From 07adf08cb4542c611f9e6acfc143771b22b000e8 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 4 Jun 2025 13:37:39 +0600
Subject: [PATCH 1/7] refactor(ubuntu): update 20.04 eol dates - fix 20.04 eol date - add 20.04-esm
---
 pkg/detector/ospkg/ubuntu/ubuntu.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu.go b/pkg/detector/ospkg/ubuntu/ubuntu.go
index 880a57c783..0bd67c6ba5 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
@@ -54,7 +54,8 @@ var (
 "18.10": time.Date(2019, 7, 18, 23, 59, 59, 0, time.UTC),
 "19.04": time.Date(2020, 1, 18, 23, 59, 59, 0, time.UTC),
 "19.10": time.Date(2020, 7, 17, 23, 59, 59, 0, time.UTC),
- "20.04": time.Date(2025, 4, 23, 23, 59, 59, 0, time.UTC),
+ "20.04": time.Date(2025, 5, 31, 23, 59, 59, 0, time.UTC),
+ "20.04-ESM": time.Date(2030, 4, 30, 23, 59, 59, 0, time.UTC),
 "20.10": time.Date(2021, 7, 22, 23, 59, 59, 0, time.UTC),
 "21.04": time.Date(2022, 1, 20, 23, 59, 59, 0, time.UTC),
 "21.10": time.Date(2022, 7, 14, 23, 59, 59, 0, time.UTC),
From 633427de3a0d56336426292e12274486c0ed3250 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 4 Jun 2025 13:56:57 +0600
Subject: [PATCH 2/7] test(ubuntu): fix tests - change 20.04 to 22.04 in tests
---
 .../ospkg/ubuntu/testdata/fixtures/data-source.yaml | 4 ++--
 pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml | 2 +-
 pkg/detector/ospkg/ubuntu/ubuntu_test.go | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
index b5c8f895fd..8daa72a7b6 100644
--- a/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
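Review bot: Adding the `"20.04-ESM"` entry does more than the commit message's "add 20.04-esm" suggests: `versionFromEolDates` (shown in PATCH 4/7) returns `osVer` unchanged as soon as the key exists in the table, so a `20.04-ESM` host stops falling back to the `20.04` bucket and is looked up under a `ubuntu 20.04-ESM` bucket, which the vulnerability data then has to provide; this presumably also affects `Detect`, whose body is outside these hunks. As far as this series shows, the tests run against a fixture table that omits this key, so the production path for 20.04-ESM is not exercised. A one-line comment above the new entry, such as `// once listed here, an "X-ESM" version is queried as its own bucket instead of falling back to "X"`, would make the consequence visible to whoever adds the next ESM entry. The `eolDates` var block starts before this hunk.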
@@ -1,11 +1,11 @@
 - bucket: data-source
 pairs:
- - key: ubuntu 20.04
+ - key: ubuntu 21.04
 value:
 ID: "ubuntu"
 Name: "Ubuntu CVE Tracker"
 URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- - key: ubuntu 21.04
+ - key: ubuntu 22.04
 value:
 ID: "ubuntu"
 Name: "Ubuntu CVE Tracker"
diff --git a/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml b/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
index bcb207cd8e..f69bd55216 100644
--- a/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
+++ b/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
@@ -5,7 +5,7 @@
 - key: CVE-2019-9243
 value:
 FixedVersion: ""
-- bucket: ubuntu 20.04
+- bucket: ubuntu 22.04
 pairs:
 - bucket: wpa
 pairs:
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu_test.go b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
index 4c6a445a2f..c57ffdf75c 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu_test.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
@@ -37,7 +37,7 @@ func TestScanner_Detect(t *testing.T) {
 "testdata/fixtures/data-source.yaml",
 },
 args: args{
- osVer: "20.04",
+ osVer: "22.04",
 pkgs: []ftypes.Package{
 {
 Name: "wpa",
@@ -82,13 +82,13 @@ func TestScanner_Detect(t *testing.T) {
 },
 },
 {
- name: "ubuntu 20.04-ESM. 20.04 is not outdated",
+ name: "ubuntu 22.04-ESM. 22.04 is not outdated",
 fixtures: []string{
 "testdata/fixtures/ubuntu.yaml",
 "testdata/fixtures/data-source.yaml",
 },
 args: args{
- osVer: "20.04-ESM",
+ osVer: "22.04-ESM",
 pkgs: []ftypes.Package{
 {
 Name: "wpa",
From cb8c4e646b61f1be4ef9f309caa5627c8752bfb4 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 10 Jun 2025 09:53:08 +0600
Subject: [PATCH 3/7] Revert "test(ubuntu): fix tests - change 20.04 to 22.04 in tests"
This reverts commit 633427de3a0d56336426292e12274486c0ed3250.
---
 .../ospkg/ubuntu/testdata/fixtures/data-source.yaml | 4 ++--
 pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml | 2 +-
 pkg/detector/ospkg/ubuntu/ubuntu_test.go | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
index 8daa72a7b6..b5c8f895fd 100644
--- a/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
@@ -1,11 +1,11 @@
 - bucket: data-source
 pairs:
- - key: ubuntu 21.04
+ - key: ubuntu 20.04
 value:
 ID: "ubuntu"
 Name: "Ubuntu CVE Tracker"
 URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- - key: ubuntu 22.04
+ - key: ubuntu 21.04
 value:
 ID: "ubuntu"
 Name: "Ubuntu CVE Tracker"
diff --git a/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml b/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
index f69bd55216..bcb207cd8e 100644
--- a/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
+++ b/pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
@@ -5,7 +5,7 @@
 - key: CVE-2019-9243
 value:
 FixedVersion: ""
-- bucket: ubuntu 22.04
+- bucket: ubuntu 20.04
 pairs:
 - bucket: wpa
 pairs:
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu_test.go b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
index c57ffdf75c..4c6a445a2f 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu_test.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
@@ -37,7 +37,7 @@ func TestScanner_Detect(t *testing.T) {
 "testdata/fixtures/data-source.yaml",
 },
 args: args{
- osVer: "22.04",
+ osVer: "20.04",
 pkgs: []ftypes.Package{
 {
 Name: "wpa",
@@ -82,13 +82,13 @@ func TestScanner_Detect(t *testing.T) {
 },
 },
 {
- name: "ubuntu 22.04-ESM. 22.04 is not outdated",
+ name: "ubuntu 20.04-ESM. 20.04 is not outdated",
 fixtures: []string{
 "testdata/fixtures/ubuntu.yaml",
 "testdata/fixtures/data-source.yaml",
 },
 args: args{
- osVer: "22.04-ESM",
+ osVer: "20.04-ESM",
 pkgs: []ftypes.Package{
 {
 Name: "wpa",
From 07f066f1b4f668eefdf786cef7b5fd67a93a49f0 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 10 Jun 2025 10:02:11 +0600
Subject: [PATCH 4/7] feat: add `WithEOLDates`
---
 pkg/detector/ospkg/ubuntu/ubuntu.go | 32 ++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu.go b/pkg/detector/ospkg/ubuntu/ubuntu.go
index 0bd67c6ba5..d3cabafbb5 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
@@ -68,15 +68,37 @@ var (
 }
 )
+type options struct {
+ eolDates map[string]time.Time
+}
+
+type Option func(*options)
+
+// WithEOLDates takes eol dates for testability
+func WithEOLDates(dates map[string]time.Time) Option {
+ return func(opts *options) {
+ opts.eolDates = dates
+ }
+}
+
 // Scanner implements the Ubuntu scanner
 type Scanner struct {
+ *options
 vs ubuntu.VulnSrc
 }
 // NewScanner is the factory method for Scanner
-func NewScanner() *Scanner {
+func NewScanner(opts ...Option) *Scanner {
+ o := &options{
+ eolDates: eolDates,
+ }
+
+ for _, opt := range opts {
+ opt(o)
+ }
 return &Scanner{
- vs: ubuntu.NewVulnSrc(),
+ options: o,
+ vs: ubuntu.NewVulnSrc(),
 }
 }
@@ -134,12 +156,12 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 // IsSupportedVersion checks is OSFamily can be scanned using Ubuntu scanner
 func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType, osVer string) bool {
- return osver.Supported(ctx, eolDates, osFamily, osVer)
+ return osver.Supported(ctx, s.eolDates, osFamily, osVer)
 }
 // versionFromEolDates checks if actual (not ESM) version is not outdated
 func (s *Scanner) versionFromEolDates(ctx context.Context, osVer string) string {
- if _, ok := eolDates[osVer]; ok {
+ if _, ok := s.eolDates[osVer]; ok {
 return osVer
 }
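Review bot: `Option` is exported but carries no doc comment, and the comment on `WithEOLDates` ("takes eol dates for testability") does not say that the supplied map replaces the built-in table outright and is stored without being copied, so a caller that mutates the map afterwards changes the scanner's behaviour. Suggested wording: `// Option configures a Scanner created by NewScanner.` and `// WithEOLDates replaces the built-in EOL table with dates. The map is used as-is, not copied; intended for tests.` Both comments reappear unchanged in the PATCH 7/7 hunk of this file, where the same wording applies.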
@@ -149,7 +171,7 @@ func (s *Scanner) versionFromEolDates(ctx context.Context, osVer string) string
 // then we need to get vulnerabilities for `18.04`
 // if `18.04` is outdated - we need to use `18.04-ESM` (we will return error until we add `18.04-ESM` to eolDates)
 ver := strings.TrimRight(osVer, "-ESM")
- if eol, ok := eolDates[ver]; ok && clock.Now(ctx).Before(eol) {
+ if eol, ok := s.eolDates[ver]; ok && clock.Now(ctx).Before(eol) {
 return ver
 }
 return osVer
From 711d99138bae4e2d6865b7d22eedd0b227ea5736 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 10 Jun 2025 10:15:01 +0600
Subject: [PATCH 5/7] test: use `WithEOLDates` in tests
---
 pkg/detector/ospkg/ubuntu/ubuntu_test.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu_test.go b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
index 4c6a445a2f..73edb21130 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu_test.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
@@ -18,6 +18,16 @@ import (
 "github.com/aquasecurity/trivy/pkg/types"
 )
+var testEOLDates = map[string]time.Time{
+ "12.04": time.Date(2019, 4, 26, 23, 59, 59, 0, time.UTC),
+ "12.04-ESM": time.Date(2019, 4, 28, 23, 59, 59, 0, time.UTC),
+ "18.04": time.Date(2023, 5, 31, 23, 59, 59, 0, time.UTC),
+ "18.04-ESM": time.Date(2028, 3, 31, 23, 59, 59, 0, time.UTC),
+ "19.04": time.Date(2020, 1, 18, 23, 59, 59, 0, time.UTC),
+ "20.04": time.Date(2025, 5, 31, 23, 59, 59, 0, time.UTC),
+ "21.04": time.Date(2022, 1, 20, 23, 59, 59, 0, time.UTC),
+}
+
 func TestScanner_Detect(t *testing.T) {
 type args struct {
 osVer string
@@ -180,7 +190,7 @@ func TestScanner_Detect(t *testing.T) {
 _ = dbtest.InitDB(t, tt.fixtures)
 defer db.Close()
- s := ubuntu.NewScanner()
+ s := ubuntu.NewScanner(ubuntu.WithEOLDates(testEOLDates))
 got, err := s.Detect(ctx, tt.args.osVer, nil, tt.args.pkgs)
 if tt.wantErr != "" {
 require.ErrorContains(t, err, tt.wantErr)
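Review bot: The new lookup `s.eolDates[ver]` takes `ver` from the context line `strings.TrimRight(osVer, "-ESM")`, and `TrimRight` removes any trailing run of the characters `-`, `E`, `S` and `M` rather than the literal suffix; it happens to work for dotted numeric versions, but `ver := strings.TrimSuffix(osVer, "-ESM")` states the intent and cannot over-trim if a differently shaped version string ever reaches this code. Since the fallback is now per-instance and is about to be reused from `IsSupportedVersion` later in this series, this is a good moment to switch it. `versionFromEolDates` starts before this hunk.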
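Review bot: `testEOLDates` has no comment explaining why the tests pin their own table, and it diverges from the production table in a way the later test names depend on: it omits `20.04-ESM`, which PATCH 1/7 adds to `eolDates`, so the `20.04-ESM` cases added later in this series go down the fall-back-to-`20.04` path that production no longer takes for that version. Either add the key here as well and adjust those expectations, or document the omission so nobody "fixes" it: `// testEOLDates is a fixed table so expectations do not drift as real EOL dates pass; it deliberately omits 20.04-ESM to exercise the fallback path.` Pinning a table instead of relying on the live one is otherwise the right move for these tests.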
@@ -216,7 +226,7 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 want: true,
 },
 {
- name: "ubuntu12.04",
+ name: "ubuntu 12.04",
 now: time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
 args: args{
 osFamily: "ubuntu",
@@ -255,7 +265,7 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 ctx := clock.With(t.Context(), tt.now)
- s := ubuntu.NewScanner()
+ s := ubuntu.NewScanner(ubuntu.WithEOLDates(testEOLDates))
 got := s.IsSupportedVersion(ctx, tt.args.osFamily, tt.args.osVer)
 assert.Equal(t, tt.want, got)
 })
From 753847e0bdc809df45265cba3704c871372eb151 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 10 Jun 2025 10:47:45 +0600
Subject: [PATCH 6/7] fix: check non ESM version in `IsSupportedVersion`
---
 pkg/detector/ospkg/ubuntu/ubuntu.go | 1 +
 pkg/detector/ospkg/ubuntu/ubuntu_test.go | 53 +++++++++++++++++++-----
 2 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu.go b/pkg/detector/ospkg/ubuntu/ubuntu.go
index d3cabafbb5..6ac95f1506 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
@@ -156,6 +156,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 // IsSupportedVersion checks is OSFamily can be scanned using Ubuntu scanner
 func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType, osVer string) bool {
+ osVer = s.versionFromEolDates(ctx, osVer)
 return osver.Supported(ctx, s.eolDates, osFamily, osVer)
 }
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu_test.go b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
index 73edb21130..2cf331e9ab 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu_test.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
@@ -1,6 +1,7 @@
 package ubuntu_test
 import (
+ "bytes"
 "sort"
 "testing"
 "time"
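Review bot: `IsSupportedVersion` now applies the ESM fallback before consulting the table, but its doc comment still reads "checks is OSFamily can be scanned using Ubuntu scanner" and says nothing about that; the comment is a context line of this hunk, so it can be corrected here. Suggested: `// IsSupportedVersion reports whether osVer can be scanned by this scanner. A "<ver>-ESM" input is first mapped to "<ver>" while that release is still within its EOL date (see versionFromEolDates).` It is also worth stating there that an ESM version absent from the table whose base release has expired is passed through unchanged and, per the test cases added in this commit, reported as supported with a log line rather than rejected, since that fail-open outcome is easy to miss when reading the two-line body.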
@@ -15,6 +16,7 @@ import (
 "github.com/aquasecurity/trivy/pkg/clock"
 "github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu"
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+ "github.com/aquasecurity/trivy/pkg/log"
 "github.com/aquasecurity/trivy/pkg/types"
 )
@@ -211,10 +213,11 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 osVer string
 }
 tests := []struct {
- name string
- now time.Time
- args args
- want bool
+ name string
+ now time.Time
+ args args
+ want bool
+ wantLog string
 }{
 {
 name: "ubuntu 12.04 eol ends",
@@ -235,8 +238,17 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 want: false,
 },
 {
- name: "ubuntu 18.04 ESM. 18.04 is not outdated",
- now: time.Date(2022, 4, 31, 23, 59, 59, 0, time.UTC),
+ name: "ubuntu 18.04 ESM and 18.04 are outdated",
+ now: time.Date(2030, 4, 31, 23, 59, 59, 0, time.UTC),
+ args: args{
+ osFamily: "ubuntu",
+ osVer: "18.04-ESM",
+ },
+ want: false,
+ },
+ {
+ name: "ubuntu 18.04 ESM. Only 18.04 is outdated",
+ now: time.Date(2027, 4, 31, 23, 59, 59, 0, time.UTC),
 args: args{
 osFamily: "ubuntu",
 osVer: "18.04-ESM",
@@ -244,13 +256,23 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 want: true,
 },
 {
- name: "ubuntu 18.04 ESM. 18.04 is outdated",
+ name: "ubuntu 20.04 ESM. 20.04 is not outdated, 20.04 ESM not added in EOL dates",
+ now: time.Date(2022, 4, 31, 23, 59, 59, 0, time.UTC),
+ args: args{
+ osFamily: "ubuntu",
+ osVer: "20.04-ESM",
+ },
+ want: true,
+ },
+ {
+ name: "ubuntu 20.04 ESM. 20.04 is outdated, 20.04 ESM not added in EOL dates",
 now: time.Date(2030, 4, 31, 23, 59, 59, 0, time.UTC),
 args: args{
 osFamily: "ubuntu",
- osVer: "18.04-ESM",
+ osVer: "20.04-ESM",
 },
- want: false,
+ want: true,
+ wantLog: "This OS version is not on the EOL list\tfamily=\"ubuntu\" version=\"20.04-ESM\"",
 },
 {
 name: "latest",
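Review bot: The new `now` values `time.Date(2030, 4, 31, ...)` and `time.Date(2027, 4, 31, ...)` in the `@@ -235,8` hunk, and `time.Date(2022, 4, 31, ...)` next to the `2030, 4, 31` context line in the `@@ -244,13` hunk, name a day April does not have; `time.Date` normalizes them to May 1, so the cases still run, but the intent reads wrongly beside table entries such as `"18.04-ESM": time.Date(2028, 3, 31, ...)`. Use a real calendar date, e.g. `now: time.Date(2030, 5, 1, 23, 59, 59, 0, time.UTC),` or `4, 30`, so a reader comparing `now` with the fixture does not have to know about normalization. The `tests` slice starts before these hunks and continues after them.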
@@ -259,15 +281,26 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 osFamily: "ubuntu",
 osVer: "99.04",
 },
- want: true,
+ want: true,
+ wantLog: "This OS version is not on the EOL list\tfamily=\"ubuntu\" version=\"99.04\"",
 },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
+ out := bytes.NewBuffer(nil)
+ logger := log.New(log.NewHandler(out, &log.Options{Level: log.LevelInfo}))
+ log.SetDefault(logger)
+
 ctx := clock.With(t.Context(), tt.now)
 s := ubuntu.NewScanner(ubuntu.WithEOLDates(testEOLDates))
 got := s.IsSupportedVersion(ctx, tt.args.osFamily, tt.args.osVer)
 assert.Equal(t, tt.want, got)
+
+ if out.Len() > 0 && tt.wantLog == "" {
+ t.Errorf("IsSupportedVersion() logs not expected. Found logs: %s", out.String())
+ return
+ }
+ assert.Contains(t, out.String(), tt.wantLog)
 })
 }
 }
From dd444352261d8c2c1f453dea97ed516063325a14 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 10 Jun 2025 12:46:09 +0600
Subject: [PATCH 7/7] refactor
---
 pkg/detector/ospkg/ubuntu/ubuntu.go | 24 +++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/pkg/detector/ospkg/ubuntu/ubuntu.go b/pkg/detector/ospkg/ubuntu/ubuntu.go
index 6ac95f1506..07cad000a8 100644
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
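Review bot: `log.SetDefault(logger)` inside the `t.Run` closure replaces the package-wide default logger and never restores it, so every test that runs after this one in the package (and any parallel test) keeps logging into a sub-test's discarded buffer, which can mask or misattribute log output in other tests. Restore the previous default in `t.Cleanup` if the `log` package exposes it, or otherwise reset a fresh default logger there; either way the restore should be registered before `SetDefault` is called. The `assert.Contains(t, out.String(), tt.wantLog)` check is also vacuous when `tt.wantLog` is empty (every string contains ""), which is harmless only because the `out.Len() > 0` guard runs first; a comment such as `// empty wantLog: the no-output check above is the real assertion` would save the next reader from working that out.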
@@ -68,38 +68,32 @@ var (
 }
 )
-type options struct {
- eolDates map[string]time.Time
-}
-
-type Option func(*options)
+type Option func(*Scanner)
 // WithEOLDates takes eol dates for testability
 func WithEOLDates(dates map[string]time.Time) Option {
- return func(opts *options) {
- opts.eolDates = dates
+ return func(s *Scanner) {
+ s.eolDates = dates
 }
 }
 // Scanner implements the Ubuntu scanner
 type Scanner struct {
- *options
- vs ubuntu.VulnSrc
+ eolDates map[string]time.Time
+ vs ubuntu.VulnSrc
 }
 // NewScanner is the factory method for Scanner
 func NewScanner(opts ...Option) *Scanner {
- o := &options{
+ s := &Scanner{
 eolDates: eolDates,
+ vs: ubuntu.NewVulnSrc(),
 }
 for _, opt := range opts {
- opt(o)
- }
- return &Scanner{
- options: o,
- vs: ubuntu.NewVulnSrc(),
+ opt(s)
 }
+ return s
 }
 // Detect scans and returns the vulnerabilities