Update trivy from 0.35.0 to 0.49.1 (#1806)

* Update trivy 0.35.0->0.48.0

- Specify oras-go 1.2.4 in indirect dependencies

  docker/docker changes a part of its API at 24.0
  - registry: return concrete service type · moby/moby@7b3acdf
    - 7b3acdff5d (diff-8325eae896b1149bf92c826d07fc29005b1b102000b766ffa5a238d791e0849bR18-R21)

  oras-go 1.2.3 uses 23.0.1 and trivy transitively depends on docker/docker 24.y.z.
  There is a build error between oras-go and docker/dockr.

- Update disabled analyzers
- Update language scanners, enable all of them

* move javadb init to scan.go

* Add options for java db init()

* Update scanner/base.go

* Remove unused codes

* Add some lock file names

* Typo fix

* Remove space character (0x20)

* Add java-db options for integration scan

* Minor fomartting fix

* minor fix

* conda is NOT supported by Trivy for library scan

* Configure trivy log in report command too

* Init trivy in scanner

* Use trivy's jar.go and replace client which does almost nothing

* mv jar.go

* Add sha1 hash to result and add filepath for report phase

* Undo added 'vuls scan' options

* Update oras-go to 1.2.4

* Move Java DB related config items to report side

* Add java db search in detect phase

* filter top level jar only

* Update trivy to 0.49.1

* go mod tidy

* Update to newer interface

* Refine lock file list, h/t MaineK00n

* Avoid else clauses if possible, h/t MaineK00n

* Avoid missing word for find and lang types, h/t MaineK00n

* Add missing ecosystems, h/t MaineK00n

* Add comments why to use custom jar analyzer, h/t MaineK00n

* Misc

* Misc

* Misc

* Include go-dep-parser's pares.go for modification

* Move digest field from LibraryScanner to Library

* Use inner jars sha1 for each

* Add Seek to file head before handling zip file entry

* Leave Digest feild empty for entries from pom.xml

* Don't import python/pkg (don't look into package.json)

* Make privete where private is sufficient

* Remove duplicate after Java DB lookup

* misc

* go mod tidy

* Comment out ruby/gemspec

* misc

* Comment out python/packaging

* misc

* Use custom jar

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/jar.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update detector/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update models/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/base.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/parse.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Missing changes in name change

* Update models/github.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update models/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update models/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update models/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/base.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/base.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update scanner/trivy/jar/jar.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Don't import fanal/types at github.go

* Rewrite code around java db initialization

* Add comment

* refactor

* Close java db client

* rename

* Let LibraryScanner have java db client

* Update detector/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update detector/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update detector/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* Update detector/library.go

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

* inline variable

* misc

* Fix typo

---------

Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

contrib/future-vuls/README.md

@@ -6,11 +6,11 @@
   - upload vuls results json to future-vuls
 
 - `future-vuls discover`
- -  Explore hosts within the CIDR range using the ping command
- -  Describe the information including CPE on the found hosts in a toml-formatted file.
- -  Exec snmp2cpe(https://github.com/future-architect/vuls/pull/1625) to active hosts to obtain CPE<br>
-Commands running internally　　`snmp2cpe v2c {IPAddr} public  | snmp2cpe convert`<br>
-   
+ -  Explores hosts within the CIDR range using the ping command
+ -  Describes the information including CPEs on the found hosts in a toml-formatted file
+ -  Executes snmp2cpe(https://github.com/future-architect/vuls/pull/1625) to active hosts to obtain CPE,
+    Commands running internally `snmp2cpe v2c {IPAddr} public  | snmp2cpe convert`
+
 Structure of toml-formatted file
 ```
 [server.{ip}]
@@ -23,12 +23,12 @@ fvuls_sync = false
  
 - `future-vuls add-cpe`
   -  Create pseudo server to Fvuls to obtain uuid and Upload CPE information on the specified(FvulsSync is true and UUID is obtained) hosts to Fvuls
-  -  Fvuls_Sync must be rewritten to true to designate it as the target of the command<br><br>
+  -  Fvuls_Sync must be rewritten to true to designate it as the target of the command
 
 
-1.　`future-vuls discover`
+1. `future-vuls discover`
 
-2.　`future-vuls add-cpe`
+2. `future-vuls add-cpe`
 
 These two commands are used to manage the CPE of network devices, and by executing the commands in the order from the top, you can manage the CPE of each device in Fvuls
 

contrib/trivy/parser/v2/parser.go

@@ -46,15 +46,13 @@ func setScanResultMeta(scanResult *models.ScanResult, report *types.Report) erro
 	scanResult.ServerName = report.ArtifactName
 	if report.ArtifactType == "container_image" {
 		matches := dockerTagPattern.FindStringSubmatch(report.ArtifactName)
-		var imageName, imageTag string
+		// initial values are for without image tag
+		var imageName = report.ArtifactName
+		var imageTag = "latest" // Complement if the tag is omitted
 		if 2 < len(matches) {
 			// including the image tag
 			imageName = matches[1]
 			imageTag = matches[2]
-		} else {
-			// no image tag
-			imageName = report.ArtifactName
-			imageTag = "latest" // Complement if the tag is omitted
 		}
 		scanResult.ServerName = fmt.Sprintf("%s:%s", imageName, imageTag)
 		if scanResult.Optional == nil {
@@ -64,11 +62,10 @@ func setScanResultMeta(scanResult *models.ScanResult, report *types.Report) erro
 		scanResult.Optional["TRIVY_IMAGE_TAG"] = imageTag
 	}
 
+	scanResult.Family = constant.ServerTypePseudo
 	if report.Metadata.OS != nil {
-		scanResult.Family = report.Metadata.OS.Family
+		scanResult.Family = string(report.Metadata.OS.Family)
 		scanResult.Release = report.Metadata.OS.Name
-	} else {
-		scanResult.Family = constant.ServerTypePseudo
 	}
 
 	scanResult.ScannedAt = time.Now()

contrib/trivy/pkg/converter.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 	"time"
 
-	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 
 	"github.com/future-architect/vuls/models"
@@ -92,7 +92,7 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 				})
 			} else {
 				vulnInfo.LibraryFixedIns = append(vulnInfo.LibraryFixedIns, models.LibraryFixedIn{
-					Key:     trivyResult.Type,
+					Key:     string(trivyResult.Type),
 					Name:    vuln.PkgName,
 					Path:    trivyResult.Target,
 					FixedIn: vuln.FixedVersion,
@@ -190,24 +190,26 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 	return scanResult, nil
 }
 
-func isTrivySupportedOS(family string) bool {
-	supportedFamilies := map[string]struct{}{
-		os.RedHat:             {},
-		os.Debian:             {},
-		os.Ubuntu:             {},
-		os.CentOS:             {},
-		os.Rocky:              {},
-		os.Alma:               {},
-		os.Fedora:             {},
-		os.Amazon:             {},
-		os.Oracle:             {},
-		os.Windows:            {},
-		os.OpenSUSE:           {},
-		os.OpenSUSELeap:       {},
-		os.OpenSUSETumbleweed: {},
-		os.SLES:               {},
-		os.Photon:             {},
-		os.Alpine:             {},
+func isTrivySupportedOS(family ftypes.TargetType) bool {
+	supportedFamilies := map[ftypes.TargetType]struct{}{
+		ftypes.Alma:               {},
+		ftypes.Alpine:             {},
+		ftypes.Amazon:             {},
+		ftypes.CBLMariner:         {},
+		ftypes.CentOS:             {},
+		ftypes.Chainguard:         {},
+		ftypes.Debian:             {},
+		ftypes.Fedora:             {},
+		ftypes.OpenSUSE:           {},
+		ftypes.OpenSUSELeap:       {},
+		ftypes.OpenSUSETumbleweed: {},
+		ftypes.Oracle:             {},
+		ftypes.Photon:             {},
+		ftypes.RedHat:             {},
+		ftypes.Rocky:              {},
+		ftypes.SLES:               {},
+		ftypes.Ubuntu:             {},
+		ftypes.Wolfi:              {},
 	}
 	_, ok := supportedFamilies[family]
 	return ok