feat: add RPM scan plugin wiring #2790

Open

qkal wants to merge 5 commits into google:main from qkal:feat/add-rpm-scan-support

Conversation

qkal commented May 9, 2026

Summary

Adds OSV-Scalibr's RPM package database extractor to OSV-Scanner's default plugin wiring so RPM databases can be scanned alongside the existing APK and DPKG OS package sources.

This also wires the RPM duplicate-package annotator for artifact scans and adds explicit lockfile parse aliases for common RPM database filenames: rpmdb, rpmdb.sqlite, Packages, and Packages.db.

Fixes #254.

Testing

  • go test ./internal/scalibrplugin ./pkg/osvscanner/...

qkal marked this pull request as ready for review May 9, 2026 01:56

another-rex (Collaborator) left a comment

Thank you, can you also add a Dockerfile as a test for a redhat image so that we know it's extracting and matching correctly??

qkal (Author) commented May 18, 2026

@another-rex thanks for the feedback.
I added a pinned Red Hat UBI Dockerfile fixture (test-redhat.Dockerfile) and wired it into the image scan acceptance test so it verifies RPM extraction from /var/lib/rpm/rpmdb.sqlite and Red Hat ecosystem matching.

The RPM extractor is Linux-only in SCALIBR, so the Red Hat image test is skipped on Windows and verified on Linux.

Validation run:

  • go test ./cmd/osv-scanner/scan/image ./pkg/osvscanner/internal/scanners ./internal/scalibrplugin -count=1
  • Linux acceptance subtest: TEST_ACCEPTANCE=true TEST_VCR_MODE=ReplayOnly go test -v ./cmd/osv-scanner/scan/image -run "^TestCommand_OCIImage$/^Scanning_Red_Hat_image$" -count=1

qkal requested a review from another-rex May 18, 2026 10:38
another-rex force-pushed the feat/add-rpm-scan-support branch from 5608db7 to 3450689 May 29, 2026 03:44
another-rex force-pushed the feat/add-rpm-scan-support branch from 3450689 to 3cbf40e June 2, 2026 05:48
codecov-commenter commented Jun 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.72%. Comparing base (1526d17) to head (3cbf40e).

@@            Coverage Diff             @@
##             main    #2790      +/-   ##
==========================================
- Coverage   79.24%   78.72%   -0.53%     
==========================================
  Files         122      122              
  Lines        8259     8259              
==========================================
- Hits         6545     6502      -43     
- Misses       1330     1379      +49     
+ Partials      384      378       -6     


Development

Successfully merging this pull request may close these issues.

Add RPM/Red Hat ecosystem support

3 participants