From 661ba9512713191dbad2929ae1a76f9ef89bbcaa0f3da1fac367aa96b97f6054 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?=
Date: Wed, 19 Jun 2024 18:19:40 +0200
Subject: [PATCH] Update to 0.52.2
---
 _service | 2 +-
 _servicedata | 2 +-
 add-opensuse-tumbleweed-db.patch | 103 ++++++++++++++++++++++++++
 add-opensuse-tumbleweed-support.patch | 94 +++++++++++++++++++++++
 trivy-0.52.1.tar.zst | 3 -
 trivy-0.52.2.tar.zst | 3 +
 trivy.changes | 14 ++++
 trivy.spec | 11 ++-
 vendor.tar.zst | 4 +-
 9 files changed, 227 insertions(+), 9 deletions(-)
 create mode 100644 add-opensuse-tumbleweed-db.patch
 create mode 100644 add-opensuse-tumbleweed-support.patch
 delete mode 100644 trivy-0.52.1.tar.zst
 create mode 100644 trivy-0.52.2.tar.zst
diff --git a/_service b/_service
index 3042066..a7556a8 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@ https://github.com/aquasecurity/trivy git - v0.52.1 + v0.52.2 @PARENT_TAG@ v(.*) enable
diff --git a/_servicedata b/_servicedata
index 60fedb1..4346b9d 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
 https://github.com/aquasecurity/trivy
- a3caf0658c9eccea18c261123112f2679a205ad9
\ No newline at end of file
+ 8709d4f9c8ae29df1ff2e0d45b414cc075d3ea0b
\ No newline at end of file
diff --git a/add-opensuse-tumbleweed-db.patch b/add-opensuse-tumbleweed-db.patch
new file mode 100644
index 0000000..d363228
--- /dev/null
+++ b/add-opensuse-tumbleweed-db.patch
@@ -0,0 +1,103 @@ +From f055a591d0ad779eab39ad0b13bd240653c9f137 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 19 Jun 2024 09:59:41 +0200 +Subject: [PATCH 1/2] added openSUSE Tumbleweed version detection + +(Tumbleweed has no version as it is rolling) + +https://github.com/aquasecurity/trivy-db/issues/410 +--- + pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 18 +++++++++++++++--- + pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go | 4 ++++ + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +index be3d4eff..297b29eb 100644 +--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go ++++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +@@ -24,8 +24,10 @@ type Distribution int + const ( + SUSEEnterpriseLinux Distribution = iota + OpenSUSE ++ OpenSUSETumbleweed + +- platformOpenSUSEFormat = "openSUSE Leap %s" ++ platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed" ++ platformOpenSUSELeapFormat = "openSUSE Leap %s" + platformSUSELinuxFormat = "SUSE Linux Enterprise %s" + ) + +@@ -55,6 +57,9 @@ func (vs VulnSrc) Name() types.SourceID { + if vs.dist == OpenSUSE { + return "opensuse-cvrf" + } ++ if vs.dist == OpenSUSETumbleweed { ++ return "opensuse-tumbleweed-cvrf" ++ } + return source.ID + } + +@@ -66,6 +71,7 @@ func (vs VulnSrc) Update(dir string) error { + case SUSEEnterpriseLinux: + rootDir = filepath.Join(rootDir, "suse") + case OpenSUSE: ++ case OpenSUSETumbleweed: + rootDir = filepath.Join(rootDir, "opensuse") + default: + return xerrors.New("unknown distribution") +@@ -185,6 +191,10 @@ func getOSVersion(platformName string) string { + // SUSE Linux Enterprise Module for SUSE Manager Server 4.0 + return "" + } ++ if strings.HasPrefix(platformName, "openSUSE Tumbleweed") { ++ // Tumbleweed has no version, it is a rolling release ++ return platformOpenSUSETumbleweedFormat ++ } + if strings.HasPrefix(platformName, "openSUSE Leap") { + // openSUSE Leap 15.0 + ss := strings.Split(platformName, " ") +@@ -196,7 
+206,7 @@ func getOSVersion(platformName string) string { + log.Printf("invalid version: %s, err: %s", platformName, err) + return "" + } +- return fmt.Sprintf(platformOpenSUSEFormat, ss[2]) ++ return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2]) + } + if strings.Contains(platformName, "SUSE Linux Enterprise") { + // e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1 +@@ -276,7 +286,9 @@ func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error) + case SUSEEnterpriseLinux: + bucket = fmt.Sprintf(platformSUSELinuxFormat, version) + case OpenSUSE: +- bucket = fmt.Sprintf(platformOpenSUSEFormat, version) ++ bucket = fmt.Sprintf(platformOpenSUSELeapFormat, version) ++ case OpenSUSETumbleweed: ++ bucket = platformOpenSUSETumbleweedFormat + default: + return nil, xerrors.New("unknown distribution") + } + +From a6bad64919d94263c6e075f2f3676b6cdbfe811d Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 19 Jun 2024 16:07:49 +0200 +Subject: [PATCH 2/2] Update pkg/vulnsrc/suse-cvrf/suse-cvrf.go + +Co-authored-by: Teppei Fukuda +--- + pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +index 297b29eb..f616990e 100644 +--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go ++++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +@@ -70,8 +70,7 @@ func (vs VulnSrc) Update(dir string) error { + switch vs.dist { + case SUSEEnterpriseLinux: + rootDir = filepath.Join(rootDir, "suse") +- case OpenSUSE: +- case OpenSUSETumbleweed: ++ case OpenSUSE, OpenSUSETumbleweed: + rootDir = filepath.Join(rootDir, "opensuse") + default: + return xerrors.New("unknown distribution") diff --git a/add-opensuse-tumbleweed-support.patch b/add-opensuse-tumbleweed-support.patch new file mode 100644 index 0000000..461cf47 --- /dev/null +++ b/add-opensuse-tumbleweed-support.patch 
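Review bot: In the nested suse-cvrf.go patch, the new branch in `getOSVersion` tests the literal `"openSUSE Tumbleweed"` while the same string is introduced two hunks earlier as `platformOpenSUSETumbleweedFormat`, and that constant is not a format string (no `%s`), so its `Format` suffix is misleading next to `platformOpenSUSELeapFormat`, which is one. Using the constant in the prefix check, `if strings.HasPrefix(platformName, platformOpenSUSETumbleweedFormat) {`, keeps the two in step, and a comment on the constant such as `// not a format string: Tumbleweed is rolling and carries no version` would explain the asymmetry. The `Get` hunk's `case OpenSUSETumbleweed:` deliberately ignores the `version` argument, which matches `getOSVersion` returning the platform label, but a short comment saying so on that case would stop a reader from treating it as an oversight. Separately, the embedded diffstat lists `pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go` with 4 insertions but the patch body carries no hunk for that file, so the stat overstates what `%patch` will apply; dropping the entry or adding the hunk keeps the patch file honest.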
@@ -0,0 +1,94 @@ +From 3e9c8361a53b33bdd8bfe3009fae69a50fe5f261 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 19 Jun 2024 10:32:34 +0200 +Subject: [PATCH] feat: add openSUSE tumbleweed detection and scanning + +needs changes in trivy-db to go along from https://github.com/aquasecurity/trivy-db/pull/411 to go along + +https://github.com/aquasecurity/trivy-db/issues/410 +--- + docs/docs/coverage/os/index.md | 1 + + docs/docs/coverage/os/suse.md | 5 +++-- + pkg/detector/ospkg/detect.go | 1 + + pkg/detector/ospkg/suse/suse.go | 9 +++++++++ + 4 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md +index a8d2670d7d6..49982b1b2d6 100644 +--- a/docs/docs/coverage/os/index.md ++++ b/docs/docs/coverage/os/index.md +@@ -22,6 +22,7 @@ Trivy supports operating systems for + | [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm | + | [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm | + | [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm | ++| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm | + | [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm | + | [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | + | [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | +diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md +index 6ff52de31c8..15cfb1e9379 100644 +--- a/docs/docs/coverage/os/suse.md ++++ b/docs/docs/coverage/os/suse.md +@@ -2,6 +2,7 @@ + Trivy supports the following distributions: + + - openSUSE Leap ++- openSUSE Tumbleweed + - SUSE Enterprise Linux (SLE) + + Please see [here](index.md#supported-os) for supported versions. +@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages. 
+ + + [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies +-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/ ++[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/ + +-[vulnerability statuses]: ../../configuration/filtering.md#by-status +\ No newline at end of file ++[vulnerability statuses]: ../../configuration/filtering.md#by-status +diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go +index bbeb8e8649d..56c4b76d147 100644 +--- a/pkg/detector/ospkg/detect.go ++++ b/pkg/detector/ospkg/detect.go +@@ -40,6 +40,7 @@ var ( + ftypes.CentOS: redhat.NewScanner(), + ftypes.Rocky: rocky.NewScanner(), + ftypes.Oracle: oracle.NewScanner(), ++ ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed), + ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE), + ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux), + ftypes.Photon: photon.NewScanner(), +diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go +index a5ccade5c81..439cad3ce28 100644 +--- a/pkg/detector/ospkg/suse/suse.go ++++ b/pkg/detector/ospkg/suse/suse.go +@@ -66,6 +66,7 @@ const ( + SUSEEnterpriseLinux Type = iota + // OpenSUSE for open versions + OpenSUSE ++ OpenSUSETumbleweed + ) + + // Scanner implements the SUSE scanner +@@ -84,6 +85,10 @@ func NewScanner(t Type) *Scanner { + return &Scanner{ + vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE), + } ++ case OpenSUSETumbleweed: ++ return &Scanner{ ++ vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed), ++ } + } + return nil + } +@@ -128,5 +133,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType + if osFamily == ftypes.SLES { + return osver.Supported(ctx, slesEolDates, osFamily, osVer) + } ++ // tumbleweed is a rolling release, it has no version and no eol ++ if osFamily == ftypes.OpenSUSETumbleweed { ++ return true ++ } + return osver.Supported(ctx, opensuseEolDates, osFamily, osVer) + } 
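Review bot: The new `OpenSUSETumbleweed` constant in suse.go is added without the doc comment its siblings carry (`// OpenSUSE for open versions`); `// OpenSUSETumbleweed for the rolling release, which has no version or EOL date` would match the file's style. `IsSupportedVersion` returns `true` for `ftypes.OpenSUSETumbleweed` before consulting any EOL table, which is reasonable for a rolling release, but it means a Tumbleweed image is never reported as unsupported even if the CVRF feed carries no advisories for it, so result accuracy rests entirely on `opensuse-tumbleweed-cvrf` data being present in the DB; that is worth one sentence in docs/docs/coverage/os/suse.md next to the new bullet. Nothing in this patch defines `ftypes.OpenSUSETumbleweed` or teaches the OS-release analyzer to emit it (the diffstat covers only the two docs files, detect.go and suse.go), so if those are not already present in the vendored tree the new `detect.go` map entry will not compile or will be unreachable; that should be confirmed against the vendor tarball.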
diff --git a/trivy-0.52.1.tar.zst b/trivy-0.52.1.tar.zst
deleted file mode 100644
index 9276395..0000000
--- a/trivy-0.52.1.tar.zst
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:468105619fa0a066fd1915deadce5bd8b870e6b333b747d76cfabaa1b4a71512
-size 51995809
diff --git a/trivy-0.52.2.tar.zst b/trivy-0.52.2.tar.zst
new file mode 100644
index 0000000..4321d85
--- /dev/null
+++ b/trivy-0.52.2.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff5a9e30ebb5fabc0d8bd5f11f9d4874cbbcf728ba163d7f4125cffc10e7f1d6
+size 51992543
diff --git a/trivy.changes b/trivy.changes
index d6a67f2..033a0a9 100644
--- a/trivy.changes
+++ b/trivy.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Wed Jun 19 15:58:20 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.52.2:
+ * release: v0.52.2 [release/v0.52] (#6896)
+ * ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933)
+ * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
+ * test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
+ * ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893)
+ * fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
+- add add-opensuse-tumbleweed-db.patch,
+ add-opensuse-tumbleweed-support.patch: patches for tumbleweed
+ support
+
 -------------------------------------------------------------------
 Wed Jun 12 14:19:45 UTC 2024 - dmueller@suse.com
diff --git a/trivy.spec b/trivy.spec
index c1c9e8d..e6493ad 100644
--- a/trivy.spec
+++ b/trivy.spec
@@ -17,7 +17,7 @@ Name: trivy
-Version: 0.52.1
+Version: 0.52.2
 Release: 0
 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers
 License: Apache-2.0
@@ -25,6 +25,9 @@ Group: System/Management
 URL: https://github.com/aquasecurity/trivy
 Source: %{name}-%{version}.tar.zst
 Source1: vendor.tar.zst
+# From https://github.com/aquasecurity/trivy-db/pull/411.patch
+Patch1: add-opensuse-tumbleweed-db.patch
+Patch2: https://github.com/aquasecurity/trivy/pull/6965.patch#/add-opensuse-tumbleweed-support.patch
 BuildRequires: golang(API) = 1.22
 BuildRequires: golang-packaging
 BuildRequires: zstd
@@ -43,7 +46,11 @@ scan. All you need to do for scanning is to specify a target such as an image name of the container.
 %prep
-%autosetup -p1 -a1
+%setup -a1
+pushd vendor/github.com/aquasecurity/trivy-db
+%patch -P 1 -p1
+popd
+%patch -P 2 -p1
 %build
 export CGO_ENABLED=1
diff --git a/vendor.tar.zst b/vendor.tar.zst
index 51b22f4..5a85a5d 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d7f702a920df8fc129cb96dca47b2e974350041206c71faf4571d896f1f6ed87
-size 35496439
+oid sha256:24ef9542d19cec2325c75b8d9872e02f2475ad1704da5dae59eb2d16ad8ec50f
+size 35584664
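Review bot: The new `Patch2:` line references `https://github.com/aquasecurity/trivy/pull/6965.patch`, a pull-request URL whose content changes whenever the PR is rebased or amended, so the recorded provenance of the committed patch is not reproducible; the patch file itself carries commit `3e9c8361a53b33bdd8bfe3009fae69a50fe5f261` in its header, so `Patch2: https://github.com/aquasecurity/trivy/commit/3e9c8361a53b33bdd8bfe3009fae69a50fe5f261.patch#/add-opensuse-tumbleweed-support.patch` pins what was actually reviewed, and the `# From .../pull/411.patch` comment on Patch1 has the same weakness and could cite the two commit ids that file embeds. In the `%prep` hunk, `%autosetup -p1 -a1` becomes `%setup -a1` plus hand-applied `%patch -P 1`/`-P 2` calls because Patch1 must apply beneath `vendor/github.com/aquasecurity/trivy-db`; a one-line comment above the `pushd` stating that reason would keep a future cleanup from folding it back into `%autosetup` and silently skipping the vendored fix. Patching the vendored trivy-db copy also couples this spec to the exact trivy-db revision inside `vendor.tar.zst`, so any later vendor regeneration that bumps trivy-db will make `%patch -P 1` fail at build time; that is the safe failure mode, but it is inferred rather than documented and deserves a note next to the patch lines.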