feat(rocky): Add Rootio Rocky Support #557
urimils wants to merge 11 commits into aquasecurity:main from
Uri seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
pkg/db/db.go
| Get(string, string) ([]types.Advisory, error) | ||
| } | ||
| type TrioGetter interface { |
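Review bot: introducing a second `TrioGetter` interface next to the existing `Get(string, string)` contract means every backend that wants arch-aware lookups now has two Get shapes to satisfy and callers must know which one to pick; a single `Get` taking a parameter struct (the `db.GetParams` approach this thread later rebases onto) keeps one entry point and makes arch an optional field rather than a separate interface.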
That's exactly the rationale behind this part of the PR: the differences between the two-argument and three-argument getters (otherwise it would have been a very simple addition). Do you want me to rebase above the #558 branch?
Ok, so I will wait for the merge there before updating this PR (I just wanted to be proactive)
For now you can edit other comments :)
pkg/vulnsrc/rootio/rootio_test.go
| args: args{ | ||
| osVer: "11", | ||
| pkgName: "openssl", | ||
| arch: "amd64", |
This change can be confusing (Debian advisories don't use arches).
So let's add arch only for Rocky-related advisories.
Rocky feeds will be added on our side very shortly (a matter of a week or two) with exactly the same format as Debian and Ubuntu. We are opening this PR now to allow Trivy to catch these in the July release.
thank you for trying to prepare PRs in advance!
Will update the file. Thanks!
f40ec08 to 892f5bc
| { | ||
| "pkg": { | ||
| "name": "nginx", | ||
| "cves": { |
Will there be architectures in the root.io feed?
I think we can't use Rocky's arches because:
- There is a case where Rocky's advisory doesn't contain a CVE, but root.io has a fix for that CVE.
- There seems to be a case where root.io and Rocky advisories contain different architectures.
From our point of view archs don't really matter:
- A vulnerability is relevant for both archs and we create fixes for both
- A vulnerability is only relevant for one arch and we create a fix for it
Let's see the following example:
There is CVE-2000-0001 for pkgA (affected versions are > 0.0.1 < 0.0.5) for amd64 only.
You create a fix for this CVE and add it to the feed (vulnerable_ranges is > 0.0.1 < 0.0.5-root.io.1).
User scans pkgA@0.0.2 for aarch64.
We find that the feed contains CVE-2000-0001 for this package and show this package as vulnerable.
This is a false positive.
I see two options here:
- I add arch per CVE for Rocky
- There can be logic that checks: if there is no advisory from Red Hat, don't add the root vulnerability
> I add arch per CVE for Rocky

You mean in the root.io feed, right?
I think this is the best solution.
In this case advisories will be "transparent" for users.
The user will clearly see the vulnerable version, patched version and architecture.
The user will not need to refer to another advisory source, etc.
Ok, after discussing internally, I will update the feed for all CVEs with the arches (to make the feed consistent). From Trivy's PoV there shouldn't be any change: the arch will be ignored for Debian, Ubuntu, Alpine and used for Rocky.
We only need arches for Rocky.
The rest of the distros are at your discretion.
BTW, changes will be required in vuln-list-update;
we did not specify the arch in the schema:
https://github.com/aquasecurity/vuln-list-update/blob/be8391dd6bbdc696d65fd50adeb629aabde0a206/rootio/types.go#L23-L27
892f5bc to a897efc
@DmitriyLewen Rebased
| "path/filepath" | ||
| "testing" | ||
| "github.com/aquasecurity/trivy-db/pkg/db" |
We use this import:
trivy-db/pkg/vulnsrc/amazon/amazon_test.go
Line 155 in a897efc
| "path/filepath" | ||
| "testing" | ||
| "github.com/aquasecurity/trivy-db/pkg/db" |
pkg/vulnsrc/photon/photon_test.go
| package photon | ||
| import ( | ||
| "github.com/aquasecurity/trivy-db/pkg/db" |
It will be a linter error.
| - bucket: rocky 9 | ||
| pairs: | ||
| - bucket: openssl | ||
| pairs: | ||
| - key: CVE-2023-0464 | ||
| value: | ||
| FixedVersion: "" | ||
| Status: 2 | ||
| - key: CVE-2024-13176 | ||
| value: | ||
| FixedVersion: "" | ||
| Status: 2 No newline at end of file |
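Review bot: the rocky 9 golden file ends without a trailing newline (the `No newline at end of file` marker after the final `Status: 2`); add one so the fixture is a well-formed text file and later edits to it do not show the last line as changed in every diff.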
IIRC Rocky always contains arch.
Tell me if you know of CVEs without arch.
| - bucket: root.io rocky 8 | ||
| pairs: | ||
| - bucket: openssl | ||
| pairs: | ||
| - key: CVE-2023-0464 | ||
| value: | ||
| VulnerableVersions: | ||
| - "<1.1.1k-7.el8_6.root.io.1" | ||
| PatchedVersions: | ||
| - "1.1.1k-7.el8_6.root.io.1" | ||
| - key: CVE-2024-13176 | ||
| value: | ||
| VulnerableVersions: | ||
| - "<3.0.7-1.el8.root.io.2" | ||
| PatchedVersions: | ||
| - "3.0.7-1.el8.root.io.2" |
As we discussed before, root.io advisories will contain arches.
Add arches here.
| "github.com/stretchr/testify/assert" | ||
| "github.com/aquasecurity/trivy-db/pkg/db" |
As for amazon_test.go.
Let's add a test case for the Update function.
We need to add a filter by arch in the Get function.
Example from Rocky:
trivy-db/pkg/vulnsrc/rocky/rocky.go
Lines 296 to 298 in 56ec1e4
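The arch filter requested above, applied to the pkgA / CVE-2000-0001 false-positive scenario from earlier in this thread, as an added illustration that is not code from this PR or from trivy-db. `Advisory`, `GetParams`, the bucket keys and the `feed` contents are all constructed for the example; the real lookup parameters and bucket layout belong to trivy-db.

```go
package main

// Advisory follows the shape discussed in the thread. An empty Arches list
// means the source does not track architecture (Debian/Ubuntu/Alpine), so the
// advisory applies to every architecture.
type Advisory struct {
	VulnerabilityID string
	PatchedVersion  string
	Arches          []string
}

// GetParams is a hypothetical stand-in for the lookup parameters, not trivy-db's db.GetParams.
type GetParams struct {
	Bucket, PkgName, Arch string
}

// feed is constructed sample data keyed by "<bucket>/<package>", not a real root.io
// feed: the thread's amd64-only CVE-2000-0001 case plus a hypothetical arch-less
// Debian-style advisory (pkgB / CVE-2000-0002) for contrast.
var feed = map[string][]Advisory{
	"root.io rocky 9/pkgA": {
		{VulnerabilityID: "CVE-2000-0001", PatchedVersion: "0.0.5-root.io.1", Arches: []string{"amd64"}},
	},
	"root.io debian 11/pkgB": {
		{VulnerabilityID: "CVE-2000-0002", PatchedVersion: "1.0.0-1.root.io.1"},
	},
}

// archMatches reports whether adv applies to the scanned architecture.
func archMatches(adv Advisory, arch string) bool {
	for _, a := range adv.Arches {
		if a == arch {
			return true
		}
	}
	return len(adv.Arches) == 0 // arch-less sources apply everywhere
}

// Get returns the advisories for the bucket and package, dropping those scoped
// to other architectures, so pkgA@0.0.2 on aarch64 is not reported vulnerable.
func Get(p GetParams) []Advisory {
	var out []Advisory
	for _, adv := range feed[p.Bucket+"/"+p.PkgName] {
		if archMatches(adv, p.Arch) {
			out = append(out, adv)
		}
	}
	return out
}
```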
…o-rocky-support Resolved merge conflicts by accepting upstream changes that use db.GetParams interface instead of individual parameters in Get methods. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Hello @chait-slim,
Add support for Rocky in the Root.io flow.
Since Rocky uses arch as well as OS and package versions, added an adapter so both options can be used where "Get" is required.