feat(redhat): Add Red Hat Hummingbird support #10457
Open
prarit wants to merge 1 commit into aquasecurity:main from
bcd0871 to b45cdf5
Add support for scanning Red Hat Hummingbird container images.

OS detection is handled through the existing os-release analyzer by adding "hummingbird" to the ID-to-OS-family mapping. No dedicated analyzer type is needed since Hummingbird uses a standard /etc/os-release file, following the same pattern as other projects.

The vulnerability driver reuses the Red Hat advisory database query mechanism since Hummingbird advisories share the same CSAF VEX database structure. It differs from the RHEL driver in three ways: it uses Hummingbird-specific default content sets (public-hummingbird-*-rpms), it passes the full date-based version rather than extracting a major version number, and it has no end-of-life date restrictions. The driver also falls back to looking up advisories by source RPM name when no match is found by binary package name, handling VEX feeds that reference source rather than binary RPM names.

The RPM analyzer is updated to recognize "Hummingbird" as a known OS vendor and to treat packages with ".hum" in the release string as official rather than third-party, since Hummingbird RPMs may not set the Vendor header tag.

Co-authored-by: Cursor <noreply@cursor.ai>
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
OS detection is handled through the existing os-release analyzer by adding "hummingbird" to the ID-to-OS-family mapping. No dedicated analyzer type is needed since Hummingbird uses a standard /etc/os-release file, following the same pattern as other projects.
The vulnerability driver reuses the Red Hat advisory database query mechanism since Hummingbird advisories share the same CSAF VEX database structure. It differs from the RHEL driver in three ways: it uses Hummingbird-specific default content sets (i.e., public-hummingbird-*-rpms), it passes the full date-based version rather than extracting a major version number, and it has no end-of-life date restrictions.
Add support for Red Hat Hummingbird images.
Description
Related issues
Related PRs
Remove this section if you don't have related PRs.
Checklist
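The source-RPM lookup fallback and the ".hum" release check described in the pull request above, as an added Go example that is not part of the pull request or of Trivy's code. The `Pkg` type, the `advisories` map, the function names and the advisory IDs are constructed for illustration, and the vendor match is simplified to an exact string comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// Pkg is a hypothetical, simplified view of an installed RPM.
type Pkg struct{ Name, SrcName, Release, Vendor string }

// advisories is constructed sample data keyed by package name; IDs are placeholders.
var advisories = map[string][]string{
	"openssl": {"EXAMPLE-ADV-0001"}, // feed entry keyed by source RPM name
	"curl":    {"EXAMPLE-ADV-0002"}, // feed entry keyed by binary RPM name
}

// isOfficial mirrors the rule in the description: a known vendor, or ".hum"
// in the release string when the Vendor header tag is unset.
func isOfficial(p Pkg) bool {
	return p.Vendor == "Hummingbird" || strings.Contains(p.Release, ".hum")
}

// lookup tries the binary package name first and falls back to the source
// RPM name only when the binary name has no match.
func lookup(p Pkg) (ids []string, matchedBy string) {
	if ids = advisories[p.Name]; len(ids) > 0 {
		return ids, "binary"
	}
	if p.SrcName != "" && p.SrcName != p.Name {
		if ids = advisories[p.SrcName]; len(ids) > 0 {
			return ids, "source"
		}
	}
	return nil, "none"
}

func main() {
	pkgs := []Pkg{
		{"openssl-libs", "openssl", "1.hum1", ""},     // constructed
		{"curl", "curl", "2.hum1", ""},                // constructed
		{"mytool", "mytool", "1.el9", "Example Corp"}, // constructed third-party package
	}
	for _, p := range pkgs {
		ids, by := lookup(p)
		fmt.Printf("%-13s official=%-5t matchedBy=%-6s %v\n", p.Name, isOfficial(p), by, ids)
	}
}
```

Without the fallback, `openssl-libs` would report no advisories even though the feed lists one under `openssl`. The release string is chosen by whoever builds the RPM, so the ".hum" check classifies packages; it does not verify provenance.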