Trivy scanner should detect Chiselled Ubuntu images and installed packages

[rajesh-payyappilly]

Description

Trivy should detect Chiselled Ubuntu images and installed package/slices properly

1. Canonical's Chiselled Ubuntu is great way to build safe containers
2. This utility from Canonical allows building custom Ubuntu imaged with only required packages/slices
3. For such images, Trivy does not detect the OS correcty and the installed packages
4. Due to this, it reports many false positives though the CVEs is fixed in Ubuntu distribution. It also misses some packages

Ubuntu chisel provides installed packages/files information in two ways

Note the chisel allows to install a slice of package rather than installing the entire package. Ubuntu chisel provides installed packages/slices information in two ways

1. It includes a /var/lib/chisel/manifest.wall files which give very detailed information on slices/packages and files included in the image. But Trivy does not use this manifest

...
{"kind":"slice","name":"openssl_bins"}
...
{"kind":"content","slice":"openssl_bins","path":"/usr/bin/openssl"}
...
{"kind":"package","name":"openssl","version":"3.0.13-0ubuntu3.9","sha256":"df651b2b4fc7cd5aa3248d25b8ce29898b012ae8a0263229840a530eef1dd310","arch":"amd64"}
...
{"kind":"path","path":"/usr/bin/c_rehash","mode":"0755","slices":["openssl_bins"],"sha256":"e500ac3e4b1a18d117bd1c4b47f3e4f96584040b6ea4a484398fff7ddc3a7d12","size":6841}
...

2. Additionally, there is a wrapper utility. If the image is built using this wrapper, it creates /var/lib/dpkg/status with details of all the installed packages/slices. Even with this, Trivy does not detect the OS or installed packages correctly

...
...

Package: openssl
Version: 3.0.13-0ubuntu3.9
Architecture: amd64
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Installed-Size: 1885
Depends: libc6 (>= 2.34), libssl3t64 (>= 3.0.9)
Suggests: ca-certificates
Section: utils
Priority: optional
Multi-Arch: foreign
Homepage: https://www.openssl.org/
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>

...
...

Target

Container Image

Scanner

Vulnerability

[HadrienPatte]

There is an existing discussion about chisel support here: #8644