Skip to content

Commit 0b26c3b

Browse files
G-RathG-Rath
committed
feat: support scanning rpm databases
1 parent 4a538ae commit 0b26c3b

File tree

6 files changed

+122
-0
lines changed

6 files changed

+122
-0
lines changed

cmd/osv-scanner/scan/image/__snapshots__/command_test.snap

Lines changed: 102 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -632,6 +632,108 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
632632
633633
---
634634
635+
[TestCommand_OCIImage/rockylinux_empty_image - 1]
636+
Scanning local image tarball "./testdata/test-rockylinux.tar"
637+
638+
Container Scanning Result (Rocky Linux 9.2 (Blue Onyx)):
639+
Total 13 packages affected by 32 known vulnerabilities (0 Critical, 15 High, 3 Medium, 0 Low, 14 Unknown) from 2 ecosystems.
640+
4 vulnerabilities can be fixed.
641+
642+
643+
PyPI
644+
+--------------------------------------------------------------------------------------------------+
645+
| Source:artifact:/usr/share/python3-wheels/pip-21.2.3-py3-none-any.whl |
646+
+---------+-------------------+---------------+------------+------------------+--------------------+
647+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
648+
+---------+-------------------+---------------+------------+------------------+--------------------+
649+
| pip | 21.2.3 | Fix Available | 1 | # 0 Layer | library/rockylinux |
650+
+---------+-------------------+---------------+------------+------------------+--------------------+
651+
+-----------------------------------------------------------------------------------------------------+
652+
| Source:artifact:/usr/share/python3-wheels/setuptools-53.0.0-py3-none-any.whl |
653+
+------------+-------------------+---------------+------------+------------------+--------------------+
654+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
655+
+------------+-------------------+---------------+------------+------------------+--------------------+
656+
| setuptools | 53.0.0 | Fix Available | 3 | # 0 Layer | library/rockylinux |
657+
+------------+-------------------+---------------+------------+------------------+--------------------+
658+
Rocky Linux
659+
+--------------------------------------------------------------------------------------------------------------------------------------+
660+
| Source:os:/var/lib/rpm/rpmdb.sqlite |
661+
+----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
662+
| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
663+
+----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
664+
| expat | 2.5.0-1.el9 | No fix available | 2 | expat | # 0 Layer | library/rockylinux |
665+
| glib2 | 2.68.4-6.el9 | No fix available | 1 | glib2 | # 0 Layer | library/rockylinux |
666+
| glibc | 2.34-60.el9 | No fix available | 2 | glibc | # 0 Layer | library/rockylinux |
667+
| gnutls | 3.7.6-20.el9_2 | No fix available | 1 | gnutls | # 0 Layer | library/rockylinux |
668+
| less | 590-1.el9_0 | No fix available | 3 | less | # 0 Layer | library/rockylinux |
669+
| libeconf | 0.4.1-2.el9 | No fix available | 1 | libeconf | # 0 Layer | library/rockylinux |
670+
| libgcrypt | 1.10.0-10.el9_2 | No fix available | 1 | libgcrypt | # 0 Layer | library/rockylinux |
671+
| libxml2 | 2.9.13-3.el9_1 | No fix available | 2 | libxml2 | # 0 Layer | library/rockylinux |
672+
| openssl | 3.0.7-6.el9_2 | No fix available | 12 | openssl | # 0 Layer | library/rockylinux |
673+
| pam | 1.5.1-14.el9 | No fix available | 1 | pam | # 0 Layer | library/rockylinux |
674+
| tar | 1.34-6.el9_1 | No fix available | 2 | tar | # 0 Layer | library/rockylinux |
675+
+----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
676+
677+
For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
678+
You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
679+
680+
---
681+
682+
[TestCommand_OCIImage/rockylinux_empty_image - 2]
683+
684+
---
685+
686+
[TestCommand_OCIImage/rockylinux_empty_image_all_vulns - 1]
687+
Scanning local image tarball "./testdata/test-rockylinux.tar"
688+
689+
Container Scanning Result (Rocky Linux 9.2 (Blue Onyx)):
690+
Total 13 packages affected by 32 known vulnerabilities (0 Critical, 15 High, 3 Medium, 0 Low, 14 Unknown) from 2 ecosystems.
691+
4 vulnerabilities can be fixed.
692+
693+
694+
PyPI
695+
+--------------------------------------------------------------------------------------------------+
696+
| Source:artifact:/usr/share/python3-wheels/pip-21.2.3-py3-none-any.whl |
697+
+---------+-------------------+---------------+------------+------------------+--------------------+
698+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
699+
+---------+-------------------+---------------+------------+------------------+--------------------+
700+
| pip | 21.2.3 | Fix Available | 1 | # 0 Layer | library/rockylinux |
701+
+---------+-------------------+---------------+------------+------------------+--------------------+
702+
+-----------------------------------------------------------------------------------------------------+
703+
| Source:artifact:/usr/share/python3-wheels/setuptools-53.0.0-py3-none-any.whl |
704+
+------------+-------------------+---------------+------------+------------------+--------------------+
705+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
706+
+------------+-------------------+---------------+------------+------------------+--------------------+
707+
| setuptools | 53.0.0 | Fix Available | 3 | # 0 Layer | library/rockylinux |
708+
+------------+-------------------+---------------+------------+------------------+--------------------+
709+
Rocky Linux
710+
+--------------------------------------------------------------------------------------------------------------------------------------+
711+
| Source:os:/var/lib/rpm/rpmdb.sqlite |
712+
+----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
713+
| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
714+
+----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
715+
| expat | 2.5.0-1.el9 | No fix available | 2 | expat | # 0 Layer | library/rockylinux |
716+
| glib2 | 2.68.4-6.el9 | No fix available | 1 | glib2 | # 0 Layer | library/rockylinux |
717+
| glibc | 2.34-60.el9 | No fix available | 2 | glibc | # 0 Layer | library/rockylinux |
718+
| gnutls | 3.7.6-20.el9_2 | No fix available | 1 | gnutls | # 0 Layer | library/rockylinux |
719+
| less | 590-1.el9_0 | No fix available | 3 | less | # 0 Layer | library/rockylinux |
720+
| libeconf | 0.4.1-2.el9 | No fix available | 1 | libeconf | # 0 Layer | library/rockylinux |
721+
| libgcrypt | 1.10.0-10.el9_2 | No fix available | 1 | libgcrypt | # 0 Layer | library/rockylinux |
722+
| libxml2 | 2.9.13-3.el9_1 | No fix available | 2 | libxml2 | # 0 Layer | library/rockylinux |
723+
| openssl | 3.0.7-6.el9_2 | No fix available | 12 | openssl | # 0 Layer | library/rockylinux |
724+
| pam | 1.5.1-14.el9 | No fix available | 1 | pam | # 0 Layer | library/rockylinux |
725+
| tar | 1.34-6.el9_1 | No fix available | 2 | tar | # 0 Layer | library/rockylinux |
726+
+----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
727+
728+
For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
729+
You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
730+
731+
---
732+
733+
[TestCommand_OCIImage/rockylinux_empty_image_all_vulns - 2]
734+
735+
---
736+
635737
[TestCommand_OCIImage/scanning_image_with_go_binary - 1]
636738
Scanning local image tarball "./testdata/test-package-tracing.tar"
637739

cmd/osv-scanner/scan/image/command_test.go

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -212,6 +212,16 @@ func TestCommand_OCIImage(t *testing.T) {
212212
"./testdata/test-ubuntu-20-04.tar"},
213213
Exit: 0,
214214
},
215+
{
216+
Name: "rockylinux_empty_image",
217+
Args: []string{"", "image", "--archive", "./testdata/test-rockylinux.tar"},
218+
Exit: 1,
219+
},
220+
{
221+
Name: "rockylinux_empty_image_all_vulns",
222+
Args: []string{"", "image", "--all-vulns", "--archive", "./testdata/test-rockylinux.tar"},
223+
Exit: 1,
224+
},
215225
{
216226
Name: "Scanning python image with some packages",
217227
Args: []string{"", "image", "--archive", "./testdata/test-python-full.tar"},

cmd/osv-scanner/scan/image/testdata/test-rockylinux.Dockerfile

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
FROM rockylinux:9.2.20230513@sha256:b07e21a7bbcecbae55b9153317d333d4d50808bf5dc0859db0180b6fbd7afb3d

internal/scalibrplugin/__snapshots__/resolve_test.snap

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ java/archive
2929
javascript/nodemodules
3030
os/apk
3131
os/dpkg
32+
os/rpm
3233
python/wheelegg
3334
rust/cargoauditable
3435
---

internal/scalibrplugin/presets.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ import (
3232
extractors "github.com/google/osv-scalibr/extractor/filesystem/list"
3333
"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
3434
"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
35+
"github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
3536
"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
3637
"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
3738
"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -130,5 +131,7 @@ var ExtractorPresets = map[string]extractors.InitMap{
130131
apk.Name: {apk.NewDefault},
131132
// Debian
132133
dpkg.Name: {dpkg.NewDefault},
134+
// RedHat
135+
rpm.Name: {rpm.NewDefault},
133136
},
134137
}

internal/scalibrplugin/resolve_test.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ import (
2121
chromeextensions "github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions"
2222
"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
2323
"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
24+
"github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
2425
"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
2526
"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
2627
"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -397,6 +398,7 @@ func TestResolve_Extractors(t *testing.T) {
397398
dpkg.Name,
398399
gobinary.Name,
399400
nodemodules.Name,
401+
rpm.Name,
400402
wheelegg.Name,
401403
},
402404
},
@@ -413,6 +415,7 @@ func TestResolve_Extractors(t *testing.T) {
413415
dpkg.Name,
414416
gobinary.Name,
415417
nodemodules.Name,
418+
rpm.Name,
416419
wheelegg.Name,
417420
},
418421
},
@@ -435,6 +438,7 @@ func TestResolve_Extractors(t *testing.T) {
435438
dpkg.Name,
436439
gobinary.Name,
437440
nodemodules.Name,
441+
rpm.Name,
438442
},
439443
},
440444
//
@@ -453,6 +457,7 @@ func TestResolve_Extractors(t *testing.T) {
453457
gobinary.Name,
454458
nodemodules.Name,
455459
vendored.Name,
460+
rpm.Name,
456461
wheelegg.Name,
457462
},
458463
},

0 commit comments

Comments
 (0)