
feat(mariner): Add support for Azure Linux #7186

Merged
merged 9 commits into from
Jul 22, 2024

Conversation

tofay
Contributor

@tofay tofay commented Jul 17, 2024

Description

Add support for Azure Linux.

Raised this to test the changes in aquasecurity/trivy-db#409

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Contributor

@DmitriyLewen DmitriyLewen left a comment


LGTM
@tofay left a couple of comments.

docs/docs/scanner/vulnerability.md (outdated; resolved)

Comment on lines +64 to +65:

```go
case "azurelinux":
	family = types.Azure
```
Contributor


We check etc/mariner-release file for mariner images:

```go
// Analyze parses the content of etc/mariner-release and reports the detected OS.
func (a marinerOSAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
	foundOS, err := a.parseRelease(input.Content)
	if err != nil {
		return nil, xerrors.Errorf("release parse error: %w", err)
	}
	return &analyzer.AnalysisResult{
		OS: foundOS,
	}, nil
}
```

Does Azure contain an etc/azure-release file?
If yes, I think we can update the logic of this file.

Collaborator

@knqyf263 knqyf263 Jul 18, 2024


Some Distroless images (e.g., Alpine) include only /etc/os-release, not /etc/xxx-version or /etc/xxx-release. So, I think it's better to use /etc/os-release now. I mean we can change mariner.

Contributor


Hm... I didn't know about this.
Then I think we need to move the logic for mariner-release to os-release.

Collaborator


Sorry, I was confused. Distroless didn't even contain /etc/os-release, and then included /etc/os-release and /etc/alpine-release.
#1975

Here is another discussion about /etc/os-release.
#3485

So, it's anyway good to get a version from /etc/os-release.

Contributor Author


Both Mariner and Azure Linux include an /etc/os-release file. Mariner has an /etc/mariner-release file and Azure Linux has an /etc/azurelinux-release file.

I've removed the mariner-release parsing and updated Mariner to use /etc/os-release parsing. This means that the build ID is removed from the distro in package URLs:

Before that change:

    ExternalRef: PACKAGE-MANAGER purl pkg:rpm/cbl-mariner/[email protected]?arch=x86_64&distro=cbl-mariner-2.0.20240123

After that change:

    ExternalRef: PACKAGE-MANAGER purl pkg:rpm/cbl-mariner/[email protected]?arch=x86_64&distro=cbl-mariner-2.0

The PURL spec doesn't say what the distro qualifier should be for RPMs. It seems unnecessary to include the build ID since the package can be identified via the other fields.
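The detection change described in this comment, as an added example that is not Trivy's own code: a small Go program that parses /etc/os-release, maps the ID field to a distro family and takes the version from VERSION_ID, so the daily build ID carried in VERSION (e.g. 2.0.20240123) never reaches the PURL distro qualifier. It also covers the 1.0, 2.0 and 3.0 cases later asked for in tests. The family labels cbl-mariner and azurelinux, the sample os-release contents, and the function names are assumptions for this example, not Trivy's own types or constants.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// OSInfo is the detection result: the family label used in the package URL
// and the major.minor version, with no daily build ID attached.
type OSInfo struct {
	Family  string
	Version string
}

// Family labels are assumptions for this example; Trivy's own constants
// (types.Azure etc.) are not used here.
const (
	familyMariner = "cbl-mariner"
	familyAzure   = "azurelinux"
)

// Constructed sample /etc/os-release contents (not captured from a real image).
// VERSION carries the build ID; VERSION_ID carries only major.minor.
const marinerOSRelease = `NAME="Common Base Linux Mariner"
VERSION="2.0.20240123"
ID=mariner
VERSION_ID="2.0"
PRETTY_NAME="CBL-Mariner/Linux"
`

const azureLinuxOSRelease = `NAME="Microsoft Azure Linux"
VERSION="3.0.20240701"
ID=azurelinux
VERSION_ID="3.0"
PRETTY_NAME="Microsoft Azure Linux 3.0"
`

// parseOSRelease reads the KEY=value lines of an os-release file into a map,
// skipping blank lines and comments and stripping surrounding quotes.
func parseOSRelease(content string) map[string]string {
	fields := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue // malformed line: ignore rather than fail the whole file
		}
		fields[key] = strings.Trim(value, `"'`)
	}
	return fields
}

// detectOS maps the os-release ID to a family and takes the version from
// VERSION_ID, so the build ID present in VERSION is never part of the result.
// Unknown IDs and a missing VERSION_ID are reported as errors, not guessed.
func detectOS(content string) (OSInfo, error) {
	fields := parseOSRelease(content)
	var family string
	switch fields["ID"] {
	case "mariner":
		family = familyMariner
	case "azurelinux":
		family = familyAzure
	default:
		return OSInfo{}, fmt.Errorf("unsupported or missing ID %q", fields["ID"])
	}
	version := fields["VERSION_ID"]
	if version == "" {
		return OSInfo{}, fmt.Errorf("VERSION_ID missing for %s", family)
	}
	return OSInfo{Family: family, Version: version}, nil
}

// distroQualifier builds the PURL distro qualifier, e.g. cbl-mariner-2.0,
// from the family and the major.minor version only.
func distroQualifier(info OSInfo) string {
	return info.Family + "-" + info.Version
}

func main() {
	for _, content := range []string{marinerOSRelease, azureLinuxOSRelease} {
		info, err := detectOS(content)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("family=%s version=%s distro=%s\n", info.Family, info.Version, distroQualifier(info))
	}
}
```

Because VERSION_ID is the only field consumed, the same detector handles Mariner 1.0 and 2.0 and Azure Linux 3.0 without any per-release parsing, and an image that ships an unexpected ID is rejected rather than silently mapped to a family.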

Contributor


We don't need the assembly ID to detect vulnerabilities.
Looks like we don't need it.

@knqyf263 do you have any objections?

@tofay Can you add tests for detection of 1.0, 2.0 and 3.0 in release_test.go?

Collaborator


> Looks like we don't need it.

+1

Contributor Author


> @tofay Can you add tests for detection of 1.0, 2.0 and 3.0 in release_test.go?

Done

go.mod Outdated
@@ -393,3 +393,5 @@ require (
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)

replace github.com/aquasecurity/trivy-db => github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796
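Review bot: the `replace github.com/aquasecurity/trivy-db => github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796` directive pins the vulnerability database module to a commit on a personal fork. That is appropriate only for testing the companion change (aquasecurity/trivy-db#409); it should be dropped, together with the matching go.sum entries, before this is merged, so a released Trivy never resolves trivy-db from an unofficial fork.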
Collaborator


@knqyf263
Collaborator

@tofay Is there any public image we can access for testing? I tried azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base, but didn't have access.

@tofay
Contributor Author

tofay commented Jul 18, 2024

> @tofay Is there any public image we can access for testing? I tried azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base, but didn't have access.

Did you specify the tag 3.0? The following should be publicly available for testing:

  • azurelinuxpreview.azurecr.io/public/azurelinux/base/core:3.0
  • azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0

@DmitriyLewen
Contributor

I played around with Mariner 1.0, 2.0 and Azure 3.0 images and found no problems.

@knqyf263
Collaborator

> Did you specify the tag 3.0?

Oh, I missed it. I could pull it. Thanks!

go.sum (outdated)

Comment on lines 2032 to 2033:

```
github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796 h1:3hwn7MNI8lYWxUd8lN7sPGCzBeahvX5i/WahXxEV/R8=
github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
```
Contributor


`go mod tidy` should remove this

Contributor

@DmitriyLewen DmitriyLewen left a comment


@tofay thanks for your work!
LGTM

@knqyf263
Collaborator

Is this still relevant?
https://www.githubstatus.com/incidents/m70hk23gx3nx

@tofay
Contributor Author

tofay commented Jul 19, 2024

> Is this still relevant? https://www.githubstatus.com/incidents/m70hk23gx3nx

Unsure if the jobs are stuck or if that outage is causing large delays.

@knqyf263
Collaborator

GitHub is back. I triggered tests.

@knqyf263 knqyf263 added this pull request to the merge queue Jul 22, 2024
Merged via the queue into aquasecurity:main with commit 5cbc452 Jul 22, 2024
17 checks passed
skahn007gl pushed a commit to skahn007gl/trivy that referenced this pull request Jul 23, 2024
Successfully merging this pull request may close these issues.

Support for Azure Linux 3.0 (AKA Mariner)