feat(seal): add seal support by DmitriyLewen · Pull Request #9370 · aquasecurity/trivy

DmitriyLewen · 2025-08-22T08:36:47Z

Description

This PR adds support for detecting vulnerabilities in Seal Security packages within Trivy. Seal Security provides patched versions of open source packages with security fixes that may not be available in upstream distributions. This
implementation enables Trivy to detect vulnerabilities specific to these Seal-patched packages by integrating with the Seal Security vulnerability database.

Features of implementation

Seal package detection: Automatically detects packages with names or source names starting with "seal-" (case-insensitive)
Multi-OS support: Supports vulnerability detection across multiple operating systems:
- Debian
- Ubuntu
- Alpine
- RedHat/CentOS
- CBL-Mariner
Dual vulnerability scanning: Performs vulnerability detection for both original OS packages and Seal-specific packages in a single scan
Version constraint checking: Implements proper version comparison using OS-specific comparers (DEB, APK, RPM)

Examples

Alpine based image:

➜  ./trivy -q image --pkg-types os --input /Users/dmitriy/work/tmp/seal/images/node-22.13.0-alpine-sp3.tar -f json | jq '.Results[].Vulnerabilities[] | select (.VulnerabilityID=="CVE-2022-2274")'              
 
{
  "VulnerabilityID": "CVE-2022-2274",
  "PkgID": "seal-libcrypto3@3.3.2-r453411",
  "PkgName": "seal-libcrypto3",
  "PkgIdentifier": {
    "PURL": "pkg:apk/alpine/seal-libcrypto3@3.3.2-r453411?arch=x86_64&distro=3.21.2",
    "UID": "65fa7c607cc10771"
  },
  "InstalledVersion": "3.3.2-r453411",
  "FixedVersion": "3.3.2-r45341999",
  "Status": "fixed",
  "Layer": {
    "DiffID": "sha256:c19c28ec60a402fde1e67526457e82c64f10146e0e86a48fef2af1797bde0884"
  },
  "SeveritySource": "nvd",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2274",
  "DataSource": {
    "ID": "seal",
    "Name": "Seal Security Database",
    "URL": "http://vulnfeed.sealsecurity.io/v1/osv/renamed/vulnerabilities.zip",
    "BaseID": "alpine"
  },
  "Title": "openssl: AVX-512-specific heap buffer overflow",
  "Description": "The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.",
  "Severity": "CRITICAL",
  "CweIDs": [
    "CWE-787"
  ],
  "VendorSeverity": {
    "ghsa": 4,
    "nvd": 4,
    "redhat": 3,
    "ubuntu": 2
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V3Score": 9.8
    },
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V2Score": 10,
      "V3Score": 9.8
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V3Score": 8.1
    }
  },
  "References": [
    "https://access.redhat.com/security/cve/CVE-2022-2274",
    "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=4d8a88c134df634ba610ff8db1eb8478ac5fd345",
    "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345",
    "https://github.com/openssl/openssl/issues/18625",
    "https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/",
    "https://nvd.nist.gov/vuln/detail/CVE-2022-2274",
    "https://rustsec.org/advisories/RUSTSEC-2022-0033.html",
    "https://security.netapp.com/advisory/ntap-20220715-0010",
    "https://security.netapp.com/advisory/ntap-20220715-0010/",
    "https://www.cve.org/CVERecord?id=CVE-2022-2274",
    "https://www.openssl.org/news/secadv/20220705.txt"
  ],
  "PublishedDate": "2022-07-01T08:15:07.687Z",
  "LastModifiedDate": "2024-11-21T07:00:40.03Z"
}

Debian based image:

➜  ./trivy -q image --pkg-types os --input /Users/dmitriy/work/tmp/seal/images/python-3.11.6-slim-sp1.tar -f json | jq '.Results[].Vulnerabilities[] | select (.VulnerabilityID=="CVE-2010-4756" or .VulnerabilityID=="CVE-2011-3374")'

{
  "VulnerabilityID": "CVE-2011-3374",
  "PkgID": "apt@2.6.1",
  "PkgName": "apt",
  "PkgIdentifier": {
    "PURL": "pkg:deb/debian/apt@2.6.1?arch=amd64&distro=debian-12.2",
    "UID": "3c015cd3f3fb7932"
  },
  "InstalledVersion": "2.6.1",
  "Status": "affected",
  "Layer": {
    "DiffID": "sha256:92770f546e065c4942829b1f0d7d1f02c2eb1e6acf0d1bc08ef0bf6be4972839"
  },
  "SeveritySource": "debian",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2011-3374",
  "DataSource": {
    "ID": "debian",
    "Name": "Debian Security Tracker",
    "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
  },
  "Title": "It was found that apt-key in apt, all versions, do not correctly valid ...",
  "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.",
  "Severity": "LOW",
  "CweIDs": [
    "CWE-347"
  ],
  "VendorSeverity": {
    "debian": 1,
    "nvd": 1
  },
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "V2Score": 4.3,
      "V3Score": 3.7
    }
  },
  "References": [
    "https://access.redhat.com/security/cve/cve-2011-3374",
    "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480",
    "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html",
    "https://seclists.org/fulldisclosure/2011/Sep/221",
    "https://security-tracker.debian.org/tracker/CVE-2011-3374",
    "https://snyk.io/vuln/SNYK-LINUX-APT-116518",
    "https://ubuntu.com/security/CVE-2011-3374"
  ],
  "PublishedDate": "2019-11-26T00:15:11.03Z",
  "LastModifiedDate": "2024-11-21T01:30:22.61Z"
}
...
{
  "VulnerabilityID": "CVE-2010-4756",
  "PkgID": "seal-libc6@2.36-9+deb12u3+sp1",
  "PkgName": "seal-libc6",
  "PkgIdentifier": {
    "PURL": "pkg:deb/debian/seal-libc6@2.36-9%2Bdeb12u3%2Bsp1?arch=amd64&distro=debian-12.2",
    "UID": "65ab1da4a8c9f6af"
  },
  "InstalledVersion": "2.36-9+deb12u3+sp1",
  "FixedVersion": "2.36-9+deb12u10+sp999, 2.36-9+deb12u3+sp999, 2.31-13+deb11u11+sp999, 2.36-9+deb12u9+sp999",
  "Status": "fixed",
  "Layer": {
    "DiffID": "sha256:28d62c0b2f4228309e96c1ff724a28be8231d8d7291b0e1fa964a7aa3dc94c17"
  },
  "SeveritySource": "nvd",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756",
  "DataSource": {
    "ID": "seal",
    "Name": "Seal Security Database",
    "URL": "http://vulnfeed.sealsecurity.io/v1/osv/renamed/vulnerabilities.zip",
    "BaseID": "debian"
  },
  "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
  "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
  "Severity": "MEDIUM",
  "CweIDs": [
    "CWE-399"
  ],
  "VendorSeverity": {
    "nvd": 2,
    "redhat": 1
  },
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
      "V2Score": 4
    },
    "redhat": {
      "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
      "V2Score": 5
    }
  },
  "References": [
    "http://cxib.net/stuff/glob-0day.c",
    "http://securityreason.com/achievement_securityalert/89",
    "http://securityreason.com/exploitalert/9223",
    "https://access.redhat.com/security/cve/CVE-2010-4756",
    "https://bugzilla.redhat.com/show_bug.cgi?id=681681",
    "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756",
    "https://nvd.nist.gov/vuln/detail/CVE-2010-4756",
    "https://www.cve.org/CVERecord?id=CVE-2010-4756"
  ],
  "PublishedDate": "2011-03-02T20:00:01.037Z",
  "LastModifiedDate": "2025-04-11T00:51:21.963Z"
}

CentOS based image:

➜  ./trivy -q image --pkg-types os --input /Users/dmitriy/work/tmp/seal/images/centos-7-sp1.tar -f json | jq '.Results[].Vulnerabilities[] | select (.VulnerabilityID=="CVE-2021-20193" or .VulnerabilityID=="CVE-2022-1271")'

{
  "VulnerabilityID": "CVE-2022-1271",
  "VendorIDs": [
    "RHSA-2022:2191"
  ],
  "PkgID": "gzip@1.5-10.el7.x86_64",
  "PkgName": "gzip",
  "PkgIdentifier": {
    "PURL": "pkg:rpm/centos/gzip@1.5-10.el7?arch=x86_64&distro=centos-7.9.2009",
    "UID": "36cb1880c67913d6"
  },
  "InstalledVersion": "1.5-10.el7",
  "FixedVersion": "1.5-11.el7_9",
  "Status": "fixed",
  "Layer": {
    "DiffID": "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02"
  },
  "SeveritySource": "redhat",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-1271",
  "Title": "gzip: arbitrary-file-write vulnerability",
  "Description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.",
  "Severity": "HIGH",
  "CweIDs": [
    "CWE-179",
    "CWE-20"
  ],
  "VendorSeverity": {
    "alma": 3,
    "amazon": 3,
    "cbl-mariner": 3,
    "nvd": 3,
    "oracle-oval": 3,
    "photon": 3,
    "redhat": 3,
    "rocky": 3,
    "ubuntu": 2
  },
  "CVSS": {
    "nvd": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "V3Score": 8.8
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "V3Score": 8.8
    }
  },
  "References": [
    "https://access.redhat.com/errata/RHSA-2022:4940",
    "https://access.redhat.com/security/cve/CVE-2022-1271",
    "https://bugzilla.redhat.com/2073310",
    "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271",
    "https://errata.almalinux.org/9/ALSA-2022-4940.html",
    "https://errata.rockylinux.org/RLSA-2022:4991",
    "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
    "https://linux.oracle.com/cve/CVE-2022-1271.html",
    "https://linux.oracle.com/errata/ELSA-2022-5052.html",
    "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
    "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
    "https://security-tracker.debian.org/tracker/CVE-2022-1271",
    "https://security.gentoo.org/glsa/202209-01",
    "https://security.netapp.com/advisory/ntap-20220930-0006/",
    "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
    "https://ubuntu.com/security/notices/USN-5378-1",
    "https://ubuntu.com/security/notices/USN-5378-2",
    "https://ubuntu.com/security/notices/USN-5378-3",
    "https://ubuntu.com/security/notices/USN-5378-4",
    "https://www.cve.org/CVERecord?id=CVE-2022-1271",
    "https://www.openwall.com/lists/oss-security/2022/04/07/8"
  ],
  "PublishedDate": "2022-08-31T16:15:09.347Z",
  "LastModifiedDate": "2025-06-09T15:15:26.69Z"
},
...
{
  "VulnerabilityID": "CVE-2021-20193",
  "PkgID": "seal-tar@1.26-35.el7+sp2.x86_64",
  "PkgName": "seal-tar",
  "PkgIdentifier": {
    "PURL": "pkg:rpm/centos/seal-tar@1.26-35.el7%2Bsp2?arch=x86_64&distro=centos-7.9.2009&epoch=2",
    "UID": "9bf87cef0322d99c"
  },
  "InstalledVersion": "2:1.26-35.el7+sp2",
  "FixedVersion": "2:1.26-35.el7+sp999, 2:1.23-15.el6_8+sp999",
  "Status": "fixed",
  "Layer": {
    "DiffID": "sha256:846659f12fcd364da361ab20bf5aba283481d65926b1bccb7d42f0ff89813332"
  },
  "SeveritySource": "redhat",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20193",
  "DataSource": {
    "ID": "seal",
    "Name": "Seal Security Database",
    "URL": "http://vulnfeed.sealsecurity.io/v1/osv/renamed/vulnerabilities.zip",
    "BaseID": "redhat"
  },
  "Title": "tar: Memory leak in read_header() in list.c",
  "Description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.",
  "Severity": "MEDIUM",
  "CweIDs": [
    "CWE-401",
    "CWE-125"
  ],
  "VendorSeverity": {
    "nvd": 1,
    "photon": 1,
    "redhat": 2,
    "ubuntu": 1
  },
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "V2Score": 4.3,
      "V3Score": 3.3
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "V3Score": 3.3
    }
  },
  "References": [
    "https://access.redhat.com/security/cve/CVE-2021-20193",
    "https://bugzilla.redhat.com/show_bug.cgi?id=1917565",
    "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777",
    "https://nvd.nist.gov/vuln/detail/CVE-2021-20193",
    "https://savannah.gnu.org/bugs/?59897",
    "https://security.gentoo.org/glsa/202105-29",
    "https://ubuntu.com/security/notices/USN-5329-1",
    "https://www.cve.org/CVERecord?id=CVE-2021-20193"
  ],
  "PublishedDate": "2021-03-26T17:15:12.843Z",
  "LastModifiedDate": "2025-05-05T14:15:04.557Z"
}

Related issues

Close feat(vuln): Add support for vulnerability detection in Seal packages #9542

Related PRs

Remove this section if you don't have related PRs.

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

pkg/detector/ospkg/seal/seal.go

- add baseID field

- add coverage page - add seal datasource

knqyf263

LGTM. I left small comments.

knqyf263 · 2025-09-16T10:07:05Z

pkg/detector/ospkg/seal/seal.go

+		comparer = version.NewDEBComparer()
+		vsg = seal.NewVulnSrcGetter(ecosystem.Debian)
+	default:
+		// Should never happen as it's validated in the provider


I didn't find the validation in the provider. Am I missing something?

Nice catch.
Added in a8d5e2d

knqyf263 · 2025-09-16T10:09:31Z

pkg/detector/ospkg/seal/seal.go

+	case ftypes.CentOS:
+		scanner = redhat.NewScanner()
+		comparer = version.NewRPMComparer()
+		vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)
+	case ftypes.Debian:
+		scanner = debian.NewScanner()
+		comparer = version.NewDEBComparer()
+		vsg = seal.NewVulnSrcGetter(ecosystem.Debian)
+	case ftypes.Oracle:
+		scanner = oracle.NewScanner()
+		comparer = version.NewRPMComparer()
+		vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)
+	case ftypes.RedHat:
+		scanner = redhat.NewScanner()
+		comparer = version.NewRPMComparer()
+		vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)


Do we need the case for CentOS?

Suggested change

case ftypes.CentOS:

scanner = redhat.NewScanner()

comparer = version.NewRPMComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)

case ftypes.Debian:

scanner = debian.NewScanner()

comparer = version.NewDEBComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.Debian)

case ftypes.Oracle:

scanner = oracle.NewScanner()

comparer = version.NewRPMComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)

case ftypes.RedHat:

scanner = redhat.NewScanner()

comparer = version.NewRPMComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)

case ftypes.Debian:

scanner = debian.NewScanner()

comparer = version.NewDEBComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.Debian)

case ftypes.Oracle:

scanner = oracle.NewScanner()

comparer = version.NewRPMComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)

case ftypes.CentOS, ftypes.RedHat:

scanner = redhat.NewScanner()

comparer = version.NewRPMComparer()

vsg = seal.NewVulnSrcGetter(ecosystem.RedHat)

Thanks!
Updated in 1c9ce37

knqyf263 · 2025-09-16T12:34:54Z

pkg/detector/ospkg/seal/seal.go

+			continue
+		}
+
+		srcName := pkg.SrcName


nit

Suggested change

srcName := pkg.SrcName

srcName := cmp.Or(pkg.SrcName, pkg.Name)

srcRelease := cmp.Or(pkg.SrcRelease, pkg.Release)

However, in my implementation, SrcName and SrcRelease are evaluated separately, so if you want to evaluate whether SrcName is empty in both cases, I think the current code is fine.

Suggested change

srcName := pkg.SrcName

srcName := cmp.Or(pkg.SrcName, pkg.Name)

srcRelease := lo.Ternary(pkg.SrcName != "", pkg.SrcRelease, pkg.Release)

Most likely, if srcName exists, then srcRelease will also exist.
But I still added the check (your second option).
Updated in 1c9ce37

knqyf263 · 2025-09-16T12:38:28Z

pkg/detector/ospkg/seal/seal_test.go

+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_ = dbtest.InitDB(t, tt.fixtures)
+			defer db.Close()


nit: We can remove the import of the db package.

Suggested change

defer db.Close()

defer dbtest.Close()

updated in 1c9ce37

- merge RedHat and CentOS cases - simplify logic to get pkg Name and Release - use `dbtest` package

…upport

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.66.0` -> `0.67.0` | --- ### Release Notes <details> <summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary> ### [`v0.67.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0670-2025-09-30) [Compare Source](aquasecurity/trivy@v0.66.0...v0.67.0) ##### Features - add documentation URL for database lock errors ([#9531](aquasecurity/trivy#9531)) ([eba48af](aquasecurity/trivy@eba48af)) - **cli:** change --list-all-pkgs default to true ([#9510](aquasecurity/trivy#9510)) ([7b663d8](aquasecurity/trivy@7b663d8)) - **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](aquasecurity/trivy#9515)) ([42b3bf3](aquasecurity/trivy@42b3bf3)) - **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](aquasecurity/trivy#9439)) ([aff03eb](aquasecurity/trivy@aff03eb)) - **redhat:** add os-release detection for RHEL-based images ([#9458](aquasecurity/trivy#9458)) ([cb25a07](aquasecurity/trivy@cb25a07)) - **sbom:** added support for CoreOS ([#9448](aquasecurity/trivy#9448)) ([6d562a3](aquasecurity/trivy@6d562a3)) - **seal:** add seal support ([#9370](aquasecurity/trivy#9370)) ([e4af279](aquasecurity/trivy@e4af279)) ##### Bug Fixes - **aws:** use `BuildableClient` insead of `xhttp.Client` ([#9436](aquasecurity/trivy#9436)) ([fa6f1bf](aquasecurity/trivy@fa6f1bf)) - close file descriptors and pipes on error paths ([#9536](aquasecurity/trivy#9536)) ([a4cbd6a](aquasecurity/trivy@a4cbd6a)) - **db:** Dowload database when missing but metadata still exists ([#9393](aquasecurity/trivy#9393)) ([92ebc7e](aquasecurity/trivy@92ebc7e)) - **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](aquasecurity/trivy#9534)) ([c0c7a6b](aquasecurity/trivy@c0c7a6b)) - **misconf:** handle tofu files in module detection ([#9486](aquasecurity/trivy#9486)) ([bfd2f6b](aquasecurity/trivy@bfd2f6b)) - **misconf:** strip build metadata suffixes from image history ([#9498](aquasecurity/trivy#9498)) ([c938806](aquasecurity/trivy@c938806)) - **misconf:** unmark cty values before access ([#9495](aquasecurity/trivy#9495)) ([8e40d27](aquasecurity/trivy@8e40d27)) - **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](aquasecurity/trivy#9497)) ([267a970](aquasecurity/trivy@267a970)) - **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](aquasecurity/trivy#9518)) ([404abb3](aquasecurity/trivy@404abb3)) - **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](aquasecurity/trivy#9330)) ([4517e8c](aquasecurity/trivy@4517e8c)) - **vex:** don't suppress vulns for packages with infinity loop ([#9465](aquasecurity/trivy#9465)) ([78f0d4a](aquasecurity/trivy@78f0d4a)) - **vuln:** compare `nuget` package names in lower case ([#9456](aquasecurity/trivy#9456)) ([1ff9ac7](aquasecurity/trivy@1ff9ac7)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1622 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

DmitriyLewen added 6 commits August 21, 2025 16:25

feat: add RPMComparer

590bd97

feat: add seal provider

5e6571c

chore(deps): use trivy-db from fork

9d6b763

feat: add seal detector

8eeb7c0

test: add tests

d6e5de8

ci(semantic-pr): add seal

2653f41

DmitriyLewen self-assigned this Aug 22, 2025

DmitriyLewen commented Aug 22, 2025

View reviewed changes

pkg/detector/ospkg/seal/seal.go Show resolved Hide resolved

DmitriyLewen added 18 commits August 25, 2025 16:38

Merge branch 'main' into 'feat/seal-support'

ac54ed6

chore(deps): bump trivy-db fork version:

c0fdc6f

- add baseID field

test(seal): update tests (add baseID)

0b996bd

docs(seal): update docs:

7e30515

- add coverage page - add seal datasource

test(detect): update alpine fixed version

4d589b9

fix: linter error

cede518

refactor: add comment about EOL dates

cec6383

refactor: remove extra loop to detect vulns

3f77f56

refactor: remove versionTrimmer

69932c0

refactor: use el* as release version

6301394

fix: add oracle linux

63314ea

fix(seal): remove + siffux for rpm version

41ee590

chore(deps): bump trivy-db

7f2b15b

fix(driver): use new ecosystem.Type type

7cf6377

fix(seal): use new ecosystem.Type for NewVulnSrcGetter

08b84a4

Merge branch 'main' into 'feat/seal-support'

4eac5e9

chore(deps): bump trivy-db

4181be3

fix: linter error

4b32c0c

knqyf263 approved these changes Sep 16, 2025

View reviewed changes

DmitriyLewen added 3 commits September 17, 2025 12:29

feat: add supported OS check in provider

a8d5e2d

fix: changes based on review notes

1c9ce37

- merge RedHat and CentOS cases - simplify logic to get pkg Name and Release - use `dbtest` package

Merge branch 'main' of github.com:DmitriyLewen/trivy into feat/seal-s…

aaec015

…upport

chore(deps): bump trivy-db version (from fork)

8d8a258

knqyf263 approved these changes Sep 29, 2025

View reviewed changes

DmitriyLewen added 2 commits September 29, 2025 13:14

test(seal): update bucket names for RedHat

f53d3ef

chore(deps): use upstream trivy-db

9dfce7e

DmitriyLewen marked this pull request as ready for review September 29, 2025 07:41

DmitriyLewen added autoready Automatically mark PR as ready for review when all checks pass and removed autoready Automatically mark PR as ready for review when all checks pass labels Sep 29, 2025

DmitriyLewen added this pull request to the merge queue Sep 29, 2025

Merged via the queue into aquasecurity:main with commit e4af279 Sep 29, 2025
27 checks passed

DmitriyLewen deleted the feat/seal-support branch September 29, 2025 09:04

aqua-bot mentioned this pull request Sep 29, 2025

release: v0.67.0 [main] #9432

Merged

aqua-bot mentioned this pull request Dec 16, 2025

release: v0.69.0 [release/v0.68] #9948

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(seal): add seal support#9370

feat(seal): add seal support#9370
DmitriyLewen merged 30 commits intoaquasecurity:mainfrom
DmitriyLewen:feat/seal-support

DmitriyLewen commented Aug 22, 2025 •

edited

Loading

Uh oh!

Uh oh!

knqyf263 left a comment

Uh oh!

knqyf263 Sep 16, 2025

Uh oh!

DmitriyLewen Sep 17, 2025

Uh oh!

knqyf263 Sep 16, 2025

Uh oh!

DmitriyLewen Sep 17, 2025

Uh oh!

knqyf263 Sep 16, 2025

Uh oh!

DmitriyLewen Sep 17, 2025

Uh oh!

knqyf263 Sep 16, 2025

Uh oh!

DmitriyLewen Sep 17, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

	srcName := pkg.SrcName
	srcName := cmp.Or(pkg.SrcName, pkg.Name)
	srcRelease := cmp.Or(pkg.SrcRelease, pkg.Release)

	srcName := pkg.SrcName
	srcName := cmp.Or(pkg.SrcName, pkg.Name)
	srcRelease := lo.Ternary(pkg.SrcName != "", pkg.SrcRelease, pkg.Release)

Conversation

DmitriyLewen commented Aug 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Features of implementation

Examples

Related issues

Related PRs

Checklist

Uh oh!

Uh oh!

knqyf263 left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

DmitriyLewen commented Aug 22, 2025 •

edited

Loading