feat(azure): Add Azure Linux support #409

Merged: 5 commits, Jul 18, 2024
Conversation

@tofay tofay commented Jun 6, 2024

Another part of aquasecurity/trivy#6673, along with aquasecurity/vuln-list-update#294.

Azure Linux is a rebranding of CBL-Mariner, starting at version 3.0, so this updates the existing Mariner parsing code to be used by both azure linux/cbl-mariner vulnsrcs.

Azure Linux is a rebranding of CBL-Mariner, starting at version 3.0, so this reuses the existing Mariner parsing function.
@tofay tofay requested a review from knqyf263 as a code owner June 6, 2024 14:36
@@ -36,21 27,31 @@ type resolvedTest struct {
}

type VulnSrc struct {
dbc db.Operation
Dbc db.Operation
VulnListDir string
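Review bot: the `dbc` to `Dbc` rename in this hunk exports the database handle only so that another package can populate the struct; keeping the field unexported and adding a constructor in the mariner package (for example `NewMarinerVulnSrc()`) that takes the distro-specific directory gives the azure source a single entry point and one place to validate that directory. The new `VulnListDir string` field also needs a doc comment saying whether it holds the root of the vuln-list checkout or the Mariner subdirectory, because the name reads as the former while a source-specific name such as `MarinerDir` is what the parser actually consumes.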
Contributor

VulnListDir is usually the vuln-list dir.
Let's use a more obvious name.

Suggested change
VulnListDir string
MarinerDir string

Contributor Author

I renamed. (I called it vulnListDir as that's the variable used in the redhat and nvd vuln srcs)

Contributor

azure is a renamed mariner.
So I think we can use one package for them:

➜  trivy-db git:(azure-linux) ✗ ls -hl ./pkg/vulnsrc/azure 
total 36K
-rw-rw-r-- 1 dmitriy dmitriy  690 Jul  2 13:12 azure.go
-rw-rw-r-- 1 dmitriy dmitriy 2,4K Jul  2 13:12 azure_test.go
-rw-rw-r-- 1 dmitriy dmitriy 6,9K Jul  2 13:39 mariner.go
-rw-rw-r-- 1 dmitriy dmitriy 6,1K Jun 20 10:12 mariner_test.go
drwxrwxr-x 2 dmitriy dmitriy 4,0K Jul  2 13:57 oval
drwxrwxr-x 4 dmitriy dmitriy 4,0K Jul  2 13:12 testdata
-rw-rw-r-- 1 dmitriy dmitriy  206 Oct 25  2022 types.go

I suggest the following refactoring:

  1. move logic from mariner.go to azure.go
  2. create only NewMarinerVulnSrc() function in mariner.go

Contributor Author

I've done this refactoring. Happy to rebase and git mv the mariner package if it makes reviewing easier.
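A compact illustration of the structure the reviewer proposes above (one shared parser, a per-distro constructor, and a registry entry for each source), as an added example that is not trivy-db's code. Only the `ErrNotSupported` name and the `NewMarinerVulnSrc` constructor name come from the thread; the `Advisory` record shape, the JSON input format, the in-memory file map standing in for the vuln-list directory, the `<family> <version>` bucket key, the `NewAzureVulnSrc` name and the sample advisory contents are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// ErrNotSupported reuses the error name seen in the PR (stdlib errors here,
// not xerrors). Everything else in this file is constructed for the example.
var ErrNotSupported = errors.New("format not supported")

// Advisory is a constructed, minimal record for one parsed entry; it is not
// trivy-db's real advisory type.
type Advisory struct {
	ID           string `json:"id"`
	Package      string `json:"package"`
	FixedVersion string `json:"fixed_version"`
	Severity     string `json:"severity"`
}

// Source holds the per-distro metadata. The parser below is shared; only this
// struct differs between CBL-Mariner and Azure Linux.
type Source struct {
	Family  string // OS family name, e.g. "azurelinux" (assumed naming)
	Version string // OS version the bucket is keyed by, e.g. "3.0"
	SubDir  string // subdirectory under the vuln-list checkout (assumed layout)
}

// Bucket is the DB bucket key, "<family> <version>" (assumed key scheme).
func (s Source) Bucket() string { return s.Family + " " + s.Version }

// NewMarinerVulnSrc and NewAzureVulnSrc are the only distro-specific code.
func NewMarinerVulnSrc() Source {
	return Source{Family: "cbl-mariner", Version: "2.0", SubDir: "mariner"}
}
func NewAzureVulnSrc() Source {
	return Source{Family: "azurelinux", Version: "3.0", SubDir: "azurelinux"}
}

// registry plays the role of the vulnsrc map the reviewer asked for: a
// constructor that is not registered never runs during the DB build.
var registry = map[string]func() Source{
	"cbl-mariner": NewMarinerVulnSrc,
	"azurelinux":  NewAzureVulnSrc,
}

// parseFile is the shared parser. Only JSON is accepted; any other extension is
// reported by wrapping ErrNotSupported so callers can errors.Is on it.
func parseFile(name string, data []byte) ([]Advisory, error) {
	if filepath.Ext(name) != ".json" {
		return nil, fmt.Errorf("%s: %w", name, ErrNotSupported)
	}
	var advs []Advisory
	if err := json.Unmarshal(data, &advs); err != nil {
		return nil, fmt.Errorf("%s: %w", name, err)
	}
	for _, a := range advs {
		if a.ID == "" || a.Package == "" {
			return nil, fmt.Errorf("%s: advisory missing id or package", name)
		}
	}
	return advs, nil
}

// DB is an in-memory stand-in for the bolt buckets: bucket -> package -> advisories.
type DB map[string]map[string][]Advisory

// Update walks the files under src.SubDir (files is an in-memory stand-in for the
// vuln-list directory, keyed by relative path) and stores each advisory under the
// source's bucket. Files outside the subdirectory are ignored so the two sources
// never pick up each other's data. Returns the number of advisories stored.
func Update(db DB, src Source, files map[string][]byte) (int, error) {
	prefix := src.SubDir + "/"
	names := make([]string, 0, len(files))
	for n := range files {
		if strings.HasPrefix(n, prefix) {
			names = append(names, n)
		}
	}
	sort.Strings(names) // deterministic order, like walking a directory
	count := 0
	for _, n := range names {
		advs, err := parseFile(n, files[n])
		if err != nil {
			return count, err
		}
		bucket := db[src.Bucket()]
		if bucket == nil {
			bucket = map[string][]Advisory{}
			db[src.Bucket()] = bucket
		}
		for _, a := range advs {
			bucket[a.Package] = append(bucket[a.Package], a)
			count++
		}
	}
	return count, nil
}

// sampleFiles is constructed input shaped like a tiny vuln-list checkout. The php
// entry mirrors the CVE shown in the PR's scan output; the other id is a placeholder.
var sampleFiles = map[string][]byte{
	"azurelinux/CVE-2024-1874.json": []byte(`[{"id":"CVE-2024-1874","package":"php","fixed_version":"8.3.8-1.azl3","severity":"CRITICAL"}]`),
	"mariner/EXAMPLE-0001.json":     []byte(`[{"id":"EXAMPLE-0001","package":"curl","fixed_version":"8.5.0-2.cm2","severity":"HIGH"}]`),
}

func main() {
	db := DB{}
	for name, ctor := range registry {
		n, err := Update(db, ctor(), sampleFiles)
		fmt.Printf("%s: stored %d advisories, err=%v\n", name, n, err)
	}
	fmt.Println("php fixed in:", db[NewAzureVulnSrc().Bucket()]["php"][0].FixedVersion)
}
```

The shape worth keeping: the parser knows nothing about which distro called it, each distro is a constructor plus a registry entry, and an unregistered constructor is exactly the silent failure the reviewer's "add this function to this map" comment guards against, so the check iterates the registry rather than calling the constructors directly.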

ErrNotSupported = xerrors.New("format not supported")
)

func NewVulnSrc() mariner.VulnSrc {
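Review bot: `NewVulnSrc()` returning a `mariner.VulnSrc` only takes effect if the azure package is also registered in the vulnsrc map that drives the database build; nothing in this hunk shows that registration, and a missing entry fails silently (the package compiles and its own tests pass while Azure Linux advisories are never written). Add the map entry in the same change. Also confirm that `ErrNotSupported`, still declared here, is referenced now that the parsing logic has moved into the shared Mariner code, otherwise it is a leftover from the copy.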
Contributor

You need to add this function to this map

Contributor Author

Thanks, done.

{
name: "happy path",
dir: filepath.Join("testdata", "happy"),
wantValues: []vulnsrctest.WantValues{
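Review bot: this test table only has a happy-path directory, and its `wantValues` should cover the vulnerability-detail records the source writes as well as the advisory keys, otherwise a regression in the shared Mariner parser that drops the detail record would still pass the Azure test. Add a second case with a malformed testdata file (unsupported format or an entry missing required fields) that asserts on the returned error, since both distros now depend on the same parser.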
Contributor

what about vulnerability-detail?

Contributor Author

Added this.

@DmitriyLewen
Contributor

@tofay I did some refactoring.
Can you take a look?

tofay commented Jul 16, 2024

@tofay I did some refactoring. Can you take a look?

LGTM, thanks. (I noted that the mariner URL changed from https://github.com/microsoft/CBL-MarinerVulnerabilityData to https://github.com/microsoft/AzureLinuxVulnerabilityData, which should be fine as the former repo was renamed to the latter)

@DmitriyLewen
Contributor

Cool 👍
Do you have time to do the Trivy PR?
It will be better to test how Trivy will work with these changes before merging this PR.

You can use the go mod edit -replace command in the Trivy PR to get a commit from that PR.

knqyf263 commented Jul 17, 2024

LGTM. As @DmitriyLewen suggested, we need to test this change with Trivy before merging it.

tofay commented Jul 17, 2024

I've tested these changes with aquasecurity/trivy#7186.

Testing setup:

  • used this branch of trivy-db to build a new database using the updated vuln-list repo, which now includes azure vulnerability data
  • created an Azure Linux 3.0 container image with vulnerable packages

Testing

  1. cbl-mariner 2.0 scanning still works:
$ /trivy image --skip-db-update --cache-dir ~/trivy-db/cache/ mcr.microsoft.com/cbl-mariner/base/core:2.0.20240123
2024-07-17T15:05:46+01:00       INFO    Vulnerability scanning is enabled
2024-07-17T15:05:46+01:00       INFO    Secret scanning is enabled
2024-07-17T15:05:46+01:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-17T15:05:46+01:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-17T15:05:50+01:00       INFO    Detected OS     family="cbl-mariner" version="2.0.20240123"
2024-07-17T15:05:50+01:00       INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=69
2024-07-17T15:05:50+01:00       INFO    Number of language-specific files       num=0

mcr.microsoft.com/cbl-mariner/base/core:2.0.20240123 (cbl-mariner 2.0.20240123)

Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 15, CRITICAL: 0)
  2. Azure Linux 3 scanning works
./trivy image --skip-db-update --cache-dir ~/trivy-db/cache/ azure:test
2024-07-17T15:07:36+01:00       INFO    Vulnerability scanning is enabled
2024-07-17T15:07:36+01:00       INFO    Secret scanning is enabled
2024-07-17T15:07:36+01:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-17T15:07:36+01:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-17T15:07:40+01:00       INFO    Detected OS     family="azurelinux" version="3.0"
2024-07-17T15:07:40+01:00       INFO    [azurelinux] Detecting vulnerabilities...       os_version="3.0" pkg_num=140
2024-07-17T15:07:40+01:00       INFO    Number of language-specific files       num=0

azure:test (azurelinux 3.0)

Total: 45 (UNKNOWN: 0, LOW: 0, MEDIUM: 18, HIGH: 9, CRITICAL: 18)
┌──────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ php          │ CVE-2024-1874 │ CRITICAL │ fixed  │ 8.3.6-1.azl3      │ 8.3.8-1.azl3  │ php: Fail to Escape Arguments Properly in Microsoft Windows │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-1874 
...
  3. Azure Linux 3 distroless package detection works
$  ./trivy image --skip-db-update --cache-dir ~/trivy-db/cache/ --format spdx-json -d azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0
... sample package
{
      "name": "SymCrypt-OpenSSL",
      "SPDXID": "SPDXRef-Package-b2b020d896a1d8ea",
      "versionInfo": "1.4.3-1.azl3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "built package from: SymCrypt-OpenSSL 1.4.3-1.azl3",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/azurelinux/SymCrypt-OpenSSL@1.4.3-1.azl3?arch=x86_64\u0026distro=azurelinux-3.0"
        }
      ],
      "attributionTexts": [
        "LayerDiffID: sha256:e9b7cd9ba369135d7d8e35b3db2debcb12bf48bd8a5716e27acf26a7cb4780fe",
        "LayerDigest: sha256:76c39ef1a031378e77828a68e5bdb3ae948fd8daaf0d8ae3642ac98123bea23c",
        "PkgType: azurelinux"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
...

@DmitriyLewen DmitriyLewen left a comment

@tofay
Thanks for your work!

@knqyf263 looks like it works correctly with Trivy.
I approved PR.

@knqyf263 knqyf263 merged commit d23a6ca into aquasecurity:main Jul 18, 2024
2 checks passed
@knqyf263
Collaborator

Thanks!
