feat(minimos): Add support for MinimOS #521

Merged
merged 6 commits into from
May 29, 2025

Daniel-Wachter
Contributor

Hi,
I’m part of the Minimus team. Minimus delivers secure, minimal container images with auto-generated SBOMs and real-time vulnerability threat intelligence to help reduce vulnerability risk.
We also maintain a minimal operating system called MinimOS. We’ve been publishing our security advisories in a secdb feed and would like to contribute it as a new security data source.

Details:
The feed URL: https://packages.mini.dev/advisories/secdb/security.json

The format closely mirrors Alpine's secdb, but it's unversioned—similar to Alpine's edge feed.

Discussion ref: aquasecurity/trivy#8666

Thanks for your consideration!

@Daniel-Wachter Daniel-Wachter changed the title Add support for MinimOS feat(minimos): Add support for MinimOS Apr 29, 2025
Contributor

@DmitriyLewen DmitriyLewen left a comment

LGTM.

Left small comments

@Copilot Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@knqyf263 knqyf263 requested a review from Copilot May 26, 2025 12:09
@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds support for MinimOS as a new security data source by implementing a new vulnerability source. Key changes include registering MinimOS in the main vulnerability source registry, defining a new constant for MinimOS, and introducing a dedicated package with tests and sample JSON data for MinimOS.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/vulnsrc/vulnsrc.go | Registers the new MinimOS vulnerability source by adding the appropriate import and registration in the list of vulnerability sources. |
| pkg/vulnsrc/vulnerability/const.go | Adds the MinimOS constant to the list of known source IDs. |
| pkg/vulnsrc/minimos/ (minimos.go, minimos_test.go, JSON files) | Implements the vulnerability source logic, tests, and test data for MinimOS. |

Comments suppressed due to low confidence (1)

pkg/vulnsrc/minimos/minimos_test.go:53

  • [nitpick] It might be beneficial to add additional cases to cover different error scenarios during JSON decoding for improved test coverage.
wantErr: "json decode error",

@DmitriyLewen
Contributor

@Daniel-Wachter I have 1 question:
When version in secfixes is 0 - does that mean the vulnerability is fixed in all versions?

e.g.:

  "packages": [
    {
      "pkg": {
        "name": "apache2",
        "secfixes": {
          "0": [
            "CVE-1999-0289",
            "CVE-1999-0678",
            "CVE-1999-1237",

@Daniel-Wachter
Contributor Author

@DmitriyLewen yes, it means the CVE is not relevant to our package and so fixed in all versions

@DmitriyLewen
Contributor

DmitriyLewen commented May 29, 2025

Thanks for confirming.
This means we can skip (not include) vulnerabilities with the fixed version 0 for trivy-db.

Changed in 257b873

cc. @knqyf263
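
The rule agreed in the comment above (entries under secfixes version "0" are not relevant to the package and can be skipped), as an added Go example that is not part of this PR or of trivy-db's own code. The `Advisory` type, `ParseAdvisories`, the version `1.2.3-r0` and the ID `CVE-EXAMPLE-0001` are assumptions constructed for illustration; only the `packages`/`pkg`/`name`/`secfixes` fields come from the excerpt quoted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// secdb models only the fields visible in the excerpt quoted in the thread.
type secdb struct {
	Packages []struct {
		Pkg struct {
			Name     string              `json:"name"`
			Secfixes map[string][]string `json:"secfixes"`
		} `json:"pkg"`
	} `json:"packages"`
}

type Advisory struct{ Package, CVE, FixedVersion string } // hypothetical record type

// constructedFeed is sample input; "1.2.3-r0" and "CVE-EXAMPLE-0001" are placeholders.
const constructedFeed = `{"packages":[{"pkg":{"name":"apache2","secfixes":{
  "0":["CVE-1999-0289","CVE-1999-0678"], "1.2.3-r0":["CVE-EXAMPLE-0001"]}}}]}`

// ParseAdvisories decodes a secdb document, skipping entries with fixed version "0".
func ParseAdvisories(data []byte) ([]Advisory, error) {
	var db secdb
	if err := json.Unmarshal(data, &db); err != nil {
		return nil, fmt.Errorf("json decode error: %w", err)
	}
	var out []Advisory
	for _, p := range db.Packages {
		for fixed, cves := range p.Pkg.Secfixes {
			if fixed == "0" {
				continue // fixed in all versions: nothing to report
			}
			for _, cve := range cves {
				out = append(out, Advisory{p.Pkg.Name, cve, fixed})
			}
		}
	}
	// Map iteration order is random; sort by CVE ID for stable output.
	sort.Slice(out, func(i, j int) bool { return out[i].CVE < out[j].CVE })
	return out, nil
}

func main() {
	fmt.Println(ParseAdvisories([]byte(constructedFeed)))
}
```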

@DmitriyLewen
Contributor

I confirm that trivy-db built using new vuln-list contains advisories for MinimOS:
[image]

@DmitriyLewen DmitriyLewen added this pull request to the merge queue May 29, 2025
Merged via the queue into aquasecurity:main with commit a12dfc2 May 29, 2025
2 checks passed
3 participants