Closed tofay closed 5 months ago
knqyf263
commented
5 months ago Thanks for your contribution! While it looks good, we also need to update trivy-db before merging this PR. Otherwise, it also inserts Azure Linux 3.0 into trivy-db as CBL-Mariner 3.0.
tofay
commented
5 months ago It sounds like separating mariner and azure info in the vuln-list directory will make compatibility between the trivy repos simpler, and potentially allow easier removal of CBL-Mariner in future when 2.0 is EOL?
tofay
commented
5 months ago I've done that separation now, but happy to revert and update trivy-db to rename mariner/3.0 to azurelinux if you prefer that approach.
knqyf263
commented
5 months ago It sounds like separating mariner and azure info in the vuln-list directory will make compatibility between the trivy repos simpler, and potentially allow easier removal of CBL-Mariner in future when 2.0 is EOL?
Sounds like a plan.
knqyf263
commented
5 months ago Sorry to be late. We're now targeting this support for v0.54.0. I'll review it shortly. https://github.com/aquasecurity/trivy/issues/6673
As part of https://github.com/aquasecurity/trivy/issues/6673, add support for reading the azure linux 3.0 OVAL which resides alongside the cbl-mariner 1.0 and 2.0 OVAL.
I thought it sensible to use the same package in this repo for mariner and azure linux since the OVAL parsing is the same for both.