
Add support to bci images #740

Closed
gmontalvoy opened this issue May 3, 2022 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

gmontalvoy commented May 3, 2022

What happened

While Grype works well on sle-based images:

➜  ~ grype registry.suse.com/suse/sle15:15.1.6.2.508 
[...]
 ✔ Cataloged packages      [124 packages]
 ✔ Scanned image           [23 vulnerabilities]

NAME           INSTALLED       FIXED-IN                TYPE  VULNERABILITY   SEVERITY 
glibc          2.26-13.56.1    0:2.26-13.65.1          rpm   CVE-2022-23218  Medium    
glibc          2.26-13.56.1    0:2.26-13.65.1          rpm   CVE-2022-23219  Medium    
[...]

The same does not happen with the new bci-based images even with syft installed and available.

➜  ~ grype registry.suse.com/bci/bci-base:15.3       
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [0 packages]
 ✔ Scanned image           [0 vulnerabilities]

No vulnerabilities found

What you expected to happen:
I'd expect Grype to be able to perform vuln scans also on bci.

How to reproduce it (as minimally and precisely as possible):

grype registry.suse.com/bci/bci-base:15.3 and it will detect 0 packages and, obviously, 0 vulnerabilities.

Environment:

  • Output of grype version:
➜  ~ grype version
Application:          grype
Version:              0.36.0
Syft Version:         v0.45.0
BuildDate:            2022-04-29T18:30:45Z
GitCommit:            36f5150fa9da57871d8d7f153303505cbc842798
GitDescription:       v0.36.0
Platform:             darwin/arm64
GoVersion:            go1.18.1
Compiler:             gc
Supported DB Schema:  3
  • OS (e.g. cat /etc/os-release or similar):
    As it is being tested on macOS, I am using a Linux box to do this; here are the box details.
NAME="Fedora Linux"
VERSION="35.20220305.dev.0 (CoreOS)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
PLATFORM_ID="platform:f35"
PRETTY_NAME="Fedora CoreOS 35.20220305.dev.0"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:35"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=35
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=35
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='35.20220305.dev.0'
DEFAULT_HOSTNAME=localhost

Thanks
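The silent zero-package result reported above is exactly the case a CI gate must not mistake for a clean scan. The following Python is an added example, not code from this issue or from the Grype project: it parses grype's text output (the status lines and findings table quoted above, embedded here as constructed samples) and classifies a run that cataloged nothing as inconclusive rather than passing.

```python
import re
from collections import Counter

# Constructed sample input: abridged copies of the two grype runs quoted in the issue.
BCI_RUN = """\
 ✔ Cataloged packages      [0 packages]
 ✔ Scanned image           [0 vulnerabilities]
"""
SLE_RUN = """\
 ✔ Cataloged packages      [124 packages]
 ✔ Scanned image           [23 vulnerabilities]
NAME           INSTALLED       FIXED-IN                TYPE  VULNERABILITY   SEVERITY
glibc          2.26-13.56.1    0:2.26-13.65.1          rpm   CVE-2022-23218  Medium
glibc          2.26-13.56.1    0:2.26-13.65.1          rpm   CVE-2022-23219  Medium
"""

PACKAGES_RE = re.compile(r"Cataloged packages\s+\[(\d+) packages\]")
VULNS_RE = re.compile(r"Scanned image\s+\[(\d+) vulnerabilit")


def parse_findings(text):
    """One dict per table row; the CVE column anchors the parse so an empty
    FIXED-IN cell cannot shift the SEVERITY column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        cve = [i for i, p in enumerate(parts) if p.startswith("CVE-")]
        if cve and cve[0] + 1 < len(parts):
            i = cve[0]
            rows.append({"name": parts[0], "cve": parts[i], "severity": parts[i + 1]})
    return rows


def assess_scan(text):
    """Classify a grype text report for a CI gate. Zero cataloged packages is
    'inconclusive', never 'pass': grype had nothing to match against, so
    'No vulnerabilities found' says nothing about the image."""
    pkg, vul = PACKAGES_RE.search(text), VULNS_RE.search(text)
    if not pkg or not vul:
        return {"verdict": "error", "reason": "status lines missing from output"}
    packages, vulns = int(pkg.group(1)), int(vul.group(1))
    by_sev = Counter(r["severity"] for r in parse_findings(text))
    if packages == 0:
        verdict = "inconclusive"
    elif by_sev["Critical"] or by_sev["High"]:
        verdict = "fail"
    else:
        verdict = "pass"
    return {"verdict": verdict, "packages": packages, "vulnerabilities": vulns,
            "by_severity": dict(by_sev)}
```

Pipe a real run through it with `grype <image> | python3 -c '...'` and have the pipeline stop on anything other than `pass`, so a cataloger that does not recognise the image is surfaced instead of reported as clean.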

@gmontalvoy gmontalvoy added the bug Something isn't working label May 3, 2022
Contributor

spiffcs commented Jul 28, 2022

👋 @gmontalvoy thanks so much for filing the issue!

I ran grype against the BCI image with one of our newer releases and see that it's picking up the packages now, but no vulnerabilities are being reported. Is there a case you're aware of where this is a false negative report? If you have more details about what you expect the output to be as far as correct findings let me know and I'll investigate further.

I'll keep this issue open for now so I can track the packages myself and see if we're missing anything.

[Screenshot attached in the original comment]

@kzantow kzantow self-assigned this Aug 24, 2022
Contributor

kzantow commented Aug 24, 2022

@gmontalvoy -- it looks like the latest versions of Grype are working fine with bci images. I'm going to close this issue as it is working properly, but please reopen if you are still having problems! Example output from the latest version (which, as of today, is v0.48.0):

% grype registry.suse.com/bci/bci-base:15.3.17.11.4
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [128 packages]
 ✔ Scanned image           [156 vulnerabilities]
NAME                INSTALLED       FIXED-IN                 TYPE  VULNERABILITY   SEVERITY 
gpg2                2.2.27-1.2      0:2.2.27-150300.3.5.1    rpm   CVE-2022-34903  Medium    
libcom_err2         1.43.8-4.26.1   0:1.43.8-150000.4.33.1   rpm   CVE-2022-1304   High      
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.33.1   rpm   CVE-2022-27782  High      
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.36.1   rpm   CVE-2022-32208  Medium    
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.33.1   rpm   CVE-2022-27781  Medium    
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.36.1   rpm   CVE-2022-32206  Medium    
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.30.1   rpm   CVE-2022-27776  Medium    
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.30.1   rpm   CVE-2022-22576  Medium    
libcurl4            7.66.0-4.27.1   0:7.66.0-150200.4.30.1   rpm   CVE-2022-27775  Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7607   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7613   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16062  Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7612   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7148   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18521  Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7610   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7611   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16402  Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7608   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16403  Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18520  Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7149   Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7609   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18310  Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7146   Medium    
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7664   Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7150   Low       
libdw1              0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7665   Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7613   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18521  Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7609   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7149   Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7610   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7611   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7612   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18520  Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7148   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7146   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7608   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16062  Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16402  Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16403  Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7150   Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7607   Medium    
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18310  Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7664   Low       
libebl-plugins      0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7665   Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18520  Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7150   Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16402  Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18521  Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7610   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7149   Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7664   Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-18310  Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16403  Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7148   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7612   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7613   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7609   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7146   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7607   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2019-7665   Low       
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7608   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2017-7611   Medium    
libelf1             0.168-4.5.3     0:0.177-150300.11.3.1    rpm   CVE-2018-16062  Medium    
libglib-2_0-0       2.62.6-3.6.1    0:2.62.6-150200.3.9.1    rpm   CVE-2021-28153  Low       
libldap-2_4-2       2.4.46-9.61.1   0:2.4.46-150200.14.8.1   rpm   CVE-2022-29155  Critical  
libldap-data        2.4.46-9.61.1   0:2.4.46-150200.14.8.1   rpm   CVE-2022-29155  Critical  
liblzma5            5.2.3-4.3.1     0:5.2.3-150000.4.7.1     rpm   CVE-2022-1271   High      
libopenssl1_1       1.1.1d-11.38.1  0:1.1.1d-11.43.1         rpm   CVE-2022-0778   High      
libopenssl1_1       1.1.1d-11.38.1  0:1.1.1d-150200.11.51.1  rpm   CVE-2022-2097   High      
libopenssl1_1-hmac  1.1.1d-11.38.1  0:1.1.1d-150200.11.51.1  rpm   CVE-2022-2097   High      
libopenssl1_1-hmac  1.1.1d-11.38.1  0:1.1.1d-11.43.1         rpm   CVE-2022-0778   High      
libp11-kit0         0.23.2-4.13.1   0:0.23.2-150000.4.16.1   rpm   CVE-2020-29362  Medium    
libpcre1            8.45-20.10.1    0:8.45-150000.20.13.1    rpm   CVE-2022-1586   High      
libprotobuf-lite20  3.9.2-4.9.1     0:3.9.2-4.12.1           rpm   CVE-2021-22570  Medium    
libxml2-2           2.9.7-3.37.1    0:2.9.7-150000.3.46.1    rpm   CVE-2022-23308  High      
libxml2-2           2.9.7-3.37.1    0:2.9.7-150000.3.46.1    rpm   CVE-2022-29824  High      
libz1               1.2.11-3.24.1   0:1.2.11-150000.3.30.1   rpm   CVE-2018-25032  High      
openssl-1_1         1.1.1d-11.38.1  0:1.1.1d-11.43.1         rpm   CVE-2022-0778   High      
openssl-1_1         1.1.1d-11.38.1  0:1.1.1d-150200.11.51.1  rpm   CVE-2022-2097   High      
p11-kit             0.23.2-4.13.1   0:0.23.2-150000.4.16.1   rpm   CVE-2020-29362  Medium    
p11-kit-tools       0.23.2-4.13.1   0:0.23.2-150000.4.16.1   rpm   CVE-2020-29362  Medium

@kzantow kzantow closed this as completed Aug 24, 2022