diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
index 0bef4159d5c..3759dbbd859 100755
--- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
@@ -444,7 +444,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
 Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image):
-Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
+Total 25 packages affected by 83 known vulnerabilities (7 Critical, 19 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
 28 vulnerabilities can be fixed.
@@ -496,7 +496,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
 Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image):
-Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
+Total 25 packages affected by 83 known vulnerabilities (7 Critical, 19 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
 28 vulnerabilities can be fixed.
@@ -567,7 +567,7 @@ Scanning local image tarball "./testdata/test-ubuntu-with-packages.tar"
 Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image):
-Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
+Total 25 packages affected by 83 known vulnerabilities (7 Critical, 19 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
 28 vulnerabilities can be fixed.
diff --git a/internal/scalibrplugin/__snapshots__/resolve_test.snap b/internal/scalibrplugin/__snapshots__/resolve_test.snap
index 78775b5c3d1..bb8c58f213a 100755
--- a/internal/scalibrplugin/__snapshots__/resolve_test.snap
+++ b/internal/scalibrplugin/__snapshots__/resolve_test.snap
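Review bot: The three Ubuntu image snapshots move one advisory from High to Critical (6→7 Critical, 20→19 High, total still 83) although nothing in this diff touches dpkg scanning or the Ubuntu fixtures; presumably the counts come from a refreshed vulnerability feed or a dependency bump that is not shown here. That origin should be stated in the commit message, or the snapshot refresh split into its own commit, so the severity shift is not mistaken for a side effect of the new RPM plugins. A reviewer also cannot tell from the snapshot alone whether this is a genuine CVSS re-rating or a change in how severity is matched, which is exactly the kind of drift worth recording when a scanner's golden output changes.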
@@ -34,6 +34,7 @@ misc/brew-source
 os/apk
 os/dpkg
 os/homebrew
+os/rpm
 osv/osvscannerjson
 php/composerlock
 python/pdmlock
@@ -54,6 +55,7 @@ transitivedependency/requirements
 vcs/gitrepo
 vex/os-duplicate/apk
 vex/os-duplicate/dpkg
+vex/os-duplicate/rpm
 vulnmatch/osvdev
 vulnmatch/osvlocal
 weakcredentials/codeserver
@@ -71,10 +73,12 @@ misc/brew-source
 os/apk
 os/dpkg
 os/homebrew
+os/rpm
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk
 vex/os-duplicate/dpkg
+vex/os-duplicate/rpm
 ---
 
 [TestResolve_Detectors_Presets/cis - 1]
@@ -110,10 +114,12 @@ misc/brew-source
 os/apk
 os/dpkg
 os/homebrew
+os/rpm
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk
 vex/os-duplicate/dpkg
+vex/os-duplicate/rpm
 ---
 
 [TestResolve_Enrichers_Presets/licenses - 1]
@@ -138,10 +144,12 @@ misc/brew-source
 os/apk
 os/dpkg
 os/homebrew
+os/rpm
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk
 vex/os-duplicate/dpkg
+vex/os-duplicate/rpm
 ---
 
 [TestResolve_Extractors_Presets/directory - 1]
@@ -168,6 +176,7 @@ javascript/pnpmlock
 javascript/yarnlock
 os/apk
 os/dpkg
+os/rpm
 osv/osvscannerjson
 php/composerlock
 python/pdmlock
diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
index 26fbbbd6049..9c422481ced 100644
--- a/internal/scalibrplugin/presets.go
+++ b/internal/scalibrplugin/presets.go
@@ -7,6 +7,7 @@ import (
 	"github.com/google/osv-scalibr/annotator/misc/brewsource"
 	apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
 	dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
+	rpmanno "github.com/google/osv-scalibr/annotator/osduplicate/rpm"
 	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
 	detectors "github.com/google/osv-scalibr/detector/list"
 	"github.com/google/osv-scalibr/enricher"
@@ -48,6 +49,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
+	rpmextractor "github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
 	"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 	"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -130,6 +132,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
 		apk.Name: {apk.New},
 		// Debian
 		dpkg.Name: {dpkg.New},
+		// RPM
+		rpmextractor.Name: {rpmextractor.New},
 	},
 	"directory": {
 		gitrepo.Name: {gitrepo.New},
@@ -153,6 +157,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
 		apk.Name: {apk.New},
 		// Debian
 		dpkg.Name: {dpkg.New},
+		// RPM
+		rpmextractor.Name: {rpmextractor.New},
 		// Homebrew
 		homebrew.Name: {homebrew.New},
 	},
@@ -174,6 +180,7 @@ var annotatorPresets = map[string]annotatorlist.InitMap{
 	"artifact": {
 		apkanno.Name: {apkanno.New},
 		dpkganno.Name: {dpkganno.New},
+		rpmanno.Name: {rpmanno.New},
 		brewsource.Name: {brewsource.New},
 	},
 }
diff --git a/internal/scalibrplugin/resolve_test.go b/internal/scalibrplugin/resolve_test.go
index 169b9b83150..0192c5a2536 100644
--- a/internal/scalibrplugin/resolve_test.go
+++ b/internal/scalibrplugin/resolve_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/google/osv-scalibr/annotator/misc/brewsource"
 	apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
 	dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
+	rpmanno "github.com/google/osv-scalibr/annotator/osduplicate/rpm"
 	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
 	"github.com/google/osv-scalibr/detector/cis/generic_linux/etcpasswdpermissions"
 	"github.com/google/osv-scalibr/detector/govulncheck/binary"
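Review bot: The `// RPM` label added above `rpmextractor.Name` in both ExtractorPresets hunks names a package format, while the neighbouring labels name the platform the extractor covers (`// Debian`, `// Homebrew`), so a reader scanning the preset cannot tell which images it now handles; `// RPM-based distributions (RHEL, Fedora, SUSE, …)` keeps the pattern and answers that. Note also that rpm joins apk and dpkg in both the lockfile and artifact presets while homebrew stays artifact-only, so any preset description outside this hunk that enumerates OS extractors per preset needs the same update. Both map literals start and end outside the hunks shown.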
@@ -31,6 +32,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
+	rpmextractor "github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
 	"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 	"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -521,9 +523,11 @@ func TestResolve_Extractors(t *testing.T) {
 				homebrew.Name,
 				gobinary.Name,
 				nodemodules.Name,
+				rpmextractor.Name,
 				wheelegg.Name,
 				apkanno.Name,
 				dpkganno.Name,
+				rpmanno.Name,
 				brewsource.Name,
 			},
 		},
@@ -542,9 +546,11 @@ func TestResolve_Extractors(t *testing.T) {
 				homebrew.Name,
 				gobinary.Name,
 				nodemodules.Name,
+				rpmextractor.Name,
 				wheelegg.Name,
 				apkanno.Name,
 				dpkganno.Name,
+				rpmanno.Name,
 				brewsource.Name,
 			},
 		},
@@ -569,8 +575,10 @@ func TestResolve_Extractors(t *testing.T) {
 				gobinary.Name,
 				homebrew.Name,
 				nodemodules.Name,
+				rpmextractor.Name,
 				apkanno.Name,
 				dpkganno.Name,
+				rpmanno.Name,
 				brewsource.Name,
 			},
 		},
@@ -591,10 +599,12 @@ func TestResolve_Extractors(t *testing.T) {
 				gitrepo.Name,
 				gobinary.Name,
 				nodemodules.Name,
+				rpmextractor.Name,
 				vendored.Name,
 				wheelegg.Name,
 				apkanno.Name,
 				dpkganno.Name,
+				rpmanno.Name,
 				brewsource.Name,
 			},
 		},
@@ -703,6 +713,21 @@ func TestResolve_Extractors_Presets(t *testing.T) {
 	}
 }
+func TestResolve_LockfilePresetIncludesRPM(t *testing.T) {
+	t.Parallel()
+
+	got := scalibrplugin.Resolve([]string{"lockfile"}, []string{}, &cpb.PluginConfig{})
+
+	gotNames := make([]string, 0, len(got))
+	for _, extractor := range got {
+		gotNames = append(gotNames, extractor.Name())
+	}
+
+	if !slices.Contains(gotNames, rpmextractor.Name) {
+		t.Fatalf("lockfile preset does not include %s", rpmextractor.Name)
+	}
+}
+ func TestResolve_Enrichers_Presets(t *testing.T) { + t.Parallel() 
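Review bot: The new `TestResolve_LockfilePresetIncludesRPM` checks only the `lockfile` preset, although the same commit adds the rpm extractor to the `artifact` preset as well (the expected-name tables above list `rpmextractor.Name` for several presets), so half of the new registration has no explicit, non-snapshot test. A table-driven version over both presets costs the same lines and fails with the preset name in the message. The test also relies on `slices.Contains`; the import hunks shown only touch the third-party group, so confirm `slices` is already imported in this file or the build breaks. The closing of `TestResolve_Enrichers_Presets` lies outside the hunk.
```go
func TestResolve_PresetsIncludeRPM(t *testing.T) {
	t.Parallel()

	for _, preset := range []string{"lockfile", "artifact"} {
		t.Run(preset, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})
			// … unchanged: collect extractor.Name() into gotNames …
			if !slices.Contains(gotNames, rpmextractor.Name) {
				t.Fatalf("%s preset does not include %s", preset, rpmextractor.Name)
			}
		})
	}
}
```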
diff --git a/pkg/osvscanner/internal/scanners/lockfile.go b/pkg/osvscanner/internal/scanners/lockfile.go
index 14c02e55b9d..f199ee67d23 100644
--- a/pkg/osvscanner/internal/scanners/lockfile.go
+++ b/pkg/osvscanner/internal/scanners/lockfile.go
@@ -38,6 +38,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+	"github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
 	"github.com/google/osv-scalibr/plugin"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
 )
@@ -74,6 +75,10 @@ var osvscannerScalibrExtractionMapping = map[string][]string{
 	"gems.locked": {gemfilelock.Name},
 	"cabal.project.freeze": {cabal.Name},
 	"stack.yaml.lock": {stacklock.Name},
+	"rpmdb": {rpm.Name},
+	"rpmdb.sqlite": {rpm.Name},
+	"Packages": {rpm.Name},
+	"Packages.db": {rpm.Name},
 	// "Package.resolved": {packageresolved.Name},
 }
 
diff --git a/pkg/osvscanner/internal/scanners/lockfile_test.go b/pkg/osvscanner/internal/scanners/lockfile_test.go
new file mode 100644
index 00000000000..dfe23d0f709
--- /dev/null
+++ b/pkg/osvscanner/internal/scanners/lockfile_test.go
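Review bot: The four new keys in `osvscannerScalibrExtractionMapping` are the only entries that are not self-explanatory file names: `Packages` and `Packages.db` are also the name of Debian apt index files, and `rpmdb` does not obviously correspond to a file on disk, so a user reading `--lockfile` help or this map cannot tell which one to pass. A comment above the group, e.g. `// RPM package database (usually /var/lib/rpm or /usr/lib/sysimage/rpm): "Packages" (BerkeleyDB), "Packages.db" (NDB), "rpmdb.sqlite" (SQLite); "rpmdb" is a generic alias`, would settle that, with the alias sentence adjusted if "rpmdb" is meant to match a real file. These keys are also the first capitalised ones in the map; if `ParseAsToPlugin` (outside this hunk) matches names exactly, a lowercase `packages` will be rejected, which is worth either documenting or normalising. Finally, unlike the text lockfiles around them these are binary databases parsed in-process from whatever path the user supplies, so confirm the rpm extractor's default size and timeout limits from its config also apply on this explicit parse-as path.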
@@ -0,0 +1,32 @@
+package scanners_test
+
+import (
+	"testing"
+
+	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
+	rpmextractor "github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
+	"github.com/google/osv-scanner/v2/internal/scalibrplugin"
+	"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/scanners"
+)
+
+func TestParseAsToPlugin_RPM(t *testing.T) {
+	t.Parallel()
+
+	plugins := scalibrplugin.Resolve([]string{"lockfile"}, []string{}, &cpb.PluginConfig{})
+
+	tests := []string{"rpmdb", "Packages", "Packages.db", "rpmdb.sqlite"}
+	for _, parseAs := range tests {
+		t.Run(parseAs, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := scanners.ParseAsToPlugin(parseAs, plugins)
+			if err != nil {
+				t.Fatalf("ParseAsToPlugin(%q) returned error: %v", parseAs, err)
+			}
+
+			if got.Name() != rpmextractor.Name {
+				t.Fatalf("ParseAsToPlugin(%q) got %q, want %q", parseAs, got.Name(), rpmextractor.Name)
+			}
+		})
+	}
+}
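Review bot: `TestParseAsToPlugin_RPM` only checks the happy path, so it cannot tell a working name table from one that maps every string to the rpm extractor; a negative case such as `if _, err := scanners.ParseAsToPlugin("rpmdb.unknown", plugins); err == nil { t.Fatal("unknown parse-as name was accepted") }` pins the rejection behaviour the positive cases presume. The `tests` slice also hand-copies the four keys added to `osvscannerScalibrExtractionMapping`, so a key added to one and not the other goes unnoticed; a comment `// keep in sync with osvscannerScalibrExtractionMapping in lockfile.go` is the minimum if the map stays unexported. The parallel subtest closure captures the loop variable `parseAs`, which is only safe if go.mod declares Go 1.22 or later (not visible here); otherwise it needs `parseAs := parseAs` before `t.Run`.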