trivy
Support Fedora
Any chance of getting support for Fedora?
@urbaniak Thank you for your request. Although I want to support Fedora, I don't know whether Fedora has security advisories. Trivy needs the distribution's security advisories to detect vulnerabilities. Let me know if you know anything.
Hello @knqyf263, I think that you need to use this URL to restrict to security: https://bodhi.fedoraproject.org/updates/?type=security It also offers an RSS feed: https://bodhi.fedoraproject.org/rss/updates/?type=security Fedora has other things about Updates and Security that you can find in the wiki: https://fedoraproject.org/wiki/Security_Bugs#Fedora_Security_Advisories Regards
@colundrum Great! This is valuable information. How many users are using Fedora in containers?
@knqyf263 Statistics for the official Fedora Docker images are here: https://hub.docker.com/v2/repositories/library/fedora/ I read at this time: "pull_count": 49053602
@colundrum Thank you for the information. It's a large number. It might be better to support Fedora. Welcome contributor!
@knqyf263 I'm interested in having Fedora support as well. I've started debugging the trivy CLI in order to get an idea of the architecture.
Can you please provide some high-level guidance on how to approach this contribution? Should I start from the trivy-db or the fanal repository?
Thanks
First of all, we have to parse Fedora security advisories and they need to be committed to vuln-list. https://bodhi.fedoraproject.org/updates/?type=security
The update script must be in vuln-list-update.
But I've not found structured advisories like JSON or YAML yet. Looks like RSS is missing some information such as OS versions. We have to look for it first.
@mfrancisc Could you open a PR in vuln-list-update? We already have a PR we were working on, but you can open a new one. https://github.com/aquasecurity/vuln-list-update/pull/30/
@knqyf263 I can have a look and see if I can find a way to integrate the missing information (OS versions and others if needed). Should I start from the code in that PR? Why was that closed?
What's the status here? Seems like Fedora is not supported, but there was already once a prepared PR for that?
Since I'm new to this topic, is this about adding Fedora to the "scannable base images" or about having installable RPMs for Fedora? :D
Seems like https://github.com/aquasecurity/trivy/pull/1616 has been closed for inactivity. Any other news so far?
Any update so far? Has trivy started supporting fedora images?
I am very interested in using it with Fedora 38 as well
I am also interested in using it with all Fedora versions