feat(vuln): support dependency graph for RHEL/CentOS (#3094)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>

go.mod

@@ -259,7 +259,7 @@ require (
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
 	github.com/klauspost/compress v1.15.11 // indirect
-	github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
+	github.com/knqyf263/go-rpmdb v0.0.0-20221030142135-919c8a52f04f
 	github.com/knqyf263/nested v0.0.1
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect

go.sum

@@ -1082,8 +1082,8 @@ github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 h1:aC6MEAs3PE3lWD7lqrJfDxHd6hcced9R4JTZu85cJwU=
 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
-github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21 h1:3E1B04qBvkGmr6oXPSwLpuAF0wekN67CKseKGRjj6Yo=
-github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21/go.mod h1:zp6SMcRd0GB+uwNJjr+DkrNZdQZ4er2HMO6KyD0vIGU=
+github.com/knqyf263/go-rpmdb v0.0.0-20221030142135-919c8a52f04f h1:oz80cOWEcx/tTh5T0g43oz5W7zZw8jm7zD5BR9tQjX8=
+github.com/knqyf263/go-rpmdb v0.0.0-20221030142135-919c8a52f04f/go.mod h1:zp6SMcRd0GB+uwNJjr+DkrNZdQZ4er2HMO6KyD0vIGU=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=

integration/testdata/almalinux-8.json.golden

@@ -53,6 +53,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2021-3712",
+          "PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.1.1k-4.el8",
           "FixedVersion": "1:1.1.1k-5.el8_5",

integration/testdata/amazon-1.json.golden

@@ -54,6 +54,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-5481",
+          "PkgID": "curl@7.61.1-11.91.amzn1.x86_64",
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-11.91.amzn1",
           "FixedVersion": "7.61.1-12.93.amzn1",

integration/testdata/amazon-2.json.golden

@@ -54,6 +54,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-5481",
+          "PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-9.amzn2.0.1",
           "FixedVersion": "7.61.1-12.amzn2.0.1",
@@ -111,6 +112,7 @@
         },
         {
           "VulnerabilityID": "CVE-2019-5436",
+          "PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-9.amzn2.0.1",
           "FixedVersion": "7.61.1-11.amzn2.0.2",

integration/testdata/centos-6.json.golden

@@ -76,6 +76,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2020-29573",
+          "PkgID": "glibc@2.12-1.212.el6.x86_64",
           "PkgName": "glibc",
           "InstalledVersion": "2.12-1.212.el6",
           "Layer": {
@@ -119,6 +120,7 @@
           "VendorIDs": [
             "RHSA-2019:2471"
           ],
+          "PkgID": "openssl@1.0.1e-57.el6.x86_64",
           "PkgName": "openssl",
           "InstalledVersion": "1.0.1e-57.el6",
           "FixedVersion": "1.0.1e-58.el6_10",

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -69,6 +69,7 @@
           "VendorIDs": [
             "RHSA-2019:2304"
           ],
+          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
@@ -149,6 +150,7 @@
           "VendorIDs": [
             "RHSA-2019:2304"
           ],
+          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",

integration/testdata/centos-7-medium.json.golden

@@ -69,6 +69,7 @@
           "VendorIDs": [
             "RHSA-2019:2304"
           ],
+          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",

integration/testdata/centos-7.json.golden

@@ -66,6 +66,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-18276",
+          "PkgID": "bash@4.2.46-31.el7.x86_64",
           "PkgName": "bash",
           "InstalledVersion": "4.2.46-31.el7",
           "Layer": {
@@ -113,6 +114,7 @@
           "VendorIDs": [
             "RHSA-2019:2304"
           ],
+          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
@@ -193,6 +195,7 @@
           "VendorIDs": [
             "RHSA-2019:2304"
           ],
+          "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",

integration/testdata/fixtures/sbom/centos-7-spdx.json

@@ -30,6 +30,7 @@
 		{
 			"SPDXID": "SPDXRef-Package-5a18334f22149877",
 			"attributionTexts": [
+				"PkgID: bash@4.2.46-31.el7.x86_64",
 				"LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
 				"LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
 			],
@@ -50,6 +51,7 @@
 		{
 			"SPDXID": "SPDXRef-Package-e16b1cbaa5186199",
 			"attributionTexts": [
+				"PkgID: openssl-libs@1.0.2k-16.el7.x86_64",
 				"LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
 				"LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
 			],

integration/testdata/fixtures/sbom/centos-7-spdx.txt

@@ -33,6 +33,7 @@ PackageSourceInfo: built package from: bash 4.2.46-31.el7
 PackageLicenseConcluded: GPLv3+
 PackageLicenseDeclared: GPLv3+
 ExternalRef: PACKAGE-MANAGER purl pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810
+PackageAttributionText: PkgID: bash@4.2.46-31.el7.x86_64
 PackageAttributionText: LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
 PackageAttributionText: LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a
 
@@ -46,6 +47,7 @@ PackageSourceInfo: built package from: openssl-libs 1:1.0.2k-16.el7
 PackageLicenseConcluded: OpenSSL
 PackageLicenseDeclared: OpenSSL
 ExternalRef: PACKAGE-MANAGER purl pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810
+PackageAttributionText: PkgID: openssl-libs@1.0.2k-16.el7.x86_64
 PackageAttributionText: LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
 PackageAttributionText: LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a
 

integration/testdata/opensuse-leap-151.json.golden

@@ -62,6 +62,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "openSUSE-SU-2020:0062-1",
+          "PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
           "PkgName": "libopenssl1_1",
           "InstalledVersion": "1.1.0i-lp151.8.3.1",
           "FixedVersion": "1.1.0i-lp151.8.6.1",
@@ -86,6 +87,7 @@
         },
         {
           "VulnerabilityID": "openSUSE-SU-2020:0062-1",
+          "PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
           "PkgName": "openssl-1_1",
           "InstalledVersion": "1.1.0i-lp151.8.3.1",
           "FixedVersion": "1.1.0i-lp151.8.6.1",

integration/testdata/oraclelinux-8.json.golden

@@ -63,6 +63,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-3823",
+          "PkgID": "curl@7.61.1-8.el8.x86_64",
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-8.el8",
           "FixedVersion": "7.61.1-11.el8",
@@ -119,6 +120,7 @@
         },
         {
           "VulnerabilityID": "CVE-2019-5436",
+          "PkgID": "curl@7.61.1-8.el8.x86_64",
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-8.el8",
           "FixedVersion": "7.61.1-12.el8",

integration/testdata/photon-30.json.golden

@@ -64,6 +64,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-18276",
+          "PkgID": "bash@4.4.18-1.ph3.x86_64",
           "PkgName": "bash",
           "InstalledVersion": "4.4.18-1.ph3",
           "FixedVersion": "4.4.18-2.ph3",
@@ -114,6 +115,7 @@
         },
         {
           "VulnerabilityID": "CVE-2019-5481",
+          "PkgID": "curl@7.61.1-4.ph3.x86_64",
           "PkgName": "curl",
           "InstalledVersion": "7.61.1-4.ph3",
           "FixedVersion": "7.61.1-5.ph3",
@@ -171,6 +173,7 @@
         },
         {
           "VulnerabilityID": "CVE-2019-5481",
+          "PkgID": "curl-libs@7.61.1-4.ph3.x86_64",
           "PkgName": "curl-libs",
           "InstalledVersion": "7.61.1-4.ph3",
           "FixedVersion": "7.61.1-5.ph3",

integration/testdata/rockylinux-8.json.golden

@@ -53,6 +53,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2021-3712",
+          "PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
           "PkgName": "openssl-libs",
           "InstalledVersion": "1:1.1.1k-4.el8",
           "FixedVersion": "1:1.1.1k-5.el8_5",

integration/testdata/ubi-7.json.golden

@@ -77,6 +77,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-18276",
+          "PkgID": "bash@4.2.46-33.el7.x86_64",
           "PkgName": "bash",
           "InstalledVersion": "4.2.46-33.el7",
           "Layer": {

pkg/detector/ospkg/alma/alma.go

@@ -87,6 +87,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			if installedVersion.LessThan(fixedVersion) {
 				vuln := types.DetectedVulnerability{
 					VulnerabilityID:  adv.VulnerabilityID,
+					PkgID:            pkg.ID,
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     fixedVersion.String(),

pkg/detector/ospkg/amazon/amazon.go

@@ -100,6 +100,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			if installedVersion.LessThan(fixedVersion) {
 				vuln := types.DetectedVulnerability{
 					VulnerabilityID:  adv.VulnerabilityID,
+					PkgID:            pkg.ID,
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     adv.FixedVersion,

pkg/detector/ospkg/oracle/oracle.go

@@ -85,6 +85,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
+				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
 				Ref:              pkg.Ref,

pkg/detector/ospkg/photon/photon.go

@@ -77,6 +77,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
+				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
 				Ref:              pkg.Ref,

pkg/detector/ospkg/redhat/redhat.go

@@ -155,6 +155,7 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
 		vulnID := adv.VulnerabilityID
 		vuln := types.DetectedVulnerability{
 			VulnerabilityID:  vulnID,
+			PkgID:            pkg.ID,
 			PkgName:          pkg.Name,
 			InstalledVersion: utils.FormatVersion(pkg),
 			Ref:              pkg.Ref,

pkg/detector/ospkg/rocky/rocky.go

@@ -87,6 +87,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			if installedVersion.LessThan(fixedVersion) {
 				vuln := types.DetectedVulnerability{
 					VulnerabilityID:  adv.VulnerabilityID,
+					PkgID:            pkg.ID,
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     fixedVersion.String(),

pkg/detector/ospkg/suse/suse.go

@@ -129,6 +129,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
+				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
 				Ref:              pkg.Ref,