feat: add openSUSE tumbleweed detection and scanning

(merged: changes in trivy-db from aquasecurity/trivy-db#411) aquasecurity/trivy-db#410
aquasecurity · Jun 26, 2024 · e2c3433 · e2c3433
1 parent 0ccdbfb
commit e2c3433
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 3 deletions.
diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
@@ -22,6 +22,7 @@ Trivy supports operating systems for
 | [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
 | [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
 | [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)       | (n/a)                               | zypper/rpm       |
 | [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
 | [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |

diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md
@@ -2,6 +2,7 @@
 Trivy supports the following distributions:
 
 - openSUSE Leap
+- openSUSE Tumbleweed
 - SUSE Enterprise Linux (SLE)
 
 Please see [here](index.md#supported-os) for supported versions.
@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
 
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
 
-[vulnerability statuses]: ../../configuration/filtering.md#by-status
+[vulnerability statuses]: ../../configuration/filtering.md#by-status
diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go
@@ -40,6 +40,7 @@ var (
 		ftypes.CentOS:       redhat.NewScanner(),
 		ftypes.Rocky:        rocky.NewScanner(),
 		ftypes.Oracle:       oracle.NewScanner(),
+		ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
 		ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
 		ftypes.SLES:         suse.NewScanner(suse.SUSEEnterpriseLinux),
 		ftypes.Photon:       photon.NewScanner(),

diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go
@@ -68,6 +68,7 @@ const (
 	SUSEEnterpriseLinux Type = iota
 	// OpenSUSE for open versions
 	OpenSUSE
+	OpenSUSETumbleweed
 )
 
 // Scanner implements the SUSE scanner
@@ -86,6 +87,10 @@ func NewScanner(t Type) *Scanner {
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
 		}
+	case OpenSUSETumbleweed:
+		return &Scanner{
+			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
+		}
 	}
 	return nil
 }
@@ -130,5 +135,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
 	if osFamily == ftypes.SLES {
 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
 	}
+	// tumbleweed is a rolling release, it has no version and no eol
+	if osFamily == ftypes.OpenSUSETumbleweed {
+		return true
+	}
 	return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
 }
diff --git a/pkg/detector/ospkg/suse/suse_test.go b/pkg/detector/ospkg/suse/suse_test.go
@@ -71,6 +71,46 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy tumbleweed path",
+			fixtures: []string{
+				"testdata/fixtures/tumbleweed.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.OpenSUSETumbleweed,
+			args: args{
+				osVer: "",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "singularity-ce",
+						Version:    "4.1.3",
+						Release:    "1.0",
+						SrcName:    "postgresql",
+						SrcVersion: "4.1.3",
+						SrcRelease: "1.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "singularity-ce",
+					VulnerabilityID:  "openSUSE-SU-2024:14059-1",
+					InstalledVersion: "4.1.3-1.0",
+					FixedVersion:     "4.1.3-1.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
 		{
 			name: "broken bucket",
 			fixtures: []string{

diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
@@ -1,5 +1,10 @@
 - bucket: data-source
   pairs:
+    - key: openSUSE Tumbleweed
+      value:
+        ID: "suse-cvrf"
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
     - key: openSUSE Leap 15.3
       value:
         ID: "suse-cvrf"
@@ -9,4 +14,4 @@
       value:
         ID: "suse-cvrf"
         Name: "SUSE CVRF"
-        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
@@ -0,0 +1,10 @@
+- bucket: openSUSE Tumbleweed
+  pairs:
+    - bucket: singularity-ce
+      pairs:
+        - key: openSUSE-SU-2024:14059-1
+          value:
+            FixedVersion: "4.1.3-1.1"
+        - key: CVE-2022-23538
+          value:
+            FixedVersion: ""