
feat(minimos): Add support for MinimOS#521

Merged
DmitriyLewen merged 6 commits into
aquasecurity:mainfrom
Daniel-Wachter:minimos_support
May 29, 2025

Conversation

@Daniel-Wachter

Contributor

Hi,
I’m part of the Minimus team. Minimus delivers secure, minimal container images with auto-generated SBOMs and real-time vulnerability threat intelligence to help reduce vulnerability risk.
We also maintain a minimal operating system called MinimOS. We’ve been publishing our security advisories in a secdb feed and would like to contribute it as a new security data source.

Details:
The feed URL: https://packages.mini.dev/advisories/secdb/security.json

The format closely mirrors Alpine's secdb, but it's unversioned—similar to Alpine's edge feed.

Discussion ref: aquasecurity/trivy#8666

Thanks for your consideration!

Daniel-Wachter changed the title from "Add support for MinimOS" to "feat(minimos): Add support for MinimOS" on Apr 29, 2025

@DmitriyLewen DmitriyLewen left a comment

Contributor


LGTM.

Left small comments


Copilot AI left a comment

Contributor


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@knqyf263 knqyf263 requested a review from Copilot May 26, 2025 12:09

Copilot AI left a comment

Contributor


Pull Request Overview

This PR adds support for MinimOS as a new security data source by implementing a new vulnerability source. Key changes include registering MinimOS in the main vulnerability source registry, defining a new constant for MinimOS, and introducing a dedicated package with tests and sample JSON data for MinimOS.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

File Description
pkg/vulnsrc/vulnsrc.go Registers the new MinimOS vulnerability source by adding the appropriate import and registration in the list of vulnerability sources.
pkg/vulnsrc/vulnerability/const.go Adds the MinimOS constant to the list of known source IDs.
pkg/vulnsrc/minimos/ (minimos.go, minimos_test.go, JSON files) Implements the vulnerability source logic, tests, and test data for MinimOS.
Comments suppressed due to low confidence (1)

pkg/vulnsrc/minimos/minimos_test.go:53

  • [nitpick] It might be beneficial to add additional cases to cover different error scenarios during JSON decoding for improved test coverage.
wantErr: "json decode error",

@DmitriyLewen

Contributor

@Daniel-Wachter I have 1 question:
When version in secfixes is 0 - does that mean the vulnerability is fixed in all versions?

e.g.:

  "packages": [
    {
      "pkg": {
        "name": "apache2",
        "secfixes": {
          "0": [
            "CVE-1999-0289",
            "CVE-1999-0678",
            "CVE-1999-1237",

@Daniel-Wachter

Contributor Author

@DmitriyLewen Yes, it means the CVE is not relevant to our package and so is fixed in all versions.

@DmitriyLewen

DmitriyLewen commented May 29, 2025

Contributor

Thanks for confirming.
This means we can skip (not include) vulnerabilities with the fixed version 0 for trivy-db.

Changed in 257b873

cc. @knqyf263
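The feed layout described in the PR description (an Alpine-style secdb) and the handling of the "0" pseudo-version agreed in the exchange above, as an added example in Go (the language of trivy-db); this is not code from the PR or from trivy-db. It decodes a secdb document, drops every secfixes entry keyed "0" (which, per the maintainer's answer, marks CVEs that never affected the package), and returns the remaining (package, fixed version, CVE) triples. Only the "packages" / "pkg" / "name" / "secfixes" fields quoted in the thread are modelled; the embedded sample feed, its version strings and the CVE-2024-* IDs are constructed placeholders, and nothing is fetched from the real feed URL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// secdbFeed models the part of an Alpine-style secdb document needed to extract
// advisories. The field names match the JSON quoted in the PR thread; any other
// top-level keys present in the real feed are ignored by the decoder.
type secdbFeed struct {
	Packages []struct {
		Pkg struct {
			Name     string              `json:"name"`
			Secfixes map[string][]string `json:"secfixes"` // fixed version -> CVE IDs
		} `json:"pkg"`
	} `json:"packages"`
}

// Advisory is one (package, fixed version, vulnerability ID) record.
type Advisory struct {
	Package      string
	FixedVersion string
	VulnID       string
}

// parseSecdb decodes a secdb document into a flat, deterministically ordered
// list of advisories. Entries under the pseudo-version "0" are skipped: "0"
// marks CVEs that never affected the package, so storing them would only add
// noise to a vulnerability database.
func parseSecdb(data []byte) ([]Advisory, error) {
	var feed secdbFeed
	if err := json.Unmarshal(data, &feed); err != nil {
		return nil, fmt.Errorf("json decode error: %w", err)
	}
	var out []Advisory
	for _, p := range feed.Packages {
		for fixedVer, cves := range p.Pkg.Secfixes {
			if fixedVer == "0" {
				continue
			}
			for _, id := range cves {
				out = append(out, Advisory{Package: p.Pkg.Name, FixedVersion: fixedVer, VulnID: id})
			}
		}
	}
	// Map iteration order is randomised in Go; sort so the result is reproducible.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Package != out[j].Package {
			return out[i].Package < out[j].Package
		}
		if out[i].FixedVersion != out[j].FixedVersion {
			return out[i].FixedVersion < out[j].FixedVersion
		}
		return out[i].VulnID < out[j].VulnID
	})
	return out, nil
}

// sampleFeed is constructed test data. The "0" entries reuse the CVE IDs quoted
// in the thread; the fixed versions and the CVE-2024-* IDs are placeholders,
// not real MinimOS advisories.
const sampleFeed = `{
  "packages": [
    {"pkg": {"name": "apache2", "secfixes": {
      "0": ["CVE-1999-0289", "CVE-1999-0678", "CVE-1999-1237"],
      "2.4.62-r0": ["CVE-2024-2222", "CVE-2024-1111"]
    }}},
    {"pkg": {"name": "curl", "secfixes": {
      "8.10.1-r0": ["CVE-2024-3333"]
    }}}
  ]
}`

func main() {
	advs, err := parseSecdb([]byte(sampleFeed))
	if err != nil {
		panic(err)
	}
	for _, a := range advs {
		fmt.Printf("%-8s fixed in %-10s %s\n", a.Package, a.FixedVersion, a.VulnID)
	}
}
```

Running it prints three advisories (two for apache2, one for curl); the three CVE-1999-* IDs under "0" never reach the output, which is exactly the behaviour the thread settles on for trivy-db.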

@DmitriyLewen

Contributor

I confirm that trivy-db built using new vuln-list contains advisories for MinimOS:
[image]

@DmitriyLewen DmitriyLewen added this pull request to the merge queue May 29, 2025
Merged via the queue into aquasecurity:main with commit a12dfc2 May 29, 2025
2 checks passed