feat: add openSUSE tumbleweed detection and scanning (aquasecurity#6965)

Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: 2 people

docs/docs/coverage/os/index.md

@@ -22,6 +22,7 @@ Trivy supports operating systems for
 | [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
 | [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
 | [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)       | (n/a)                               | zypper/rpm       |
 | [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
 | [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |

docs/docs/coverage/os/suse.md

@@ -2,6 +2,7 @@
 Trivy supports the following distributions:
 
 - openSUSE Leap
+- openSUSE Tumbleweed
 - SUSE Enterprise Linux (SLE)
 
 Please see [here](index.md#supported-os) for supported versions.
@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
 
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
 
-[vulnerability statuses]: ../../configuration/filtering.md#by-status
+[vulnerability statuses]: ../../configuration/filtering.md#by-status

integration/client_server_test.go

@@ -212,6 +212,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: csArgs{

integration/docker_engine_test.go

@@ -192,6 +192,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			golden:   "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name:     "opensuse tumbleweed",
+			imageTag: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
+			input:    "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			golden:   "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name:     "photon 3.0",
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",

integration/standalone_tar_test.go

@@ -322,6 +322,14 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: args{
+				Format: types.FormatJSON,
+				Input:  "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: args{

integration/testdata/fixtures/db/opensuse.yaml

@@ -9,4 +9,11 @@
       pairs:
         - key: "openSUSE-SU-2020:0062-1"
           value:
-            FixedVersion: 1.1.0i-lp151.8.6.1
+            FixedVersion: 1.1.0i-lp151.8.6.1
+- bucket: "openSUSE Tumbleweed"
+  pairs:
+    - bucket: libopenssl3
+      pairs:
+        - key: "openSUSE-SU-2024:13065-1"
+          value:
+            FixedVersion: 3.1.5-9.1 # changed for test

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1340,6 +1340,15 @@
         - https://nvd.nist.gov/vuln/detail/CVE-2022-24775
       PublishedDate: "2022-03-25T19:26:33Z"
       LastModifiedDate: "2022-06-14T20:02:29Z"
+  - key: openSUSE-SU-2024:13065-1
+    value:
+      Title: "libopenssl-3-devel-3.1.1-3.1 on GA media"
+      Description: "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed."
+      Severity: MEDIUM
+      References:
+        - "https://www.suse.com/security/cve/CVE-2023-2975/"
+        - "https://www.suse.com/security/cve/CVE-2023-3446/"
+        - "https://www.suse.com/support/security/rating/"
   - key: CVE-2022-22965
     value:
       Title: "spring-framework: RCE via Data Binding on JDK 9+"

integration/testdata/opensuse-tumbleweed.json.golden

@@ -0,0 +1,94 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "opensuse.tumbleweed",
+      "Name": "20240607"
+    },
+    "ImageID": "sha256:580e73f5c823232e6587136e9f5428a89afdf77a123bb8575d08208e0cc34b12",
+    "DiffIDs": [
+      "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Fabian Vogt \[email protected]\u003e",
+      "created": "2024-06-07T17:19:44Z",
+      "history": [
+        {
+          "author": "Fabian Vogt \[email protected]\u003e",
+          "created": "2024-06-07T17:19:44Z",
+          "created_by": "KIWI 10.0.19",
+          "comment": "openSUSE Tumbleweed 20240607 Base Container"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "org.openbuildservice.disturl": "obs://build.opensuse.org/openSUSE:Factory/images/b068e2522114e1c009e9bfa1b5cb1146-opensuse-tumbleweed-image:docker",
+          "org.opencontainers.image.created": "2024-06-07T17:19:38.229693664Z",
+          "org.opencontainers.image.description": "Image containing a minimal environment for containers based on openSUSE Tumbleweed.",
+          "org.opencontainers.image.source": "https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-tumbleweed-image?rev=b068e2522114e1c009e9bfa1b5cb1146",
+          "org.opencontainers.image.title": "openSUSE Tumbleweed Base Container",
+          "org.opencontainers.image.url": "https://www.opensuse.org/",
+          "org.opencontainers.image.vendor": "openSUSE Project",
+          "org.opencontainers.image.version": "20240607.30.45",
+          "org.opensuse.base.created": "2024-06-07T17:19:38.229693664Z",
+          "org.opensuse.base.description": "Image containing a minimal environment for containers based on openSUSE Tumbleweed.",
+          "org.opensuse.base.disturl": "obs://build.opensuse.org/openSUSE:Factory/images/b068e2522114e1c009e9bfa1b5cb1146-opensuse-tumbleweed-image:docker",
+          "org.opensuse.base.reference": "registry.opensuse.org/opensuse/tumbleweed:20240607.30.45",
+          "org.opensuse.base.source": "https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-tumbleweed-image?rev=b068e2522114e1c009e9bfa1b5cb1146",
+          "org.opensuse.base.title": "openSUSE Tumbleweed Base Container",
+          "org.opensuse.base.url": "https://www.opensuse.org/",
+          "org.opensuse.base.vendor": "openSUSE Project",
+          "org.opensuse.base.version": "20240607.30.45",
+          "org.opensuse.reference": "registry.opensuse.org/opensuse/tumbleweed:20240607.30.45"
+        }
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz (opensuse.tumbleweed 20240607)",
+      "Class": "os-pkgs",
+      "Type": "opensuse.tumbleweed",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "openSUSE-SU-2024:13065-1",
+          "PkgID": "[email protected]_64",
+          "PkgName": "libopenssl3",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/opensuse.tumbleweed/[email protected]?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
+            "UID": "f051425f385d2b99"
+          },
+          "InstalledVersion": "3.1.4-9.1",
+          "FixedVersion": "3.1.5-9.1",
+          "Status": "fixed",
+          "Layer": {
+            "Digest": "sha256:427d16a14c45614f51357aeebee0dfe209a1cebfc044b3b724b6ea35663b3111",
+            "DiffID": "sha256:7a335bdf2d91d6d158da360054aa7e477d708187d43fe9d0ac20144cdf90f763"
+          },
+          "Title": "libopenssl-3-devel-3.1.1-3.1 on GA media",
+          "Description": "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed.",
+          "Severity": "MEDIUM",
+          "References": [
+            "https://www.suse.com/security/cve/CVE-2023-2975/",
+            "https://www.suse.com/security/cve/CVE-2023-3446/",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        }
+      ]
+    }
+  ]
+}

pkg/detector/ospkg/detect.go

@@ -30,21 +30,22 @@ var (
 	ErrUnsupportedOS = xerrors.New("unsupported os")
 
 	drivers = map[ftypes.OSType]Driver{
-		ftypes.Alpine:       alpine.NewScanner(),
-		ftypes.Alma:         alma.NewScanner(),
-		ftypes.Amazon:       amazon.NewScanner(),
-		ftypes.CBLMariner:   mariner.NewScanner(),
-		ftypes.Debian:       debian.NewScanner(),
-		ftypes.Ubuntu:       ubuntu.NewScanner(),
-		ftypes.RedHat:       redhat.NewScanner(),
-		ftypes.CentOS:       redhat.NewScanner(),
-		ftypes.Rocky:        rocky.NewScanner(),
-		ftypes.Oracle:       oracle.NewScanner(),
-		ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
-		ftypes.SLES:         suse.NewScanner(suse.SUSEEnterpriseLinux),
-		ftypes.Photon:       photon.NewScanner(),
-		ftypes.Wolfi:        wolfi.NewScanner(),
-		ftypes.Chainguard:   chainguard.NewScanner(),
+		ftypes.Alpine:             alpine.NewScanner(),
+		ftypes.Alma:               alma.NewScanner(),
+		ftypes.Amazon:             amazon.NewScanner(),
+		ftypes.CBLMariner:         mariner.NewScanner(),
+		ftypes.Debian:             debian.NewScanner(),
+		ftypes.Ubuntu:             ubuntu.NewScanner(),
+		ftypes.RedHat:             redhat.NewScanner(),
+		ftypes.CentOS:             redhat.NewScanner(),
+		ftypes.Rocky:              rocky.NewScanner(),
+		ftypes.Oracle:             oracle.NewScanner(),
+		ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
+		ftypes.OpenSUSELeap:       suse.NewScanner(suse.OpenSUSE),
+		ftypes.SLES:               suse.NewScanner(suse.SUSEEnterpriseLinux),
+		ftypes.Photon:             photon.NewScanner(),
+		ftypes.Wolfi:              wolfi.NewScanner(),
+		ftypes.Chainguard:         chainguard.NewScanner(),
 	}
 )
 

pkg/detector/ospkg/suse/suse.go

@@ -68,6 +68,7 @@ const (
 	SUSEEnterpriseLinux Type = iota
 	// OpenSUSE for open versions
 	OpenSUSE
+	OpenSUSETumbleweed
 )
 
 // Scanner implements the SUSE scanner
@@ -86,6 +87,10 @@ func NewScanner(t Type) *Scanner {
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
 		}
+	case OpenSUSETumbleweed:
+		return &Scanner{
+			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed),
+		}
 	}
 	return nil
 }
@@ -130,5 +135,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
 	if osFamily == ftypes.SLES {
 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
 	}
+	// tumbleweed is a rolling release, it has no version and no eol
+	if osFamily == ftypes.OpenSUSETumbleweed {
+		return true
+	}
 	return osver.Supported(ctx, opensuseEolDates, osFamily, osVer)
 }

pkg/detector/ospkg/suse/suse_test.go

@@ -71,6 +71,46 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path: tumbleweed",
+			fixtures: []string{
+				"testdata/fixtures/tumbleweed.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.OpenSUSETumbleweed,
+			args: args{
+				osVer: "",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "singularity-ce",
+						Version:    "4.1.3",
+						Release:    "1.0",
+						SrcName:    "postgresql",
+						SrcVersion: "4.1.3",
+						SrcRelease: "1.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "singularity-ce",
+					VulnerabilityID:  "openSUSE-SU-2024:14059-1",
+					InstalledVersion: "4.1.3-1.0",
+					FixedVersion:     "4.1.3-1.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
 		{
 			name: "broken bucket",
 			fixtures: []string{
@@ -122,6 +162,16 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 		args         args
 		want         bool
 	}{
+		{
+			name: "opensuse.tumbleweed",
+			now:  time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			args: args{
+				osFamily: "opensuse.tumbleweed",
+				osVer:    "",
+			},
+			distribution: suse.OpenSUSETumbleweed,
+			want:         true,
+		},
 		{
 			name: "opensuse.leap42.3",
 			now:  time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),

pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml

@@ -1,5 +1,10 @@
 - bucket: data-source
   pairs:
+    - key: openSUSE Tumbleweed
+      value:
+        ID: "suse-cvrf"
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
     - key: openSUSE Leap 15.3
       value:
         ID: "suse-cvrf"
@@ -9,4 +14,4 @@
       value:
         ID: "suse-cvrf"
         Name: "SUSE CVRF"
-        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"

pkg/detector/ospkg/suse/testdata/fixtures/tumbleweed.yaml

@@ -0,0 +1,7 @@
+- bucket: openSUSE Tumbleweed
+  pairs:
+    - bucket: singularity-ce
+      pairs:
+        - key: openSUSE-SU-2024:14059-1
+          value:
+            FixedVersion: "4.1.3-1.1"

pkg/fanal/test/integration/library_test.go

@@ -98,6 +98,15 @@ var tests = []testCase{
 			Family: "opensuse.leap",
 		},
 	},
+	{
+		name:            "happy path, opensuse tumbleweed",
+		remoteImageName: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
+		imageFile:       "../../../../integration/testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+		wantOS: types.OS{
+			Name:   "20240607",
+			Family: "opensuse.tumbleweed",
+		},
+	},
 	{
 		// from registry.suse.com/suse/sle15:15.3.17.8.16
 		name:            "happy path, suse 15.3 (NDB)",