1
0
forked from pool/trivy

Compare commits

..

3 Commits

Author SHA256 Message Date
Dirk Müller
661ba95127
Update to 0.52.2 2024-06-19 18:22:29 +02:00
Dirk Mueller
adb3b06bd8 Merge pull request 'Update to 0.52.1' (#1) from dirkmueller/trivy:factory into factory
Reviewed-on: pool/trivy#1
2024-06-19 18:22:04 +02:00
Dirk Müller
7d888486b3
Update to 0.52.1 2024-06-12 16:23:06 +02:00
10 changed files with 242 additions and 13 deletions

View File

@ -1,4 +1,4 @@
mtime: 1717679875
commit: 579ede4865fcf5783c98eab0446e1c095dd85e84
url: https://src.opensuse.org/dirkmueller/trivy.git
revision: 579ede4865fcf5783c98eab0446e1c095dd85e84
mtime: 1717765405
commit: 96ac2f27c0ccdd6423580fc28d828483ef3309a85f4741eb93d275b73f7ef52c
url: https://src.opensuse.org/pool/trivy.git
revision: factory

View File

@ -2,7 +2,7 @@
<service name="tar_scm" mode="manual">
<param name="url">https://github.com/aquasecurity/trivy</param>
<param name="scm">git</param>
<param name="revision">v0.52.0</param>
<param name="revision">v0.52.2</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>

View File

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/aquasecurity/trivy</param>
<param name="changesrevision">c24dfbab68056a42aff9589b024c6f2d067f9f52</param></service></servicedata>
<param name="changesrevision">8709d4f9c8ae29df1ff2e0d45b414cc075d3ea0b</param></service></servicedata>

View File

@ -0,0 +1,103 @@
From f055a591d0ad779eab39ad0b13bd240653c9f137 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Wed, 19 Jun 2024 09:59:41 +0200
Subject: [PATCH 1/2] added openSUSE Tumbleweed version detection
(Tumbleweed has no version as it is rolling)
https://github.com/aquasecurity/trivy-db/issues/410
---
pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 18 +++++++++++++++---
pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go | 4 ++++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
index be3d4eff..297b29eb 100644
--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
@@ -24,8 +24,10 @@ type Distribution int
const (
SUSEEnterpriseLinux Distribution = iota
OpenSUSE
+ OpenSUSETumbleweed
- platformOpenSUSEFormat = "openSUSE Leap %s"
+ platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed"
+ platformOpenSUSELeapFormat = "openSUSE Leap %s"
platformSUSELinuxFormat = "SUSE Linux Enterprise %s"
)
@@ -55,6 +57,9 @@ func (vs VulnSrc) Name() types.SourceID {
if vs.dist == OpenSUSE {
return "opensuse-cvrf"
}
+ if vs.dist == OpenSUSETumbleweed {
+ return "opensuse-tumbleweed-cvrf"
+ }
return source.ID
}
@@ -66,6 +71,7 @@ func (vs VulnSrc) Update(dir string) error {
case SUSEEnterpriseLinux:
rootDir = filepath.Join(rootDir, "suse")
case OpenSUSE:
+ case OpenSUSETumbleweed:
rootDir = filepath.Join(rootDir, "opensuse")
default:
return xerrors.New("unknown distribution")
@@ -185,6 +191,10 @@ func getOSVersion(platformName string) string {
// SUSE Linux Enterprise Module for SUSE Manager Server 4.0
return ""
}
+ if strings.HasPrefix(platformName, "openSUSE Tumbleweed") {
+ // Tumbleweed has no version, it is a rolling release
+ return platformOpenSUSETumbleweedFormat
+ }
if strings.HasPrefix(platformName, "openSUSE Leap") {
// openSUSE Leap 15.0
ss := strings.Split(platformName, " ")
@@ -196,7 +206,7 @@ func getOSVersion(platformName string) string {
log.Printf("invalid version: %s, err: %s", platformName, err)
return ""
}
- return fmt.Sprintf(platformOpenSUSEFormat, ss[2])
+ return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2])
}
if strings.Contains(platformName, "SUSE Linux Enterprise") {
// e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1
@@ -276,7 +286,9 @@ func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error)
case SUSEEnterpriseLinux:
bucket = fmt.Sprintf(platformSUSELinuxFormat, version)
case OpenSUSE:
- bucket = fmt.Sprintf(platformOpenSUSEFormat, version)
+ bucket = fmt.Sprintf(platformOpenSUSELeapFormat, version)
+ case OpenSUSETumbleweed:
+ bucket = platformOpenSUSETumbleweedFormat
default:
return nil, xerrors.New("unknown distribution")
}
From a6bad64919d94263c6e075f2f3676b6cdbfe811d Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Wed, 19 Jun 2024 16:07:49 +0200
Subject: [PATCH 2/2] Update pkg/vulnsrc/suse-cvrf/suse-cvrf.go
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
---
pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
index 297b29eb..f616990e 100644
--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
+++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
@@ -70,8 +70,7 @@ func (vs VulnSrc) Update(dir string) error {
switch vs.dist {
case SUSEEnterpriseLinux:
rootDir = filepath.Join(rootDir, "suse")
- case OpenSUSE:
- case OpenSUSETumbleweed:
+ case OpenSUSE, OpenSUSETumbleweed:
rootDir = filepath.Join(rootDir, "opensuse")
default:
return xerrors.New("unknown distribution")

View File

@ -0,0 +1,94 @@
From 3e9c8361a53b33bdd8bfe3009fae69a50fe5f261 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Wed, 19 Jun 2024 10:32:34 +0200
Subject: [PATCH] feat: add openSUSE tumbleweed detection and scanning
needs changes in trivy-db to go along from https://github.com/aquasecurity/trivy-db/pull/411 to go along
https://github.com/aquasecurity/trivy-db/issues/410
---
docs/docs/coverage/os/index.md | 1 +
docs/docs/coverage/os/suse.md | 5 +++--
pkg/detector/ospkg/detect.go | 1 +
pkg/detector/ospkg/suse/suse.go | 9 +++++++++
4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
index a8d2670d7d6..49982b1b2d6 100644
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -22,6 +22,7 @@ Trivy supports operating systems for
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
+| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md
index 6ff52de31c8..15cfb1e9379 100644
--- a/docs/docs/coverage/os/suse.md
+++ b/docs/docs/coverage/os/suse.md
@@ -2,6 +2,7 @@
Trivy supports the following distributions:
- openSUSE Leap
+- openSUSE Tumbleweed
- SUSE Enterprise Linux (SLE)
Please see [here](index.md#supported-os) for supported versions.
@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
-[vulnerability statuses]: ../../configuration/filtering.md#by-status
\ No newline at end of file
+[vulnerability statuses]: ../../configuration/filtering.md#by-status
diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go
index bbeb8e8649d..56c4b76d147 100644
--- a/pkg/detector/ospkg/detect.go
+++ b/pkg/detector/ospkg/detect.go
@@ -40,6 +40,7 @@ var (
ftypes.CentOS: redhat.NewScanner(),
ftypes.Rocky: rocky.NewScanner(),
ftypes.Oracle: oracle.NewScanner(),
+ ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
ftypes.Photon: photon.NewScanner(),
diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go
index a5ccade5c81..439cad3ce28 100644
--- a/pkg/detector/ospkg/suse/suse.go
+++ b/pkg/detector/ospkg/suse/suse.go
@@ -66,6 +66,7 @@ const (
SUSEEnterpriseLinux Type = iota
// OpenSUSE for open versions
OpenSUSE
+ OpenSUSETumbleweed
)
// Scanner implements the SUSE scanner
@@ -84,6 +85,10 @@ func NewScanner(t Type) *Scanner {
return &Scanner{
vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
}
+ case OpenSUSETumbleweed:
+ return &Scanner{
+ vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
+ }
}
return nil
}
@@ -128,5 +133,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
if osFamily == ftypes.SLES {
return osver.Supported(ctx, slesEolDates, osFamily, osVer)
}
+ // tumbleweed is a rolling release, it has no version and no eol
+ if osFamily == ftypes.OpenSUSETumbleweed {
+ return true
+ }
return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
}

BIN
trivy-0.52.0.tar.zst (Stored with Git LFS)

Binary file not shown.

BIN
trivy-0.52.2.tar.zst (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -1,3 +1,28 @@
-------------------------------------------------------------------
Wed Jun 19 15:58:20 UTC 2024 - dmueller@suse.com
- Update to version 0.52.2:
* release: v0.52.2 [release/v0.52] (#6896)
* ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
* test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
* ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893)
* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
- add add-opensuse-tumbleweed-db.patch,
add-opensuse-tumbleweed-support.patch: patches for tumbleweed
support
-------------------------------------------------------------------
Wed Jun 12 14:19:45 UTC 2024 - dmueller@suse.com
- Update to version 0.52.1:
* release: v0.52.1 [release/v0.52] (#6877)
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
* docs: explain how VEX is applied (#6864)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
-------------------------------------------------------------------
Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com

View File

@ -17,7 +17,7 @@
Name: trivy
Version: 0.52.0
Version: 0.52.2
Release: 0
Summary: A Simple and Comprehensive Vulnerability Scanner for Containers
License: Apache-2.0
@ -25,6 +25,9 @@ Group: System/Management
URL: https://github.com/aquasecurity/trivy
Source: %{name}-%{version}.tar.zst
Source1: vendor.tar.zst
# From https://github.com/aquasecurity/trivy-db/pull/411.patch
Patch1: add-opensuse-tumbleweed-db.patch
Patch2: https://github.com/aquasecurity/trivy/pull/6965.patch#/add-opensuse-tumbleweed-support.patch
BuildRequires: golang(API) = 1.22
BuildRequires: golang-packaging
BuildRequires: zstd
@ -43,7 +46,11 @@ scan. All you need to do for scanning is to specify a target such as an image
name of the container.
%prep
%autosetup -p1 -a1
%setup -a1
pushd vendor/github.com/aquasecurity/trivy-db
%patch -P 1 -p1
popd
%patch -P 2 -p1
%build
export CGO_ENABLED=1

BIN
vendor.tar.zst (Stored with Git LFS)

Binary file not shown.