
feat(mariner): Add support for Azure Linux #7186

Open
wants to merge 5 commits into base: main

Conversation

tofay
Contributor

@tofay tofay commented Jul 17, 2024

Description

Add support for Azure Linux.

Raised this to test the changes in aquasecurity/trivy-db#409

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Contributor

@DmitriyLewen DmitriyLewen left a comment

LGTM
@tofay left a couple of comments.

docs/docs/scanner/vulnerability.md (outdated, resolved)

Comment on lines 64 to 65

    case "azurelinux":
        family = types.Azure
Contributor

We check the etc/mariner-release file for Mariner images:

    func (a marinerOSAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
        foundOS, err := a.parseRelease(input.Content)
        if err != nil {
            return nil, xerrors.Errorf("release parse error: %w", err)
        }
        return &analyzer.AnalysisResult{
            OS: foundOS,
        }, nil
    }

Does Azure contain an etc/azure-release file?
If yes, I think we can update the logic of this file.

Collaborator

@knqyf263 knqyf263 Jul 18, 2024

Some Distroless images (e.g., Alpine) include only /etc/os-release, not /etc/xxx-version or /etc/xxx-release. So, I think it's better to use /etc/os-release now. I mean we can change mariner.

Contributor

Hm... I didn't know about this.
Then, I think we need to move the logic for mariner-release to os-release.

Collaborator

Sorry, I was confused. Distroless didn't even contain /etc/os-release, and then included /etc/os-release and /etc/alpine-release.
#1975

Here is another discussion about /etc/os-release.
#3485

So, it's anyway good to get a version from /etc/os-release.

Contributor Author

Both Mariner and Azure Linux include an /etc/os-release file. Mariner has an /etc/mariner-release file and Azure Linux has an /etc/azurelinux-release file.

I've removed the mariner-release parsing and updated Mariner to use /etc/os-release parsing. This means that the build ID is removed from the distro in package URLs:

before that change > ExternalRef: PACKAGE-MANAGER purl pkg:rpm/cbl-mariner/[email protected]?arch=x86_64&distro=cbl-mariner-2.0.20240123
after that change > ExternalRef: PACKAGE-MANAGER purl pkg:rpm/cbl-mariner/[email protected]?arch=x86_64&distro=cbl-mariner-2.0

The PURL spec doesn't say what the distro qualifier should be for RPMs. It seems unnecessary to include the build ID since the package can be identified via the other fields.
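The detection change described in this thread (drop the mariner-release parser, identify both Mariner and Azure Linux from /etc/os-release, and use only VERSION_ID so the build ID no longer lands in the purl distro qualifier) as a stand-alone added example. This is not Trivy's analyzer code: the Family constants, the `cbl-mariner` qualifier prefix and the `ID=mariner` value are assumptions for illustration (the PR itself shows only `case "azurelinux"`), and both os-release samples are constructed to mirror the file format.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Family is the detected OS family. These names are chosen for this example
// and are not Trivy's types.* constants.
type Family string

const (
	FamilyMariner Family = "cbl-mariner" // assumed purl namespace, matches the "before" example in the thread
	FamilyAzure   Family = "azurelinux"  // assumed purl namespace for Azure Linux
)

// OSInfo is the result of os-release detection. Version holds VERSION_ID only;
// the build ID that appears in VERSION is deliberately discarded.
type OSInfo struct {
	Family  Family
	Version string
}

// Constructed samples modelled on the os-release format; not copied from real images.
const SampleMarinerOSRelease = `NAME="Common Base Linux Mariner"
VERSION="2.0.20240123"
ID=mariner
VERSION_ID="2.0"
PRETTY_NAME="CBL-Mariner/Linux"
`

const SampleAzureLinuxOSRelease = `NAME="Microsoft Azure Linux"
VERSION="3.0.20240727"
ID=azurelinux
VERSION_ID="3.0"
PRETTY_NAME="Microsoft Azure Linux 3.0"
`

// parseOSRelease turns the KEY=value lines of /etc/os-release into a map,
// skipping blanks and comments and stripping surrounding quotes from values.
func parseOSRelease(content string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		fields[key] = strings.Trim(value, `"'`)
	}
	return fields
}

// detectOS maps the os-release ID to a family and takes the version from
// VERSION_ID. Unknown IDs and a missing VERSION_ID are reported as errors so a
// caller never silently matches advisories against the wrong distro data.
func detectOS(content string) (OSInfo, error) {
	f := parseOSRelease(content)
	var fam Family
	switch f["ID"] {
	case "mariner": // assumed ID for CBL-Mariner
		fam = FamilyMariner
	case "azurelinux":
		fam = FamilyAzure
	default:
		return OSInfo{}, fmt.Errorf("unsupported os-release ID %q", f["ID"])
	}
	ver := f["VERSION_ID"]
	if ver == "" {
		return OSInfo{}, fmt.Errorf("os-release for %s has no VERSION_ID", fam)
	}
	return OSInfo{Family: fam, Version: ver}, nil
}

// distroQualifier renders the purl distro qualifier the way the thread's
// "after" example does: family plus VERSION_ID, without the build ID.
func distroQualifier(os OSInfo) string {
	return string(os.Family) + "-" + os.Version
}

func main() {
	for _, sample := range []string{SampleMarinerOSRelease, SampleAzureLinuxOSRelease} {
		info, err := detectOS(sample)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("family=%s version=%s distro=%s\n", info.Family, info.Version, distroQualifier(info))
	}
}
```

Because detection keys off ID rather than the presence of a distro-specific release file, the same code path covers images that ship only /etc/os-release, which is the case knqyf263 raises above.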

go.mod Outdated
@@ -393,3 393,5 @@ require (
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601168637-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)

replace github.com/aquasecurity/trivy-db => github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796
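Review bot: the added `replace github.com/aquasecurity/trivy-db => github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796` line redirects the vulnerability database module to a personal fork and must not survive to merge: as the description says, this PR exists to test aquasecurity/trivy-db#409, so once that lands the `replace` should be dropped and the upstream `require` bumped instead, otherwise every build would pull the DB module from an account outside the project's control. Note also that this hunk's `@@ -393,3 393,5 @@` header and the added line have lost their `+` markers in the page rendering; the go.mod copy is flagged Outdated, so check the current revision rather than this view.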

Development

Successfully merging this pull request may close these issues.

Support for Azure Linux 3.0 (AKA Mariner)
3 participants