azure Linux 3.0" +ANSI_COLOR="1;34" +HOME_URL="https://aka.ms/azurelinux" +BUG_REPORT_URL="https://aka.ms/azurelinux" +SUPPORT_URL="https://aka.ms/azurelinux" diff --git a/pkg/fanal/analyzer/os/release/testdata/mariner-1.0 b/pkg/fanal/analyzer/os/release/testdata/mariner-1.0 new file mode 100644 index 000000000000..aef312e77294 --- /dev/null +++ b/pkg/fanal/analyzer/os/release/testdata/mariner-1.0 @@ -0,0 +1,9 @@ +NAME="Common Base Linux Mariner" +VERSION="1.0.20230713" +ID=mariner +VERSION_ID="1.0" +PRETTY_NAME="CBL-Mariner/Linux" +ANSI_COLOR="1;34" +HOME_URL="https://aka.ms/cbl-mariner" +BUG_REPORT_URL="https://aka.ms/cbl-mariner" +SUPPORT_URL="https://aka.ms/cbl-mariner" diff --git a/pkg/fanal/analyzer/os/release/testdata/mariner-2.0 b/pkg/fanal/analyzer/os/release/testdata/mariner-2.0 new file mode 100644 index 000000000000..c8a70bc4464c --- /dev/null +++ b/pkg/fanal/analyzer/os/release/testdata/mariner-2.0 @@ -0,0 +1,9 @@ +NAME="Common Base Linux Mariner" +VERSION="2.0.20240123" +ID=mariner +VERSION_ID="2.0" +PRETTY_NAME="CBL-Mariner/Linux" +ANSI_COLOR="1;34" +HOME_URL="https://aka.ms/cbl-mariner" +BUG_REPORT_URL="https://aka.ms/cbl-mariner" +SUPPORT_URL="https://aka.ms/cbl-mariner" diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index 7253404c0be1..c257154e24ea 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go @@ -24,6 +24,7 @@ const ( Alma OSType = "alma" Alpine OSType = "alpine" Amazon OSType = "amazon" + Azure OSType = "azurelinux" CBLMariner OSType = "cbl-mariner" CentOS OSType = "centos" Chainguard OSType = "chainguard" diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go index 12b27e6290e6..ba19d40c26a9 100644 --- a/pkg/purl/purl.go +++ b/pkg/purl/purl.go @@ -477,7 +477,7 @@ func purlType(t ftypes.TargetType) string { case ftypes.RedHat, ftypes.CentOS, ftypes.Rocky, ftypes.Alma, ftypes.Amazon, ftypes.Fedora, ftypes.Oracle, ftypes.OpenSUSE, ftypes.OpenSUSELeap, ftypes.OpenSUSETumbleweed, ftypes.SLES, ftypes.Photon, - ftypes.CBLMariner: + ftypes.Azure, ftypes.CBLMariner: return packageurl.TypeRPM case TypeOCI: return packageurl.TypeOCI