feat(mariner): Add support for Azure Linux (#7186)

Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: Tom Fay

docs/community/contribute/pr.md

@@ -121,7 +121,7 @@ os:
 - redhat
 - alma
 - rocky
-- mariner
+- azure
 - oracle
 - debian
 - ubuntu

docs/docs/coverage/os/cbl-mariner.md renamed to docs/docs/coverage/os/azure.md

@@ -1,4 +1,7 @@
-# CBL-Mariner
+# Azure Linux (CBL-Mariner)
+
+*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*
+
 Trivy supports the following scanners for OS packages.
 
 | Version          | SBOM  | Vulnerability | License |
@@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages.
 | 1.0 (Distroless) |   ✔   |       ✔       |         |
 | 2.0              |   ✔   |       ✔       |    ✔    |
 | 2.0 (Distroless) |   ✔   |       ✔       |         |
+| 3.0              |   ✔   |       ✔       |    ✔    |
+| 3.0 (Distroless) |   ✔   |       ✔       |         |
 
 
 The following table provides an outline of the targets Trivy supports.
@@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports.
 | ------- | :-------------: | :-------------: | :----------: |
 | 1.0     |        ✔        |        ✔        | amd64, arm64 |
 | 2.0     |        ✔        |        ✔        | amd64, arm64 |
+| 3.0     |        ✔        |        ✔        | amd64, arm64 |
 
 The table below outlines the features offered by Trivy.
 
@@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy.
 | [Dependency graph][dependency-graph] |     ✓     |
 
 ## SBOM
-Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
+Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.
 
 ## Vulnerability
-CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
+Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
 
 ### Data Source
 See [here](../../scanner/vulnerability.md#data-sources).
 
 ### Fixed Version
-Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
+Trivy takes fixed versions from [Azure Linux OVAL][oval].
 
 ### Severity
-Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
+Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].
 
 ### Status
-Trivy supports the following [vulnerability statuses] for CBL-Mariner.
+Trivy supports the following [vulnerability statuses] for Azure Linux.
 
 |       Status        | Supported |
 | :-----------------: | :-------: |
@@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
 Trivy identifies licenses by examining the metadata of RPM packages.
 
 !!! note
-    License detection is not supported for CBL-Mariner Distroless.
+    License detection is not supported for Azure Linux Distroless images.
 
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cbl-mariner]: https://github.com/microsoft/CBL-Mariner
 
-[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
+[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
 
 [vulnerability statuses]: ../../configuration/filtering.md#by-status

docs/docs/coverage/os/index.md

@@ -9,25 +9,25 @@ Trivy supports operating systems for
 
 ## Supported OS
 
-| OS                                   | Supported Versions                  | Package Managers |
-|--------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)            | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
-| [Wolfi Linux](wolfi.md)              | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)          | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)  | 6, 7, 8                             | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]              | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                 | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)              | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)            | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
-| [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
-| [openSUSE Tumbleweed](suse.md)       | (n/a)                               | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
-| [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                  | All versions supported by Canonical | apt/dpkg         |
-| [OSs with installed Conda](conda.md) | -                                   | conda            |
+| OS                                    | Supported Versions                  | Package Managers |
+|---------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
+| [Wolfi Linux](wolfi.md)               | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)           | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)   | 6, 7, 8                             | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]               | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                  | 8, 9                                | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)               | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)             | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
+| [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
+| [SUSE Enterprise Linux](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |
+| [OSs with installed Conda](conda.md)  | -                                   | conda            |
 
 ## Supported container images
 

docs/docs/scanner/vulnerability.md

@@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
 
 ### Data Sources
 
-| OS            | Source                                                       |
-| ------------- | ------------------------------------------------------------ |
-| Arch Linux    | [Vulnerable Issues][arch]                                    |
-| Alpine Linux  | [secdb][alpine]                                              |
-| Wolfi Linux   | [secdb][wolfi]                                               |
-| Chainguard    | [secdb][chainguard]                                          |
-| Amazon Linux  | [Amazon Linux Security Center][amazon]                       |
-| Debian        | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
-| Ubuntu        | [Ubuntu CVE Tracker][ubuntu]                                 |
-| RHEL/CentOS   | [OVAL][rhel-oval] / [Security Data][rhel-api]                |
-| AlmaLinux     | [AlmaLinux Product Errata][alma]                             |
-| Rocky Linux   | [Rocky Linux UpdateInfo][rocky]                              |
-| Oracle Linux  | [OVAL][oracle]                                               |
-| CBL-Mariner   | [OVAL][mariner]                                              |
-| OpenSUSE/SLES | [CVRF][suse]                                                 |
-| Photon OS     | [Photon Security Advisory][photon]                           |
+| OS                        | Source                                                       |
+|---------------------------|--------------------------------------------------------------|
+| Arch Linux                | [Vulnerable Issues][arch]                                    |
+| Alpine Linux              | [secdb][alpine]                                              |
+| Wolfi Linux               | [secdb][wolfi]                                               |
+| Chainguard                | [secdb][chainguard]                                          |
+| Amazon Linux              | [Amazon Linux Security Center][amazon]                       |
+| Debian                    | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
+| Ubuntu                    | [Ubuntu CVE Tracker][ubuntu]                                 |
+| RHEL/CentOS               | [OVAL][rhel-oval] / [Security Data][rhel-api]                |
+| AlmaLinux                 | [AlmaLinux Product Errata][alma]                             |
+| Rocky Linux               | [Rocky Linux UpdateInfo][rocky]                              |
+| Oracle Linux              | [OVAL][oracle]                                               |
+| Azure Linux (CBL-Mariner) | [OVAL][azure]                                                |
+| OpenSUSE/SLES             | [CVRF][suse]                                                 |
+| Photon OS                 | [Photon Security Advisory][photon]                           |
 
 #### Data Source Selection
 Trivy **only** consumes security advisories from the sources listed in the above table.
@@ -288,7 +288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
-[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
+[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
 
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v0.13.0
-	github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab
+	github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
 	github.com/aws/aws-sdk-go-v2 v1.30.3

go.sum

@@ -771,8 +771,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
 github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
-github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW+Xap4zRYxyctXDTj5luMQdE=
-github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f+wSW9D5txv8S+tw4D4WNOibaUJYwvNnQuQlGQ8gO6c=
+github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
+github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU=

integration/testdata/mariner-1.0.json.golden

@@ -6,7 +6,7 @@
   "Metadata": {
     "OS": {
       "Family": "cbl-mariner",
-      "Name": "1.0.20220122"
+      "Name": "1.0"
     },
     "ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767",
     "DiffIDs": [
@@ -34,15 +34,15 @@
   },
   "Results": [
     {
-      "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
+      "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0)",
       "Class": "os-pkgs",
       "Type": "cbl-mariner",
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2022-0261",
           "PkgName": "vim",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
+            "PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0",
             "UID": "3f08cd76fa5ba73d"
           },
           "InstalledVersion": "8.2.4081-1.cm1",
@@ -79,7 +79,7 @@
           "VulnerabilityID": "CVE-2022-0158",
           "PkgName": "vim",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
+            "PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0",
             "UID": "3f08cd76fa5ba73d"
           },
           "InstalledVersion": "8.2.4081-1.cm1",

mkdocs.yml

@@ -75,7 +75,7 @@ nav:
               - AlmaLinux: docs/coverage/os/alma.md
               - Alpine Linux: docs/coverage/os/alpine.md
               - Amazon Linux: docs/coverage/os/amazon.md
-              - CBL-Mariner: docs/coverage/os/cbl-mariner.md
+              - Azure Linux (CBL-Mariner): docs/coverage/os/azure.md
               - CentOS: docs/coverage/os/centos.md
               - Chainguard: docs/coverage/os/chainguard.md
               - Conda: docs/coverage/os/conda.md

pkg/detector/ospkg/mariner/mariner.go renamed to pkg/detector/ospkg/azure/azure.go

@@ -1,12 +1,12 @@
-package mariner
+package azure
 
 import (
 	"context"
 
 	version "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
 	osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -16,16 +16,24 @@ import (
 
 // Scanner implements the CBL-Mariner scanner
 type Scanner struct {
-	vs mariner.VulnSrc
+	vs azure.VulnSrc
 }
 
 // NewScanner is the factory method for Scanner
-func NewScanner() *Scanner {
+func newScanner(distribution azure.Distribution) *Scanner {
 	return &Scanner{
-		vs: mariner.NewVulnSrc(),
+		vs: azure.NewVulnSrc(distribution),
 	}
 }
 
+func NewAzureScanner() *Scanner {
+	return newScanner(azure.Azure)
+}
+
+func NewMarinerScanner() *Scanner {
+	return newScanner(azure.Mariner)
+}
+
 // Detect vulnerabilities in package using CBL-Mariner scanner
 func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	// e.g. 1.0.20210127
@@ -36,10 +44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 
 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		// CBL Mariner OVAL contains source package names only.
+		// Azure Linux OVAL contains source package names only.
 		advisories, err := s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
-			return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
+			return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err)
 		}
 
 		sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))