Support for AlmaLinux

[alclonky]

AlmaLinux should be detected as RHEL/CentOS. Trivy should be able to detect RHEL/CentOS vulnerabilities

https://almalinux.org/

[knqyf263]

Sounds nice! Is there a specific security advisory for AlmaLinux? Or does AlmaLinux just import packages from RHEL/CentOS?

[sll552]

They seem to have a bug tracker for security related things (https://almalinux.atlassian.net/jira/software/c/projects/SEC/issues/) but I haven't found anything related for their packages, so I guess it would be a good start to treat it as RHEL/CentOS.

[srbala]

AlmaLinux and Rocky would be family of RHEL, Any issues reported would affect all

[kfox1111]

unfortunately not. see #1053 for details.

[Conan-Kudo]

Alma has their own OVAL and Errata metadata. @jaboutboul would be able to help here.

[github-actions]

This issue is stale because it has been labeled with inactivity.

[knqyf263]

@MaineK00n told me that Alma Linux had security advisories here.
https://errata.almalinux.org/8/errata.json

We might be able to make use of it.

[knqyf263]

1. Add a script to vuln-list-update for committing those advisories to vuln-list
2. Insert those data into trivy-db
3. Detect OS and packages in fanal
4. Detect vulnerabilities in Trivy

Let me know if someone is interested in this contribution. I'll explain the detail more.

[MaineK00n]

I'm interested.

[knqyf263]

Thanks! Could you add a new script for parsing errata.json under alma directory first?
https://github.com/aquasecurity/vuln-list-update

You can refer to this script.
https://github.com/aquasecurity/vuln-list-update/blob/96e4364d1ba144455492e3e822778dbb221f1acd/arch/archlinux.go

[srbala]

I'm interested.

@MaineK00n @knqyf263 Looking forward for this feature. I can help to test/verify or any other way.

[samifruit514]

Hello, I know this issue is in progress according to the roadmap but I'd would like to ask if it would be possible to priorize the delivery of this feature. Centos 8 reached the EOL on 2021-12-31 and I am pretty sure a lot of people are using this OS-version and are in the same situation. Unfortunately centos stream 8 is considered as centos 8 (according to the code) so trivy blocks this version. The best option I have right now is to use almalinux, which is not accepted by the latest version of trivy.

Thanks a lot

[knqyf263]

We've merged the PR for AlmaLinux🎉 Thanks, @MaineK00n!
#1238

This commit will be included in the next release. We are planning to cut it off this month.

[srbala]

@knqyf263 woudl like me to close this issue

[knqyf263]

Hi @srbala, thanks for all your help to support AlmaLinux. I'm not sure if I should ask you, but I have a question. AlmaLinux seems to be missing modular information. As shown below, MODULARITYLABEL is always empty.

$ docker run --rm -it almalinux:latest /bin/bash
[root@876e75ead4aa /]# cat /etc/almalinux-release
AlmaLinux release 8.5 (Arctic Sphynx)
[root@876e75ead4aa /]# dnf install -y PHP
...
Complete!
[root@876e75ead4aa /]# rpm -q php --qf "%{NAME} %{VERSION} %{MODULARITYLABEL}\n"
php 7.2.24 (none)

On the other hand, RHEL, CentOS and Rocky Linux have that.

[root@f39ea864af73 /]# cat /etc/rocky-release
Rocky Linux release 8.5 (Green Obsidian)
[root@f39ea864af73 /]# rpm -q php --qf "%{NAME} %{VERSION} %{MODULARITYLABEL}\n"
php 7.2.24 php:7.2:8040020210530192442:02bae935

Is this a bug or intended? If intended, how can we get the attribute? If you know the best place where I can ask this question, please let me know. I'll post it there.

[andrewlukoshko]

@knqyf263 this is definitely a bug. Thank you for pointing this out.
I've opened a bug in AlmaLinux bug tracker: https://bugs.almalinux.org/view.php?id=173
It will take time to fix this because we'll need to rebuild all modules.

[knqyf263]

Thanks for the quick response! Trivy cannot accurately detect vulnerabilities of modular packages due to this bug now. We'll show a warning until it will be fixed.