feat: add openSUSE tumbleweed detection and scanning #6965
I tried to build using "mage", but it does not work with mage-v1.11.0~git0.07afc7d-150500.1.1.x86_64 on SLES 15 SP5.
"No .go files marked with the mage build tag in this directory." (neither in top nor in cmd/trivy/)
go build cmd/trivy/main.go goes through
fb89e70 to 3e9c836
LGTM
2 moments:
- we need to merge added openSUSE Tumbleweed version detection trivy-db#411 first
- @msmeissn can you add a test for openSUSE tumbleweed?
I did some tests but I need to figure out how to run tests first, the mage howto does not seem to work on older mage
Trivy mage commands - https://aquasecurity.github.io/trivy/v0.52/community/contribute/pr/#development
One thing, scans work (the image currently will always report this one entry, as the version was lowered after the update):
./trivy image registry.opensuse.org/opensuse/bci/bci-init:latest
2024-07-03T16:48:59+02:00 INFO Vulnerability scanning is enabled
2024-07-03T16:48:59+02:00 INFO Secret scanning is enabled
2024-07-03T16:48:59+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-03T16:48:59+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-03T16:49:01+02:00 INFO Detected OS family="opensuse.tumbleweed" version="20240607"
2024-07-03T16:49:01+02:00 INFO [opensuse.tumbleweed] Detecting vulnerabilities... os_version="20240607" pkg_num=149
2024-07-03T16:49:01+02:00 INFO Number of language-specific files num=0
registry.opensuse.org/opensuse/bci/bci-init:latest (opensuse.tumbleweed 20240607)
=================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────────┬──────────────────────────┬──────────┬────────┬───────────────────┬────────────────────┬────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────┼──────────────────────────┼──────────┼────────┼───────────────────┼────────────────────┼────────────────────────────────────────┤
│ permissions │ openSUSE-SU-2024:11165-1 │ MEDIUM │ fixed │ 1699_20240522-1.1 │ 20210901.1550-29.2 │ chkstat-1550_20210901-29.2 on GA media │
└─────────────┴──────────────────────────┴──────────┴────────┴───────────────────┴────────────────────┴────────────────────────────────────────┘
I otherwise started on more tests, but the integration tests are a bit large:
You need to add your image to this script - https://github.com/aquasecurity/trivy-test-images/blob/master/copy-images.sh
Use
(merged: changes in trivy-db from aquasecurity/trivy-db#411) aquasecurity/trivy-db#410
Update: I added some integration tests now, and
LGTM.
@DmitriyLewen Please take a look.
pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
Co-authored-by: DmitriyLewen <[email protected]>
also updated tumbleweed golden file.
LGTM
cc. @knqyf263
@msmeissn Thanks for your great contribution!
Description
This adds openSUSE Tumbleweed support. Tumbleweed is a rolling release; it has no version and currently no EOL.
The CVRF data is in the same location as the openSUSE Leap data.
The OS detector is already detecting it.