feat(suse): added SUSE Linux Enterprise Micro support

This adds support for the SUSE Linux Enterprise Micro family. This also fixes also purl logic for SUSE and openSUSE to match standard expectations better. #7221 Signed-off-by: Marcus Meissner <meissner@suse.de>
aquasecurity · Sep 19, 2024 · c4eda8c · c4eda8c
1 parent aeb7039
commit c4eda8c
Show file tree

Hide file tree

Showing 27 changed files with 13,568 additions and 732 deletions.
diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
@@ -23,7 +23,8 @@ Trivy supports operating systems for
 | [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
 | [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
 | [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise Micro](suse.md)| 5, 6                                | zypper/rpm       |
 | [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
 | [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |

diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md
@@ -3,7 +3,8 @@ Trivy supports the following distributions:
 
 - openSUSE Leap
 - openSUSE Tumbleweed
-- SUSE Enterprise Linux (SLE)
+- SUSE Linux Enterprise (SLE)
+- SUSE Linux Enterprise Micro
 
 Please see [here](index.md#supported-os) for supported versions.
 

diff --git a/integration/client_server_test.go b/integration/client_server_test.go
@@ -220,6 +220,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-tumbleweed.json.golden",
 		},
+		{
+			name: "sle micro rancher 5.4",
+			args: csArgs{
+				Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			},
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: csArgs{

diff --git a/integration/docker_engine_test.go b/integration/docker_engine_test.go
@@ -198,6 +198,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
 			golden:   "testdata/opensuse-tumbleweed.json.golden",
 		},
+		{
+			name:     "sle micro rancher 5.4",
+			imageTag: "ghcr.io/aquasecurity/trivy-test-images:sle-micro-rancher-5.4_ndb",
+			input:    "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			golden:   "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name:     "photon 3.0",
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",

diff --git a/integration/standalone_tar_test.go b/integration/standalone_tar_test.go
@@ -341,6 +341,14 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-tumbleweed.json.golden",
 		},
+		{
+			name: "sle micro rancher 5.4",
+			args: args{
+				Format: types.FormatJSON,
+				Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			},
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: args{

diff --git a/integration/testdata/fixtures/db/suse.yaml b/integration/testdata/fixtures/db/suse.yaml
@@ -0,0 +1,19 @@
+- bucket: "SUSE Linux Enterprise 15-SP3"
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+    - bucket: openssl-1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+- bucket: "SUSE Linux Enterprise Micro 5.3"
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2023:0311-1"
+          value:
+            FixedVersion: 1.1.1l-150400.7.22.1
diff --git a/integration/testdata/fixtures/db/vulnerability.yaml b/integration/testdata/fixtures/db/vulnerability.yaml
@@ -1349,6 +1349,15 @@
         - "https://www.suse.com/security/cve/CVE-2023-2975/"
         - "https://www.suse.com/security/cve/CVE-2023-3446/"
         - "https://www.suse.com/support/security/rating/"
+  - key: SUSE-SU-2022:2251-1
+    value:
+      Title: "Security update for openssl-1_1"
+      Description: "This update for openssl-1_1 fixes the following issues:\nCVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).\nCVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)"
+      Severity: MEDIUM
+      References:
+        - "https://www.suse.com/security/cve/CVE-2022-1292/"
+        - "https://www.suse.com/security/cve/CVE-2022-2068/"
+        - "https://www.suse.com/support/security/rating/"
   - key: CVE-2022-22965
     value:
       Title: "spring-framework: RCE via Data Binding on JDK 9+"

diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
@@ -66,7 +66,7 @@
           "PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
           "PkgName": "libopenssl1_1",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+            "PURL": "pkg:rpm/opensuse/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
             "UID": "898b73ddd0412f57"
           },
           "InstalledVersion": "1.1.0i-lp151.8.3.1",
@@ -99,7 +99,7 @@
           "PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
           "PkgName": "openssl-1_1",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+            "PURL": "pkg:rpm/opensuse/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
             "UID": "58980d005de43f54"
           },
           "InstalledVersion": "1.1.0i-lp151.8.3.1",

diff --git a/integration/testdata/opensuse-tumbleweed.json.golden b/integration/testdata/opensuse-tumbleweed.json.golden
@@ -69,7 +69,7 @@
           "PkgID": "libopenssl3@3.1.4-9.1.x86_64",
           "PkgName": "libopenssl3",
           "PkgIdentifier": {
-            "PURL": "pkg:rpm/opensuse.tumbleweed/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
+            "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
             "UID": "f051425f385d2b99"
           },
           "InstalledVersion": "3.1.4-9.1",

diff --git a/integration/testdata/sl-micro-rancher5.4.json.golden b/integration/testdata/sl-micro-rancher5.4.json.golden
@@ -0,0 +1,69 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "suse linux enterprise micro",
+      "Name": "5.4"
+    },
+    "ImageID": "sha256:c45ec974938acac29c893b5d273d73e4ebdd7e6a97b6fa861dfbd8dd430b9016",
+    "DiffIDs": [
+      "sha256:7cdd3aec849d122d63dc83a5e1e2fb89b341c67b03e25979131ca335a463bb57"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "SUSE LLC (https://www.suse.com/)",
+      "created": "2024-09-03T17:54:39Z",
+      "history": [
+        {
+          "author": "SUSE LLC \u003chttps://www.suse.com/\u003e",
+          "created": "2024-09-03T17:54:39Z",
+          "created_by": "KIWI 9.24.43"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:7cdd3aec849d122d63dc83a5e1e2fb89b341c67b03e25979131ca335a463bb57"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "com.suse.eula": "sle-eula",
+          "com.suse.image-type": "sle-micro",
+          "com.suse.release-stage": "released",
+          "com.suse.sle.micro.rancher.created": "2024-09-03T17:53:32.129328086Z",
+          "com.suse.sle.micro.rancher.description": "Image containing a micro environment for containers based on the SLE Micro for Rancher.",
+          "com.suse.sle.micro.rancher.disturl": "obs://build.suse.de/SUSE:SLE-15-SP4:Update:Products:Micro54:Update:CR/images/fcaa3a91b132f1955fa900b902aef7f2-SLE-Micro-Rancher",
+          "com.suse.sle.micro.rancher.reference": "registry.suse.com/suse/sle-micro-rancher/5.4:%PKG_VERSION%-%RELEASE",
+          "com.suse.sle.micro.rancher.title": "SLE Micro for Rancher Base Container",
+          "com.suse.sle.micro.rancher.url": "https://www.suse.com/products/micro/",
+          "com.suse.sle.micro.rancher.vendor": "SUSE LLC",
+          "com.suse.sle.micro.rancher.version": "5.4",
+          "com.suse.supportlevel": "l3",
+          "org.openbuildservice.disturl": "obs://build.suse.de/SUSE:SLE-15-SP4:Update:Products:Micro54:Update:CR/images/fcaa3a91b132f1955fa900b902aef7f2-SLE-Micro-Rancher",
+          "org.opencontainers.image.created": "2024-09-03T17:53:32.129328086Z",
+          "org.opencontainers.image.description": "Image containing a micro environment for containers based on the SLE Micro for Rancher.",
+          "org.opencontainers.image.title": "SLE Micro for Rancher Base Container",
+          "org.opencontainers.image.url": "https://www.suse.com/products/micro/",
+          "org.opencontainers.image.vendor": "SUSE LLC",
+          "org.opencontainers.image.version": "5.4",
+          "org.suse.reference": "registry.suse.com/suse/sle-micro-rancher/5.4:%PKG_VERSION%-%RELEASE"
+        }
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz (suse linux enterprise micro 5.4)",
+      "Class": "os-pkgs",
+      "Type": "suse linux enterprise micro"
+    }
+  ]
+}
diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go
@@ -44,6 +44,7 @@ var (
 		ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed),
 		ftypes.OpenSUSELeap:       suse.NewScanner(suse.OpenSUSE),
 		ftypes.SLES:               suse.NewScanner(suse.SUSEEnterpriseLinux),
+		ftypes.SLEMicro:           suse.NewScanner(suse.SUSEEnterpriseLinuxMicro),
 		ftypes.Photon:             photon.NewScanner(),
 		ftypes.Wolfi:              wolfi.NewScanner(),
 		ftypes.Chainguard:         chainguard.NewScanner(),

diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go
@@ -44,6 +44,18 @@ var (
 		// 6 months after SLES 15 SP7 release
 		// "15.7": time.Date(2031, 7, 31, 23, 59, 59, 0, time.UTC),
 	}
+	slemicroEolDates = map[string]time.Time{
+		// Source: https://www.suse.com/lifecycle/
+		"5.0": time.Date(2022, 3, 31, 23, 59, 59, 0, time.UTC),
+		"5.1": time.Date(2025, 10, 31, 23, 59, 59, 0, time.UTC),
+		"5.2": time.Date(2026, 4, 30, 23, 59, 59, 0, time.UTC),
+		"5.3": time.Date(2026, 10, 30, 23, 59, 59, 0, time.UTC),
+		"5.4": time.Date(2027, 4, 30, 23, 59, 59, 0, time.UTC),
+		"5.5": time.Date(2027, 10, 31, 23, 59, 59, 0, time.UTC),
+		"6.0": time.Date(2028, 6, 30, 23, 59, 59, 0, time.UTC),
+		// 6.1 will be released late 2024
+		// "6.1": time.Date(2028, 11, 30, 23, 59, 59, 0, time.UTC),
+	}
 
 	opensuseEolDates = map[string]time.Time{
 		// Source: https://en.opensuse.org/Lifetime
@@ -66,6 +78,8 @@ type Type int
 const (
 	// SUSEEnterpriseLinux is Linux Enterprise version
 	SUSEEnterpriseLinux Type = iota
+	// SUSE Linux Enterprise Micro is the micro series
+	SUSEEnterpriseLinuxMicro
 	// OpenSUSE for open versions
 	OpenSUSE
 	OpenSUSETumbleweed
@@ -83,6 +97,10 @@ func NewScanner(t Type) *Scanner {
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinux),
 		}
+	case SUSEEnterpriseLinuxMicro:
+		return &Scanner{
+			vs: susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinuxMicro),
+		}
 	case OpenSUSE:
 		return &Scanner{
 			vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE),
@@ -135,6 +153,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType
 	if osFamily == ftypes.SLES {
 		return osver.Supported(ctx, slesEolDates, osFamily, osVer)
 	}
+	if osFamily == ftypes.SLEMicro {
+		return osver.Supported(ctx, slemicroEolDates, osFamily, osVer)
+	}
 	// tumbleweed is a rolling release, it has no version and no eol
 	if osFamily == ftypes.OpenSUSETumbleweed {
 		return true

diff --git a/pkg/detector/ospkg/suse/suse_test.go b/pkg/detector/ospkg/suse/suse_test.go
@@ -111,6 +111,86 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path: suse sle 15sp3",
+			fixtures: []string{
+				"testdata/fixtures/suse.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.SUSEEnterpriseLinux,
+			args: args{
+				osVer: "15.3",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "libopenssl1_1",
+						Version:    "1.1.1d",
+						Release:    "150200.11.47.1",
+						SrcName:    "libopenssl1_1",
+						SrcVersion: "1.1.1d",
+						SrcRelease: "150200.11.47.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "libopenssl1_1",
+					VulnerabilityID:  "SUSE-SU-2022:2251-1",
+					InstalledVersion: "1.1.1d-150200.11.47.1",
+					FixedVersion:     "1.1.1d-150200.11.48.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
+		{
+			name: "happy path: suse sle micro 15.3",
+			fixtures: []string{
+				"testdata/fixtures/suse.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			distribution: suse.SUSEEnterpriseLinuxMicro,
+			args: args{
+				osVer: "5.3",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "libopenssl1_1",
+						Version:    "1.1.1l",
+						Release:    "150400.7.21.1",
+						SrcName:    "libopenssl1_1",
+						SrcVersion: "1.1.1l",
+						SrcRelease: "150400.7.21.1",
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "libopenssl1_1",
+					VulnerabilityID:  "SUSE-SU-2023:0311-1",
+					InstalledVersion: "1.1.1l-150400.11.21.1",
+					FixedVersion:     "1.1.1l-150400.11.22.1",
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+			},
+		},
 		{
 			name: "broken bucket",
 			fixtures: []string{

diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
@@ -15,3 +15,8 @@
         ID: "suse-cvrf"
         Name: "SUSE CVRF"
         URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise Micro 5.3
+      value:
+        ID: "suse-cvrf"
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
diff --git a/pkg/detector/ospkg/suse/testdata/fixtures/suse.yaml b/pkg/detector/ospkg/suse/testdata/fixtures/suse.yaml
@@ -8,3 +8,23 @@
         - key: CVE-2021-0001
           value:
             FixedVersion: ""
+- bucket: SUSE Linux Enterprise 15 SP3
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+    - bucket: openssl-1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+- bucket: SUSE Linux Enterprise Micro 5.3
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2023:0311-1"
+          value:
+            FixedVersion: 1.1.1l-150400.7.22.1
+
diff --git a/pkg/fanal/analyzer/os/release/release.go b/pkg/fanal/analyzer/os/release/release.go
@@ -55,6 +55,11 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp
 			family = types.OpenSUSELeap
 		case "sles":
 			family = types.SLES
+		// There are various rebrands of SLE Micro, there is also one brief (and reverted rebrand)
+		// for SLE Micro 6.0. which was called "SL Micro 6.0" until very short before release
+		// and there is a "SLE Micro for Rancher" rebrand, which is used by SUSEs K8S based offerings.
+		case "sle-micro", "sl-micro", "sle-micro-rancher":
+			family = types.SLEMicro
 		case "photon":
 			family = types.Photon
 		case "wolfi":