feat(suse): added SUSE Linux Enterprise Micro support (#7294)

Signed-off-by: Marcus Meissner <meissner@suse.de> Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
aquasecurity · Sep 29, 2024 · efdb68d · efdb68d
1 parent ef0a27d
commit efdb68d
Show file tree

Hide file tree

Showing 23 changed files with 453 additions and 136 deletions.
diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
@@ -23,7 +23,8 @@ Trivy supports operating systems for
 | [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
 | [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
 | [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise Micro](suse.md)| 5, 6                                | zypper/rpm       |
 | [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
 | [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |

diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md
@@ -3,7 +3,8 @@ Trivy supports the following distributions:
 
 - openSUSE Leap
 - openSUSE Tumbleweed
-- SUSE Enterprise Linux (SLE)
+- SUSE Linux Enterprise (SLE)
+- SUSE Linux Enterprise Micro
 
 Please see [here](index.md#supported-os) for supported versions.
 

diff --git a/integration/client_server_test.go b/integration/client_server_test.go
@@ -220,6 +220,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-tumbleweed.json.golden",
 		},
+		{
+			name: "sle micro rancher 5.4",
+			args: csArgs{
+				Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			},
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: csArgs{

diff --git a/integration/docker_engine_test.go b/integration/docker_engine_test.go
@@ -198,6 +198,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
 			golden:   "testdata/opensuse-tumbleweed.json.golden",
 		},
+		{
+			name:     "sle micro rancher 5.4",
+			imageTag: "ghcr.io/aquasecurity/trivy-test-images:sle-micro-rancher-5.4_ndb",
+			input:    "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			golden:   "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name:     "photon 3.0",
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",

diff --git a/integration/standalone_tar_test.go b/integration/standalone_tar_test.go
@@ -341,6 +341,14 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-tumbleweed.json.golden",
 		},
+		{
+			name: "sle micro rancher 5.4",
+			args: args{
+				Format: types.FormatJSON,
+				Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			},
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: args{

diff --git a/integration/testdata/fixtures/db/suse.yaml b/integration/testdata/fixtures/db/suse.yaml
@@ -0,0 +1,19 @@
+- bucket: "SUSE Linux Enterprise 15-SP3"
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+    - bucket: openssl-1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+- bucket: "SUSE Linux Enterprise Micro 5.3"
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2023:0311-1"
+          value:
+            FixedVersion: 1.1.1l-150400.7.22.1
diff --git a/integration/testdata/fixtures/db/vulnerability.yaml b/integration/testdata/fixtures/db/vulnerability.yaml
@@ -1349,6 +1349,15 @@
         - "https://www.suse.com/security/cve/CVE-2023-2975/"
         - "https://www.suse.com/security/cve/CVE-2023-3446/"
         - "https://www.suse.com/support/security/rating/"
+  - key: SUSE-SU-2022:2251-1
+    value:
+      Title: "Security update for openssl-1_1"
+      Description: "This update for openssl-1_1 fixes the following issues:\nCVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).\nCVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)"
+      Severity: MEDIUM
+      References:
+        - "https://www.suse.com/security/cve/CVE-2022-1292/"
+        - "https://www.suse.com/security/cve/CVE-2022-2068/"
+        - "https://www.suse.com/support/security/rating/"
   - key: CVE-2022-22965
     value:
       Title: "spring-framework: RCE via Data Binding on JDK 9+"

diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
@@ -66,7 +66,7 @@
           "PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
           "PkgName": "libopenssl1_1",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+            "PURL": "pkg:rpm/opensuse/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
             "UID": "898b73ddd0412f57"
           },
           "InstalledVersion": "1.1.0i-lp151.8.3.1",
@@ -99,7 +99,7 @@
           "PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
           "PkgName": "openssl-1_1",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+            "PURL": "pkg:rpm/opensuse/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
             "UID": "58980d005de43f54"
           },
           "InstalledVersion": "1.1.0i-lp151.8.3.1",

diff --git a/integration/testdata/opensuse-tumbleweed.json.golden b/integration/testdata/opensuse-tumbleweed.json.golden
@@ -69,7 +69,7 @@
           "PkgID": "libopenssl3@3.1.4-9.1.x86_64",
           "PkgName": "libopenssl3",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.tumbleweed/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
+            "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
             "UID": "f051425f385d2b99"
           },
           "InstalledVersion": "3.1.4-9.1",

diff --git a/integration/testdata/sl-micro-rancher5.4.json.golden b/integration/testdata/sl-micro-rancher5.4.json.golden
@@ -0,0 +1,69 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "suse linux enterprise micro",
+      "Name": "5.4"
+    },
+    "ImageID": "sha256:c45ec974938acac29c893b5d273d73e4ebdd7e6a97b6fa861dfbd8dd430b9016",
+    "DiffIDs": [
+      "sha256:7cdd3aec849d122d63dc83a5e1e2fb89b341c67b03e25979131ca335a463bb57"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "SUSE LLC (https://www.suse.com/)",
+      "created": "2024-09-03T17:54:39Z",
+      "history": [
+        {
+          "author": "SUSE LLC \u003chttps://www.suse.com/\u003e",
+          "created": "2024-09-03T17:54:39Z",
+          "created_by": "KIWI 9.24.43"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:7cdd3aec849d122d63dc83a5e1e2fb89b341c67b03e25979131ca335a463bb57"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "com.suse.eula": "sle-eula",
+          "com.suse.image-type": "sle-micro",
+          "com.suse.release-stage": "released",
+          "com.suse.sle.micro.rancher.created": "2024-09-03T17:53:32.129328086Z",
+          "com.suse.sle.micro.rancher.description": "Image containing a micro environment for containers based on the SLE Micro for Rancher.",
+          "com.suse.sle.micro.rancher.disturl": "obs://build.suse.de/SUSE:SLE-15-SP4:Update:Products:Micro54:Update:CR/images/fcaa3a91b132f1955fa900b902aef7f2-SLE-Micro-Rancher",
+          "com.suse.sle.micro.rancher.reference": "registry.suse.com/suse/sle-micro-rancher/5.4:%PKG_VERSION%-%RELEASE",
+          "com.suse.sle.micro.rancher.title": "SLE Micro for Rancher Base Container",
+          "com.suse.sle.micro.rancher.url": "https://www.suse.com/products/micro/",
+          "com.suse.sle.micro.rancher.vendor": "SUSE LLC",
+          "com.suse.sle.micro.rancher.version": "5.4",
+          "com.suse.supportlevel": "l3",
+          "org.openbuildservice.disturl": "obs://build.suse.de/SUSE:SLE-15-SP4:Update:Products:Micro54:Update:CR/images/fcaa3a91b132f1955fa900b902aef7f2-SLE-Micro-Rancher",
+          "org.opencontainers.image.created": "2024-09-03T17:53:32.129328086Z",
+          "org.opencontainers.image.description": "Image containing a micro environment for containers based on the SLE Micro for Rancher.",
+          "org.opencontainers.image.title": "SLE Micro for Rancher Base Container",
+          "org.opencontainers.image.url": "https://www.suse.com/products/micro/",
+          "org.opencontainers.image.vendor": "SUSE LLC",
+          "org.opencontainers.image.version": "5.4",
+          "org.suse.reference": "registry.suse.com/suse/sle-micro-rancher/5.4:%PKG_VERSION%-%RELEASE"
+        }
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz (suse linux enterprise micro 5.4)",
+      "Class": "os-pkgs",
+      "Type": "suse linux enterprise micro"
+    }
+  ]
+}
diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go
@@ -44,6 +44,7 @@ var (
 		ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
 		ftypes.OpenSUSELeap:       suse.NewScanner(suse.OpenSUSE),
 		ftypes.SLES:               suse.NewScanner(suse.SUSEEnterpriseLinux),
+		ftypes.SLEMicro:           suse.NewScanner(suse.SUSEEnterpriseLinuxMicro),
 		ftypes.Photon:             photon.NewScanner(),
 		ftypes.Wolfi:              wolfi.NewScanner(),
 		ftypes.Chainguard:         chainguard.NewScanner(),

diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go
@@ -44,6 +44,18 @@ var (
 		// 6 months after SLES 15 SP7 release
 		// "15.7": time.Date(2031, 7, 31, 23, 59, 59, 0, time.UTC),
 	}
+	slemicroEolDates = map[string]time.Time{
+		// Source: https://www.suse.com/lifecycle/
+		"5.0": time.Date(2022, 3, 31, 23, 59, 59, 0, time.UTC),
+		"5.1": time.Date(2025, 10, 31, 23, 59, 59, 0, time.UTC),
+		"5.2": time.Date(2026, 4, 30, 23, 59, 59, 0, time.UTC),
+		"5.3": time.Date(2026, 10, 30, 23, 59, 59, 0, time.UTC),
+		"5.4": time.Date(2027, 4, 30, 23, 59, 59, 0, time.UTC),
+		"5.5": time.Date(2027, 10, 31, 23, 59, 59, 0, time.UTC),
+		"6.0": time.Date(2028, 6, 30, 23, 59, 59, 0, time.UTC),
+		// 6.1 will be released late 2024
+		// "6.1": time.Date(2028, 11, 30, 23, 59, 59, 0, time.UTC),
+	}
 
 	opensuseEolDates = map[string]time.Time{
 		// Source: https://en.opensuse.org/Lifetime
@@ -66,6 +78,8 @@ type Type int
 const (
 	// SUSEEnterpriseLinux is Linux Enterprise version
 	SUSEEnterpriseLinux Type = iota
+	// SUSE Linux Enterprise Micro is the micro series
+	SUSEEnterpriseLinuxMicro
 	// OpenSUSE for open versions
 	OpenSUSE
 	OpenSUSETumbleweed
@@ -83,6 +97,10 @@ func NewScanner(t Type) *Scanner {
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinux),
 		}
+	case SUSEEnterpriseLinuxMicro:
+		return &Scanner{
+			vs: susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinuxMicro),
+		}
 	case OpenSUSE:
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
@@ -135,6 +153,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
 	if osFamily == ftypes.SLES {
 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
 	}
+	if osFamily == ftypes.SLEMicro {
+		return osver.Supported(ctx, slemicroEolDates, osFamily, osVer)
+	}
 	// tumbleweed is a rolling release, it has no version and no eol
 	if osFamily == ftypes.OpenSUSETumbleweed {
 		return true

diff --git a/pkg/detector/ospkg/suse/suse_test.go b/pkg/detector/ospkg/suse/suse_test.go
@@ -111,6 +111,86 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path: suse sle 15sp3",
+			fixtures: []string{
+				"testdata/fixtures/suse.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.SUSEEnterpriseLinux,
+			args: args{
+				osVer: "15.3",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "libopenssl1_1",
+						Version:    "1.1.1d",
+						Release:    "150200.11.47.1",
+						SrcName:    "libopenssl1_1",
+						SrcVersion: "1.1.1d",
+						SrcRelease: "150200.11.47.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "libopenssl1_1",
+					VulnerabilityID:  "SUSE-SU-2022:2251-1",
+					InstalledVersion: "1.1.1d-150200.11.47.1",
+					FixedVersion:     "1.1.1d-150200.11.48.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
+		{
+			name: "happy path: suse sle micro 15.3",
+			fixtures: []string{
+				"testdata/fixtures/suse.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.SUSEEnterpriseLinuxMicro,
+			args: args{
+				osVer: "5.3",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "libopenssl1_1",
+						Version:    "1.1.1l",
+						Release:    "150400.7.21.1",
+						SrcName:    "libopenssl1_1",
+						SrcVersion: "1.1.1l",
+						SrcRelease: "150400.7.21.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "libopenssl1_1",
+					VulnerabilityID:  "SUSE-SU-2023:0311-1",
+					InstalledVersion: "1.1.1l-150400.7.21.1",
+					FixedVersion:     "1.1.1l-150400.7.22.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
 		{
 			name: "broken bucket",
 			fixtures: []string{

diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
@@ -15,3 +15,8 @@
         ID: "suse-cvrf"
         Name: "SUSE CVRF"
         URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise Micro 5.3
+      value:
+        ID: "suse-cvrf"
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/suse.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/suse.yaml
@@ -8,3 +8,23 @@
         - key: CVE-2021-0001
           value:
             FixedVersion: ""
+- bucket: SUSE Linux Enterprise 15.3
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+    - bucket: openssl-1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+- bucket: SUSE Linux Enterprise Micro 5.3
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2023:0311-1"
+          value:
+            FixedVersion: 1.1.1l-150400.7.22.1
+
diff --git a/pkg/fanal/analyzer/os/release/release.go b/pkg/fanal/analyzer/os/release/release.go
@@ -55,6 +55,11 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp
 			family = types.OpenSUSELeap
 		case "sles":
 			family = types.SLES
+		// There are various rebrands of SLE Micro, there is also one brief (and reverted rebrand)
+		// for SLE Micro 6.0. which was called "SL Micro 6.0" until very short before release
+		// and there is a "SLE Micro for Rancher" rebrand, which is used by SUSEs K8S based offerings.
+		case "sle-micro", "sl-micro", "sle-micro-rancher":
+			family = types.SLEMicro
 		case "photon":
 			family = types.Photon
 		case "wolfi":