test: add E2E tests for AlmaLinux ecosystem mapping #2870

Open

herdiyana256 wants to merge 2 commits into google:main from herdiyana256:feature/os-almalinux-ecosystem-e2e

Conversation

@herdiyana256 (Contributor)

Problem

The AlmaLinux ecosystem mapping was recently implemented and merged in the underlying extractor (google/osv-scalibr#2148). During the review of that PR, maintainer @michaelkedar requested that we also add an End-to-End (E2E) test case within the osv-scanner repository to verify that AlmaLinux images are properly scanned and successfully match advisories from OSV.dev (e.g., ALSA-2022:8299).

Solution

This PR introduces the requested E2E testing for the AlmaLinux ecosystem by adding:

  • A new Dockerfile fixture test-almalinux-9.Dockerfile based on almalinux:9.0 (which contains a curl package vulnerable to ALSA-2022:8299).
  • New test cases in cmd/osv-scanner/scan/image/command_test.go to scan the generated AlmaLinux tarball.
  • Updated snapshots and cassettes demonstrating successful identification of vulnerabilities under the AlmaLinux:9 ecosystem.

Important Note on Ecosystem Format: The ecosystem suffix is explicitly validated as AlmaLinux:9 (major version only, trimming minor/patch versions). This is critical because OSV.dev keys ALSA advisories by major version only. An ecosystem of AlmaLinux:9.8 would incorrectly return 0 vulnerabilities, whereas AlmaLinux:9 successfully matches the 500+ tracked ALSA advisories.

Verification

  • Tested via make test ACC=true SNAPS=true SHORT=false
  • Verified that TestCommand_OCIImage/Scanning_AlmaLinux_9_image passes successfully and that the JSON output accurately reflects the expected vulnerabilities.

@herdiyana256 (Contributor Author)

Hi @michaelkedar, conflicts have been resolved and the branch is now rebased onto main. Ready for review!

@herdiyana256 (Contributor Author)

Hi @michaelkedar,
just a gentle ping on this E2E PR as a follow-up to osv-scalibr#2148 which has been merged. Would you be able to approve the workflows so CI can run? Happy to address any feedback. Thanks!

@michaelkedar (Member)

Hi, sorry for the delay

  • A new Dockerfile fixture test-almalinux-9.Dockerfile based on almalinux:9.0 (which contains a curl package vulnerable to ALSA-2022:8299).

I can't see any ALSA vulnerabilities in the test output at all? Are you sure this is the correct version of the base image to use?

herdiyana256 added a commit to herdiyana256/osv-scanner that referenced this pull request Jun 18, 2026
…ilities

Two root causes were found that prevented ALSA advisories from being detected
when scanning AlmaLinux container images:

1. RPM extractor was missing from the "artifact" preset (presets.go):
   The image scan uses the "artifact" extractor preset which included apk
   (Alpine), dpkg (Debian/Ubuntu), chisel, and homebrew — but NOT the rpm
   extractor. This caused all RPM packages (curl-minimal, openssl, bash, etc.)
   from AlmaLinux images to be completely ignored.

2. AlmaLinux ecosystem suffix was using full VERSION_ID instead of major only:
   /etc/os-release in almalinux:9.0 sets VERSION_ID="9.0", producing ecosystem
   "AlmaLinux:9.0". OSV.dev keys ALSA advisories by major version only
   ("AlmaLinux:9"), so zero advisories were matched. This is fixed upstream in
   google/osv-scalibr#2250; this PR includes a go.mod replace directive to
   pick up that fix while the upstream PR is reviewed.

With both fixes applied, scanning almalinux:9.0 now correctly produces:
  AlmaLinux:9 | 68 packages | 282 known vulnerabilities from 2 ecosystems
  curl-minimal 7.76.1-14.el9_0.5 → 12 vulnerabilities including ALSA advisories

Fixes google#2870 (responds to @michaelkedar review)
Depends on google/osv-scalibr#2250 (ecosystem suffix trim)
@herdiyana256 (Contributor Author) commented Jun 18, 2026

Hi @michaelkedar, thanks for the careful review! After digging in, I found two root causes; both are now fixed.

Root Cause 1: RPM extractor missing from the artifact preset
The image scan relies on the "artifact" extractor preset in internal/scalibrplugin/presets.go. That preset had apk, dpkg, chisel, and homebrew — but not rpm. So any RPM packages from AlmaLinux images (curl-minimal, openssl, bash, you name it) were just silently skipped during image scanning.

Fix: added rpm.New to the "artifact" preset in presets.go.

Root Cause 2: AlmaLinux ecosystem suffix mismatch
/etc/os-release on almalinux:9.0 sets VERSION_ID="9.0" (point release). The upstream osv-scalibr ecosystem.go was passing this through as-is, so the queried ecosystem became "AlmaLinux:9.0" — but OSV.dev keys all ALSA advisories under the major version only ("AlmaLinux:9"), so zero advisories ever matched.

Quick sanity check: querying AlmaLinux:9 returns ALSA-2022:8299, ALSA-2023:0333, and so on. Querying AlmaLinux:9.0 returns nothing.

Fix: submitted google/osv-scalibr#2250 to strip the VERSION_ID down to major version ("9.0" → "9"). Using a go.mod replace directive to pull in that fix while the upstream PR is still under review.

Verified results
With both fixes in, scanning almalinux:9.0 now correctly surfaces:

Container Scanning Result (AlmaLinux 9.0 (Emerald Puma)):
Total 68 packages affected by 282 known vulnerabilities from 2 ecosystems.
AlmaLinux:9
| curl-minimal    | 7.76.1-14.el9_0.5 | Fix Available | 12 vulns |
| libcurl-minimal | 7.76.1-14.el9_0.5 | Fix Available | 12 vulns |

The almalinux:9.0 image was the right choice — it ships the vulnerable curl-minimal@7.76.1-14.el9_0.5. Fix is pushed and snapshots/cassettes have been regenerated.
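The VERSION_ID trimming described in the comment above, shown as an added example in Go (the language of osv-scanner and osv-scalibr); this is not the project's own code. It parses a constructed /etc/os-release modelled on an almalinux:9.0 image, builds the ecosystem string both with and without the major-version trim, and checks the result against a constructed stand-in for the ecosystem keys OSV.dev uses for ALSA advisories. The function names (parseOSRelease, ecosystemSuffix, WouldMatch), the sample file contents and the advisory key list are all assumptions, not osv-scalibr's API or data.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of /etc/os-release from an almalinux:9.0 image
// (modelled on the values quoted in the PR thread, not copied from a container).
const sampleOSRelease = `NAME="AlmaLinux"
VERSION="9.0 (Emerald Puma)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.0"
PRETTY_NAME="AlmaLinux 9.0 (Emerald Puma)"
`

// parseOSRelease reads KEY=VALUE lines, strips surrounding quotes and
// skips comments and blank lines. Hypothetical helper, not osv-scalibr's parser.
func parseOSRelease(contents string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		fields[strings.TrimSpace(key)] = strings.Trim(strings.TrimSpace(value), `"'`)
	}
	return fields
}

// majorVersion keeps only the leading component of a dotted version ("9.0" -> "9").
func majorVersion(v string) string {
	major, _, _ := strings.Cut(v, ".")
	return major
}

// ecosystemSuffix builds the OSV ecosystem string for an AlmaLinux os-release.
// trimToMajor models the fix discussed in the thread: without it the suffix is
// the full VERSION_ID ("AlmaLinux:9.0"), with it the major version ("AlmaLinux:9").
func ecosystemSuffix(fields map[string]string, trimToMajor bool) (string, error) {
	if fields["ID"] != "almalinux" {
		return "", fmt.Errorf("not an AlmaLinux os-release (ID=%q)", fields["ID"])
	}
	version := fields["VERSION_ID"]
	if version == "" {
		return "", fmt.Errorf("VERSION_ID missing from os-release")
	}
	if trimToMajor {
		version = majorVersion(version)
	}
	return "AlmaLinux:" + version, nil
}

// knownAdvisoryEcosystems is a constructed stand-in for the ecosystem keys
// OSV.dev uses for ALSA advisories (major version only, as the thread notes).
var knownAdvisoryEcosystems = map[string]bool{
	"AlmaLinux:8": true,
	"AlmaLinux:9": true,
}

// WouldMatch returns the ecosystem derived from an os-release file and whether
// advisories are keyed under it. A mismatch here is the "0 vulnerabilities"
// failure mode the PR describes: the packages are extracted but never matched.
func WouldMatch(contents string, trimToMajor bool) (string, bool) {
	eco, err := ecosystemSuffix(parseOSRelease(contents), trimToMajor)
	if err != nil {
		return "", false
	}
	return eco, knownAdvisoryEcosystems[eco]
}

func main() {
	for _, trim := range []bool{false, true} {
		eco, ok := WouldMatch(sampleOSRelease, trim)
		fmt.Printf("trimToMajor=%v -> ecosystem %q, advisories keyed under it: %v\n", trim, eco, ok)
	}
}
```

Run with `go run .`; the first line reports AlmaLinux:9.0 with no advisory key, the second AlmaLinux:9 with one. The same check is a useful guard in an E2E test: assert on the ecosystem string in the scan output, not only on the vulnerability count, so a future change to the suffix format fails loudly rather than silently matching nothing.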

herdiyana256 force-pushed the feature/os-almalinux-ecosystem-e2e branch from 94a8faa to c173341 on June 18, 2026 14:39
@herdiyana256 (Contributor Author)

Hi @michaelkedar, both root causes are now fixed (rpm extractor missing from artifact preset + VERSION_ID trimming via osv-scalibr#2250). Could you approve the workflows so CI can run? Happy to address any feedback. Thanks!

herdiyana256 changed the title from "cmd/osv-scanner: add E2E test for AlmaLinux ecosystem mapping" to "test: add E2E tests for AlmaLinux ecosystem mapping" on Jun 26, 2026
herdiyana256 added a commit to herdiyana256/osv-scanner that referenced this pull request Jun 26, 2026
Add end-to-end test for scanning Mageia 9 container images to verify
that the Mageia ecosystem mapping (added in google/osv-scalibr#2199)
is correctly exercised by osv-scanner.

Changes:
- Add test-mageia-9.Dockerfile fixture based on mageia:9
  (pinned to sha256:9f7cd063...) which contains bundled Python wheels
  with known PyPI vulnerabilities
- Add TestCommand_OCIImage/Scanning_Mageia_9_image test case in
  command_test.go to scan the generated Mageia tarball
- Add TestCommand_OCIImage_JSONFormat/scanning_mageia_9_image test case
  for JSON output format validation
- Update snapshots and cassettes with successful scan results

This follows the same pattern as the AlmaLinux E2E test (google#2870)
as requested by @michaelkedar in google/osv-scalibr#2177.

Tested via: make test ACC=true SNAPS=true SHORT=false
TestCommand_OCIImage/Scanning_Mageia_9_image passes successfully.
herdiyana256 added a commit to herdiyana256/osv-scanner that referenced this pull request Jun 26, 2026