aquasecurity / trivy-db

Apache License 2.0
215 stars, 131 forks

feat(azure): Add Azure Linux support #409

Closed tofay closed 1 month ago

tofay commented 3 months ago

Another part of https://github.com/aquasecurity/trivy/issues/6673, along with https://github.com/aquasecurity/vuln-list-update/pull/294.

Azure Linux is a rebranding of CBL-Mariner, starting at version 3.0, so this updates the existing Mariner parsing code to be used by both azure linux/cbl-mariner vulnsrcs.

DmitriyLewen commented 2 months ago

@tofay I did some refactoring. Can you take a look?

tofay commented 2 months ago

> @tofay I did some refactoring. Can you take a look?

LGTM, thanks. (I noted that the mariner URL changed from https://github.com/microsoft/CBL-MarinerVulnerabilityData to https://github.com/microsoft/AzureLinuxVulnerabilityData, which should be fine as the former repo was renamed to the latter)

DmitriyLewen commented 1 month ago

Cool :+1: Do you have time to do a Trivy PR? It will be better to test how Trivy will work with these changes before merging this PR.

You can use go mod edit -replace command in Trivy PR to get a commit from that PR.

knqyf263 commented 1 month ago

LGTM. As @DmitriyLewen suggested, we need to test this change with Trivy before merging it.


tofay commented 1 month ago

I've tested these changes with https://github.com/aquasecurity/trivy/pull/7186.

Testing

1. cbl-mariner 2.0 scanning still works:

    $ /trivy image --skip-db-update --cache-dir ~/trivy-db/cache/ mcr.microsoft.com/cbl-mariner/base/core:2.0.20240123
    2024-07-17T15:05:46+01:00       INFO    Vulnerability scanning is enabled
    2024-07-17T15:05:46+01:00       INFO    Secret scanning is enabled
    2024-07-17T15:05:46+01:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
    2024-07-17T15:05:46+01:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
    2024-07-17T15:05:50+01:00       INFO    Detected OS     family="cbl-mariner" version="2.0.20240123"
    2024-07-17T15:05:50+01:00       INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=69
    2024-07-17T15:05:50+01:00       INFO    Number of language-specific files       num=0

    mcr.microsoft.com/cbl-mariner/base/core:2.0.20240123 (cbl-mariner 2.0.20240123)

    Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 15, CRITICAL: 0)

2. Azure linux 3 scanning works:

    $ ./trivy image --skip-db-update --cache-dir ~/trivy-db/cache/ azure:test
    2024-07-17T15:07:36+01:00       INFO    Vulnerability scanning is enabled
    2024-07-17T15:07:36+01:00       INFO    Secret scanning is enabled
    2024-07-17T15:07:36+01:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
    2024-07-17T15:07:36+01:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
    2024-07-17T15:07:40+01:00       INFO    Detected OS     family="azurelinux" version="3.0"
    2024-07-17T15:07:40+01:00       INFO    [azurelinux] Detecting vulnerabilities...      os_version="3.0" pkg_num=140
    2024-07-17T15:07:40+01:00       INFO    Number of language-specific files       num=0

    azure:test (azurelinux 3.0)

    Total: 45 (UNKNOWN: 0, LOW: 0, MEDIUM: 18, HIGH: 9, CRITICAL: 18)

    ┌──────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
    │   Library    │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
    ├──────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
    │ php          │ CVE-2024-1874 │ CRITICAL │ fixed  │ 8.3.6-1.azl3      │ 8.3.8-1.azl3  │ php: Fail to Escape Arguments Properly in Microsoft Windows │
    │              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-1874                   │
    ...

3. Azure linux 3 distroless package detection works:

    $ ./trivy image --skip-db-update --cache-dir ~/trivy-db/cache/ --format spdx-json -d azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0
    ...

    sample package:

    {
      "name": "SymCrypt-OpenSSL",
      "SPDXID": "SPDXRef-Package-b2b020d896a1d8ea",
      "versionInfo": "1.4.3-1.azl3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "built package from: SymCrypt-OpenSSL 1.4.3-1.azl3",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/azurelinux/SymCrypt-OpenSSL@1.4.3-1.azl3?arch=x86_64\u0026distro=azurelinux-3.0"
        }
      ],
      "attributionTexts": [
        "LayerDiffID: sha256:e9b7cd9ba369135d7d8e35b3db2debcb12bf48bd8a5716e27acf26a7cb4780fe",
        "LayerDigest: sha256:76c39ef1a031378e77828a68e5bdb3ae948fd8daaf0d8ae3642ac98123bea23c",
        "PkgType: azurelinux"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    ...
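The rebranding rule in the PR description and the purl in the SPDX output above, as an added example in Go that is not code from trivy-db or Trivy: a minimal parser for `pkg:rpm` purls that derives the OS family and major.minor version from the `distro` qualifier, normalizes a detected version such as `2.0.20240123` to the `os_version` `2.0` the way the log lines above do, and routes the package to the CBL-Mariner or Azure Linux advisory source according to "Azure Linux is CBL-Mariner from 3.0 on". The source names, the hard cut at 3.0, the `cbl-mariner-<version>` qualifier shape and the `.cm<N>` release tag for CBL-Mariner are assumptions; the `&` in the purl is what the `\u0026` in the JSON decodes to; the cbl-mariner and mismatched sample purls are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// OSFamily is the family name Trivy prints in "Detected OS" for these distros.
type OSFamily string

const (
	CBLMariner OSFamily = "cbl-mariner"
	AzureLinux OSFamily = "azurelinux"
)

// RPMPackage is the part of a pkg:rpm purl that OS vulnerability matching needs.
type RPMPackage struct {
	Namespace string // purl namespace, e.g. "azurelinux"
	Name      string
	Version   string // full version-release, e.g. "1.4.3-1.azl3"
	Arch      string
	Family    OSFamily
	OSVersion string // major.minor from the distro qualifier, e.g. "3.0"
}

// MajorMinor reduces a detected version such as "2.0.20240123" to the
// os_version advisories are matched on ("2.0"), as in the log lines above.
func MajorMinor(v string) string {
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return v
	}
	return parts[0] + "." + parts[1]
}

// FamilyFromDistro splits a distro qualifier ("azurelinux-3.0" from the SBOM
// above; "cbl-mariner-2.0" is the assumed Mariner shape) into family and version.
func FamilyFromDistro(distro string) (OSFamily, string, error) {
	i := strings.LastIndex(distro, "-")
	if i <= 0 || i == len(distro)-1 {
		return "", "", fmt.Errorf("malformed distro qualifier %q", distro)
	}
	family := OSFamily(distro[:i])
	if family != CBLMariner && family != AzureLinux {
		return "", "", fmt.Errorf("unsupported distro family %q", family)
	}
	return family, MajorMinor(distro[i+1:]), nil
}

// ParseRPMPurl parses pkg:rpm/<namespace>/<name>@<version>?arch=..&distro=..
// (the SPDX referenceLocator form above). Percent-encoding is not handled.
func ParseRPMPurl(purl string) (RPMPackage, error) {
	if !strings.HasPrefix(purl, "pkg:rpm/") {
		return RPMPackage{}, fmt.Errorf("not an rpm purl: %q", purl)
	}
	path, query, _ := strings.Cut(strings.TrimPrefix(purl, "pkg:rpm/"), "?")
	ns, nameVer, _ := strings.Cut(path, "/")
	name, ver, _ := strings.Cut(nameVer, "@")
	if ns == "" || name == "" || ver == "" {
		return RPMPackage{}, fmt.Errorf("missing namespace, name or version: %q", purl)
	}
	q, err := url.ParseQuery(query)
	if err != nil {
		return RPMPackage{}, err
	}
	family, osVer, err := FamilyFromDistro(q.Get("distro"))
	if err != nil {
		return RPMPackage{}, err
	}
	// Reject purls whose namespace, distro qualifier and release tag disagree:
	// such a package would be matched against the wrong advisory feed.
	// ".azl3" is from the SBOM above; ".cm<N>" for CBL-Mariner is assumed.
	major, _, _ := strings.Cut(osVer, ".")
	tag := map[OSFamily]string{AzureLinux: ".azl", CBLMariner: ".cm"}[family] + major
	if string(family) != ns || !strings.HasSuffix(ver, tag) {
		return RPMPackage{}, fmt.Errorf("namespace %q, distro %q and release %q disagree", ns, q.Get("distro"), ver)
	}
	return RPMPackage{Namespace: ns, Name: name, Version: ver, Arch: q.Get("arch"), Family: family, OSVersion: osVer}, nil
}

// VulnSrcFor picks the advisory source. CBL-Mariner was renamed Azure Linux at
// 3.0 (PR description), so 1.x/2.x go to the cbl-mariner source and 3.0+ to
// azure linux; the names and the hard cut at 3.0 are assumptions.
func VulnSrcFor(p RPMPackage) (string, error) {
	majorStr, _, _ := strings.Cut(p.OSVersion, ".")
	major, err := strconv.Atoi(majorStr)
	if err != nil {
		return "", fmt.Errorf("bad os_version %q", p.OSVersion)
	}
	switch {
	case p.Family == CBLMariner && major <= 2:
		return "cbl-mariner", nil
	case p.Family == AzureLinux && major >= 3:
		return "azure linux", nil
	}
	return "", fmt.Errorf("%s %s: family and version disagree", p.Family, p.OSVersion)
}
```

Feed it the `referenceLocator` strings from the SPDX output: the SymCrypt-OpenSSL purl above parses to family `azurelinux`, os_version `3.0` and routes to the azure linux source, while a purl whose namespace, `distro` qualifier and `.azl`/`.cm` release tag do not agree (or a cbl-mariner package claiming version 3.0) is rejected rather than silently matched against the wrong feed.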

knqyf263 commented 1 month ago

Thanks!