aquasecurity · shiloong · Feb 10, 2026
@@ -0,0 +1,73 @@
+# Alibaba Cloud Linux
+Trivy supports the following scanners for OS packages.
+
+|    Scanner    | Supported |
+| :-----------: | :-------: |
+|     SBOM      |     ✓     |
+| Vulnerability |     ✓     |
+|    License    |     ✓     |
+
+Please see [here](index.md#supported-os) for supported versions.
+
+The table below outlines the features offered by Trivy.
+
+|               Feature                | Supported |
+|:------------------------------------:|:---------:|
+|       Unfixed vulnerabilities        |     -     |
+| [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
+
+## SBOM
+Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
+
+## Vulnerability
+Alibaba Cloud Linux offers its own security advisories, and these are utilized when scanning Alibaba Cloud Linux for vulnerabilities.
+
+### Data Source
+See [here](../../scanner/vulnerability.md#data-sources).
+
+### Fixed Version
+When looking at fixed versions, it's crucial to consider the patches supplied by Alibaba Cloud.
+For example, for CVE-2020-25694, the fixed version for Alibaba Cloud Linux 3 is listed as `12.5-1.1.al8` in [ALINUX3-SA-2021:0002].
+Note that this is different from the upstream fixed version.
+Typically, only the upstream information gets listed on [NVD], so it's important not to get confused.
+
+### Severity
+Trivy calculates the severity of an issue based on the severity provided by Alibaba Cloud Linux.
+If the severity is not provided or defined yet by Alibaba Cloud Linux, the severity from the NVD is taken into account.
+
+Using CVE-2020-10543 as an example, while it is rated as "High" in NVD, Alibaba Cloud Linux has marked it as ["Moderate"][ALINUX3-SA-2021:0012].
+As a result, Trivy will display it as "Medium".
+
+The table below is the mapping of Alibaba Cloud Linux's severity to Trivy's severity levels.
+
+| Alibaba Cloud Linux |  Trivy   |
+| :-----------------: | :------: |
+|         Low         |   Low    |
+|      Moderate       |  Medium  |
+|      Important      |   High   |
+|      Critical       | Critical |
+
+### Status
+Trivy supports the following [vulnerability statuses] for Alibaba Cloud Linux.
+
+|       Status        | Supported |
+| :-----------------: | :-------: |
+|        Fixed        |     ✓     |
+|      Affected       |     ✓     |
+| Under Investigation |           |
+|    Will Not Fix     |           |
+|    Fix Deferred     |           |
+|     End of Life     |           |
+
+
+## License
+Trivy identifies licenses by examining the metadata of RPM packages.
+
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+
+[ALINUX3-SA-2021:0002]: https://alas.aliyuncs.com/alinux3/ALINUX3-SA-2021-0002
+[ALINUX3-SA-2021:0012]: https://alas.aliyuncs.com/alinux3/ALINUX3-SA-2021-0012
+[NVD]: https://nvd.nist.gov/vuln/detail/CVE-2020-25694
+
+[vulnerability statuses]: ../../configuration/filtering.md#by-status
@@ -22,6 +22,7 @@ Trivy supports operating systems for
 | [Rocky Linux](rocky.md)                        | 8, 9                                | dnf/yum/rpm      |
 | [Oracle Linux](oracle.md)                      | 5, 6, 7, 8                          | dnf/yum/rpm      |
 | [Azure Linux (CBL-Mariner)](azure.md)          | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
+| [Alibaba Cloud Linux](alinux.md)               | 2, 3, 4                             | dnf/yum/rpm      |
 | [Amazon Linux](amazon.md)                      | 1, 2, 2023                          | dnf/yum/rpm      |
 | [openSUSE Leap](suse.md)                       | 42, 15                              | zypper/rpm       |
 | [openSUSE Tumbleweed](suse.md)                 | (n/a)                               | zypper/rpm       |

@@ -26,6 +26,7 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
 | Wolfi Linux               | [secdb][wolfi]                                               |
 | Chainguard                | [secdb][chainguard]                                          |
 | MinimOS                   | [secdb][minimos]                                             |
+| Alibaba Cloud Linux       | [Alinux Security Center][alinux]                             |
 | Amazon Linux              | [Amazon Linux Security Center][amazon]                       |
 | Echo                      | [Echo][echo]                                                 |
 | Debian                    | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
@@ -403,6 +404,7 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 [wolfi]: https://packages.wolfi.dev/os/security.json
 [chainguard]: https://packages.cgr.dev/chainguard/security.json
 [minimos]: https://packages.mini.dev/advisories/secdb/security.json
+[alinux]: https://alas.aliyuncs.com/
 [amazon]: https://alas.aws.amazon.com/
 [echo]: https://advisory.echohq.com/data.json
 [debian-tracker]: https://security-tracker.debian.org/tracker/

@@ -72,6 +72,7 @@ nav:
           - Overview: guide/coverage/index.md
           - OS:
               - Overview: guide/coverage/os/index.md
+              - Alibaba Cloud Linux: guide/coverage/os/alinux.md
               - AlmaLinux: guide/coverage/os/alma.md
               - Alpine Linux: guide/coverage/os/alpine.md
               - Amazon Linux: guide/coverage/os/amazon.md

@@ -0,0 +1,83 @@
+package alinux
+
+import (
+	"context"
+	"time"
+
+	version "github.com/knqyf263/go-rpm-version"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbAlinux "github.com/aquasecurity/trivy-db/pkg/vulnsrc/alinux"
+	osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/scan/utils"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+var (
+	eolDates = map[string]time.Time{
+		// https://www.alibabacloud.com/help/en/alinux/product-overview/alibaba-cloud-linux-overview
+		"2": time.Date(2024, 3, 31, 23, 59, 59, 0, time.UTC),
+		"3": time.Date(2031, 4, 30, 23, 59, 59, 0, time.UTC),
+		"4": time.Date(2038, 6, 30, 23, 59, 59, 0, time.UTC),
+	}
+)
+
+// Scanner implements the Alibaba Cloud Linux scanner
+type Scanner struct {
+	vs dbAlinux.VulnSrc
+}
+
+// NewScanner is the factory method for Scanner
+func NewScanner() *Scanner {
+	return &Scanner{
+		vs: dbAlinux.NewVulnSrc(),
+	}
+}
+
+// Detect vulnerabilities in packages using the Alinux scanner
+func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
+	osVer = osver.Major(osVer)
+	log.InfoContext(ctx, "Detecting vulnerabilities...", log.String("os_version", osVer),
+		log.Int("pkg_num", len(pkgs)))
+
+	var vulns []types.DetectedVulnerability
+	for _, pkg := range pkgs {
+		advisories, err := s.vs.Get(db.GetParams{
+			Release: osVer,
+			PkgName: pkg.Name,
+		})
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get Alinux advisories: %w", err)
+		}
+
+		installed := utils.FormatVersion(pkg)
+		installedVersion := version.NewVersion(installed)
+		for _, adv := range advisories {
+			fixedVersion := version.NewVersion(adv.FixedVersion)
+			if installedVersion.LessThan(fixedVersion) {
+				vuln := types.DetectedVulnerability{
+					VulnerabilityID:  adv.VulnerabilityID,
+					PkgID:            pkg.ID,
+					PkgName:          pkg.Name,
+					InstalledVersion: installed,
+					FixedVersion:     fixedVersion.String(),
+					PkgIdentifier:    pkg.Identifier,
+					Layer:            pkg.Layer,
+					DataSource:       adv.DataSource,
+					Custom:           adv.Custom,
+				}
+				vulns = append(vulns, vuln)
+			}
+		}
+	}
+
+	return vulns, nil
+}
+
+// IsSupportedVersion checks if the version is supported.
+func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType, osVer string) bool {
+	return osver.Supported(ctx, eolDates, osFamily, osver.Major(osVer))
+}