fix(oracle): add architectures support for advisories (#4809)

Author: DmitriyLewen

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.4.0
-	github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45
+	github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc
 	github.com/aws/aws-sdk-go-v2 v1.32.5

go.sum

@@ -355,8 +355,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.4.0 h1:XFGPuA8C4f31GO9g7xOkubHq4W87y9iXrWnulsIoZFs=
 github.com/aquasecurity/trivy-checks v1.4.0/go.mod h1:TSUbI3wBy9jgQl5lRUCR+B5pNiOxp6M26Jep8VCL/eM=
-github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw=
-github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0=
+github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e h1:O5j5SeCNBrXApgBTOobO06q4LMxJxIhcSGE7H6Y154E=
+github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e/go.mod h1:gS8VhlNxhraiq60BBnJw9kGtjeMspQ9E8pX24jCL4jg=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc h1:/mFBYIK9RY+L8s1CIbQbJ5B3v0YmoDSu5eAzavvMa+Y=

integration/testdata/fixtures/db/oracle.yaml

@@ -7,8 +7,14 @@
             FixedVersion: "7.61.1-11.el8"
             Entries:
               - FixedVersion: "7.61.1-11.el8"
+                Arches:
+                  - x86_64
+                  - aarch64
         - key: CVE-2019-5436
           value:
             FixedVersion: "7.61.1-12.el8"
             Entries:
               - FixedVersion: "7.61.1-12.el8"
+                Arches:
+                  - x86_64
+                  - aarch64

pkg/detector/ospkg/oracle/oracle.go

@@ -50,7 +50,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 
 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		advisories, err := s.vs.Get(osVer, pkg.Name)
+		advisories, err := s.vs.Get(osVer, pkg.Name, pkg.Arch)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get Oracle Linux advisory: %w", err)
 		}

pkg/detector/ospkg/oracle/oracle_test.go

@@ -139,6 +139,60 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "different fixed versions for different arches",
+			fixtures: []string{
+				"testdata/fixtures/oracle7.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			args: args{
+				osVer: "7",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "rsyslog",
+						Version:    "8.24.0",
+						Release:    "57.0.0.el7",
+						Arch:       "x86_64",
+						SrcName:    "rsyslog",
+						SrcVersion: "8.24.0",
+						SrcRelease: "57.0.0.el7",
+					},
+					{
+						Name:       "rsyslog",
+						Version:    "8.24.0",
+						Release:    "57.0.0.el7",
+						Arch:       "aarch64",
+						SrcName:    "rsyslog",
+						SrcVersion: "8.24.0",
+						SrcRelease: "57.0.0.el7",
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2022-24903",
+					PkgName:          "rsyslog",
+					InstalledVersion: "8.24.0-57.0.0.el7",
+					FixedVersion:     "8.24.0-57.0.1.el7_9.3",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.OracleOVAL,
+						Name: "Oracle Linux OVAL definitions",
+						URL:  "https://linux.oracle.com/security/oval/",
+					},
+				},
+				{
+					VulnerabilityID:  "CVE-2022-24903",
+					PkgName:          "rsyslog",
+					InstalledVersion: "8.24.0-57.0.0.el7",
+					FixedVersion:     "8.24.0-57.0.4.el7_9.3",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.OracleOVAL,
+						Name: "Oracle Linux OVAL definitions",
+						URL:  "https://linux.oracle.com/security/oval/",
+					},
+				},
+			},
+		},
 		{
 			name: "without ksplice",
 			fixtures: []string{

pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml

@@ -7,19 +7,40 @@
             FixedVersion: "7.29.0-59.0.1.el7_9.1"
             Entries:
               - FixedVersion: "7.29.0-59.0.1.el7_9.1"
+                Arches:
+                  - x86_64
+                  - aarch64
     - bucket: glibc
       pairs:
         - key: CVE-2017-1000364
           value:
             FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
             Entries:
               - FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
+                Arches:
+                  - x86_64
+                  - aarch64
     - bucket: gnutls
       pairs:
         - key: CVE-2021-20232
           value:
             FixedVersion: "3.6.16-4.el8"
             Entries:
               - FixedVersion: "10:3.6.16-4.0.1.el8_fips"
+                Arches:
+                  - x86_64
               - FixedVersion: "3.6.16-4.el8"
-
+                Arches:
+                  - x86_64
+    - bucket: rsyslog
+      pairs:
+        - key: CVE-2022-24903
+          value:
+            FixedVersion: "8.24.0-57.0.1.el7_9.3"
+            Entries:
+              - FixedVersion: "8.24.0-57.0.1.el7_9.3"
+                Arches:
+                  - x86_64
+              - FixedVersion: "8.24.0-57.0.4.el7_9.3"
+                Arches:
+                  - aarch64