feat(mariner): Add support for Azure Linux #7186

Merged
merged 9 commits into from
Jul 22, 2024
2 changes: 1 addition & 1 deletion docs/community/contribute/pr.md
Expand Up @@ -121,7 +121,7 @@ os:
- redhat
- alma
- rocky
- mariner
- azure
- oracle
- debian
- ubuntu
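Review bot: replacing `mariner` with `azure` in the allowed scope list drops the old scope outright, so a PR titled the way this one is (`feat(mariner): ...`) would no longer pass the title check once this lands. Either keep `- mariner` alongside `- azure` for a transition period or make sure this PR's title is changed to `feat(azure)` before merge.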
@@ -1,4 +1,7 @@
# CBL-Mariner
# Azure Linux (CBL-Mariner)

*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*

Trivy supports the following scanners for OS packages.

| Version | SBOM | Vulnerability | License |
Expand All @@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages.
| 1.0 (Distroless) | ✔ | ✔ | |
| 2.0 | ✔ | ✔ | ✔ |
| 2.0 (Distroless) | ✔ | ✔ | |
| 3.0 | ✔ | ✔ | ✔ |
| 3.0 (Distroless) | ✔ | ✔ | |


The following table provides an outline of the targets Trivy supports.
Expand All @@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports.
| ------- | :-------------: | :-------------: | :----------: |
| 1.0 | ✔ | ✔ | amd64, arm64 |
| 2.0 | ✔ | ✔ | amd64, arm64 |
| 3.0 | ✔ | ✔ | amd64, arm64 |

The table below outlines the features offered by Trivy.

Expand All @@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy.
| [Dependency graph][dependency-graph] | ✓ |

## SBOM
Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.

## Vulnerability
CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.

### Data Source
See [here](../../scanner/vulnerability.md#data-sources).

### Fixed Version
Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
Trivy takes fixed versions from [Azure Linux OVAL][oval].

### Severity
Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].

### Status
Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy supports the following [vulnerability statuses] for Azure Linux.

| Status | Supported |
| :-----------------: | :-------: |
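Review bot: the Vulnerability, Fixed Version, Severity and Status text now speaks only of Azure Linux, yet the page still documents versions 1.0 and 2.0, which the scanner changes in this PR continue to handle as the Mariner distribution (`NewMarinerScanner`). One sentence saying that 1.0/2.0 images are handled as CBL-Mariner and 3.0 as Azure Linux, with advisories for all three versions taken from the same `[oval]` repository, would save readers a trip to the source.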
Expand All @@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy identifies licenses by examining the metadata of RPM packages.

!!! note
License detection is not supported for CBL-Mariner Distroless.
License detection is not supported for Azure Linux Distroless images.


[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cbl-mariner]: https://github.com/microsoft/CBL-Mariner

[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

[vulnerability statuses]: ../../configuration/filtering.md#by-status
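Review bot: the `[cbl-mariner]` reference definition just above the `[oval]` change is left pointing at `microsoft/CBL-Mariner` while every other reference on the page is renamed. If the page still uses `[cbl-mariner]` anywhere, point it at the renamed Azure Linux repository; if nothing references it, drop the definition so the stale name does not linger.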
38 changes: 19 additions & 19 deletions docs/docs/coverage/os/index.md
Expand Up @@ -9,25 +9,25 @@ Trivy supports operating systems for

## Supported OS

| OS | Supported Versions | Package Managers |
|--------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|---------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |

## Supported container images

34 changes: 17 additions & 17 deletions docs/docs/scanner/vulnerability.md
Expand Up @@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.

### Data Sources

| OS | Source |
| ------------- | ------------------------------------------------------------ |
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| CBL-Mariner | [OVAL][mariner] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
| OS | Source |
|---------------------------|--------------------------------------------------------------|
| Arch Linux | [Vulnerable Issues][arch] |
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| Azure Linux (CBL-Mariner) | [OVAL][azure] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |

#### Data Source Selection
Trivy **only** consumes security advisories from the sources listed in the above table.
Expand Down Expand Up @@ -288,7 +288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
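Review bot: renaming the reference label from `[mariner]` to `[azure]` removes the old definition, so any `[OVAL][mariner]` still present elsewhere in this page or in another doc would render as literal bracketed text instead of a link. Worth a grep across `docs/` for `][mariner]` before merge; the `Azure Linux (CBL-Mariner) | [OVAL][azure]` table row in the earlier hunk is the only use updated here.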
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -26,7 +26,7 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v0.13.0
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
github.com/aws/aws-sdk-go-v2 v1.30.3
6 changes: 4 additions & 2 deletions go.sum
Expand Up @@ -771,8 +771,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW+Xap4zRYxyctXDTj5luMQdE=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f+wSW9D5txv8S+tw4D4WNOibaUJYwvNnQuQlGQ8gO6c=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU=
Expand Down Expand Up @@ -2029,6 +2029,8 @@ github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr
github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796 h1:3hwn7MNI8lYWxUd8lN7sPGCzBeahvX5i/WahXxEV/R8=
github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
Contributor


go mod tidy should remove this

github.com/twitchtv/twirp v8.1.3+incompatible h1:+F4TdErPgSUbMZMwp13Q/KgDVuI7HJXP61mNV3/7iuU=
github.com/twitchtv/twirp v8.1.3+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
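Review bot: the two added `github.com/tofay/trivy-db` lines look like leftovers from a fork used while the trivy-db change was in flight: nothing in the `go.mod` hunk requires that module, and its `go.mod` hash is identical to the one on the new `aquasecurity/trivy-db` line. As already noted in the thread, `go mod tidy` should drop them; please re-run it and commit the result so the checksum file carries no unreferenced modules.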
2 changes: 1 addition & 1 deletion mkdocs.yml
Expand Up @@ -75,7 +75,7 @@ nav:
- AlmaLinux: docs/coverage/os/alma.md
- Alpine Linux: docs/coverage/os/alpine.md
- Amazon Linux: docs/coverage/os/amazon.md
- CBL-Mariner: docs/coverage/os/cbl-mariner.md
- Azure Linux (CBL-Mariner): docs/coverage/os/azure.md
- CentOS: docs/coverage/os/centos.md
- Chainguard: docs/coverage/os/chainguard.md
- Conda: docs/coverage/os/conda.md
@@ -1,12 +1,12 @@
package mariner
package azure

import (
"context"

version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
Expand All @@ -16,16 +16,24 @@ import (

// Scanner implements the CBL-Mariner scanner
type Scanner struct {
vs mariner.VulnSrc
vs azure.VulnSrc
}

// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
func newScanner(distribution azure.Distribution) *Scanner {
return &Scanner{
vs: mariner.NewVulnSrc(),
vs: azure.NewVulnSrc(distribution),
}
}

func NewAzureScanner() *Scanner {
return newScanner(azure.Azure)
}

func NewMarinerScanner() *Scanner {
return newScanner(azure.Mariner)
}

// Detect vulnerabilities in package using CBL-Mariner scanner
func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
// e.g. 1.0.20210127
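Review bot: the doc comments on `Scanner` and `Detect` still read "CBL-Mariner scanner" although the package, the vuln source and the constructors have all been renamed to Azure Linux; update them to match the renamed error message in `Detect`. The two new exported constructors `NewAzureScanner` and `NewMarinerScanner` also carry no doc comment (the "NewScanner is the factory method for Scanner" line now sits on the unexported `newScanner`), which `golint`/`revive` will flag; a one-liner on each saying which distribution's advisories it selects would do.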
Expand All @@ -36,10 +44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository

var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// CBL Mariner OVAL contains source package names only.
// Azure Linux OVAL contains source package names only.
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err)
}

sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))
@@ -1,4 +1,4 @@
package mariner_test
package azure_test

import (
"testing"
Expand All @@ -8,15 +8,17 @@ import (

"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
azurevs "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/internal/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/azure"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)

func TestScanner_Detect(t *testing.T) {
type args struct {
dist azurevs.Distribution
osVer string
pkgs []ftypes.Package
}
Expand All @@ -30,10 +32,11 @@ func TestScanner_Detect(t *testing.T) {
{
name: "happy path 1.0 SrcName and Name are different",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "1.0",
pkgs: []ftypes.Package{
{
Expand Down Expand Up @@ -69,10 +72,11 @@ func TestScanner_Detect(t *testing.T) {
{
name: "happy path 2.0",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "2.0",
pkgs: []ftypes.Package{
{
Expand Down Expand Up @@ -104,13 +108,54 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
{
name: "happy path 3.0",
fixtures: []string{
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Azure,
osVer: "3.0",
pkgs: []ftypes.Package{
{
Name: "php",
Epoch: 0,
Version: "8.3.6",
Release: "1.azl3",
Arch: "aarch64",
SrcName: "php",
SrcEpoch: 0,
SrcVersion: "8.3.6",
SrcRelease: "1.azl3",
Licenses: []string{"Php"},
Layer: ftypes.Layer{},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "php",
VulnerabilityID: "CVE-2024-2408",
InstalledVersion: "8.3.6-1.azl3",
FixedVersion: "8.3.8-1.azl3",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.AzureLinux,
Name: "Azure Linux Vulnerability Data",
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData",
},
},
},
},
{
name: "broken advisory",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "1.0",
pkgs: []ftypes.Package{
{
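Review bot: the new 3.0 case exercises `azurevs.Azure` on the happy path only. Since the scanner now carries a distribution, a case that scans a 3.0 package (`1.azl3` release) with `azurevs.Mariner`, or a 1.0/2.0 package with `azurevs.Azure`, and asserts the intended result would document whether the two data sets are kept apart. Also confirm that `testdata/fixtures/azure.yaml` carries the 1.0 and 2.0 entries the old `mariner.yaml` had, otherwise the first two cases would now run against an empty source.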
Expand All @@ -128,15 +173,18 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
wantErr: "failed to get CBL-Mariner advisories",
wantErr: "failed to get Azure Linux advisories",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()

s := mariner.NewScanner()
s := azure.NewAzureScanner()
if tt.args.dist == azurevs.Mariner {
s = azure.NewMarinerScanner()
}
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.Error(t, err)
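Review bot: in the test loop, `s := azure.NewAzureScanner()` followed by `if tt.args.dist == azurevs.Mariner { s = azure.NewMarinerScanner() }` means a case that forgets to set `dist` silently runs against the Azure source. A `switch tt.args.dist { case azurevs.Azure: ... case azurevs.Mariner: ... default: t.Fatalf(...) }` makes the choice explicit and catches that mistake.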