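#
# spec file for package scanner-databases
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

# Install location of the ClamAV signature databases.
%define _dbdir /var/lib/clamav
# Snapshot identifiers of the bundled third-party databases. They are also
# used as the versions of the matching subpackages, so the packaged data is
# frozen at these snapshots until the spec is refreshed.
# NOTE(review): trivydbversion looks like a YYYYMMDDhhmm timestamp - confirm.
%define trivydbversion 202601080628
%define neuvectordbversion 4.034

Name:           scanner-databases
Version:        202601081624
Release:        0.0
Summary:        Various scanner databases
License:        GPL-2.0
Group:          Security
# The refresh scripts below are carried as sources only; the prep and install
# sections of this spec never run them. The database archives are therefore
# produced before the build, and nothing in this spec checks their content:
# the integrity of the shipped signatures rests on how the archives were
# fetched and on review of each source update.
# adds changes entry
Source9:        refresh-spec.sh
# clamav stuff
Source0:        clamav-database.tar.bz2
Source1:        clamav-database-refresh.sh
# local database, currently containing equation group hash
# This file is copied into the ClamAV database directory next to the official
# databases. Unlike the official .cvd files it carries no digital signature,
# so every change to it should be reviewed like code.
Source2:        local.hdb
# trivy stuff
Source10:       trivy-database-%trivydbversion.tar.xz
Source11:       trivy-database-refresh.sh
# neuvector stuff
Source20:       neuvector-scanner-database-%neuvectordbversion.tar.xz
Source21:       neuvector-scanner-database-refresh.sh
# NOTE(review): no clamav tool is called during the build; presumably clamav
# is required here so that the vscan account named in the files list exists
# in the build environment - confirm.
BuildRequires:  clamav
BuildRequires:  xz
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%package -n clamav-database
Summary:        Offline availability for clamav database
License:        GPL-2.0
Group:          Security
#!BuildIgnore:  clamav-nodb
Requires:       clamav
BuildArch:      noarch

%description
This is a shared package for multiple scanner engines that contain their offline data.

%description -n clamav-database
Open Build Service package build environments do not have network access and
need to have a recent version of the clamav database stored offline. This
package just wraps up /var/lib/clamav into an RPM package.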
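After installing, clamav can be used as usual, no need for special commandline arguments.

%package -n trivy-database
# The packaged database is a frozen snapshot. Scans run with the
# update-skipping options shown in the description only know the
# vulnerabilities published up to the snapshot named by trivydbversion, so
# the results age with the package and an old package gives a falsely clean
# report for newer issues.
Summary:        Trivy database archive
Version:        %trivydbversion
License:        Apache-2.0
Group:          Security
URL:            https://aquasecurity.github.io/trivy/latest/docs/configuration/db/
# must be arch dependent due to endianness

%description -n trivy-database
Trivy is a comprehensive and versatile security scanner. Trivy has scanners that
look for security issues, and targets where it can find those issues.

This package contains the database archive that can be used to run the Trivy
scanner in an isolated environment.

Use the offline database:

trivy image --cache-dir /usr/share/trivy/cache --format cosign-vuln --offline-scan --skip-db-update --skip-java-db-update --output trivy.result.txt $containertag

%package -n neuvector-scanner-database
# Same staleness caveat as for the other databases: the content is fixed at
# the snapshot named by neuvectordbversion.
Summary:        Neuvector database archive
Version:        %neuvectordbversion
License:        Apache-2.0
Group:          Security
URL:            https://github.com/neuvector/vul-dbgen
BuildArch:      noarch

%description -n neuvector-scanner-database
This package contains the NeuVector scanner vulnerability database archive that
can be used to run the NeuVector scanner in an isolated environment.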
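%prep
# The setup macro unpacks Source0 (the clamav archive) into a newly created
# "db" directory; the install section expects it to contain a var/ tree.
%setup -n db -c db
# The trivy archive is unpacked into its own directory so that its whole
# content can be copied as the cache directory later.
mkdir trivy-database
pushd trivy-database
tar xf %{SOURCE10}
popd
# The neuvector archive is expected to unpack into a directory named after
# the database version (the install section changes into it).
tar xf %{SOURCE20}

%install
# Build-log diagnostics only.
pwd
ls -la
# clamav stuff
mkdir -p $RPM_BUILD_ROOT/var
# Hard-link copy of the unpacked var/ tree into the build root.
cp -al var/* $RPM_BUILD_ROOT/var/
find $RPM_BUILD_ROOT
# Unsigned local hash signatures, placed next to the official databases.
cp %SOURCE2 $RPM_BUILD_ROOT/%_dbdir
# trivy stuff
# cp -a keeps the permission bits stored in the archive, and the files lists
# for trivy and neuvector use "-" as file mode, so whatever modes the
# archives carry end up in the packages.
# NOTE(review): consider fixed data-file modes in those defattr lines once it
# is confirmed that the archives hold no executables.
pushd trivy-database
install -d -m 0755 %{buildroot}%{_datadir}/trivy/cache
cp -av * %{buildroot}%{_datadir}/trivy/cache/
popd
# neuvector stuff
# The archive's top-level tree is copied straight to the root of the build
# root, while only the neuvector directory under sysconfdir is listed for
# packaging.
# NOTE(review): paths the archive places elsewhere are not listed; the
# unpackaged-files check of rpmbuild is then the only guard against stray
# files - confirm the archive layout when the source is refreshed.
pushd neuvector-scanner-database-%neuvectordbversion
install -d -m 0755 %{buildroot}%{_sysconfdir}/neuvector
cp -av * %{buildroot}
popd

%files -n clamav-database
# defattr argument order is: file mode, user, group, directory mode.
# Files are owned by vscan.
# NOTE(review): presumably this is the account the clamav updater runs as, so
# it can replace the databases in place; it also means that account can alter
# its own signatures - confirm this is intended.
%defattr(644,vscan,vscan,755)
# "dir" lists only the directory itself, so each database file is listed
# exactly once, by the glob on the next line.
%dir %attr(755,vscan,vscan) %_dbdir
%attr(644,vscan,vscan) %_dbdir/*

%files -n trivy-database
%defattr(-,root,root)
%dir %{_datadir}/trivy
%{_datadir}/trivy/cache

%files -n neuvector-scanner-database
%defattr(-,root,root)
%{_sysconfdir}/neuvector

%changelog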