Support Photon OS (#340)

* Add photon * test(vulnerability): use generated structs and mock * test(photon): add integration tests * test(photon): comment in * test(integration): add vulnerability details to trivy.db * chore(mod): update dependencies * chore(README): add Photon OS Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
aquasecurity · Dec 27, 2019 · fcc193b · fcc193b
1 parent 44d74a7
commit fcc193b
Show file tree

Hide file tree

Showing 19 changed files with 603 additions and 60 deletions.
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ See [here](#continuous-integration-ci) for details.
 # Features
 
 - Detect comprehensive vulnerabilities
-  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux and Distroless)
+  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
   - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
 - Simple
   - Specify only an image name
@@ -1316,11 +1316,12 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Amazon Linux                 | 1, 2                                     | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                | 42, 15                                   | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux        | 11, 12, 15                               | Installed by zypper/rpm       |                  NO                  |
+| Photon OS                    | 1.0, 2.0, 3.0                            | Installed by tdnf/yum/rpm     |                  NO                  |
 | Debian GNU/Linux             | wheezy, jessie, stretch, buster          | Installed by apt/apt-get/dpkg |                 YES                  |
 | Ubuntu                       | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg |                 YES                  |
 | Distroless                   | Any                                      | Installed by apt/apt-get/dpkg |                 YES                  |
 
-RHEL, CentOS, Oracle Linux, SUSE and Amazon Linux package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available.
+RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux and Photon OS package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available.
 
 Distroless: https://github.com/GoogleContainerTools/distroless
 

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20191225115707-0939236aadb8
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297
+	github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cheggaaa/pb/v3 v3.0.3
 	github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f

diff --git a/go.sum b/go.sum
@@ -34,8 +34,8 @@ github.com/aquasecurity/fanal v0.0.0-20191225115707-0939236aadb8/go.mod h1:I+y3t
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4=
-github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297 h1:XyGsaTMGASjxlXW2w+Dn6vwRje8MHASymxj1QEE+xwI=
-github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
+github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1 h1:IVXoVH8ejJuBdxgH/+er2WjBxc0tqIGuBCqI5aWW3A0=
+github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=

diff --git a/integration/client_server_test.go b/integration/client_server_test.go
@@ -277,6 +277,30 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-423.json.golden",
 		},
+		{
+			name: "photon 1.0 integration",
+			testArgs: args{
+				Version: "dev",
+				Input:   "testdata/fixtures/photon-10.tar.gz",
+			},
+			golden: "testdata/photon-10.json.golden",
+		},
+		{
+			name: "photon 2.0 integration",
+			testArgs: args{
+				Version: "dev",
+				Input:   "testdata/fixtures/photon-20.tar.gz",
+			},
+			golden: "testdata/photon-20.json.golden",
+		},
+		{
+			name: "photon 3.0 integration",
+			testArgs: args{
+				Version: "dev",
+				Input:   "testdata/fixtures/photon-30.tar.gz",
+			},
+			golden: "testdata/photon-30.json.golden",
+		},
 		{
 			name: "invalid token",
 			testArgs: args{

diff --git a/integration/standalone_test.go b/integration/standalone_test.go
@@ -311,6 +311,36 @@ func TestRun_WithTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-423.json.golden",
 		},
+		{
+			name: "photon 1.0 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/photon-10.tar.gz",
+			},
+			golden: "testdata/photon-10.json.golden",
+		},
+		{
+			name: "photon 2.0 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/photon-20.tar.gz",
+			},
+			golden: "testdata/photon-20.json.golden",
+		},
+		{
+			name: "photon 3.0 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/photon-30.tar.gz",
+			},
+			golden: "testdata/photon-30.json.golden",
+		},
 	}
 
 	for _, c := range cases {

diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
@@ -100,4 +100,4 @@
       }
     ]
   }
-]
+]
diff --git a/integration/testdata/opensuse-leap-423.json.golden b/integration/testdata/opensuse-leap-423.json.golden
@@ -3,4 +3,4 @@
     "Target": "testdata/fixtures/opensuse-leap-423.tar.gz (opensuse.leap 42.3)",
     "Vulnerabilities": null
   }
-]
+]
diff --git a/integration/testdata/oraclelinux-6-slim.json.golden b/integration/testdata/oraclelinux-6-slim.json.golden
@@ -162,5 +162,4 @@
       }
     ]
   }
-]
-
+]
diff --git a/integration/testdata/oraclelinux-7-slim.json.golden b/integration/testdata/oraclelinux-7-slim.json.golden
@@ -855,5 +855,4 @@
       }
     ]
   }
-]
-
+]
diff --git a/integration/testdata/oraclelinux-8-slim.json.golden b/integration/testdata/oraclelinux-8-slim.json.golden
@@ -3,4 +3,4 @@
     "Target": "testdata/fixtures/oraclelinux-8-slim.tar.gz (oracle 8.0)",
     "Vulnerabilities": null
   }
-]
+]
diff --git a/integration/testdata/photon-10.json.golden b/integration/testdata/photon-10.json.golden
@@ -0,0 +1,61 @@
+[
+  {
+    "Target": "testdata/fixtures/photon-10.tar.gz (photon 1.0)",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2012-6711",
+        "PkgName": "bash",
+        "InstalledVersion": "4.3.48-3.ph1",
+        "FixedVersion": "4.3.48-4.ph1",
+        "Title": "bash: heap-based buffer overflow during echo of unsupported characters",
+        "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel\u0026id=863d31ae775d56b785dc5b0105b6d251515d81d5",
+          "http://www.securityfocus.com/bid/108824",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1721071",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph1",
+        "FixedVersion": "1.0.2t-1.ph1",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph1",
+        "FixedVersion": "1.0.2t-1.ph1",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      }
+    ]
+  }
+]
-Original file line number
+Diff line change
@@ Expand Up / @@ -100,4 +100,4 @@ @@
           }
         ]
       }
-    ]
+    ]