test: add E2E tests for AlmaLinux ecosystem mapping#2870
force-pushed from 607787f to 5fe1e3e
Hi @michaelkedar, conflicts have been resolved and the branch is now rebased onto main. Ready for review!
Hi @michaelkedar,
Hi, sorry for the delay.
I can't see any ALSA vulnerabilities in the test output at all? Are you sure this is the correct version of the base image to use?
…ilities
Two root causes were found that prevented ALSA advisories from being detected
when scanning AlmaLinux container images:
1. RPM extractor was missing from the "artifact" preset (presets.go):
The image scan uses the "artifact" extractor preset which included apk
(Alpine), dpkg (Debian/Ubuntu), chisel, and homebrew — but NOT the rpm
extractor. This caused all RPM packages (curl-minimal, openssl, bash, etc.)
from AlmaLinux images to be completely ignored.
2. AlmaLinux ecosystem suffix was using full VERSION_ID instead of major only:
/etc/os-release in almalinux:9.0 sets VERSION_ID="9.0", producing ecosystem
"AlmaLinux:9.0". OSV.dev keys ALSA advisories by major version only
("AlmaLinux:9"), so zero advisories were matched. This is fixed upstream in
google/osv-scalibr#2250; this PR includes a go.mod replace directive to
pick up that fix while the upstream PR is reviewed.
With both fixes applied, scanning almalinux:9.0 now correctly produces:
AlmaLinux:9 | 68 packages | 282 known vulnerabilities from 2 ecosystems
curl-minimal 7.76.1-14.el9_0.5 → 12 vulnerabilities including ALSA advisories
Fixes google#2870 (responds to @michaelkedar review)
Depends on google/osv-scalibr#2250 (ecosystem suffix trim)
Hi @michaelkedar, thanks for the careful review! After digging in, I found two root causes; both are now fixed.
Root Cause 1: RPM extractor missing from the artifact preset
Fix: added
Root Cause 2: AlmaLinux ecosystem suffix mismatch
Quick sanity check: querying
Fix: submitted google/osv-scalibr#2250 to strip the VERSION_ID down to major version (
Verified results
The
force-pushed from 94a8faa to c173341
Hi @michaelkedar, both root causes are now fixed (rpm extractor missing from artifact preset + VERSION_ID trimming via osv-scalibr#2250). Could you approve the workflows so CI can run? Happy to address any feedback. Thanks!
Add end-to-end test for scanning Mageia 9 container images to verify that the Mageia ecosystem mapping (added in google/osv-scalibr#2199) is correctly exercised by osv-scanner.
Changes:
- Add test-mageia-9.Dockerfile fixture based on mageia:9 (pinned to sha256:9f7cd063...) which contains bundled Python wheels with known PyPI vulnerabilities
- Add TestCommand_OCIImage/Scanning_Mageia_9_image test case in command_test.go to scan the generated Mageia tarball
- Add TestCommand_OCIImage_JSONFormat/scanning_mageia_9_image test case for JSON output format validation
- Update snapshots and cassettes with successful scan results
This follows the same pattern as the AlmaLinux E2E test (google#2870) as requested by @michaelkedar in google/osv-scalibr#2177.
Tested via: make test ACC=true SNAPS=true SHORT=false
TestCommand_OCIImage/Scanning_Mageia_9_image passes successfully.
Problem
The AlmaLinux ecosystem mapping was recently implemented and merged in the underlying extractor (google/osv-scalibr#2148). During the review of that PR, maintainer @michaelkedar requested that we also add an End-to-End (E2E) test case within the osv-scanner repository to verify that AlmaLinux images are properly scanned and successfully match advisories from OSV.dev (e.g., ALSA-2022:8299).
Solution
This PR introduces the requested E2E testing for the AlmaLinux ecosystem by adding:
- test-almalinux-9.Dockerfile based on almalinux:9.0 (which contains a curl package vulnerable to ALSA-2022:8299).
- cmd/osv-scanner/scan/image/command_test.go to scan the generated AlmaLinux tarball.
- AlmaLinux:9 ecosystem.
Important Note on Ecosystem Format: The ecosystem suffix is explicitly validated as AlmaLinux:9 (major version only, trimming minor/patch versions). This is critical because OSV.dev keys ALSA advisories by major version only. An ecosystem of AlmaLinux:9.8 would incorrectly return 0 vulnerabilities, whereas AlmaLinux:9 successfully matches the 500+ tracked ALSA advisories.
Verification
make test ACC=true SNAPS=true SHORT=false
Verified that TestCommand_OCIImage/Scanning_AlmaLinux_9_image passes successfully and that the JSON output accurately reflects the expected vulnerabilities.
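The commit message earlier in the thread and the "Important Note on Ecosystem Format" above both describe the same failure: /etc/os-release in almalinux:9.0 carries VERSION_ID="9.0", so building the ecosystem string from the full VERSION_ID yields "AlmaLinux:9.0", which matches nothing because OSV.dev keys ALSA advisories under "AlmaLinux:9". The following Go program is an added example written for this page; it is not code from osv-scanner or osv-scalibr and does not reproduce their extractor API. It parses a constructed os-release (the values mirror what the almalinux:9.0 image ships), derives the ecosystem key both the buggy way and with the major-version trim, and looks the key up in a constructed one-entry advisory index so the zero-match versus match outcome is visible offline. The ID-to-name table, the function names and the index contents are assumptions for the example; ALSA-2022:8299 and the curl package are the identifiers the PR itself names.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// almaOSRelease is constructed for this example to mirror /etc/os-release in
// the almalinux:9.0 image. VERSION_ID="9.0" is the line that produced the
// unmatched "AlmaLinux:9.0" ecosystem described in the PR.
const almaOSRelease = `NAME="AlmaLinux"
VERSION="9.0 (Emerald Puma)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
# comments and blank lines are legal in os-release and must be skipped

PRETTY_NAME="AlmaLinux 9.0 (Emerald Puma)"
`

// parseOSRelease parses KEY=VALUE lines, ignoring comments and blank lines
// and stripping the optional surrounding quotes from each value.
func parseOSRelease(content string) map[string]string {
	fields := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		fields[strings.TrimSpace(key)] = strings.Trim(strings.TrimSpace(val), `"'`)
	}
	return fields
}

// majorVersion keeps only the first dotted component: "9.0" -> "9", "9" -> "9".
func majorVersion(versionID string) string {
	major, _, _ := strings.Cut(versionID, ".")
	return major
}

// ecosystemName maps the os-release ID to the OSV ecosystem name. The table is
// an assumption of this example; only the AlmaLinux entry comes from the page.
var ecosystemName = map[string]string{
	"almalinux": "AlmaLinux",
}

// ecosystemFromOSRelease builds "<Name>:<suffix>". With trimToMajor=false it
// reproduces the buggy behaviour ("AlmaLinux:9.0"); with trimToMajor=true it
// yields the key OSV.dev actually uses for ALSA advisories ("AlmaLinux:9").
func ecosystemFromOSRelease(fields map[string]string, trimToMajor bool) (string, error) {
	name, ok := ecosystemName[fields["ID"]]
	if !ok {
		return "", fmt.Errorf("unsupported distro ID %q", fields["ID"])
	}
	suffix := fields["VERSION_ID"]
	if suffix == "" {
		return "", errors.New("VERSION_ID missing from os-release")
	}
	if trimToMajor {
		suffix = majorVersion(suffix)
	}
	return name + ":" + suffix, nil
}

// advisoryIndex is a constructed stand-in for the OSV.dev index: advisory IDs
// keyed by the exact ecosystem string, then by affected package name.
var advisoryIndex = map[string]map[string][]string{
	"AlmaLinux:9": {
		"curl": {"ALSA-2022:8299"},
	},
}

// matchAdvisories returns the advisory IDs recorded for (ecosystem, pkg).
// A real matcher also compares the installed version against the fixed one;
// the point here is only that the ecosystem key has to match exactly.
func matchAdvisories(ecosystem, pkg string) []string {
	return advisoryIndex[ecosystem][pkg]
}

func main() {
	fields := parseOSRelease(almaOSRelease)
	for _, trim := range []bool{false, true} {
		eco, err := ecosystemFromOSRelease(fields, trim)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("trimToMajor=%-5v ecosystem=%-13s curl advisories=%v\n",
			trim, eco, matchAdvisories(eco, "curl"))
	}
}
```

Running it prints one line per mode: the untrimmed key finds no advisories for curl, the trimmed key finds ALSA-2022:8299. The same trim also covers the AlmaLinux:9.8 case the note mentions, since majorVersion drops everything after the first dot.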