From e2c343310d4ceff0f38795c9f6618e44006d70d9 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 19 Jun 2024 10:32:34 +0200
Subject: [PATCH] feat: add openSUSE tumbleweed detection and scanning
(merged: changes in trivy-db from https://github.com/aquasecurity/trivy-db/pull/411) https://github.com/aquasecurity/trivy-db/issues/410
---
 docs/docs/coverage/os/index.md | 1 +
 docs/docs/coverage/os/suse.md | 5 ++-
 pkg/detector/ospkg/detect.go | 1 +
 pkg/detector/ospkg/suse/suse.go | 9 +++++
 pkg/detector/ospkg/suse/suse_test.go | 40 +++++++++++++++++++
 .../suse/testdata/fixtures/data-source.yaml | 7 +++-
 .../suse/testdata/fixtures/tumbleweed.yaml | 10 +++++
 7 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
index a8d2670d7d65..49982b1b2d69 100644
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -22,6 +22,7 @@ Trivy supports operating systems for
 | [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
 | [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
 | [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
+| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
 | [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
 | [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
 | [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md
index 6ff52de31c86..15cfb1e9379a 100644
--- a/docs/docs/coverage/os/suse.md
+++ b/docs/docs/coverage/os/suse.md
@@ -2,6 +2,7 @@ Trivy supports the following distributions:
 - openSUSE Leap
+- openSUSE Tumbleweed
 - SUSE Enterprise Linux (SLE)
 Please see [here](index.md#supported-os) for supported versions.
@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
-[vulnerability statuses]: ../../configuration/filtering.md#by-status
\ No newline at end of file
+[vulnerability statuses]: ../../configuration/filtering.md#by-status
diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go
index bbeb8e8649d8..56c4b76d1471 100644
--- a/pkg/detector/ospkg/detect.go
+++ b/pkg/detector/ospkg/detect.go
@@ -40,6 +40,7 @@ var (
 	ftypes.CentOS: redhat.NewScanner(),
 	ftypes.Rocky: rocky.NewScanner(),
 	ftypes.Oracle: oracle.NewScanner(),
+	ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
 	ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
 	ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
 	ftypes.Photon: photon.NewScanner(),
diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go
index eb2fed82cda0..b999e1dafb22 100644
--- a/pkg/detector/ospkg/suse/suse.go
+++ b/pkg/detector/ospkg/suse/suse.go
@@ -68,6 +68,7 @@ const (
 	SUSEEnterpriseLinux Type = iota
 	// OpenSUSE for open versions
 	OpenSUSE
+	OpenSUSETumbleweed
 )
 // Scanner implements the SUSE scanner
@@ -86,6 +87,10 @@ func NewScanner(t Type) *Scanner {
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
 		}
+	case OpenSUSETumbleweed:
+		return &Scanner{
+			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
+		}
 	}
 	return nil
 }
@@ -130,5 +135,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
 	if osFamily == ftypes.SLES {
 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
 	}
+	// tumbleweed is a rolling release, it has no version and no eol
+	if osFamily == ftypes.OpenSUSETumbleweed {
+		return true
+	}
 	return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
 }
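Review bot: The new `OpenSUSETumbleweed` constant is the only member of the `Type` block without a doc comment, while its sibling `OpenSUSE` carries `// OpenSUSE for open versions`; an exported constant that selects a vulnerability data set should say what it selects. I'd add `// OpenSUSETumbleweed for the rolling-release openSUSE Tumbleweed (no versioned EOL schedule)` directly above it. Appending it at the end of the iota block leaves the existing values of `SUSEEnterpriseLinux` and `OpenSUSE` unchanged, which is the right place for it.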
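Review bot: The comment on the new `IsSupportedVersion` branch says Tumbleweed "has no version", but a Tumbleweed os-release normally carries a snapshot date as `VERSION_ID`; what is actually true here is that there is no EOL schedule to compare it against, so `osVer` is deliberately ignored by the `return true`. I'd reword it to `// Tumbleweed is a rolling release with no EOL schedule; osVer (a snapshot date, if the analyzer reports one) is intentionally not checked`. Whether the analyzer populates osVer for Tumbleweed is outside this hunk (the new test passes `osVer: ""`), so that part should be confirmed against the os-release analyzer before the comment is finalized. With two family-specific early returns now stacked in the function, a `switch osFamily` would also read better than consecutive `if`s, but that is cosmetic.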
diff --git a/pkg/detector/ospkg/suse/suse_test.go b/pkg/detector/ospkg/suse/suse_test.go
index 011fc3332b6a..c3842eb7adc1 100644
--- a/pkg/detector/ospkg/suse/suse_test.go
+++ b/pkg/detector/ospkg/suse/suse_test.go
@@ -71,6 +71,46 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy tumbleweed path",
+			fixtures: []string{
+				"testdata/fixtures/tumbleweed.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.OpenSUSETumbleweed,
+			args: args{
+				osVer: "",
+				pkgs: []ftypes.Package{
+					{
+						Name: "singularity-ce",
+						Version: "4.1.3",
+						Release: "1.0",
+						SrcName: "postgresql",
+						SrcVersion: "4.1.3",
+						SrcRelease: "1.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName: "singularity-ce",
+					VulnerabilityID: "openSUSE-SU-2024:14059-1",
+					InstalledVersion: "4.1.3-1.0",
+					FixedVersion: "4.1.3-1.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID: vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
 		{
 			name: "broken bucket",
 			fixtures: []string{
diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
index 13eb48d0a0ea..b917b7e19da1 100644
--- a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
@@ -1,5 +1,10 @@
 - bucket: data-source
   pairs:
+    - key: openSUSE Tumbleweed
+      value:
+        ID: "suse-cvrf"
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
     - key: openSUSE Leap 15.3
       value:
         ID: "suse-cvrf"
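Review bot: In the new `happy tumbleweed path` case the package under test is `singularity-ce` but its source fields are `SrcName: "postgresql"` and `SrcRelease: "1.1"` (the fixed release, not the installed one), which looks copied from the Leap case; if Detect ever consulted the source package fields this case would pass or fail for an unrelated reason. I'd make the source fields agree with the binary package: `SrcName: "singularity-ce"`, `SrcRelease: "1.0"`. The fixture also carries `CVE-2022-23538` with an empty `FixedVersion` that does not appear in `want`, so the case silently relies on Detect dropping unfixed advisories; a one-line comment such as `// CVE-2022-23538 has no fixed version in the fixture and must not be reported` would make that expectation explicit rather than incidental.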
@@ -9,4 +14,4 @@
       value:
         ID: "suse-cvrf"
         Name: "SUSE CVRF"
-        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
\ No newline at end of file
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
new file mode 100644
index 000000000000..ff2606a4c29d
--- /dev/null
+++ b/pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml
@@ -0,0 +1,10 @@
+- bucket: openSUSE Tumbleweed
+  pairs:
+    - bucket: singularity-ce
+      pairs:
+        - key: openSUSE-SU-2024:14059-1
+          value:
+            FixedVersion: "4.1.3-1.1"
+        - key: CVE-2022-23538
+          value:
+            FixedVersion: ""