feat: add support for Wolfi Linux #3215

Merged: 11 commits, Dec 12, 2022

Conversation

@luhring (Contributor) commented Nov 22, 2022

Description

This PR adds support for Wolfi Linux to Trivy, by adding support for detecting the Wolfi "OS" and mapping that to the Wolfi secdb data provided via aquasecurity/vuln-list-update#183 and aquasecurity/trivy-db#266.

(Note: I'm on the Wolfi team. 👋 Happy to answer any questions, including about what's similar/different from Alpine.)

Here's a look at Trivy's behavior before and after adding Wolfi support. These examples are scans of an intentionally old Wolfi image so that vulnerabilities are still present. (Wolfi vulnerabilities are typically patched extremely quickly.) The image being scanned is cgr.dev/chainguard/wolfi-base:latest-20221001.

Before

2022-11-22T16:08:42.908-0500	INFO	Need to update DB
2022-11-22T16:08:42.908-0500	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-22T16:08:42.908-0500	INFO	Downloading DB...
35.24 MiB / 35.24 MiB [-----------------------------------------------------------------------------------------------------] 100.00% 22.12 MiB p/s 1.8s
2022-11-22T16:08:45.239-0500	INFO	Vulnerability scanning is enabled
2022-11-22T16:08:45.239-0500	INFO	Secret scanning is enabled
2022-11-22T16:08:45.239-0500	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-22T16:08:45.239-0500	INFO	Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-11-22T16:08:46.073-0500	INFO	Detected OS: none
2022-11-22T16:08:46.073-0500	WARN	unsupported os : none
2022-11-22T16:08:46.073-0500	INFO	Number of language-specific files: 0

After

2022-11-22T16:11:09.581-0500    INFO    Vulnerability scanning is enabled
2022-11-22T16:11:09.581-0500    INFO    Secret scanning is enabled
2022-11-22T16:11:09.581-0500    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-22T16:11:09.581-0500    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-11-22T16:11:09.602-0500    INFO    Detected OS: wolfi
2022-11-22T16:11:09.602-0500    INFO    Detecting Wolfi vulnerabilities...
2022-11-22T16:11:09.603-0500    INFO    Number of language-specific files: 0

cgr.dev/chainguard/wolfi-base:latest-20221001 (wolfi 20220914)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-28391 │ HIGH     │                   │ 1.35.0-r3     │ busybox: remote attackers may execute arbitrary code if     │
│         │                │          │                   │               │ netstat is used                                             │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                  │
│         ├────────────────┤          ├───────────────────┤               ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2022-30065 │          │                   │               │ busybox: A use-after-free in Busybox's awk applet leads to  │
│         │                │          │                   │               │ denial of service...                                        │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                  │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ glibc   │ CVE-2022-39046 │ MEDIUM   │                   │ 2.36-r1       │ glibc: a crafted input may allow information disclosure     │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-39046                  │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib    │ CVE-2022-37434 │ CRITICAL │                   │ 1.2.12-r3     │ zlib: heap-based buffer over-read and overflow in inflate() │
│         │                │          │                   │               │ in inflate.c via a...                                       │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
│         ├────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2018-25032 │ HIGH     │                   │ 1.2.12-r0     │ zlib: A flaw found in zlib when compressing (not            │
│         │                │          │                   │               │ decompressing) certain inputs...                            │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-25032                  │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@luhring luhring requested a review from knqyf263 as a code owner November 22, 2022 21:14

@luhring (Contributor, Author) commented Nov 23, 2022

(Compilation will fail until aquasecurity/trivy-db#266 is merged and we update this branch of trivy to use the new version of trivy-db.)

@afdesk (Contributor) commented Dec 4, 2022

@luhring (Contributor, Author) commented Dec 4, 2022

> @luhring thanks for your efforts. could you say why we need a custom analyzer? https://github.com/luhring/trivy/tree/wolfi-support/pkg/fanal/analyzer/os/wolfi
>
> You already handle family ID: https://github.com/luhring/trivy/blob/b7c961a65c08aa289a32659a412b550535688dd9/pkg/fanal/analyzer/os/release/release.go#L62-L63

We might not need it, actually! 😃 I'm still learning Trivy's architecture, but that's what I was hoping to learn here #3205 (comment):

I'm wondering if I can even delete what I added at pkg/fanal/analyzer/os/wolfi/..., relying instead on pkg/fanal/analyzer/os/release/release.go to detect the Wolfi OS. What do you think?

@afdesk (Contributor) commented Dec 4, 2022

@luhring sorry, missed your thought.
yes, you can remove wolfi analyzer and rely on release package.

@luhring (Contributor, Author) commented Dec 4, 2022

> sorry, missed your thought.
> yes, you can remove wolfi analyzer and rely on release package.

No worries! Removed in b0df2e5
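
The detection path agreed on above (drop the custom analyzer, let the os-release analyzer map the ID field to a family) can be shown in a few lines. This is an added example, not Trivy's release.go: the family table and the os-release sample are constructed here, with the VERSION_ID chosen to match the "(wolfi 20220914)" shown in the scan output in the PR description.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// OSInfo is the detection result: the family the vulnerability database is
// keyed on, and the release version used when looking up fixed versions.
type OSInfo struct {
	Family string
	Name   string
}

// knownFamilies maps the os-release ID value to a supported family.
// "wolfi" is the value this PR adds; "alpine" is listed for comparison
// (assumption: both IDs are what the respective /etc/os-release files carry).
var knownFamilies = map[string]string{
	"alpine": "alpine",
	"wolfi":  "wolfi",
}

// parseOSRelease parses the KEY=VALUE lines of an os-release file.
// Values may be double- or single-quoted; blank lines and comments are skipped.
func parseOSRelease(content string) map[string]string {
	kv := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		if len(val) >= 2 && (val[0] == '"' || val[0] == '\'') && val[len(val)-1] == val[0] {
			val = val[1 : len(val)-1]
		}
		kv[strings.TrimSpace(key)] = val
	}
	return kv
}

// detectOS returns the family/version pair for a supported ID. ok is false
// for an unknown ID, which is the "Detected OS: none" case in the "Before" log.
func detectOS(content string) (OSInfo, bool) {
	kv := parseOSRelease(content)
	family, ok := knownFamilies[kv["ID"]]
	if !ok {
		return OSInfo{}, false
	}
	return OSInfo{Family: family, Name: kv["VERSION_ID"]}, true
}

// wolfiOSRelease is a constructed sample of /etc/os-release for a Wolfi image.
const wolfiOSRelease = `ID=wolfi
NAME="Wolfi"
PRETTY_NAME="Wolfi"
VERSION_ID="20220914"
HOME_URL="https://wolfi.dev"
`

func main() {
	if info, ok := detectOS(wolfiOSRelease); ok {
		fmt.Printf("Detected OS: %s %s\n", info.Family, info.Name)
	} else {
		fmt.Println("Detected OS: none")
	}
}
```

The point of keeping detection table-driven is that adding a distribution is a one-line change plus a database mapping, and an image whose ID is not in the table degrades to the "unsupported os" warning rather than to a silent scan with zero findings.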

@afdesk afdesk changed the title feat(wolfi): add support for Wolfi Linux feat: add support for Wolfi Linux Dec 4, 2022
@luhring (Contributor, Author) commented Dec 8, 2022

Now that aquasecurity/trivy-db#266 is merged, I've updated this branch to use the latest version of trivy-db.

@knqyf263 and @afdesk could you please take a look? I'm happy to make any other changes you'd like!

Also, in these situations do you typically wait for an updated Trivy DB to be published, in order to test Trivy without using a local cache of the DB?

@knqyf263 (Collaborator) commented Dec 8, 2022

The addition of Wolfi is causing the DB to fail to build (it is our fault), so let us fix that first.
https://github.com/aquasecurity/trivy-db/actions/runs/3648065794/jobs/6161044855

@luhring (Contributor, Author) commented Dec 8, 2022

@knqyf263 The DB looks good to me now! Do you think this one is ready to merge?

@knqyf263 (Collaborator) left a review

Looks almost good to me. I left some small comments.

Inline review comments (all resolved) on:
  • pkg/detector/ospkg/wolfi/wolfi.go (outdated)
  • pkg/detector/ospkg/wolfi/wolfi.go
  • pkg/detector/ospkg/wolfi/wolfi_test.go (outdated)
  • pkg/fanal/analyzer/const.go (outdated)

@knqyf263 knqyf263 mentioned this pull request Dec 11, 2022
@knqyf263 (Collaborator) commented

Hi, it looked good to me, but I found that the installed versions are empty. Do you know the reason? This analyzer should capture versions.
https://github.com/aquasecurity/trivy/blob/b944ac628616b892d2c1cb085c1bae63128de45d/pkg/fanal/analyzer/pkg/apk/apk.go

@knqyf263 (Collaborator) commented Dec 12, 2022

Doesn't Wolfi have origin package names/versions? If it is the case, we need to use FormatVersion instead.

installed := utils.FormatSrcVersion(pkg)

C:Q1LzfStMeff9oZ+09WB5Z5OR73s/Q=
P:binutils-dev
V:2.39-r4
A:x86_64
S:1052112
I:4209277
T:binutils development headers
U:
L:GPL-3.0-or-later
o:binutils
F:usr
F:usr/include

In the above example, can we assume binutils-dev is installed from binutils v2.39-r4? In other words, the origin package version and sub-package version are always the same?
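
The empty "Installed Version" column comes down to which field the formatter reads. The installed database records an origin name (the `o:` line) but no separate origin version, so a helper that formats the source version has nothing to print, while the binary package's own `V:` value is always present. The following is an added example, not Trivy's apk analyzer or its utils package: the parser and the two formatting helpers are modelled on the discussion above (assumption), and the sample database is constructed from the binutils-dev stanza quoted in the comment plus a second stanza with no `o:` line.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Package holds the fields that matter here: the binary package name and
// version, plus the origin (source) package from the "o:" line. SrcVersion
// is kept separate so the empty-version failure mode is visible.
type Package struct {
	Name       string
	Version    string
	SrcName    string
	SrcVersion string
}

// parseInstalledDB parses stanzas of /lib/apk/db/installed. Stanzas are
// separated by blank lines; each line is a one-letter key, a colon, a value.
func parseInstalledDB(content string) []Package {
	var pkgs []Package
	var cur Package
	flush := func() {
		if cur.Name != "" {
			if cur.SrcName == "" {
				cur.SrcName = cur.Name // no "o:" line: the package is its own origin
			}
			pkgs = append(pkgs, cur)
		}
		cur = Package{}
	}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			flush()
			continue
		}
		if len(line) < 2 || line[1] != ':' {
			continue // not a key:value line; ignore defensively
		}
		key, val := line[:1], line[2:]
		switch key {
		case "P":
			cur.Name = val
		case "V":
			cur.Version = val
		case "o":
			cur.SrcName = val
		}
	}
	flush()
	return pkgs
}

// formatSrcVersion stands in for a helper that reports the origin package's
// version (assumption: modelled on the FormatSrcVersion call quoted above).
// The installed db never populates it, so the result is empty.
func formatSrcVersion(p Package) string { return p.SrcVersion }

// formatVersion reports the binary package's own version, which the thread
// confirms is always identical to the origin's version for APK sub-packages.
func formatVersion(p Package) string { return p.Version }

// installedDB is a constructed sample: the binutils-dev stanza from the
// comment above, followed by a package that has no "o:" line.
const installedDB = `C:Q1LzfStMeff9oZ+09WB5Z5OR73s/Q=
P:binutils-dev
V:2.39-r4
A:x86_64
S:1052112
I:4209277
T:binutils development headers
U:
L:GPL-3.0-or-later
o:binutils
F:usr
F:usr/include

P:busybox
V:1.35.0-r2
A:x86_64
`

func main() {
	for _, p := range parseInstalledDB(installedDB) {
		fmt.Printf("%-13s origin=%-9s src-version=%q version=%q\n",
			p.Name, p.SrcName, formatSrcVersion(p), formatVersion(p))
	}
}
```

An empty installed version is more than cosmetic: a version comparison against the fixed version cannot run on an empty string, so the finding is reported without the evidence needed to confirm it, which is the gap the maintainer's screenshot and the corrected table below illustrate.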

@luhring (Contributor, Author) commented Dec 12, 2022

> In the above example, can we assume binutils-dev is installed from binutils v2.39-r4? In other words, the origin package version and sub-package version are always the same?

Yes, that's correct. Good to know about utils.FormatVersion, thanks! Updated.

@luhring (Contributor, Author) commented Dec 12, 2022

> Hi, it looked good to me, but I found that the installed versions are empty. Do you know the reason? This analyzer should capture versions.

Just so I understand this comment, where are you looking? I'm seeing installed versions in Trivy's output.

@knqyf263 (Collaborator) commented Dec 12, 2022

In your PR description, installed versions are empty in the table.
#3215 (comment)


@knqyf263 (Collaborator) commented

It works now, though.

cgr.dev/chainguard/wolfi-base:latest-20221001 (wolfi 20220914)
==============================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-28391 │ HIGH     │ 1.35.0-r2         │ 1.35.0-r3     │ busybox: remote attackers may execute arbitrary code if     │
│         │                │          │                   │               │ netstat is used                                             │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                  │
│         ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2022-30065 │          │                   │               │ busybox: A use-after-free in Busybox's awk applet leads to  │
│         │                │          │                   │               │ denial of service...                                        │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                  │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ glibc   │ CVE-2022-39046 │ MEDIUM   │ 2.36-r0           │ 2.36-r1       │ glibc: a crafted input may allow information disclosure     │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-39046                  │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib    │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r2         │ 1.2.12-r3     │ zlib: heap-based buffer over-read and overflow in inflate() │
│         │                │          │                   │               │ in inflate.c via a...                                       │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

@luhring (Contributor, Author) commented Dec 12, 2022

> In your PR description, installed versions are empty in the table.

Got it! There have been a handful of changes in the past 3 weeks. I'm seeing installed versions locally — let me know if you see something different when you run it.

@knqyf263 (Collaborator) commented

I didn't see installed versions before this commit 95568b5. It looks good now.

@knqyf263 knqyf263 merged commit 93c5d2d into aquasecurity:main Dec 12, 2022
@knqyf263 (Collaborator) commented

Thanks for your contribution👍 It will be included in v0.36.0.

@luhring luhring deleted the wolfi-support branch December 12, 2022 20:50
@luhring (Contributor, Author) commented Dec 12, 2022

Thanks for all your help @knqyf263 and @afdesk! 🙏 This was a great learning experience.

Development

Successfully merging this pull request may close these issues: Add support for Wolfi OS