Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add openSUSE tumbleweed detection and scanning #6965

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: add openSUSE tumbleweed detection and scanning #6965

wants to merge 2 commits into from
+99 −4

Conversation

msmeissn
Copy link

@msmeissn msmeissn commented Jun 19, 2024
edited
Loading

Description

This adds openSUSE Tumbleweed support. Tumbleweed is a rolling release, it has no version and currently no EOL.

The CVRF data is in the same location as the openSUSE Leap data.

The os detector is already detecting it.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@msmeissn msmeissn requested a review from knqyf263 as a code owner June 19, 2024 09:44
@msmeissn
Copy link
Author

I tried to build using "mage", but it does not work with mage-v1.11.0~git0.07afc7d-150500.1.1.x86_64 on SLES 15 SP5.

"No .go files marked with the mage build tag in this directory." (neither in top or in cmd/trivy/)

go build cmd/trivy/main.go goes through

@msmeissn msmeissn force-pushed the main branch 2 times, most recently from fb89e70 to 3e9c836 Compare June 19, 2024 12:35
DmitriyLewen
DmitriyLewen reviewed Jun 20, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

2 moment:

@msmeissn
Copy link
Author

i did some test but i need to figure out how to run tests first, the mage howto does not seem to work on older mage

@DmitriyLewen
Copy link
Contributor

Trivy mage commands - https://aquasecurity.github.io/trivy/v0.52/community/contribute/pr/#development
Also you can always use go test

@msmeissn
Copy link
Author

msmeissn commented Jul 3, 2024
edited by DmitriyLewen
Loading

One thing, scans work (the image currently will always report this one entry, as the version was lowered after the update):

./trivy image registry.opensuse.org/opensuse/bci/bci-init:latest
2024-07-03T16:48:59+02:00       INFO    Vulnerability scanning is enabled
2024-07-03T16:48:59+02:00       INFO    Secret scanning is enabled
2024-07-03T16:48:59+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-03T16:48:59+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-03T16:49:01+02:00       INFO    Detected OS     family="opensuse.tumbleweed" version="20240607"
2024-07-03T16:49:01+02:00       INFO    [opensuse.tumbleweed] Detecting vulnerabilities...      os_version="20240607" pkg_num=149
2024-07-03T16:49:01+02:00       INFO    Number of language-specific files       num=0

registry.opensuse.org/opensuse/bci/bci-init:latest (opensuse.tumbleweed 20240607)
=================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬──────────────────────────┬──────────┬────────┬───────────────────┬────────────────────┬────────────────────────────────────────┐
│   Library   │      Vulnerability       │ Severity │ Status │ Installed Version │   Fixed Version    │                 Title                  │
├─────────────┼──────────────────────────┼──────────┼────────┼───────────────────┼────────────────────┼────────────────────────────────────────┤
│ permissions │ openSUSE-SU-2024:11165-1 │ MEDIUM   │ fixed  │ 1699_20240522-1.1 │ 20210901.1550-29.2 │ chkstat-1550_20210901-29.2 on GA media │
└─────────────┴──────────────────────────┴──────────┴────────┴───────────────────┴────────────────────┴────────────────────────────────────────┘

I otherwise started on more tests, but the integration tests are a bit large:

  • how does the reference image get onto ghcr.io/aquasecurity/trivy-test-images: ?
  • how is golden generated? manually edited?

@DmitriyLewen
Copy link
Contributor

how does the reference image get onto ghcr.io/aquasecurity/trivy-test-images: ?

you need to add your image to this script - https://github.com/aquasecurity/trivy-test-images/blob/master/copy-images.sh

how is golden generated? manually edited?

Use mage:updateGolden command to update integration golden files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen left review comments

@dirkmueller dirkmueller dirkmueller approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: support openSUSE Tumbleweed
3 participants
@msmeissn @DmitriyLewen @dirkmueller