feat: support scanning rpm databases

G-Rath · G-Rath · commit f11b07322fa6 · 2025-09-15T11:03:53.000+12:00
diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
@@ -632,6 +632,108 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 ---
 
+[TestCommand_OCIImage/rockylinux_empty_image - 1]
+Scanning local image tarball "./testdata/test-rockylinux.tar"
+
+Container Scanning Result (Rocky Linux 9.2 (Blue Onyx)):
+Total 13 packages affected by 32 known vulnerabilities (0 Critical, 15 High, 3 Medium, 0 Low, 14 Unknown) from 2 ecosystems.
+4 vulnerabilities can be fixed.
+
+
+PyPI
++--------------------------------------------------------------------------------------------------+
+| Source:artifact:/usr/share/python3-wheels/pip-21.2.3-py3-none-any.whl                            |
++---------+-------------------+---------------+------------+------------------+--------------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE      |
++---------+-------------------+---------------+------------+------------------+--------------------+
+| pip     | 21.2.3            | Fix Available |          1 | # 0 Layer        | library/rockylinux |
++---------+-------------------+---------------+------------+------------------+--------------------+
++-----------------------------------------------------------------------------------------------------+
+| Source:artifact:/usr/share/python3-wheels/setuptools-53.0.0-py3-none-any.whl                        |
++------------+-------------------+---------------+------------+------------------+--------------------+
+| PACKAGE    | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE      |
++------------+-------------------+---------------+------------+------------------+--------------------+
+| setuptools | 53.0.0            | Fix Available |          3 | # 0 Layer        | library/rockylinux |
++------------+-------------------+---------------+------------+------------------+--------------------+
+Rocky Linux
++--------------------------------------------------------------------------------------------------------------------------------------+
+| Source:os:/var/lib/rpm/rpmdb.sqlite                                                                                                  |
++----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE      |
++----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
+| expat          | 2.5.0-1.el9       | No fix available |          2 | expat                   | # 0 Layer        | library/rockylinux |
+| glib2          | 2.68.4-6.el9      | No fix available |          1 | glib2                   | # 0 Layer        | library/rockylinux |
+| glibc          | 2.34-60.el9       | No fix available |          2 | glibc                   | # 0 Layer        | library/rockylinux |
+| gnutls         | 3.7.6-20.el9_2    | No fix available |          1 | gnutls                  | # 0 Layer        | library/rockylinux |
+| less           | 590-1.el9_0       | No fix available |          3 | less                    | # 0 Layer        | library/rockylinux |
+| libeconf       | 0.4.1-2.el9       | No fix available |          1 | libeconf                | # 0 Layer        | library/rockylinux |
+| libgcrypt      | 1.10.0-10.el9_2   | No fix available |          1 | libgcrypt               | # 0 Layer        | library/rockylinux |
+| libxml2        | 2.9.13-3.el9_1    | No fix available |          2 | libxml2                 | # 0 Layer        | library/rockylinux |
+| openssl        | 3.0.7-6.el9_2     | No fix available |         12 | openssl                 | # 0 Layer        | library/rockylinux |
+| pam            | 1.5.1-14.el9      | No fix available |          1 | pam                     | # 0 Layer        | library/rockylinux |
+| tar            | 1.34-6.el9_1      | No fix available |          2 | tar                     | # 0 Layer        | library/rockylinux |
++----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
+
+---
+
+[TestCommand_OCIImage/rockylinux_empty_image - 2]
+
+---
+
+[TestCommand_OCIImage/rockylinux_empty_image_all_vulns - 1]
+Scanning local image tarball "./testdata/test-rockylinux.tar"
+
+Container Scanning Result (Rocky Linux 9.2 (Blue Onyx)):
+Total 13 packages affected by 32 known vulnerabilities (0 Critical, 15 High, 3 Medium, 0 Low, 14 Unknown) from 2 ecosystems.
+4 vulnerabilities can be fixed.
+
+
+PyPI
++--------------------------------------------------------------------------------------------------+
+| Source:artifact:/usr/share/python3-wheels/pip-21.2.3-py3-none-any.whl                            |
++---------+-------------------+---------------+------------+------------------+--------------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE      |
++---------+-------------------+---------------+------------+------------------+--------------------+
+| pip     | 21.2.3            | Fix Available |          1 | # 0 Layer        | library/rockylinux |
++---------+-------------------+---------------+------------+------------------+--------------------+
++-----------------------------------------------------------------------------------------------------+
+| Source:artifact:/usr/share/python3-wheels/setuptools-53.0.0-py3-none-any.whl                        |
++------------+-------------------+---------------+------------+------------------+--------------------+
+| PACKAGE    | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE      |
++------------+-------------------+---------------+------------+------------------+--------------------+
+| setuptools | 53.0.0            | Fix Available |          3 | # 0 Layer        | library/rockylinux |
++------------+-------------------+---------------+------------+------------------+--------------------+
+Rocky Linux
++--------------------------------------------------------------------------------------------------------------------------------------+
+| Source:os:/var/lib/rpm/rpmdb.sqlite                                                                                                  |
++----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE      |
++----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
+| expat          | 2.5.0-1.el9       | No fix available |          2 | expat                   | # 0 Layer        | library/rockylinux |
+| glib2          | 2.68.4-6.el9      | No fix available |          1 | glib2                   | # 0 Layer        | library/rockylinux |
+| glibc          | 2.34-60.el9       | No fix available |          2 | glibc                   | # 0 Layer        | library/rockylinux |
+| gnutls         | 3.7.6-20.el9_2    | No fix available |          1 | gnutls                  | # 0 Layer        | library/rockylinux |
+| less           | 590-1.el9_0       | No fix available |          3 | less                    | # 0 Layer        | library/rockylinux |
+| libeconf       | 0.4.1-2.el9       | No fix available |          1 | libeconf                | # 0 Layer        | library/rockylinux |
+| libgcrypt      | 1.10.0-10.el9_2   | No fix available |          1 | libgcrypt               | # 0 Layer        | library/rockylinux |
+| libxml2        | 2.9.13-3.el9_1    | No fix available |          2 | libxml2                 | # 0 Layer        | library/rockylinux |
+| openssl        | 3.0.7-6.el9_2     | No fix available |         12 | openssl                 | # 0 Layer        | library/rockylinux |
+| pam            | 1.5.1-14.el9      | No fix available |          1 | pam                     | # 0 Layer        | library/rockylinux |
+| tar            | 1.34-6.el9_1      | No fix available |          2 | tar                     | # 0 Layer        | library/rockylinux |
++----------------+-------------------+------------------+------------+-------------------------+------------------+--------------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
+
+---
+
+[TestCommand_OCIImage/rockylinux_empty_image_all_vulns - 2]
+
+---
+
 [TestCommand_OCIImage/scanning_image_with_go_binary - 1]
 Scanning local image tarball "./testdata/test-package-tracing.tar"
 
diff --git a/cmd/osv-scanner/scan/image/command_test.go b/cmd/osv-scanner/scan/image/command_test.go
@@ -212,6 +212,16 @@ func TestCommand_OCIImage(t *testing.T) {
 				"./testdata/test-ubuntu-20-04.tar"},
 			Exit: 0,
 		},
+		{
+			Name: "rockylinux_empty_image",
+			Args: []string{"", "image", "--archive", "./testdata/test-rockylinux.tar"},
+			Exit: 1,
+		},
+		{
+			Name: "rockylinux_empty_image_all_vulns",
+			Args: []string{"", "image", "--all-vulns", "--archive", "./testdata/test-rockylinux.tar"},
+			Exit: 1,
+		},
 		{
 			Name: "Scanning python image with some packages",
 			Args: []string{"", "image", "--archive", "./testdata/test-python-full.tar"},
diff --git a/cmd/osv-scanner/scan/image/testdata/test-rockylinux.Dockerfile b/cmd/osv-scanner/scan/image/testdata/test-rockylinux.Dockerfile
@@ -0,0 +1 @@
+FROM rockylinux:9.2.20230513@sha256:b07e21a7bbcecbae55b9153317d333d4d50808bf5dc0859db0180b6fbd7afb3d
diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
@@ -32,6 +32,7 @@ import (
 	extractors "github.com/google/osv-scalibr/extractor/filesystem/list"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+	"github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
 	"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 	"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -130,5 +131,7 @@ var ExtractorPresets = map[string]extractors.InitMap{
 		apk.Name: {apk.NewDefault},
 		// Debian
 		dpkg.Name: {dpkg.NewDefault},
+		// RedHat
+		rpm.Name: {rpm.NewDefault},
 	},
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+FROM rockylinux:9.2.20230513@sha256:b07e21a7bbcecbae55b9153317d333d4d50808bf5dc0859db0180b6fbd7afb3d`