feat(sbom): added support for CoreOS (#9448)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
amitbhardwaj
2025-09-22 12:16:45 +05:30
committed by GitHub
parent c9388069a4
commit 6d562a3b48
13 changed files with 192 additions and 30 deletions


@@ -0,0 +1,17 @@
# CoreOS
This page describes the deprecated `CoreOS Container Linux` (EOL) and its successor, [Fedora CoreOS][fedora-coreos].
Trivy supports the following scanners for OS packages on these systems.
| Scanner | Supported |
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | - |
| License | - |
Please see [here](index.md#supported-os) for supported versions.
## SBOM
Trivy detects packages that are listed in the RPM database.
[fedora-coreos]: https://fedoraproject.org/coreos/


@@ -9,42 +9,44 @@ Trivy supports operating systems for
## Supported OS
| OS | Supported Versions | Package Managers |
|---------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.22, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [MinimOS](minimos.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8, 9 | dnf/yum/rpm |
| [Red Hat Enterprise Linux](rhel.md) | 10 (SBOM only) | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9, 10 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Linux Enterprise](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise Micro](suse.md)| 5, 6 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Echo](echo.md) | (n/a) | apt/dpkg |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [Bottlerocket](bottlerocket.md) | 1.7.0 and upper | bottlerocket |
| [OSs with installed Conda](../others/conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|------------------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.22, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [MinimOS](minimos.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8, 9 | dnf/yum/rpm |
| [Red Hat Enterprise Linux](rhel.md) | 10 (SBOM only) | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9, 10 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm |
| [SUSE Linux Enterprise](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise Micro](suse.md) | 5, 6 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [CoreOS](coreos.md)[^3] | All versions (SBOM only) | rpm |
| [Echo](echo.md) | (n/a) | apt/dpkg |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [Bottlerocket](bottlerocket.md) | 1.7.0 and upper | bottlerocket |
| [OSs with installed Conda](../others/conda.md) | - | conda |
## Supported container images
| Container image | Supported Versions | Package Managers |
|-----------------------------------------------|-------------------------------------|------------------|
| [Google Distroless](google-distroless.md)[^2] | Any | apt/dpkg |
| [Bitnami](../others/bitnami.md) | Any | - |
| Container image | Supported Versions | Package Managers |
|-----------------------------------------------|--------------------|------------------|
| [Google Distroless](google-distroless.md)[^2] | Any | apt/dpkg |
| [Bitnami](../others/bitnami.md) | Any | - |
Each page gives more details.
[^1]: CentOS Stream is not supported
[^2]: https://github.com/GoogleContainerTools/distroless
[^3]: Fedora CoreOS and the deprecated CoreOS Container Linux
[sbom]: ../../supply-chain/sbom.md


@@ -79,6 +79,7 @@ nav:
- Bottlerocket: docs/coverage/os/bottlerocket.md
- CentOS: docs/coverage/os/centos.md
- Chainguard: docs/coverage/os/chainguard.md
- CoreOS: docs/coverage/os/coreos.md
- Debian: docs/coverage/os/debian.md
- Echo: docs/coverage/os/echo.md
- MinimOS: docs/coverage/os/minimos.md


@@ -0,0 +1,28 @@
package coreos
import (
"context"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
)
// Scanner implements the CoreOS scanner
type Scanner struct {
}
// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(ctx context.Context, _ string, _ *ftypes.Repository, _ []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.InfoContext(ctx, "Vulnerability detection of CoreOS packages is currently not supported.")
return nil, nil
}
func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(ctx, nil, osFamily, osver.Minor(osVer))
}
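Review bot: IsSupportedVersion passes a nil EOL map to osver.Supported, so no CoreOS version can ever be found in the table; if Supported behaves as it does for the other ospkg scanners (warn that the version is not on the EOL list and return true), this method always returns true and emits that warning on every scan, so either return true directly with a comment that no EOL dates are tracked for CoreOS, or state in a comment that the warning is intended. Both exported methods lack doc comments; suggest `// Detect always returns no vulnerabilities: CoreOS is supported for SBOM generation only.` and `// IsSupportedVersion reports every version as supported because no EOL dates are tracked for CoreOS.` Because Detect returns an empty result rather than an error, a user scanning a CoreOS image for vulnerabilities gets a clean report, and logging at Warn rather than Info would make that gap harder to miss.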


@@ -12,6 +12,7 @@ import (
"github.com/aquasecurity/trivy/pkg/detector/ospkg/azure"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/bottlerocket"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/coreos"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/driver"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/echo"
@@ -55,6 +56,7 @@ var (
ftypes.Chainguard: chainguard.NewScanner(),
ftypes.Echo: echo.NewScanner(),
ftypes.MinimOS: minimos.NewScanner(),
ftypes.CoreOS: coreos.NewScanner(),
}
// providers dynamically generate drivers based on package information


@@ -26,6 +26,7 @@ const (
TypeSUSE Type = "suse"
TypeUbuntu Type = "ubuntu"
TypeUbuntuESM Type = "ubuntu-esm"
TypeCoreOS Type = "coreos"
// OS Package
TypeApk Type = "apk"
@@ -156,6 +157,7 @@ var (
TypeAlpine,
TypeAmazon,
TypeCBLMariner,
TypeCoreOS,
TypeDebian,
TypePhoton,
TypeCentOS,


@@ -62,6 +62,7 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp
return nil, nil
}
//nolint:gocyclo
func idToOSFamily(id string) types.OSType {
switch id {
case "rhel":
@@ -105,6 +106,8 @@ func idToOSFamily(id string) types.OSType {
return types.Echo
case "minimos":
return types.MinimOS
case "coreos":
return types.CoreOS
}
// This OS is not supported for this analyzer.
return ""
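Review bot: The new `case "coreos":` keys on the os-release `ID` field, which as far as I recall only the retired CoreOS Container Linux sets to `coreos`; Fedora CoreOS ships `ID=fedora` with `VARIANT_ID=coreos`, so it would keep being classified as Fedora here and never reach the new CoreOS scanner even though the docs added in this commit name it as the supported successor. Worth confirming against a current Fedora CoreOS image and, if so, either matching on `VARIANT_ID` as well or narrowing the docs to Container Linux. idToOSFamily begins outside the hunk.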


@@ -239,6 +239,16 @@ func Test_osReleaseAnalyzer_Analyze(t *testing.T) {
},
},
},
{
name: "CoreOS",
inputFile: "testdata/coreos",
want: &analyzer.AnalysisResult{
OS: types.OS{
Family: types.CoreOS,
Name: "3.15.4",
},
},
},
{
name: "Unknown OS",
inputFile: "testdata/unknown",


@@ -0,0 +1,2 @@
ID=coreos
VERSION_ID=3.15.4


@@ -40,6 +40,9 @@ var (
// SQLite3
"usr/lib/sysimage/rpm/rpmdb.sqlite",
"var/lib/rpm/rpmdb.sqlite",
// CoreOS
"usr/share/rpm/rpmdb.sqlite",
}
errUnexpectedNameFormat = xerrors.New("unexpected name format")
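Review bot: The comment `// CoreOS` on the new entry names the distribution that motivated it but not why the path differs; `usr/share/rpm` is, as far as I know, where rpm-ostree based systems (Fedora CoreOS among them) commit the package database, so `// rpm-ostree based systems (e.g. Fedora CoreOS) keep the rpmdb under /usr/share/rpm` would tell the next reader which other images this entry also covers. Only the SQLite file is listed for that location; if rpm-ostree images that still carry a non-SQLite database there matter, a matching entry is missing. The enclosing var block starts outside the hunk.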


@@ -29,6 +29,7 @@ const (
CBLMariner OSType = "cbl-mariner"
CentOS OSType = "centos"
Chainguard OSType = "chainguard"
CoreOS OSType = "coreos"
Debian OSType = "debian"
Echo OSType = "echo"
Fedora OSType = "fedora"
@@ -114,6 +115,7 @@ var (
CBLMariner,
CentOS,
Chainguard,
CoreOS,
Debian,
Echo,
Fedora,


@@ -85,7 +85,17 @@ func New(t ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) (*Pac
namespace = string(metadata.OS.Family)
}
case packageurlTypeBottlerocket:
qualifiers = append(qualifiers, packageurl.Qualifiers{packageurl.Qualifier{Key: "distro", Value: fmt.Sprintf("bottlerocket-%s", metadata.OS.Name)}}...)
qualifiers = append(qualifiers, packageurl.Qualifiers{
packageurl.Qualifier{
Key: "distro", Value: fmt.Sprintf("bottlerocket-%s", metadata.OS.Name),
},
}...)
case packageurl.TypeCoreos:
qualifiers = append(qualifiers, packageurl.Qualifiers{
packageurl.Qualifier{
Key: "distro", Value: fmt.Sprintf("coreos-%s", metadata.OS.Name),
},
}...)
case packageurl.TypeApk:
var qs packageurl.Qualifiers
name, namespace, qs = parseApk(name, metadata.OS)
@@ -487,7 +497,7 @@ func purlType(t ftypes.TargetType) string {
case ftypes.RedHat, ftypes.CentOS, ftypes.Rocky, ftypes.Alma,
ftypes.Amazon, ftypes.Fedora, ftypes.Oracle, ftypes.OpenSUSE,
ftypes.OpenSUSELeap, ftypes.OpenSUSETumbleweed, ftypes.SLES, ftypes.SLEMicro, ftypes.Photon,
ftypes.Azure, ftypes.CBLMariner:
ftypes.Azure, ftypes.CBLMariner, ftypes.CoreOS:
return packageurl.TypeRPM
case ftypes.Bottlerocket:
return packageurlTypeBottlerocket
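Review bot: The new `case packageurl.TypeCoreos:` in New looks unreachable for CoreOS packages: purlType maps ftypes.CoreOS to packageurl.TypeRPM in the second hunk, so if New switches on purlType's result (the switch expression is above the hunk) the RPM case handles these packages and this branch never runs; the `distro` qualifier the new test expects would then come from the RPM handling, which hides the dead branch. Either drop the branch or, if the switch is on the target type rather than the purl type, add a comment explaining why CoreOS needs a distro qualifier distinct from the RPM handling. New's body starts and ends outside the hunk.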


@@ -489,6 +489,43 @@ func TestNewPackageURL(t *testing.T) {
},
},
},
{
name: "coreos package",
typ: ftypes.CoreOS,
metadata: types.Metadata{
OS: &ftypes.OS{
Family: ftypes.CoreOS,
Name: "1.34.0",
},
},
pkg: ftypes.Package{
ID: "glibc@2.40",
Name: "glibc",
Version: "2.40",
Epoch: 1,
Arch: "x86_64",
},
want: &purl.PackageURL{
Type: "rpm",
Namespace: "coreos",
Name: "glibc",
Version: "2.40",
Qualifiers: packageurl.Qualifiers{
{
Key: "arch",
Value: "x86_64",
},
{
Key: "epoch",
Value: "1",
},
{
Key: "distro",
Value: "coreos-1.34.0",
},
},
},
},
}
for _, tc := range testCases {
@@ -800,6 +837,49 @@ func TestPackageURL_Package(t *testing.T) {
},
},
},
{
name: "coreos with epoch",
pkgURL: &purl.PackageURL{
Type: "rpm",
Namespace: "coreos",
Name: "glibc",
Version: "2.40",
Qualifiers: packageurl.Qualifiers{
{
Key: "epoch",
Value: "1",
},
{
Key: "distro",
Value: "coreos-1.34.0",
},
},
},
wantPkg: &ftypes.Package{
ID: "glibc@2.40",
Name: "glibc",
Version: "2.40",
Epoch: 1,
Identifier: ftypes.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: "rpm",
Namespace: "coreos",
Name: "glibc",
Version: "2.40",
Qualifiers: packageurl.Qualifiers{
{
Key: "epoch",
Value: "1",
},
{
Key: "distro",
Value: "coreos-1.34.0",
},
},
},
},
},
},
{
name: "wrong epoch",
pkgURL: &purl.PackageURL{