Skip to content

Commit

Permalink
feat(suse): added SUSE Linux Enterprise Micro support (aquasecurity#7294
Browse files Browse the repository at this point in the history
)

Signed-off-by: Marcus Meissner <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>
  • Loading branch information
2 people authored and fhielpos committed Dec 20, 2024
1 parent fa1805b commit 70f85d0
Show file tree
Hide file tree
Showing 23 changed files with 453 additions and 136 deletions.
3 changes: 2 additions & 1 deletion docs/docs/coverage/os/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,8 @@ Trivy supports operating systems for
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise Micro](suse.md)| 5, 6 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
Expand Down
3 changes: 2 additions & 1 deletion docs/docs/coverage/os/suse.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@ Trivy supports the following distributions:

- openSUSE Leap
- openSUSE Tumbleweed
- SUSE Enterprise Linux (SLE)
- SUSE Linux Enterprise (SLE)
- SUSE Linux Enterprise Micro

Please see [here](index.md#supported-os) for supported versions.

Expand Down
7 changes: 7 additions & 0 deletions integration/client_server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,13 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/opensuse-tumbleweed.json.golden",
},
{
name: "sle micro rancher 5.4",
args: csArgs{
Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
},
golden: "testdata/sl-micro-rancher5.4.json.golden",
},
{
name: "photon 3.0",
args: csArgs{
Expand Down
6 changes: 6 additions & 0 deletions integration/docker_engine_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,12 @@ func TestDockerEngine(t *testing.T) {
input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
golden: "testdata/opensuse-tumbleweed.json.golden",
},
{
name: "sle micro rancher 5.4",
imageTag: "ghcr.io/aquasecurity/trivy-test-images:sle-micro-rancher-5.4_ndb",
input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
golden: "testdata/sl-micro-rancher5.4.json.golden",
},
{
name: "photon 3.0",
imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",
Expand Down
8 changes: 8 additions & 0 deletions integration/standalone_tar_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,14 @@ func TestTar(t *testing.T) {
},
golden: "testdata/opensuse-tumbleweed.json.golden",
},
{
name: "sle micro rancher 5.4",
args: args{
Format: types.FormatJSON,
Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
},
golden: "testdata/sl-micro-rancher5.4.json.golden",
},
{
name: "photon 3.0",
args: args{
Expand Down
19 changes: 19 additions & 0 deletions integration/testdata/fixtures/db/suse.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
- bucket: "SUSE Linux Enterprise 15-SP3"
pairs:
- bucket: libopenssl1_1
pairs:
- key: "SUSE-SU-2022:2251-1"
value:
FixedVersion: 1.1.1d-150200.11.48.1
- bucket: openssl-1_1
pairs:
- key: "SUSE-SU-2022:2251-1"
value:
FixedVersion: 1.1.1d-150200.11.48.1
- bucket: "SUSE Linux Enterprise Micro 5.3"
pairs:
- bucket: libopenssl1_1
pairs:
- key: "SUSE-SU-2023:0311-1"
value:
FixedVersion: 1.1.1l-150400.7.22.1
9 changes: 9 additions & 0 deletions integration/testdata/fixtures/db/vulnerability.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1349,6 +1349,15 @@
- "https://www.suse.com/security/cve/CVE-2023-2975/"
- "https://www.suse.com/security/cve/CVE-2023-3446/"
- "https://www.suse.com/support/security/rating/"
- key: SUSE-SU-2022:2251-1
value:
Title: "Security update for openssl-1_1"
Description: "This update for openssl-1_1 fixes the following issues:\nCVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).\nCVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)"
Severity: MEDIUM
References:
- "https://www.suse.com/security/cve/CVE-2022-1292/"
- "https://www.suse.com/security/cve/CVE-2022-2068/"
- "https://www.suse.com/support/security/rating/"
- key: CVE-2022-22965
value:
Title: "spring-framework: RCE via Data Binding on JDK 9+"
Expand Down
4 changes: 2 additions & 2 deletions integration/testdata/opensuse-leap-151.json.golden
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@
"PkgID": "[email protected]_64",
"PkgName": "libopenssl1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.leap/[email protected]?arch=x86_64\u0026distro=opensuse.leap-15.1",
"PURL": "pkg:rpm/opensuse/[email protected]?arch=x86_64\u0026distro=opensuse.leap-15.1",
"UID": "898b73ddd0412f57"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
Expand Down Expand Up @@ -99,7 +99,7 @@
"PkgID": "[email protected]_64",
"PkgName": "openssl-1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.leap/[email protected]?arch=x86_64\u0026distro=opensuse.leap-15.1",
"PURL": "pkg:rpm/opensuse/[email protected]?arch=x86_64\u0026distro=opensuse.leap-15.1",
"UID": "58980d005de43f54"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
Expand Down
2 changes: 1 addition & 1 deletion integration/testdata/opensuse-tumbleweed.json.golden
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@
"PkgID": "[email protected]_64",
"PkgName": "libopenssl3",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.tumbleweed/[email protected]?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
"PURL": "pkg:rpm/opensuse/[email protected]?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
"UID": "f051425f385d2b99"
},
"InstalledVersion": "3.1.4-9.1",
Expand Down
69 changes: 69 additions & 0 deletions integration/testdata/sl-micro-rancher5.4.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "suse linux enterprise micro",
"Name": "5.4"
},
"ImageID": "sha256:c45ec974938acac29c893b5d273d73e4ebdd7e6a97b6fa861dfbd8dd430b9016",
"DiffIDs": [
"sha256:7cdd3aec849d122d63dc83a5e1e2fb89b341c67b03e25979131ca335a463bb57"
],
"ImageConfig": {
"architecture": "amd64",
"author": "SUSE LLC (https://www.suse.com/)",
"created": "2024-09-03T17:54:39Z",
"history": [
{
"author": "SUSE LLC \u003chttps://www.suse.com/\u003e",
"created": "2024-09-03T17:54:39Z",
"created_by": "KIWI 9.24.43"
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:7cdd3aec849d122d63dc83a5e1e2fb89b341c67b03e25979131ca335a463bb57"
]
},
"config": {
"Cmd": [
"/bin/bash"
],
"Labels": {
"com.suse.eula": "sle-eula",
"com.suse.image-type": "sle-micro",
"com.suse.release-stage": "released",
"com.suse.sle.micro.rancher.created": "2024-09-03T17:53:32.129328086Z",
"com.suse.sle.micro.rancher.description": "Image containing a micro environment for containers based on the SLE Micro for Rancher.",
"com.suse.sle.micro.rancher.disturl": "obs://build.suse.de/SUSE:SLE-15-SP4:Update:Products:Micro54:Update:CR/images/fcaa3a91b132f1955fa900b902aef7f2-SLE-Micro-Rancher",
"com.suse.sle.micro.rancher.reference": "registry.suse.com/suse/sle-micro-rancher/5.4:%PKG_VERSION%-%RELEASE",
"com.suse.sle.micro.rancher.title": "SLE Micro for Rancher Base Container",
"com.suse.sle.micro.rancher.url": "https://www.suse.com/products/micro/",
"com.suse.sle.micro.rancher.vendor": "SUSE LLC",
"com.suse.sle.micro.rancher.version": "5.4",
"com.suse.supportlevel": "l3",
"org.openbuildservice.disturl": "obs://build.suse.de/SUSE:SLE-15-SP4:Update:Products:Micro54:Update:CR/images/fcaa3a91b132f1955fa900b902aef7f2-SLE-Micro-Rancher",
"org.opencontainers.image.created": "2024-09-03T17:53:32.129328086Z",
"org.opencontainers.image.description": "Image containing a micro environment for containers based on the SLE Micro for Rancher.",
"org.opencontainers.image.title": "SLE Micro for Rancher Base Container",
"org.opencontainers.image.url": "https://www.suse.com/products/micro/",
"org.opencontainers.image.vendor": "SUSE LLC",
"org.opencontainers.image.version": "5.4",
"org.suse.reference": "registry.suse.com/suse/sle-micro-rancher/5.4:%PKG_VERSION%-%RELEASE"
}
}
}
},
"Results": [
{
"Target": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz (suse linux enterprise micro 5.4)",
"Class": "os-pkgs",
"Type": "suse linux enterprise micro"
}
]
}
1 change: 1 addition & 0 deletions pkg/detector/ospkg/detect.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ var (
ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
ftypes.SLEMicro: suse.NewScanner(suse.SUSEEnterpriseLinuxMicro),
ftypes.Photon: photon.NewScanner(),
ftypes.Wolfi: wolfi.NewScanner(),
ftypes.Chainguard: chainguard.NewScanner(),
Expand Down
21 changes: 21 additions & 0 deletions pkg/detector/ospkg/suse/suse.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,18 @@ var (
// 6 months after SLES 15 SP7 release
// "15.7": time.Date(2031, 7, 31, 23, 59, 59, 0, time.UTC),
}
slemicroEolDates = map[string]time.Time{
// Source: https://www.suse.com/lifecycle/
"5.0": time.Date(2022, 3, 31, 23, 59, 59, 0, time.UTC),
"5.1": time.Date(2025, 10, 31, 23, 59, 59, 0, time.UTC),
"5.2": time.Date(2026, 4, 30, 23, 59, 59, 0, time.UTC),
"5.3": time.Date(2026, 10, 30, 23, 59, 59, 0, time.UTC),
"5.4": time.Date(2027, 4, 30, 23, 59, 59, 0, time.UTC),
"5.5": time.Date(2027, 10, 31, 23, 59, 59, 0, time.UTC),
"6.0": time.Date(2028, 6, 30, 23, 59, 59, 0, time.UTC),
// 6.1 will be released late 2024
// "6.1": time.Date(2028, 11, 30, 23, 59, 59, 0, time.UTC),
}

opensuseEolDates = map[string]time.Time{
// Source: https://en.opensuse.org/Lifetime
Expand All @@ -66,6 +78,8 @@ type Type int
const (
// SUSEEnterpriseLinux is Linux Enterprise version
SUSEEnterpriseLinux Type = iota
// SUSE Linux Enterprise Micro is the micro series
SUSEEnterpriseLinuxMicro
// OpenSUSE for open versions
OpenSUSE
OpenSUSETumbleweed
Expand All @@ -83,6 +97,10 @@ func NewScanner(t Type) *Scanner {
return &Scanner{
vs: susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinux),
}
case SUSEEnterpriseLinuxMicro:
return &Scanner{
vs: susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinuxMicro),
}
case OpenSUSE:
return &Scanner{
vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
Expand Down Expand Up @@ -135,6 +153,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
if osFamily == ftypes.SLES {
return osver.Supported(ctx, slesEolDates, osFamily, osVer)
}
if osFamily == ftypes.SLEMicro {
return osver.Supported(ctx, slemicroEolDates, osFamily, osVer)
}
// tumbleweed is a rolling release, it has no version and no eol
if osFamily == ftypes.OpenSUSETumbleweed {
return true
Expand Down
80 changes: 80 additions & 0 deletions pkg/detector/ospkg/suse/suse_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,86 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
{
name: "happy path: suse sle 15sp3",
fixtures: []string{
"testdata/fixtures/suse.yaml",
"testdata/fixtures/data-source.yaml",
},
distribution: suse.SUSEEnterpriseLinux,
args: args{
osVer: "15.3",
pkgs: []ftypes.Package{
{
Name: "libopenssl1_1",
Version: "1.1.1d",
Release: "150200.11.47.1",
SrcName: "libopenssl1_1",
SrcVersion: "1.1.1d",
SrcRelease: "150200.11.47.1",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "libopenssl1_1",
VulnerabilityID: "SUSE-SU-2022:2251-1",
InstalledVersion: "1.1.1d-150200.11.47.1",
FixedVersion: "1.1.1d-150200.11.48.1",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.SuseCVRF,
Name: "SUSE CVRF",
URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
},
},
},
},
{
name: "happy path: suse sle micro 15.3",
fixtures: []string{
"testdata/fixtures/suse.yaml",
"testdata/fixtures/data-source.yaml",
},
distribution: suse.SUSEEnterpriseLinuxMicro,
args: args{
osVer: "5.3",
pkgs: []ftypes.Package{
{
Name: "libopenssl1_1",
Version: "1.1.1l",
Release: "150400.7.21.1",
SrcName: "libopenssl1_1",
SrcVersion: "1.1.1l",
SrcRelease: "150400.7.21.1",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "libopenssl1_1",
VulnerabilityID: "SUSE-SU-2023:0311-1",
InstalledVersion: "1.1.1l-150400.7.21.1",
FixedVersion: "1.1.1l-150400.7.22.1",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.SuseCVRF,
Name: "SUSE CVRF",
URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
},
},
},
},
{
name: "broken bucket",
fixtures: []string{
Expand Down
5 changes: 5 additions & 0 deletions pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,8 @@
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise Micro 5.3
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
20 changes: 20 additions & 0 deletions pkg/detector/ospkg/suse/testdata/fixtures/suse.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,23 @@
- key: CVE-2021-0001
value:
FixedVersion: ""
- bucket: SUSE Linux Enterprise 15.3
pairs:
- bucket: libopenssl1_1
pairs:
- key: "SUSE-SU-2022:2251-1"
value:
FixedVersion: 1.1.1d-150200.11.48.1
- bucket: openssl-1_1
pairs:
- key: "SUSE-SU-2022:2251-1"
value:
FixedVersion: 1.1.1d-150200.11.48.1
- bucket: SUSE Linux Enterprise Micro 5.3
pairs:
- bucket: libopenssl1_1
pairs:
- key: "SUSE-SU-2023:0311-1"
value:
FixedVersion: 1.1.1l-150400.7.22.1

5 changes: 5 additions & 0 deletions pkg/fanal/analyzer/os/release/release.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,11 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp
family = types.OpenSUSELeap
case "sles":
family = types.SLES
// There are various rebrands of SLE Micro, there is also one brief (and reverted rebrand)
// for SLE Micro 6.0. which was called "SL Micro 6.0" until very short before release
// and there is a "SLE Micro for Rancher" rebrand, which is used by SUSEs K8S based offerings.
case "sle-micro", "sl-micro", "sle-micro-rancher":
family = types.SLEMicro
case "photon":
family = types.Photon
case "wolfi":
Expand Down
Loading

0 comments on commit 70f85d0

Please sign in to comment.