feat: support RPM archives

[knqyf263]

Description

Add support for RPM files. It's disabled unless TRIVY_EXPERIMENTAL_RPM_ARCHIVE is set as it's experimental.

$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true ./trivy fs ./redhat-7.9-rpms -f cyclonedx

Details

2024-10-02T13:46:05+04:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-10-02T13:46:05+04:00       INFO    Detected OS     family="none" version=""
2024-10-02T13:46:05+04:00       INFO    Number of language-specific files       num=0
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:ca46e752-2b04-49fc-a237-067b200be2e4",
  "version": 1,
  "metadata": {
    "timestamp": "2024-10-02T09:46:05+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.55.0-49-g981a8b3e9"
        }
      ]
    },
    "component": {
      "bom-ref": "48aad1f0-9af0-445e-afd4-26a44dc2acda",
      "type": "application",
      "name": "/tmp/rpms/redhat-7.9-rpm-for-trivy",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "4194564a-f44c-4a33-b848-6e570af8c7b5",
      "type": "operating-system",
      "name": "none",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "none"
        }
      ]
    },
    {
      "bom-ref": "pkg:rpm/redhat/[email protected]",
      "type": "library",
      "supplier": {
        "name": "Red Hat, Inc."
      },
      "name": "adcli-doc",
      "version": "0.8.2-12.el8",
      "licenses": [
        {
          "license": {
            "name": "LGPLv2+"
          }
        }
      ],

TODOs

• Parse RPM files
• Enable/Disable the analyzer
• Add tests

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

@DmitriyLewen Some tests are failing due to 429 from GHCR, but it's ready for review.

[DmitriyLewen]

can we skip splitFileName If SOURCERPM is not found?
(to avoid splitFileName error)
as for rpm:

trivy/pkg/fanal/analyzer/pkg/rpm/rpm.go

Lines 130 to 136 in 096fcd0

	if pkg.SourceRpm != "(none)" && pkg.SourceRpm != "" {
	// source epoch is not included in SOURCERPM
	srcName, srcVer, srcRel, err = splitFileName(pkg.SourceRpm)
	if err != nil {
	log.DebugContext(ctx, "Invalid Source RPM Found", log.String("sourcerpm", pkg.SourceRpm))
	}
	}

[knqyf263]

Fixed in c1fa209

[DmitriyLewen]

IIUC we will overwrite this purl if OS is detected:

trivy/pkg/fanal/applier/docker.go

Lines 223 to 225 in 096fcd0

	if mergedLayer.OS.Family != "" {
	mergedLayer.Packages[i].Identifier.PURL = newPURL(mergedLayer.OS.Family, types.Metadata{OS: &mergedLayer.OS}, pkg)
	}

[knqyf263]

We need to generate PURL here as OS is not detected when scanning RPM files.

[DmitriyLewen]

I agree that we need to generate PURL here.
I am worried about case when we scan image that containing *.rpm file, and OS and vendor of this file are not equal.
In this case we will use namespace from OS.
(example): fedora image contains socat-1.7.3.2-2.el7.x86_64.rpm file (for RedHat).
in analyzer we use redhat namespace.
But in applier we will overwrite purl and use fedora namespace.

I meant that perhaps we need to add purl == nil check in applier.

UPD:

➜ cat Dockerfile 
FROM centos

COPY socat-1.7.3.2-2.el7.x86_64.rpm socat-1.7.3.2-2.el7.x86_64.rpm

➜  TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true ./trivy -q image -f json --list-all-pkgs rpm-archives | grep [email protected]                                                         
            "PURL": "pkg:rpm/centos/[email protected]?arch=x86_64\u0026distro=centos-8.4.2105",

[knqyf263]

It makes sense. Added 9c26be0

[DmitriyLewen]

I found another problem:
we can't detect vulnerabilities if OS is not found and we remove rpm packages:

➜ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true ./trivy -q fs -f json --list-all-pkgs ./pkg/fanal/analyzer/pkg/rpm/testdata/socat-1.7.3.2-2.el7.x86_64.rpm
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-10-02T17:16:45.768306+06:00",
  "ArtifactName": "pkg/fanal/analyzer/pkg/rpm/testdata/socat-1.7.3.2-2.el7.x86_64.rpm",
  "ArtifactType": "filesystem",
  "Metadata": {
    "OS": {
      "Family": "none",
      "Name": ""
    },
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
}

It works only when vuln scanner is disable.

➜  TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true ./trivy -q fs -f cyclonedx  ./pkg/fanal/analyzer/pkg/rpm/testdata/socat-1.7.3.2-2.el7.x86_64.rpm | grep [email protected]
      "bom-ref": "pkg:rpm/redhat/[email protected]",
      "purl": "pkg:rpm/redhat/[email protected]",
        "pkg:rpm/redhat/[email protected]"
      "ref": "pkg:rpm/redhat/[email protected]",

See

trivy/pkg/scanner/local/scan.go

Lines 165 to 166 in 4926da7

	case errors.Is(err, ospkgDetector.ErrUnsupportedOS):
	// do nothing

[knqyf263]

Nice catch. I added a note.
ab37b6a

[DmitriyLewen]

LGTM