fix(rocky): add architectures support for advisories (aquasecurity#4691)

* add multi-arch support for rocky linux advisories

* feat: comply with the new signagure

* bump trivy-db

* fix tests

* chore(deps): remove fork replace

---------

Co-authored-by: knqyf263 <knqyf263@gmail.com>

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c
+	github.com/aquasecurity/trivy-db v0.0.0-20230703082116-dc52e83376ce
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230628140707-dae3bdb6ee81
 	github.com/aws/aws-sdk-go v1.44.245
@@ -93,7 +93,7 @@ require (
 	github.com/xlab/treeprint v1.1.0
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/zap v1.24.0
-	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/mod v0.11.0
 	golang.org/x/sync v0.3.0
 	golang.org/x/term v0.9.0

go.sum

@@ -343,8 +343,8 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c h1:mFMfHmb5GC6xrnUGk2mJcKNt5vBaFSzJx1MMW47uzB0=
-github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c/go.mod h1:s7x7CTxYeiFf6gPOakSsg4mCD93au4dbYplG4h0FGrs=
+github.com/aquasecurity/trivy-db v0.0.0-20230703082116-dc52e83376ce h1:swoQLWQoZ4HW13XeEji217TTcgi61MuMZdsKrqSTE0A=
+github.com/aquasecurity/trivy-db v0.0.0-20230703082116-dc52e83376ce/go.mod h1:cXuqKo+FaMY0ixJNoUcyDHdfCBRPWOysI2Td8N4fRsg=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230628140707-dae3bdb6ee81 h1:5/tKpCr861auON/CMHSXnRzNixx1FTWAeHSwV0PtA0U=
@@ -1811,8 +1811,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea h1:vLCWI/yYrdEHyN2JzIzPO3aaQJHQdp89IZBA/+azVC4=
-golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

integration/testdata/fixtures/db/rockylinux.yaml

@@ -4,4 +4,10 @@
       pairs:
         - key: CVE-2021-3712
           value:
-            FixedVersion: 1:1.1.1k-5.el8_5
+            FixedVersion: 1:1.1.1k-5.el8_5
+            Entries:
+              - FixedVersion: "1:1.1.1k-5.el8_5"
+                Arches:
+                  - x86_64
+                VendorIds:
+                  - RLSA-2021:4647

pkg/detector/ospkg/rocky/rocky.go

@@ -74,7 +74,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			continue
 		}
 		pkgName := addModularNamespace(pkg.Name, pkg.Modularitylabel)
-		advisories, err := s.vs.Get(osVer, pkgName)
+		advisories, err := s.vs.Get(osVer, pkgName, pkg.Arch)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get Rocky Linux advisories: %w", err)
 		}

pkg/detector/ospkg/rocky/rocky_test.go

@@ -40,7 +40,7 @@ func TestScanner_Detect(t *testing.T) {
 						Epoch:           0,
 						Version:         "4.18.0",
 						Release:         "348.el8.0.3",
-						Arch:            "x86_64",
+						Arch:            "aarch64",
 						SrcName:         "kernel",
 						SrcEpoch:        0,
 						SrcVersion:      "4.18.0",
@@ -56,7 +56,7 @@ func TestScanner_Detect(t *testing.T) {
 					PkgName:          "bpftool",
 					VulnerabilityID:  "CVE-2021-20317",
 					InstalledVersion: "4.18.0-348.el8.0.3",
-					FixedVersion:     "4.18.0-348.2.1.el8_5",
+					FixedVersion:     "5.18.0-348.2.1.el8_5",
 					Layer:            ftypes.Layer{},
 					DataSource: &dbTypes.DataSource{
 						ID:   vulnerability.Rocky,

pkg/detector/ospkg/rocky/testdata/fixtures/rocky.yaml

@@ -2,9 +2,17 @@
   pairs:
     - bucket: bpftool
       pairs:
-        - key: CVE-2021-0129
-          value:
-            FixedVersion: "4.18.0-348.el8.0.2"
         - key: CVE-2021-20317
           value:
-            FixedVersion: "4.18.0-348.2.1.el8_5"
+            FixedVersion: "4.18.0-348.2.1.el8_5"
+            Entries:
+              - FixedVersion: "4.18.0-348.2.1.el8_5"
+                Arches:
+                  - "x86_64"
+                VendorIDs:
+                  - "RLSA-2021:4647"
+              - FixedVersion: "5.18.0-348.2.1.el8_5"
+                Arches:
+                  - "aarch64"
+                VendorIDs:
+                  - "RLSA-2021:4647"