
feat: add Bottlerocket OS package analyzer

Open 0intro opened this issue 9 months ago • 16 comments

Description

This change adds the Bottlerocket OS package analyzer.

This analyzer parses the package information provided in the application-inventory.json file, as specified on:

https://bottlerocket.dev/en/os/1.34.x/concepts/variants/#software-inventory

This change also defines the Bottlerocket OS family.

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [x] I've updated the documentation with the relevant information (if needed).
  • [x] I've added usage information (if the PR introduces new options)
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

0intro avatar Mar 31 '25 16:03 0intro

Hi @0intro Thank you for your work.

The Trivy repository has been growing bigger and bigger lately, so it's getting harder to maintain. So we're trying to add only the functionality that the community needs.

Can you create a new Discussion with a proposal to add Bottlerocket? If this feature is in demand by the community - we'll review/merge etc. this PR.

DmitriyLewen avatar Apr 01 '25 05:04 DmitriyLewen

Thanks. I've opened https://github.com/aquasecurity/trivy/discussions/8661.

0intro avatar Apr 01 '25 16:04 0intro

Can you please take a look at the test failure?

knqyf263 avatar Apr 09 '25 08:04 knqyf263

I've just fixed the linter issue.

0intro avatar Apr 09 '25 09:04 0intro

You can run mage lint:fix and mage test:unit locally.

knqyf263 avatar Apr 09 '25 11:04 knqyf263

Surprisingly, the first pass of mage lint:fix led to a build error. It should be fixed now.

0intro avatar Apr 09 '25 13:04 0intro

I've renamed the bottlerocket package to bottlerocket_inventory.

0intro avatar Apr 14 '25 12:04 0intro

I think Trivy shows a warning (something like WARN Unsupported os family="bottlerocket"). This might confuse users. Let's create a new ospkg driver. This driver will only show the Info log that Trivy does not support vulnerability detection for bottlerocket packages (the Detect function will simply return nil).

I thought we could document Trivy supports Bottlerocket only for SBOM, but UX would be better if we show the log message like you suggested.

knqyf263 avatar Apr 15 '25 07:04 knqyf263

Thanks for pointing this out, I forgot to write about it in the review: We need to add information to the bottlerocket OS documentation.

DmitriyLewen avatar Apr 15 '25 07:04 DmitriyLewen

@0intro do you have time to update this PR as per notes from https://github.com/aquasecurity/trivy/pull/8653#pullrequestreview-2766898083?

DmitriyLewen avatar Apr 16 '25 05:04 DmitriyLewen

@0intro do you have time to update this PR as per notes from #8653 (review)?

Yes, I'll take a look.

0intro avatar Apr 16 '25 14:04 0intro

I've added a stub bottlerocket ospkg driver, which should get rid of the Unsupported os family="bottlerocket" warning.

0intro avatar Apr 16 '25 15:04 0intro

I've added the changes to purl as well.

I've defined a temporary packageurlTypeBottlerocket = "bottlerocket" type, until the type is added to packageurl.

I chose to make purl starting with pkg:bottlerocket/ (without namespace), because I think something like pkg:bottlerocket-inventory/bottlerocket/ (like pkg:rpm/redhat and so on) wouldn't make much sense for Bottlerocket.

0intro avatar Apr 16 '25 16:04 0intro
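The two pieces this thread settles on, parsing the application-inventory.json described in the PR description and emitting a namespace-less pkg:bottlerocket/ purl as proposed in the comment above, are shown together in the following added example. It is not code from the Trivy PR or from the Bottlerocket project. The field names (Content, Name, Publisher, Version, Release, InstalledTime, ApplicationType, Architecture, Url, Summary) follow the Bottlerocket software-inventory page linked in the description; joining Version and Release with a hyphen, skipping entries without a Name or Version, and carrying the architecture as an arch qualifier are this example's own choices. The sample inventory is constructed, not taken from a real image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Inventory mirrors the top-level shape of application-inventory.json:
// a "Content" array with one object per installed package.
// Field names are taken from the Bottlerocket software-inventory docs;
// nothing beyond those documented fields is assumed.
type Inventory struct {
	Content []InventoryEntry `json:"Content"`
}

// InventoryEntry is one package record as written by Bottlerocket.
type InventoryEntry struct {
	Name            string `json:"Name"`
	Publisher       string `json:"Publisher"`
	Version         string `json:"Version"`
	Release         string `json:"Release"`
	InstalledTime   string `json:"InstalledTime"`
	ApplicationType string `json:"ApplicationType"`
	Architecture    string `json:"Architecture"`
	URL             string `json:"Url"`
	Summary         string `json:"Summary"`
}

// Package is the normalized record a scanner would keep per entry.
type Package struct {
	Name    string
	Version string // "<Version>-<Release>" when Release is set (assumption)
	Arch    string
	PURL    string
}

// ParseInventory decodes the inventory JSON and normalizes every entry.
// Entries missing a Name or Version are skipped rather than emitted as
// unidentifiable packages; malformed JSON is returned as an error.
func ParseInventory(data []byte) ([]Package, error) {
	var inv Inventory
	if err := json.Unmarshal(data, &inv); err != nil {
		return nil, fmt.Errorf("decode inventory: %w", err)
	}
	pkgs := make([]Package, 0, len(inv.Content))
	for _, e := range inv.Content {
		if e.Name == "" || e.Version == "" {
			continue
		}
		ver := e.Version
		if e.Release != "" {
			ver = e.Version + "-" + e.Release
		}
		pkgs = append(pkgs, Package{
			Name:    e.Name,
			Version: ver,
			Arch:    e.Architecture,
			PURL:    bottlerocketPURL(e.Name, ver, e.Architecture),
		})
	}
	return pkgs, nil
}

// bottlerocketPURL builds pkg:bottlerocket/<name>@<version>?arch=<arch>,
// i.e. with no namespace, as proposed in the thread. "bottlerocket" is the
// temporary purl type the PR defines, not a registered purl type.
func bottlerocketPURL(name, version, arch string) string {
	p := "pkg:bottlerocket/" + url.PathEscape(name) + "@" + url.PathEscape(version)
	if arch != "" {
		p += "?arch=" + url.QueryEscape(arch)
	}
	return p
}

// sampleInventory is a constructed input that follows the documented layout.
// Package names and versions are illustrative; the last entry is deliberately
// incomplete to exercise the skip path.
const sampleInventory = `{
  "Content": [
    {"Name": "acpid", "Publisher": "Amazon", "Version": "2.0.34", "Release": "1.0",
     "InstalledTime": "2025-01-01T00:00:00Z", "ApplicationType": "rpm",
     "Architecture": "x86_64", "Url": "https://sourceforge.net/projects/acpid2/",
     "Summary": "ACPI event daemon"},
    {"Name": "containerd", "Publisher": "Amazon", "Version": "1.7.24", "Release": "1.0",
     "InstalledTime": "2025-01-01T00:00:00Z", "ApplicationType": "rpm",
     "Architecture": "x86_64", "Url": "https://containerd.io",
     "Summary": "container runtime"},
    {"Name": "", "Version": "0"}
  ]
}`

func main() {
	pkgs, err := ParseInventory([]byte(sampleInventory))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%-12s %-12s %s\n", p.Name, p.Version, p.PURL)
	}
}
```

Because the inventory carries no per-package signature or checksum, what comes out of this parser is only as trustworthy as the filesystem it was read from; it is inventory for an SBOM, not evidence of integrity.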

I picked up some images from https://gallery.ecr.aws/bottlerocket/, but their OS was Amazon Linux. How can I test this PR with actual images?

knqyf263 avatar Apr 23 '25 18:04 knqyf263

To deploy Bottlerocket on AWS, I've created an EC2 instance using resolve:ssm:/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_id as an ImageId.

0intro avatar Apr 28 '25 16:04 0intro

Thanks. I think I've done all the required changes.

0intro avatar May 19 '25 13:05 0intro

I've added the documentation.

0intro avatar May 21 '25 07:05 0intro

@0intro Great! run mage lint:fix please.

DmitriyLewen avatar May 21 '25 09:05 DmitriyLewen