search

aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
23.1k stars 2.28k forks source link

feat: add openSUSE tumbleweed detection and scanning #6965

Closed msmeissn closed 2 months ago

msmeissn commented 3 months ago

Description

This adds openSUSE Tumbleweed support. Tumbleweed is a rolling release, it has no version and currently no EOL.

The CVRF data is in the same location as the openSUSE Leap data.

The os detector is already detecting it.

Related issues

Related PRs

Checklist

msmeissn commented 3 months ago

I tried to build using "mage", but it does not work with mage-v1.11.0~git0.07afc7d-150500.1.1.x86_64 on SLES 15 SP5.

"No .go files marked with the mage build tag in this directory." (neither in top or in cmd/trivy/)

go build cmd/trivy/main.go goes through

msmeissn commented 3 months ago

i did some test but i need to figure out how to run tests first, the mage howto does not seem to work on older mage

DmitriyLewen commented 3 months ago

Trivy mage commands - https://aquasecurity.github.io/trivy/v0.52/community/contribute/pr/#development Also you can always use go test

msmeissn commented 3 months ago

One thing, scans work (the image currently will always report this one entry, as the version was lowered after the update):

./trivy image registry.opensuse.org/opensuse/bci/bci-init:latest
2024-07-03T16:48:59+02:00       INFO    Vulnerability scanning is enabled
2024-07-03T16:48:59+02:00       INFO    Secret scanning is enabled
2024-07-03T16:48:59+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-03T16:48:59+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-03T16:49:01+02:00       INFO    Detected OS     family="opensuse.tumbleweed" version="20240607"
2024-07-03T16:49:01+02:00       INFO    [opensuse.tumbleweed] Detecting vulnerabilities...      os_version="20240607" pkg_num=149
2024-07-03T16:49:01+02:00       INFO    Number of language-specific files       num=0

registry.opensuse.org/opensuse/bci/bci-init:latest (opensuse.tumbleweed 20240607)
=================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬──────────────────────────┬──────────┬────────┬───────────────────┬────────────────────┬────────────────────────────────────────┐
│   Library   │      Vulnerability       │ Severity │ Status │ Installed Version │   Fixed Version    │                 Title                  │
├─────────────┼──────────────────────────┼──────────┼────────┼───────────────────┼────────────────────┼────────────────────────────────────────┤
│ permissions │ openSUSE-SU-2024:11165-1 │ MEDIUM   │ fixed  │ 1699_20240522-1.1 │ 20210901.1550-29.2 │ chkstat-1550_20210901-29.2 on GA media │
└─────────────┴──────────────────────────┴──────────┴────────┴───────────────────┴────────────────────┴────────────────────────────────────────┘

I otherwise started on more tests, but the integration tests are a bit large:

DmitriyLewen commented 3 months ago

how does the reference image get onto ghcr.io/aquasecurity/trivy-test-images: ?

you need to add your image to this script - https://github.com/aquasecurity/trivy-test-images/blob/master/copy-images.sh

how is golden generated? manually edited?

Use mage:updateGolden command to update integration golden files

msmeissn commented 3 months ago

https://github.com/aquasecurity/trivy-test-images/pull/32 opened

msmeissn commented 3 months ago

Update:

I added some integration tests now, and mage test:integration seems to go through. trying to get test:unit to work, but i need to find/build a working tinygo for openSUSE first.

knqyf263 commented 2 months ago

@msmeissn Thanks for your great contribution!