feat(mariner): Add support for Azure Linux #7186

Merged
merged 9 commits into from
Jul 22, 2024
2 changes: 1 addition & 1 deletion docs/community/contribute/pr.md
Expand Up @@ -121,7 121,7 @@ os:
- redhat
- alma
- rocky
- mariner
- azure
- oracle
- debian
- ubuntu
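Review bot: the allowed-scope list in the contribution guide now reads `azure` where it used to read `mariner`, yet this PR's own title still carries the `feat(mariner)` scope; if this list is what PR titles are validated against, the title should become `feat(azure)` (or `mariner` should be kept alongside `azure` until existing branches are merged) so the rename does not reject the next change to this scanner.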
@@ -1,4 1,7 @@
# CBL-Mariner
# Azure Linux (CBL-Mariner)

*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*

Trivy supports the following scanners for OS packages.

| Version | SBOM | Vulnerability | License |
Expand All @@ -7,6 10,8 @@ Trivy supports the following scanners for OS packages.
| 1.0 (Distroless) | ✔ | ✔ | |
| 2.0 | ✔ | ✔ | ✔ |
| 2.0 (Distroless) | ✔ | ✔ | |
| 3.0 | ✔ | ✔ | ✔ |
| 3.0 (Distroless) | ✔ | ✔ | |


The following table provides an outline of the targets Trivy supports.
Expand All @@ -15,6 20,7 @@ The following table provides an outline of the targets Trivy supports.
| ------- | :-------------: | :-------------: | :----------: |
| 1.0 | ✔ | ✔ | amd64, arm64 |
| 2.0 | ✔ | ✔ | amd64, arm64 |
| 3.0 | ✔ | ✔ | amd64, arm64 |

The table below outlines the features offered by Trivy.

Expand All @@ -24,22 30,22 @@ The table below outlines the features offered by Trivy.
| [Dependency graph][dependency-graph] | ✓ |

## SBOM
Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.

## Vulnerability
CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.

### Data Source
See [here](../../scanner/vulnerability.md#data-sources).

### Fixed Version
Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
Trivy takes fixed versions from [Azure Linux OVAL][oval].

### Severity
Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].

### Status
Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy supports the following [vulnerability statuses] for Azure Linux.

| Status | Supported |
| :-----------------: | :-------: |
Expand All @@ -55,12 61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
Trivy identifies licenses by examining the metadata of RPM packages.

!!! note
License detection is not supported for CBL-Mariner Distroless.
License detection is not supported for Azure Linux Distroless images.


[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[cbl-mariner]: https://github.com/microsoft/CBL-Mariner

[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

[vulnerability statuses]: ../../configuration/filtering.md#by-status
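Review bot: the unchanged `[cbl-mariner]` link-reference definition still points at github.com/microsoft/CBL-Mariner and nothing in the visible lines of the rewritten page uses it; either drop it or repoint it at the Azure Linux repository so the page does not keep a stale definition. The new `[oval]` URL matches the `[azure]` URL added to docs/docs/scanner/vulnerability.md (both with the trailing slash), which is good; keep them in step if either is edited later.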
38 changes: 19 additions & 19 deletions docs/docs/coverage/os/index.md
Expand Up @@ -9,25 9,25 @@ Trivy supports operating systems for

## Supported OS

| OS | Supported Versions | Package Managers |
|--------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|---------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |

## Supported container images

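Review bot: the Photon OS row on both sides of this hunk still spells the package manager `tndf`, while the new Azure Linux row correctly says `tdnf`; since the whole table is being rewritten here anyway, changing the Photon row to `tdnf/yum/rpm` in the same hunk would keep the column consistent and avoid a follow-up typo fix.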
4 changes: 2 additions & 2 deletions docs/docs/scanner/vulnerability.md
Expand Up @@ -32,7 32,7 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
| AlmaLinux | [AlmaLinux Product Errata][alma] |
| Rocky Linux | [Rocky Linux UpdateInfo][rocky] |
| Oracle Linux | [OVAL][oracle] |
| CBL-Mariner | [OVAL][mariner] |
| Azure Linux (CBL-Mariner)] | [OVAL][azure] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |

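Review bot: the new table row has a stray closing bracket, `| Azure Linux (CBL-Mariner)] | [OVAL][azure] |`; it should read `| Azure Linux (CBL-Mariner) | [OVAL][azure] |`, matching the label used in docs/docs/coverage/os/index.md and mkdocs.yml.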
Expand Down Expand Up @@ -288,7 288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
[oracle]: https://linux.oracle.com/security/oval/
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

[php-ghsa]: https://github.com/advisories?query=ecosystem:composer
[python-ghsa]: https://github.com/advisories?query=ecosystem:pip
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -393,3 393,5 @@ require (
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601168637-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)

replace github.com/aquasecurity/trivy-db => github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796
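Review bot: the `replace github.com/aquasecurity/trivy-db => github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796` directive pins the database module to a personal fork and must not reach a release: a `replace` to a third-party account means every build of this branch resolves trivy-db from that account rather than from the upstream project, which is a supply-chain risk as well as a maintenance trap. Once the matching trivy-db change is merged upstream, drop this line and bump the `require` entry for `github.com/aquasecurity/trivy-db` to a commit that contains the `azure` vulnsrc package instead.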
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -771,8 771,6 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr YxBqHXDVLTYmpspPi3E=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW Xap4zRYxyctXDTj5luMQdE=
github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f wSW9D5txv8S tw4D4WNOibaUJYwvNnQuQlGQ8gO6c=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua 2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7 8rVcqhV6G5bM3KVFyJU=
Expand Down Expand Up @@ -2029,6 2027,8 @@ github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr
github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC bZgJeR0sMTm6dMHP7U=
github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796 h1:3hwn7MNI8lYWxUd8lN7sPGCzBeahvX5i/WahXxEV/R8=
github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796/go.mod h1:0T6oy2t1Iedt yi3Ml5cpOYp5FZT4MI1/mx 3p PIs8=
Contributor
go mod tidy should remove this

github.com/twitchtv/twirp v8.1.3 incompatible h1: F4TdErPgSUbMZMwp13Q/KgDVuI7HJXP61mNV3/7iuU=
github.com/twitchtv/twirp v8.1.3 incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk RGrc=
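Review bot: the two `github.com/tofay/trivy-db v0.0.0-20240717131741-056f5431b796` checksum lines exist only because of the temporary `replace` in go.mod; as the Contributor's comment says, `go mod tidy` will drop them once that directive is removed, and the `github.com/aquasecurity/trivy-db` lines deleted in the earlier go.sum hunk will come back at the new upstream version. Please re-run `go mod tidy` after the replace is gone so go.sum in the merged commit references only the upstream module.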
2 changes: 1 addition & 1 deletion mkdocs.yml
Expand Up @@ -75,7 75,7 @@ nav:
- AlmaLinux: docs/coverage/os/alma.md
- Alpine Linux: docs/coverage/os/alpine.md
- Amazon Linux: docs/coverage/os/amazon.md
- CBL-Mariner: docs/coverage/os/cbl-mariner.md
- Azure Linux (CBL-Mariner): docs/coverage/os/azure.md
- CentOS: docs/coverage/os/centos.md
- Chainguard: docs/coverage/os/chainguard.md
- Conda: docs/coverage/os/conda.md
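Review bot: changing the nav entry from `docs/coverage/os/cbl-mariner.md` to `docs/coverage/os/azure.md` also changes the published page URL, so existing external links to the CBL-Mariner coverage page will stop resolving; if the docs site supports redirects, add one from the old path to the new one in the same change.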
@@ -1,12 1,12 @@
package mariner
package azure

import (
"context"

version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
Expand All @@ -16,16 16,24 @@ import (

// Scanner implements the CBL-Mariner scanner
type Scanner struct {
vs mariner.VulnSrc
vs azure.VulnSrc
}

// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
func newScanner(distribution azure.Distribution) *Scanner {
return &Scanner{
vs: mariner.NewVulnSrc(),
vs: azure.NewVulnSrc(distribution),
}
}

func NewAzureScanner() *Scanner {
return newScanner(azure.Azure)
}

func NewMarinerScanner() *Scanner {
return newScanner(azure.Mariner)
}

// Detect vulnerabilities in package using CBL-Mariner scanner
func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
// e.g. 1.0.20210127
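Review bot: the unchanged comments `// Scanner implements the CBL-Mariner scanner` and `// Detect vulnerabilities in package using CBL-Mariner scanner` are now misleading, since the package is `azure` and the same `Scanner` serves both distributions; reword them to say Azure Linux (CBL-Mariner). The new exported constructors `NewAzureScanner` and `NewMarinerScanner` also lack the doc comments the old `NewScanner` had; a one-line comment on each stating which `azure.Distribution` it selects (and that Mariner covers 1.0/2.0 while Azure covers 3.0 onwards) would make the split self-explanatory to callers.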
Expand All @@ -36,10 44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository

var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// CBL Mariner OVAL contains source package names only.
// Azure Linux OVAL contains source package names only.
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err)
}

sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))
@@ -1,4 1,4 @@
package mariner_test
package azure_test

import (
"testing"
Expand All @@ -8,15 8,17 @@ import (

"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
azurevs "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/internal/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/azure"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)

func TestScanner_Detect(t *testing.T) {
type args struct {
dist azurevs.Distribution
osVer string
pkgs []ftypes.Package
}
Expand All @@ -30,10 32,11 @@ func TestScanner_Detect(t *testing.T) {
{
name: "happy path 1.0 SrcName and Name are different",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "1.0",
pkgs: []ftypes.Package{
{
Expand Down Expand Up @@ -69,10 72,11 @@ func TestScanner_Detect(t *testing.T) {
{
name: "happy path 2.0",
fixtures: []string{
"testdata/fixtures/mariner.yaml",
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "2.0",
pkgs: []ftypes.Package{
{
Expand Down Expand Up @@ -104,13 108,54 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
{
name: "happy path 3.0",
fixtures: []string{
"testdata/fixtures/azure.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Azure,
osVer: "3.0",
pkgs: []ftypes.Package{
{
Name: "php",
Epoch: 0,
Version: "8.3.6",
Release: "1.azl3",
Arch: "aarch64",
SrcName: "php",
SrcEpoch: 0,
SrcVersion: "8.3.6",
SrcRelease: "1.azl3",
Licenses: []string{"Php"},
Layer: ftypes.Layer{},
},
},
},
want: []types.DetectedVulnerability{
{
PkgName: "php",
VulnerabilityID: "CVE-2024-2408",
InstalledVersion: "8.3.6-1.azl3",
FixedVersion: "8.3.8-1.azl3",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.AzureLinux,
Name: "Azure Linux Vulnerability Data",
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData",
},
},
},
},
{
name: "broken advisory",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
dist: azurevs.Mariner,
osVer: "1.0",
pkgs: []ftypes.Package{
{
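Review bot: the new "happy path 3.0" case only exercises the matching pair (`azurevs.Azure` with `osVer: "3.0"`); since the scanner is now selected per distribution, a negative case is missing, for example `azurevs.Azure` with `osVer: "2.0"` or `azurevs.Mariner` with `osVer: "3.0"` against the same `testdata/fixtures/azure.yaml`, asserting that no advisories are returned. That would catch a regression where the two distributions read each other's buckets. The expected `DataSource.URL` here has no trailing slash while the docs links do; fine if that is what the fixture carries, just worth a glance.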
Expand All @@ -128,15 173,18 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
wantErr: "failed to get CBL-Mariner advisories",
wantErr: "failed to get Azure Linux advisories",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()

s := mariner.NewScanner()
s := azure.NewAzureScanner()
if tt.args.dist == azurevs.Mariner {
s = azure.NewMarinerScanner()
}
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.Error(t, err)
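Review bot: the scanner selection `s := azure.NewAzureScanner()` followed by `if tt.args.dist == azurevs.Mariner { s = azure.NewMarinerScanner() }` works, but a `switch` on `tt.args.dist` with a `t.Fatalf` default would fail loudly if a future case forgets to set `dist` (the zero value silently selects the Azure scanner today). The unchanged `s.Detect(nil, ...)` call also passes a nil `context.Context`, which staticcheck flags (SA1012); `context.Background()` is the idiomatic stand-in.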
Expand Up @@ -14,3 14,11 @@
- bucket: vim
pairs:
- key: CVE-2022-0261

- bucket: Azure Linux 3.0
pairs:
- bucket: php
pairs:
- key: CVE-2024-2408
value:
FixedVersion: 8.3.8-1.azl3
21 changes: 21 additions & 0 deletions pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml
@@ -0,0 1,21 @@
- bucket: data-source
pairs:
- key: CBL-Mariner 1.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: CBL-Mariner 2.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: Azure Linux 3.0
value:
ID: "azure"
Name: "Azure Linux Vulnerability Data"
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData"
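Review bot: the fixture makes the data-source `ID` change from `"cbl-mariner"` for 1.0 and 2.0 to `"azure"` for 3.0, and the 3.0 test case expects that via `vulnerability.AzureLinux`. That is a visible contract change for anyone filtering or grouping report output by data-source ID, so the Data Source section of the coverage page (which currently only says "See here") should state both IDs and which versions map to which, and the release notes should mention it.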