Aligning SUSE & OpenSUSE identifiers with /etc/os-release values

[josegomezr]

Description

A little bit of a follow-up of #7620

I started looking into how SUSE gets recognized in SBOM's and noticed that our SBOMs are not detected by trivy.

I try adding support for our SBOM generation tool describing the OperatingSystem (as suggested in #7620) into the SPDX report.

However I encounter a little bit of a wall, reports can be read by trivy but it doesn't understand what OS that is.

@msmeissn pointed me to what seems to be the culprit:

trivy/pkg/fanal/types/const.go

Line 41 in efdb68d

SLES OSType = "suse linux enterprise server"

For trivy SUSE systems are called suse linux enterprise {micro|server} rather than the short name sle{s|m}.

When trivy is the creator of the SBOM report, it writes the long sentence and when it consumes it it matches as expected.

However when consuming SBOM's it expects such sentence to be the OS name. That wouldn't be a problem if that sentence would be available in the rootfs when we're running 😅, so far I can confirm that /etc/os-release is a reliable source of intel, and there what's available is the short names like sle{s|m}.

Trivy logs then something like:

2024-11-18T15:05:29+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-18T15:05:29+01:00       WARN    Unsupported os  family="sles"

And for openSUSE Leap & Tumbleweed a similar issue happens. For trivy they're known as opensuse.{leap|tumbleweed} however the /etc/os-release has ID="opensuse-{leap|tumbleweed}" (notice the dash instead of dot).

I have a small PoC in my personal fork aligning such identifiers (haven't run the tests yet) and it seems that by changing the const in fanal/types/const.go to the ID we can align detection for all tools.

https://github.com/aquasecurity/trivy/compare/main...josegomezr:trivy:main?expand=1

When aligning the ids trivy then reports:

2024-11-19T11:41:30+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-19T11:41:30+01:00       INFO    [sles] Detecting vulnerabilities...     os_version="15.4" pkg_num=444

What do y'all think?

Target

SBOM

Scanner

Vulnerability

[msmeissn]

proposed change would be fine for me.

[knqyf263]

It also looks good to me.

[josegomezr]

Should I open a PR referencing this discussion?

[knqyf263]

It would be appreciated.

[josegomezr]

PR's available! ✨ #7965

[knqyf263]

Opened #7971