fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)

This commit is contained in:
DmitriyLewen
2025-05-12 12:26:14 +06:00
committed by GitHub
parent 6ebde88dbc
commit 9256804df8
6 changed files with 22 additions and 1 deletion


@@ -113,4 +113,4 @@ Total: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
```
</details>
</details>
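Review bot: the hunk header `@@ -113,4 +113,4 @@` covers four lines with no visible added or removed content, so this is most likely a whitespace or end-of-file newline change to the sample output table. If it is unrelated to the Red Hat content-set fix, drop it from this PR to keep the diff focused; otherwise mention it in the commit message so a reader knows why a documentation table moved.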


@@ -22,6 +22,13 @@ Trivy detects packages that have been installed through package managers such as
## Vulnerability
Red Hat offers its own security advisories, and these are utilized when scanning Red Hat Enterprise Linux (RHEL) for vulnerabilities.
### Content manifests
Red Hats security advisories use CPEs to identify product sets. For example, even packages installed in the same container image can have different CPEs.
For this reason, Red Hats container images include stored content manifests, which we convert to CPEs, and perform vulnerability scanning.
Since this system ties each content manifest to its packages on a per-layer basis,
if layers get merged (for instance, by using `docker run` or `docker export`) we can no longer determine the correct CPE, which may lead to false detection.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
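Review bot: the possessive is wrong twice in the "Content manifests" paragraph ("Red Hats security advisories", "Red Hats container images"); both should be "Red Hat's". More importantly, the paragraph only explains the merged-layer case (`docker run`, `docker export`), yet the notes this PR adds to the fs and vm pages point readers to this exact anchor for `trivy fs` and `trivy vm`. A rootfs or VM image has no layer boundaries at all, so state that directly here, e.g. "The same applies to `trivy fs` and `trivy vm`, where the whole filesystem is a single layer." Finally, "may lead to false detection" is vague; say whether the consequence is false positives, false negatives, or both, since that is what a reader deciding whether to trust the result needs.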
@@ -82,3 +89,5 @@ Trivy identifies licenses by examining the metadata of RPM packages.
[NVD]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[vulnerability statuses]: ../../configuration/filtering.md#by-status
[content-set-default]: https://github.com/aquasecurity/trivy/blob/c80310d7690d8aeb7d3d77416c18c0c8b9aebe17/pkg/detector/ospkg/redhat/redhat.go#L25-L42


@@ -14,6 +14,9 @@ $ trivy rootfs /path/to/rootfs
You should use `trivy fs` to scan your local projects in CI/CD.
See [here](../scanner/vulnerability.md) for the differences.
!!! note
Scanning vulnerabilities for `Red Hat` has a limitation, see the [Red Hat](../coverage/os/rhel.md#content-manifests) page for details.
## Performance Optimization
By default, Trivy traverses all files from the specified root directory to find target files for scanning.
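Review bot: the body of the `!!! note` admonition must be indented (four spaces) for mkdocs-material to render it as an admonition; as shown here, "Scanning vulnerabilities for `Red Hat` has a limitation, ..." sits flush with the `!!! note` marker. If that is rendering loss in this view, ignore; otherwise indent it. The wording also differs from the equivalent note added to the vm page ("Scanning `Red Hat` has a limitation"); use one phrasing on both pages, and since Red Hat is a product name rather than code, drop the backticks.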


@@ -150,6 +150,9 @@ See [here](../scanner/vulnerability.md) for the detail.
$ trivy vm [YOUR_VM_IMAGE]
```
!!! note
Scanning `Red Hat` has a limitation, see the [Red Hat](../coverage/os/rhel.md#content-manifests) page for details.
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
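Review bot: same admonition indentation check as on the fs page, and "Scanning `Red Hat` has a limitation" should use the same phrasing as the fs note. Say what is limited, too: the linked section is about vulnerability detection via content manifests and CPEs, so "Vulnerability detection for Red Hat has a limitation" is more accurate than "Scanning `Red Hat`", which reads as if VM scanning of RHEL were unsupported.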


@@ -207,6 +207,9 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) {
Secrets: result.Secrets,
Licenses: result.Licenses,
CustomResources: result.CustomResources,
// For Red Hat
BuildInfo: result.BuildInfo,
}
if err = a.handlerManager.PostHandle(ctx, result, &blobInfo); err != nil {
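Review bot: copying `result.BuildInfo` into `blobInfo` only fixes the fs mode if the content-manifest analyzer actually runs there and populates `result.BuildInfo`; nothing in this hunk shows that, and the PR adds no test. Add a test in this package that inspects a fixture containing a Red Hat content manifest and asserts that `BuildInfo` is non-nil in the blob handed to `PostHandle`, so a future refactor cannot silently drop it again. The comment `// For Red Hat` only restates what `BuildInfo` is; a comment saying why it must be carried here (the Red Hat detector needs content sets to build CPEs) or a reference to the issue would be more useful to the next reader.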


@@ -157,6 +157,9 @@ func (a *Storage) Analyze(ctx context.Context, r *io.SectionReader) (types.BlobI
Secrets: result.Secrets,
Licenses: result.Licenses,
CustomResources: result.CustomResources,
// For Red Hat
BuildInfo: result.BuildInfo,
}
if err = a.handlerManager.PostHandle(ctx, result, &blobInfo); err != nil {
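Review bot: this block is identical to the one in the fs artifact (`Secrets`, `Licenses`, `CustomResources`, now `BuildInfo`), and this bug existed precisely because the field was missed in two hand-written copies of the same struct literal. Consider a single helper that converts an analysis result into `types.BlobInfo` and have both `Inspect` and `Analyze` call it, so the field list cannot drift between call sites. As with the fs change, a vm-mode test asserting that `BuildInfo` reaches `PostHandle` would lock the fix in.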