feat(redhat): Add EOL date for RHEL 10. #8910
Conversation
@Romain-Geissler-1A
Thanks for your contribution!
Can you sign the CLA (#8910 (comment))?
Yes, I will do it later today. I am contributing this as part of my company, so I first need to get the legal part reviewed by my legal representative. I need one last approval, which I will get soon, then I will sign the CLA.
Is there a release 0.63 planned soon? If not, is there any new 0.62.x release planned soon where this could be backported, to have it in a stable release soon?
We plan to release
The default content sets were originally created for CentOS, which does not include buildinfo, so they should not be necessary for RHEL. If the mapping to CPE isn't working properly, then it must be due to a different issue. Separately, support for vulnerability scanning on RHEL 10 has not been completed due to the issue with Red Hat's new data source. At present, while SBOM scanning is possible, vulnerability scanning is not, so RHEL 10 cannot be considered a supported version.
In my case, it was needed for a RHEL 10 image. More accurately, the scan is "ok" if I scan directly
At the moment, for our use case (Service Now image scanning, which uses Trivy under the hood, and we care about package content, not vulnerabilities, as we have other scanners for vulnerabilities) we try to have the scan at least "work" without error, while now we have errors and thus we totally lose the container content in Service Now. So shall I change the doc change here to mark only RHEL 9 as fully supported and RHEL 10 as partially supported?
Ok, I now get where the content sets are supposed to come from. If I look inside a raw UBI 10 container I can see this:
and I see code trying to parse this in https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/analyzer/buildinfo/content_manifest.go#L45. I will debug further to check why it doesn't work properly.
After investigation, I propose a better fix for the RHEL 10 case in #8924. This new pull request doesn't wrongly pretend that RHEL 10 is supported, but at least it allows scanning a RHEL 10 image without error.
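As an added illustration of the build-info content manifest parsing referred to above (example code written for this page, not Trivy's own `content_manifest.go`): a minimal Go reader that recognises a manifest by its path under `/root/buildinfo/content_manifests/` and extracts its `content_sets`. The file layout, field names and the sample content-set names are assumptions modelled on Red Hat UBI images, and the manifest itself is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleManifest is a constructed manifest modelled on the JSON files Red Hat
// ships under /root/buildinfo/content_manifests/ in UBI images (assumed layout).
const sampleManifest = `{
  "metadata": {"icm_version": 1, "image_layer_index": 1},
  "content_sets": ["rhel-10-for-x86_64-baseos-rpms", "rhel-10-for-x86_64-appstream-rpms"],
  "image_contents": []
}`

// ContentManifest holds the fields needed to map packages to repositories.
type ContentManifest struct {
	Metadata struct {
		ImageLayerIndex int `json:"image_layer_index"`
	} `json:"metadata"`
	ContentSets []string `json:"content_sets"`
}

// IsContentManifest reports whether a path inside the image layer is a
// build-info content manifest (assumed directory and .json suffix).
func IsContentManifest(path string) bool {
	p := strings.TrimPrefix(path, "/")
	return strings.HasPrefix(p, "root/buildinfo/content_manifests/") && strings.HasSuffix(p, ".json")
}

// ParseContentSets returns the repository content sets declared by a manifest.
// A manifest without content_sets is not an error: the SBOM can still be
// produced, only the repository-to-CPE mapping is unavailable.
func ParseContentSets(data []byte) ([]string, error) {
	var m ContentManifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("parse content manifest: %w", err)
	}
	if m.ContentSets == nil {
		return []string{}, nil
	}
	return m.ContentSets, nil
}

func main() {
	sets, err := ParseContentSets([]byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	fmt.Println("content sets:", sets)
}
```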
Yes, it's more accurate as vulnerability scanning doesn't work with RHEL 10.
Thanks for your investigation. I left a comment there.
I have renamed/changed this pull request to better reflect that it's not full RHEL 10 support. This in practice just removes the
docs/docs/coverage/os/index.md
@@ -14,7 +14,7 @@ Trivy supports operating systems for | |||
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.21, edge | apk | | |||
| [Wolfi Linux](wolfi.md) | (n/a) | apk | | |||
| [Chainguard](chainguard.md) | (n/a) | apk | | |||
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm | | |||
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8, 9, 10 (partial) | dnf/yum/rpm | |
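Review bot: the new RHEL row is the only one in this table whose version list carries a qualifier, and nothing in the hunk or the linked rhel.md says what "(partial)" covers, so a reader cannot tell which scan types work on 10. Either leave 10 out of the row until vulnerability scanning is available, or split it into its own row that names the limitation, e.g. `| [Red Hat Enterprise Linux](rhel.md) | 10 (SBOM only) | dnf/yum/rpm |`, so the table stays self-explanatory.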
I think listing RHEL 10 (partial) as a supported version might confuse users since it's unclear what is supported. It might be better not to include it just yet, or alternatively, we could add a separate line clearly stating that only SBOM is supported.
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8, 9, 10 (partial) | dnf/yum/rpm | | |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8, 9 | dnf/yum/rpm | | |
| [Red Hat Enterprise Linux](rhel.md) | 10 (SBOM only) | dnf/yum/rpm | |
Done
The RHEL 10 support is still partial (missing vulnerability scan) at the moment.
Thanks
Hello! Wondering about the status of supporting OS-level vulnerability scanning for RHEL 10 (i.e. the missing CPE indices issue)? Thanks!
Description
This adds RHEL 10 support that Red Hat has officially released this week at the Red Hat summit.
These before/after outputs were tested with the image `registry.access.redhat.com/ubi10/ubi:latest`:
Before:
After:
Also, I tested this with more complex RHEL 10 images we have started to build internally in Amadeus (actually any image that is built from `registry.access.redhat.com/ubi10/ubi:latest` in which we `dnf install -y` anything, for example `procps`, will do). Before, it used to fail with errors like:
and after, it can scan such images without problem: