Update to 0.52.2

Reviewed-on: pool/trivy#1

_scmsync.obsinfo

@@ -1,4 +1,4 @@
-mtime: 1717679875
-commit: 579ede4865fcf5783c98eab0446e1c095dd85e84
-url: https://src.opensuse.org/dirkmueller/trivy.git
-revision: 579ede4865fcf5783c98eab0446e1c095dd85e84
+mtime: 1717765405
+commit: 96ac2f27c0ccdd6423580fc28d828483ef3309a85f4741eb93d275b73f7ef52c
+url: https://src.opensuse.org/pool/trivy.git
+revision: factory

_service

@@ -2,7 +2,7 @@
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/aquasecurity/trivy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.52.0</param>
+    <param name="revision">v0.52.2</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">c24dfbab68056a42aff9589b024c6f2d067f9f52</param></service></servicedata>
+              <param name="changesrevision">8709d4f9c8ae29df1ff2e0d45b414cc075d3ea0b</param></service></servicedata>

add-opensuse-tumbleweed-db.patch

@@ -0,0 +1,103 @@
+From f055a591d0ad779eab39ad0b13bd240653c9f137 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Wed, 19 Jun 2024 09:59:41 +0200
+Subject: [PATCH 1/2] added openSUSE Tumbleweed version detection
+
+(Tumbleweed has no version as it is rolling)
+
+https://github.com/aquasecurity/trivy-db/issues/410
+---
+ pkg/vulnsrc/suse-cvrf/suse-cvrf.go      | 18 +++++++++++++++---
+ pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go |  4 ++++
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+index be3d4eff..297b29eb 100644
+--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
++++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+@@ -24,8 +24,10 @@ type Distribution int
+ const (
+ 	SUSEEnterpriseLinux Distribution = iota
+ 	OpenSUSE
++	OpenSUSETumbleweed
+ 
+-	platformOpenSUSEFormat  = "openSUSE Leap %s"
++	platformOpenSUSETumbleweedFormat  = "openSUSE Tumbleweed"
++	platformOpenSUSELeapFormat  = "openSUSE Leap %s"
+ 	platformSUSELinuxFormat = "SUSE Linux Enterprise %s"
+ )
+ 
+@@ -55,6 +57,9 @@ func (vs VulnSrc) Name() types.SourceID {
+ 	if vs.dist == OpenSUSE {
+ 		return "opensuse-cvrf"
+ 	}
++	if vs.dist == OpenSUSETumbleweed {
++		return "opensuse-tumbleweed-cvrf"
++	}
+ 	return source.ID
+ }
+ 
+@@ -66,6 +71,7 @@ func (vs VulnSrc) Update(dir string) error {
+ 	case SUSEEnterpriseLinux:
+ 		rootDir = filepath.Join(rootDir, "suse")
+ 	case OpenSUSE:
++	case OpenSUSETumbleweed:
+ 		rootDir = filepath.Join(rootDir, "opensuse")
+ 	default:
+ 		return xerrors.New("unknown distribution")
+@@ -185,6 +191,10 @@ func getOSVersion(platformName string) string {
+ 		// SUSE Linux Enterprise Module for SUSE Manager Server 4.0
+ 		return ""
+ 	}
++	if strings.HasPrefix(platformName, "openSUSE Tumbleweed") {
++		// Tumbleweed has no version, it is a rolling release
++		return platformOpenSUSETumbleweedFormat
++	}
+ 	if strings.HasPrefix(platformName, "openSUSE Leap") {
+ 		// openSUSE Leap 15.0
+ 		ss := strings.Split(platformName, " ")
+@@ -196,7 +206,7 @@ func getOSVersion(platformName string) string {
+ 			log.Printf("invalid version: %s, err: %s", platformName, err)
+ 			return ""
+ 		}
+-		return fmt.Sprintf(platformOpenSUSEFormat, ss[2])
++		return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2])
+ 	}
+ 	if strings.Contains(platformName, "SUSE Linux Enterprise") {
+ 		// e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1
+@@ -276,7 +286,9 @@ func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error)
+ 	case SUSEEnterpriseLinux:
+ 		bucket = fmt.Sprintf(platformSUSELinuxFormat, version)
+ 	case OpenSUSE:
+-		bucket = fmt.Sprintf(platformOpenSUSEFormat, version)
++		bucket = fmt.Sprintf(platformOpenSUSELeapFormat, version)
++	case OpenSUSETumbleweed:
++		bucket = platformOpenSUSETumbleweedFormat
+ 	default:
+ 		return nil, xerrors.New("unknown distribution")
+ 	}
+
+From a6bad64919d94263c6e075f2f3676b6cdbfe811d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Wed, 19 Jun 2024 16:07:49 +0200
+Subject: [PATCH 2/2] Update pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+
+Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
+---
+ pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+index 297b29eb..f616990e 100644
+--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
++++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+@@ -70,8 +70,7 @@ func (vs VulnSrc) Update(dir string) error {
+ 	switch vs.dist {
+ 	case SUSEEnterpriseLinux:
+ 		rootDir = filepath.Join(rootDir, "suse")
+-	case OpenSUSE:
+-	case OpenSUSETumbleweed:
++	case OpenSUSE, OpenSUSETumbleweed:
+ 		rootDir = filepath.Join(rootDir, "opensuse")
+ 	default:
+ 		return xerrors.New("unknown distribution")

add-opensuse-tumbleweed-support.patch

@@ -0,0 +1,94 @@
+From 3e9c8361a53b33bdd8bfe3009fae69a50fe5f261 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Wed, 19 Jun 2024 10:32:34 +0200
+Subject: [PATCH] feat: add openSUSE tumbleweed detection and scanning
+
+needs changes in trivy-db to go along from https://github.com/aquasecurity/trivy-db/pull/411 to go along
+
+https://github.com/aquasecurity/trivy-db/issues/410
+---
+ docs/docs/coverage/os/index.md  | 1 +
+ docs/docs/coverage/os/suse.md   | 5 +++--
+ pkg/detector/ospkg/detect.go    | 1 +
+ pkg/detector/ospkg/suse/suse.go | 9 +++++++++
+ 4 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
+index a8d2670d7d6..49982b1b2d6 100644
+--- a/docs/docs/coverage/os/index.md
++++ b/docs/docs/coverage/os/index.md
+@@ -22,6 +22,7 @@ Trivy supports operating systems for
+ | [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
+ | [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
+ | [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
++| [openSUSE Tumbleweed](suse.md)       | (n/a)                               | zypper/rpm       |
+ | [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
+ | [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+ | [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md
+index 6ff52de31c8..15cfb1e9379 100644
+--- a/docs/docs/coverage/os/suse.md
++++ b/docs/docs/coverage/os/suse.md
+@@ -2,6 +2,7 @@
+ Trivy supports the following distributions:
+ 
+ - openSUSE Leap
++- openSUSE Tumbleweed
+ - SUSE Enterprise Linux (SLE)
+ 
+ Please see [here](index.md#supported-os) for supported versions.
+@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
+ 
+ 
+ [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
++[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
+ 
+-[vulnerability statuses]: ../../configuration/filtering.md#by-status
+\ No newline at end of file
++[vulnerability statuses]: ../../configuration/filtering.md#by-status
+diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go
+index bbeb8e8649d..56c4b76d147 100644
+--- a/pkg/detector/ospkg/detect.go
++++ b/pkg/detector/ospkg/detect.go
+@@ -40,6 +40,7 @@ var (
+ 		ftypes.CentOS:       redhat.NewScanner(),
+ 		ftypes.Rocky:        rocky.NewScanner(),
+ 		ftypes.Oracle:       oracle.NewScanner(),
++		ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
+ 		ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
+ 		ftypes.SLES:         suse.NewScanner(suse.SUSEEnterpriseLinux),
+ 		ftypes.Photon:       photon.NewScanner(),
+diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go
+index a5ccade5c81..439cad3ce28 100644
+--- a/pkg/detector/ospkg/suse/suse.go
++++ b/pkg/detector/ospkg/suse/suse.go
+@@ -66,6 +66,7 @@ const (
+ 	SUSEEnterpriseLinux Type = iota
+ 	// OpenSUSE for open versions
+ 	OpenSUSE
++	OpenSUSETumbleweed
+ )
+ 
+ // Scanner implements the SUSE scanner
+@@ -84,6 +85,10 @@ func NewScanner(t Type) *Scanner {
+ 		return &Scanner{
+ 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
+ 		}
++	case OpenSUSETumbleweed:
++		return &Scanner{
++			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
++		}
+ 	}
+ 	return nil
+ }
+@@ -128,5 +133,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
+ 	if osFamily == ftypes.SLES {
+ 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
+ 	}
++	// tumbleweed is a rolling release, it has no version and no eol
++	if osFamily == ftypes.OpenSUSETumbleweed {
++		return true
++	}
+ 	return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
+ }

trivy.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Wed Jun 19 15:58:20 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.52.2:
+  * release: v0.52.2 [release/v0.52] (#6896)
+  * ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
+  * test: bump docker API to 1.45  [backport: release/v0.52] (#6922)
+  * ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893)
+  * fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
+- add add-opensuse-tumbleweed-db.patch,
+  add-opensuse-tumbleweed-support.patch: patches for tumbleweed
+  support
+
+-------------------------------------------------------------------
+Wed Jun 12 14:19:45 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.52.1:
+  * release: v0.52.1 [release/v0.52] (#6877)
+  * fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
+  * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
+  * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
+  * docs: explain how VEX is applied (#6864)
+  * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
+
 -------------------------------------------------------------------
 Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com
 

trivy.spec

@@ -17,7 +17,7 @@
 
 
 Name:           trivy
-Version:        0.52.0
+Version:        0.52.2
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@@ -25,6 +25,9 @@ Group:          System/Management
 URL:            https://github.com/aquasecurity/trivy
 Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
+# From https://github.com/aquasecurity/trivy-db/pull/411.patch
+Patch1:         add-opensuse-tumbleweed-db.patch
+Patch2:         https://github.com/aquasecurity/trivy/pull/6965.patch#/add-opensuse-tumbleweed-support.patch
 BuildRequires:  golang(API) = 1.22
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
@@ -43,7 +46,11 @@ scan. All you need to do for scanning is to specify a target such as an image
 name of the container.
 
 %prep
-%autosetup -p1 -a1
+%setup -a1
+pushd vendor/github.com/aquasecurity/trivy-db
+%patch -P 1 -p1
+popd
+%patch -P 2 -p1
 
 %build
 export CGO_ENABLED=1