feat: add RPM scan plugin wiring #2790
Conversation
another-rex
left a comment
Thank you, can you also add a Dockerfile as a test for a Red Hat image so that we know it's extracting and matching correctly?
@another-rex thanks for feedback. The RPM extractor is Linux-only in SCALIBR, so the Red Hat image test is skipped on Windows and verified on Linux. Validation run:
Commits updated: 5608db7 to 3450689, then 3450689 to 3cbf40e.
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff (main vs. #2790):
Coverage: 79.24% -> 78.72% (-0.53%)
Files: 122 -> 122
Lines: 8259 -> 8259
Hits: 6545 -> 6502 (-43)
Misses: 1330 -> 1379 (+49)
Partials: 384 -> 378 (-6)
Summary
Adds OSV-Scalibr's RPM package database extractor to OSV-Scanner's default plugin wiring so RPM databases can be scanned alongside the existing APK and DPKG OS package sources.
This also wires the RPM duplicate-package annotator for artifact scans and adds explicit lockfile parse aliases for common RPM database filenames:
rpmdb, rpmdb.sqlite, Packages, and Packages.db. Fixes #254.
Testing
go test ./internal/scalibrplugin ./pkg/osvscanner/...