feat(docker): add support for scanning Bitnami components (#5062)

* feat(bitnami): add support for scanning Bitnami components Signed-off-by: juan131 <[email protected]> * chore(deps): bump packageurl-go TypeBitnami is not included in v0.1.1 * feat(spdx): handle orphan packages * fix: update Elastic SPDX Signed-off-by: juan131 <[email protected]> * Update pkg/fanal/analyzer/sbom/sbom.go Co-authored-by: DmitriyLewen <[email protected]> * fix: remove useless else Signed-off-by: juan131 <[email protected]> * call AnalysisResult.Sort() Signed-off-by: knqyf263 <[email protected]> * delete app packages Signed-off-by: knqyf263 <[email protected]> * fix: set the component path to packages Signed-off-by: knqyf263 <[email protected]> * docs: add a comment about continue Signed-off-by: knqyf263 <[email protected]> * chore: bump trivy-db Signed-off-by: knqyf263 <[email protected]> * docs: add Bitnami Signed-off-by: knqyf263 <[email protected]> --------- Signed-off-by: juan131 <[email protected]> Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> Co-authored-by: DmitriyLewen <[email protected]>
aquasecurity · Aug 31, 2023 · 7acc5e8 · 7acc5e8
1 parent 9628b1c
commit 7acc5e8
Show file tree

Hide file tree

Showing 20 changed files with 646 additions and 368 deletions.
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
@@ -74,6 +74,7 @@ jobs:
             elixir
             dart
             swift
+            bitnami
 
             os
             lang

diff --git a/docs/docs/coverage/os/google-distroless.md b/docs/docs/coverage/os/google-distroless.md
@@ -1,4 +1,4 @@
-# Google Distroless
+# Google Distroless Images
 Trivy supports the following scanners for OS packages.
 
 |    Scanner    | Supported |

diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md
@@ -26,7 +26,13 @@ Trivy supports operating systems for
 | [Photon OS](photon.md)                        | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)                 | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
 | [Ubuntu](ubuntu.md)                           | All versions supported by Canonical | apt/dpkg         |
+
+## Supported container images
+
+| Container image                               | Supported Versions                  | Package Managers |
+|-----------------------------------------------|-------------------------------------|------------------|
 | [Google Distroless](google-distroless.md)[^2] | Any                                 | apt/dpkg         |
+| [Bitnami](bitnami.md)                         | Any                                 | -                |
 
 Each page gives more details.
 

diff --git a/go.mod b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321
+	github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f
 	github.com/aws/aws-sdk-go v1.44.273
@@ -74,7 +74,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0-rc4
 	github.com/openvex/go-vex v0.2.5
 	github.com/owenrumney/go-sarif/v2 v2.2.0
-	github.com/package-url/packageurl-go v0.1.1
+	github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b
 	github.com/samber/lo v1.38.1
 	github.com/saracen/walker v0.1.3
 	github.com/secure-systems-lab/go-securesystemslib v0.7.0

diff --git a/go.sum b/go.sum
@@ -344,8 +344,8 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321 h1:oAXkM8x6jMal+6p2XB78+ntPs5LGjxZhtWHdOy4crlg=
-github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
+github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E=
+github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f h1:KOB3oGBjP+usI88PzDehhJ0AUWoKUCs7wBspcxBAF00=
@@ -1459,8 +1459,8 @@ github.com/owenrumney/go-sarif/v2 v2.2.0 h1:1DmZaijK0HBZCR1fgcDSGa7VzYkU9NDmbZ7q
 github.com/owenrumney/go-sarif/v2 v2.2.0/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/owenrumney/squealer v1.1.1 h1:e+fg29IxdNARSc4s7CbYnqVSepm9eOqErLNNNR5XbAs=
 github.com/owenrumney/squealer v1.1.1/go.mod h1:Q5ekVoyFSG2FlnCVIBGsyk/FSMA/ATv8PtwKIVX7t/o=
-github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
-github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
+github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b h1:mUXbYcE4/ZAh9uto21SUH+FL/RGmD0OGYci9JX66jDc=
+github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=