
feat(vuln): Add Quantum package analyzer for DataRobot native C/C++ libraries#14

Draft
Copilot wants to merge 4 commits into main from copilot/add-quantum-package-analyzer

Conversation


Copilot AI commented Dec 19, 2025

Description

Trivy now detects DataRobot Quantum packages - native C/C++ libraries (curl, openssl, libpng, etc.) packaged as Python wheels via quantum-builders. These were previously invisible to vulnerability scanning despite being system-level dependencies.

Implementation

  • Parser (pkg/dependency/parser/python/quantum/): Extracts canonical package names from upstream URLs in quantum.spec.json files

    • https://curl.se/download/curl-7.88.1.tar.gz → package curl@7.88.1
    • Falls back to library_name field if URL parsing fails
    • Uses upstream version (strips DataRobot .postN+dr suffix) for CVE matching
  • Analyzer (pkg/fanal/analyzer/language/python/quantum/): Detects .dist-info/quantum.spec.json files created by quantum-builders' stamp_env()

  • Vulnerability mapping: Routes to Conan ecosystem (GitLab Advisory DB, NVD) for C/C++ package CVE detection

  • Type system: Added Quantum LangType and TypeQuantumPkg analyzer constants

Example quantum.spec.json structure

{
  "name": "quantum-native-curl",
  "library_name": "curl",
  "version": "7.88.1",
  "fullversion": "7.88.1.post5+dr",
  "upstream": "https://curl.se/download/curl-7.88.1.tar.gz",
  "license": "MIT"
}

Fixes

  • Restored Go module test fixture files (go.mod and go.sum) that were accidentally modified in an earlier commit. These test files are now back to their original state and unaffected by the quantum analyzer implementation.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
Original prompt

Add Quantum Package Analyzer for DataRobot Native Libraries

Background

DataRobot uses an internal tool called "quantum-builders" that builds relocatable versions of system software (such as curl, krb5, openssl, libpng, etc.) and packages them into Python wheel format. These wheels are then installed into virtual environments using pip.

Currently, Trivy doesn't recognize these quantum packages for what they actually are - native system libraries that should be checked against CVE databases.

Goal

Extend Trivy to detect quantum packages and coerce them into a format that can be checked against the NVD (National Vulnerability Database) for CVE detection.

Implementation Details

1. Add Quantum LangType constant

Add a new Quantum constant to pkg/fanal/types/const.go:

Quantum LangType = "quantum"

2. Create Quantum Package Analyzer

Create a new analyzer at pkg/fanal/analyzer/language/python/quantum/quantum.go that:

  • Detects quantum.spec.json files within .dist-info directories (these are created by quantum-builders' stamp_env() function)
  • Parses the JSON metadata which contains fields like:
    • name: The quantum package name (e.g., "quantum-native-curl")
    • library_name: The internal library name (e.g., "curl")
    • version: The upstream version (e.g., "7.88.1")
    • fullversion: Version with DataRobot suffix (e.g., "7.88.1.post5+dr")
    • upstream: URL to the upstream source (e.g., "https://curl.se/download/curl-7.88.1.tar.gz")
    • license: The library license
    • library_type: Type of library (native, python, generic)
  • Maps packages to their upstream equivalents using the upstream field URL to derive the canonical package name
  • Creates packages with PURLs using the pkg:generic type for NVD matching

3. Quantum Spec JSON Structure

The quantum.spec.json file (found in .dist-info/quantum.spec.json) has this structure:

{
  "name": "quantum-native-curl",
  "library_name": "curl",
  "version": "7.88.1",
  "fullversion": "7.88.1.post5+dr",
  "suffix": ".post5+dr",
  "library_type": "native",
  "license": "MIT",
  "upstream": "https://curl.se/download/curl-7.88.1.tar.gz",
  "platform": "linux-x86_64",
  "python": "any",
  "dependencies": ["quantum-native-openssl==1.1.1.post3+dr"],
  "changelog": []
}

4. Register the Analyzer

  • Register the analyzer in pkg/fanal/analyzer/all/import.go
  • Add appropriate analyzer type constant in pkg/fanal/analyzer/const.go

5. Add Vulnerability Detection Driver

Create pkg/detector/library/driver.go support for quantum packages that maps to GitLab Advisory Database (which covers C/C++ packages) or generic NVD entries.

6. Upstream Name Extraction

Use the upstream field to derive the canonical package name:

  • Parse URLs like https://curl.se/download/curl-7.88.1.tar.gz to extract "curl"
  • Fall back to library_name field if upstream parsing fails
  • The upstream version should be the version field (without the DataRobot suffix)

7. Add Tests

Create test files at pkg/fanal/analyzer/language/python/quantum/quantum_test.go with:

  • Test data files (sample quantum.spec.json)
  • Unit tests for parsing and detection
  • Tests for upstream name extraction from various URL patterns

8. Documentation

Add documentation at docs/docs/coverage/language/quantum.md explaining:

  • What quantum packages are
  • How Trivy detects them
  • What vulnerability sources are used
  • Any limitations

Expected Behavior

After this change, when Trivy scans a container image or filesystem containing quantum packages:

  1. It will detect .dist-info/quantum.spec.json files
  2. Parse the metadata to extract the upstream library name and version
  3. Create package entries with pkg:generic/<library_name>@<version> PURLs
  4. Match these against the GitLab Advisory Database for C/C++ vulnerabilities
  5. Report any CVEs found for the underlying native libraries

Files to Create/Modify

  1. pkg/fanal/types/const.go - Add Quantum LangType
  2. pkg/fanal/analyzer/const.go - Add TypeQuantumPkg analyzer type
  3. pkg/fanal/analyzer/language/python/quantum/quantum.go - Main analyzer implementation
  4. pkg/fanal/analyzer/language/python/quantum/quantum_test.go - Tests
  5. pkg/fanal/analyzer/language/python/quantum/testdata/ - Test fixtures
  6. pkg/fanal/analyzer/all/import.go - Register analyzer
  7. pkg/detector/library/driver.go - Add quantum driver support
  8. docs/docs/coverage/language/quantum.md - Documentation

This pull request was created from Copilot chat.
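The normalization the description and the original prompt both outline (canonical name from the upstream tarball URL, fall back to library_name, upstream version with the DataRobot .postN+dr suffix stripped, then a pkg:generic PURL) is shown below as an added, self-contained Go example. It is not code from this PR or from Trivy; the type, function and regex names, the tarball-filename pattern, and the embedded sample specs are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// QuantumSpec holds the quantum.spec.json fields this example uses.
// Field names follow the structure shown in the PR description; the
// struct itself is an assumption of this example, not Trivy's type.
type QuantumSpec struct {
	Name        string `json:"name"`
	LibraryName string `json:"library_name"`
	Version     string `json:"version"`
	FullVersion string `json:"fullversion"`
	Upstream    string `json:"upstream"`
	License     string `json:"license"`
}

// Package is the normalized result a vulnerability database would be
// queried with: canonical upstream name, upstream version, and a PURL.
type Package struct {
	Name    string
	Version string
	PURL    string
}

// tarballRe matches versioned source archives such as "curl-7.88.1.tar.gz"
// or "openssl-1.1.1w.tar.xz" and captures the name before the version.
// The exact pattern is an assumption of this example.
var tarballRe = regexp.MustCompile(
	`^([A-Za-z][A-Za-z0-9_+.-]*?)-v?(\d[\w.]*)\.(?:tar\.(?:gz|xz|bz2)|tgz|zip)$`)

// drSuffixRe strips the DataRobot ".postN+dr" suffix from a full version.
var drSuffixRe = regexp.MustCompile(`\.post\d+\+dr$`)

// UpstreamName extracts the canonical package name from an upstream URL.
// It returns "" when the URL does not end in a versioned source archive,
// which lets the caller fall back to library_name.
func UpstreamName(upstream string) string {
	u, err := url.Parse(upstream)
	if err != nil || u.Path == "" {
		return ""
	}
	m := tarballRe.FindStringSubmatch(path.Base(u.Path))
	if m == nil {
		return ""
	}
	return m[1]
}

// Normalize maps a parsed spec to the package that should be matched
// against CVE data. Name comes from the upstream URL, else library_name;
// version comes from the upstream "version" field, else "fullversion"
// with the DataRobot suffix removed.
func Normalize(spec QuantumSpec) (Package, error) {
	name := UpstreamName(spec.Upstream)
	if name == "" {
		name = spec.LibraryName
	}
	if name == "" {
		return Package{}, fmt.Errorf("quantum spec %q: no library name", spec.Name)
	}
	version := spec.Version
	if version == "" {
		version = drSuffixRe.ReplaceAllString(spec.FullVersion, "")
	}
	if version == "" {
		return Package{}, fmt.Errorf("quantum spec %q: no version", spec.Name)
	}
	return Package{
		Name:    name,
		Version: version,
		PURL:    "pkg:generic/" + strings.ToLower(name) + "@" + version,
	}, nil
}

// ParseSpec decodes raw quantum.spec.json bytes and normalizes them.
func ParseSpec(data []byte) (Package, error) {
	var spec QuantumSpec
	if err := json.Unmarshal(data, &spec); err != nil {
		return Package{}, fmt.Errorf("decode quantum.spec.json: %w", err)
	}
	return Normalize(spec)
}

// Constructed sample specs for this example. The first mirrors the curl
// example from the PR description; the second has no usable tarball URL
// and no "version" field, exercising both fallbacks.
const SampleCurlSpec = `{"name":"quantum-native-curl","library_name":"curl","version":"7.88.1","fullversion":"7.88.1.post5+dr","upstream":"https://curl.se/download/curl-7.88.1.tar.gz","license":"MIT"}`
const SampleFallbackSpec = `{"name":"quantum-native-openssl","library_name":"openssl","fullversion":"1.1.1w.post3+dr","upstream":"https://example.invalid/source/latest","license":"Apache-2.0"}`

func main() {
	for _, raw := range []string{SampleCurlSpec, SampleFallbackSpec} {
		pkg, err := ParseSpec([]byte(raw))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %s -> %s\n", pkg.Name, pkg.Version, pkg.PURL)
	}
}
```

The fallback path matters for scanning coverage: a spec whose upstream URL is not a versioned tarball still yields a scannable package instead of being silently dropped, and an empty "version" field is recovered from "fullversion" rather than producing a PURL with no version to match on.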



Copilot AI and others added 2 commits December 19, 2025 21:02
Co-authored-by: elatt <2617872+elatt@users.noreply.github.com>
Co-authored-by: elatt <2617872+elatt@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Quantum Package Analyzer for DataRobot Native Libraries Add Quantum package analyzer for DataRobot native C/C++ libraries Dec 19, 2025
Copilot AI requested a review from elatt December 19, 2025 21:10

@elatt elatt left a comment


@copilot why did you delete so many lines in the go.mod and go.sum files?


elatt commented Dec 19, 2025

@sviatsh I have no clue if the AI didn't just hallucinate all of this but if not, it could be a starting point. And since you know quantum much more than me, you can probably fine tune the prompts.

Co-authored-by: elatt <2617872+elatt@users.noreply.github.com>

Copilot AI commented Dec 19, 2025

@copilot why did you delete so many lines in the go.mod and go.sum files?

Those files were accidentally modified when running git add . during the last commit. They are test fixtures for the Go module parser and should not have been changed. I've restored all of them to their original state in commit a5f014c.

@elatt elatt changed the title Add Quantum package analyzer for DataRobot native C/C++ libraries feat(vuln): Add Quantum package analyzer for DataRobot native C/C++ libraries Dec 19, 2025
Copilot AI changed the title feat(vuln): Add Quantum package analyzer for DataRobot native C/C++ libraries Add Quantum package analyzer for DataRobot native C/C++ libraries Dec 19, 2025
Copilot AI requested a review from elatt December 19, 2025 21:25
@elatt elatt changed the title Add Quantum package analyzer for DataRobot native C/C++ libraries feat(vuln): Add Quantum package analyzer for DataRobot native C/C++ libraries Dec 19, 2025