project-copacetic · ashnamehrotra · Jul 29, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
@@ -122,6 +122,22 @@
         "description": "Valid rpm DB, yum present",
         "ignoreErrors": false
     },
+    {
+        "image": "docker.io/library/oraclelinux",
+        "tag": "7.9",
+        "digest": "sha256:ba39a0daabd2df95ed5f374d016e87513f8e579ecc5a1599d7cf94679a281a34",
+        "distro": "Oracle Linux 7.9",
+        "description": "Valid rpm DB, yum present",
+        "ignoreErrors": false
+    },
+    {
+        "image": "docker.io/library/oraclelinux",
+        "tag": "8.9",
+        "digest": "sha256:67c889172b07b1f4067050abf4bcf7fce2febd280664df261fe17fa82501a498",
+        "distro": "Oracle Linux 8.9",
+        "description": "Valid rpm DB, yum present",
+        "ignoreErrors": true
+    },
     {
         "image": "docker.io/library/rockylinux",
         "tag": "8.9.20231119",

@@ -48,7 +48,9 @@ func TestPatch(t *testing.T) {
 
 	for _, img := range images {
 		img := img
-		if !reportFile {
+		// Oracle tends to throw false positives with Trivy
+		// See https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400
+		if !reportFile && !strings.Contains(img.Image, "oracle") {
 			img.IgnoreErrors = false
 		}
 
@@ -92,15 +94,18 @@ func TestPatch(t *testing.T) {
 			t.Log("patching image")
 			patch(t, ref, tagPatched, dir, img.IgnoreErrors, reportFile)
 
-			if reportFile {
+			switch {
+			case strings.Contains(img.Image, "oracle"):
+				t.Log("Oracle image detected. Skipping Trivy scan.")
+			case reportFile:
 				t.Log("scanning patched image")
 				scanner().
 					withIgnoreFile(ignoreFile).
 					withSkipDBUpdate().
 					// here we want a non-zero exit code because we are expecting no vulnerabilities.
 					withExitCode(1).
 					scan(t, patchedRef, img.IgnoreErrors)
-			} else {
+			default:
 				t.Log("scanning patched image")
 				scanner().
 					withIgnoreFile(ignoreFile).
@@ -110,7 +115,7 @@ func TestPatch(t *testing.T) {
 			}
 
 			// currently validation is only present when patching with a scan report
-			if reportFile {
+			if reportFile && !strings.Contains(img.Image, "oracle") {
 				t.Log("verifying the vex output")
 				validVEXJSON(t, dir)
 			}
@@ -207,7 +212,13 @@ func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool, report
 	cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)
 
 	out, err := cmd.CombinedOutput()
-	require.NoError(t, err, string(out))
+
+	if strings.Contains(ref, "oracle") && reportFile && !ignoreErrors {
+		assert.Contains(t, string(out), "Error: Detected Oracle image passed in\n"+
+			"Please read https://project-copacetic.github.io/copacetic/website/troubleshooting before patching your Oracle image")
+	} else {
+		require.NoError(t, err, string(out))
+	}
 }
 
 func scanner() *scannerCmd {
@@ -248,6 +259,7 @@ func (s *scannerCmd) scan(t *testing.T, ref string, ignoreErrors bool) {
 	cmd.Env = append(cmd.Env, os.Environ()...)
 	cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)
 	out, err := cmd.CombinedOutput()
+
 	assert.NoError(t, err, string(out))
 }
 

@@ -326,6 +326,8 @@ func getOSType(ctx context.Context, osreleaseBytes []byte) (string, error) {
 		return "redhat", nil
 	case strings.Contains(osType, "rocky"):
 		return "rocky", nil
+	case strings.Contains(osType, "oracle"):
+		return "oracle", nil
 	default:
 		log.Error("unsupported osType ", osType)
 		return "", errors.ErrUnsupported

@@ -186,6 +186,49 @@ func TestGetOSType(t *testing.T) {
 			err:            nil,
 			expectedOSType: "rocky",
 		},
+		{
+			osRelease: []byte(`NAME="Oracle Linux Server"
+			VERSION="7.9"
+			ID="ol"
+			ID_LIKE="fedora"
+			VARIANT="Server"
+			VARIANT_ID="server"
+			VERSION_ID="7.9"
+			PRETTY_NAME="Oracle Linux Server 7.9"
+			ANSI_COLOR="0;31"
+			CPE_NAME="cpe:/o:oracle:linux:7:9:server"
+			HOME_URL="https://linux.oracle.com/"
+			BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
+
+			ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
+			ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
+			ORACLE_SUPPORT_PRODUCT="Oracle Linux"
+			ORACLE_SUPPORT_PRODUCT_VERSION=7.9`),
+			err:            nil,
+			expectedOSType: "oracle",
+		},
+		{
+			osRelease: []byte(`NAME="Oracle Linux Server"
+			VERSION="8.9"
+			ID="ol"
+			ID_LIKE="fedora"
+			VARIANT="Server"
+			VARIANT_ID="server"
+			VERSION_ID="8.9"
+			PLATFORM_ID="platform:el8"
+			PRETTY_NAME="Oracle Linux Server 8.9"
+			ANSI_COLOR="0;31"
+			CPE_NAME="cpe:/o:oracle:linux:8:9:server"
+			HOME_URL="https://linux.oracle.com/"
+			BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
+
+			ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
+			ORACLE_BUGZILLA_PRODUCT_VERSION=8.9
+			ORACLE_SUPPORT_PRODUCT="Oracle Linux"
+			ORACLE_SUPPORT_PRODUCT_VERSION=8.9`),
+			err:            nil,
+			expectedOSType: "oracle",
+		},
 		{
 			osRelease:      nil,
 			err:            errors.ErrUnsupported,

@@ -33,7 +33,7 @@ func GetPackageManager(osType string, osVersion string, config *buildkit.Config,
 		return &apkManager{config: config, workingFolder: workingFolder}, nil
 	case "debian", "ubuntu":
 		return &dpkgManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
-	case "cbl-mariner", "centos", "redhat", "rocky", "amazon":
+	case "cbl-mariner", "centos", "oracle", "redhat", "rocky", "amazon":
 		return &rpmManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
 	default:
 		return nil, fmt.Errorf("unsupported osType %s specified", osType)

@@ -191,7 +191,14 @@
 	var updates unversioned.UpdatePackages
 	var rpmComparer VersionComparer
 	var err error
+
 	if manifest != nil {
+		if manifest.Metadata.OS.Type == "oracle" && !ignoreErrors {
+			err = errors.New("Detected Oracle image passed in\n" +
+				"Please read https://project-copacetic.github.io/copacetic/website/troubleshooting before patching your Oracle image")
+			return &rm.config.ImageState, nil, err
+		}
+
 		rpmComparer = VersionComparer{isValidRPMVersion, isLessThanRPMVersion}
 		updates, err = GetUniqueLatestUpdates(manifest.Updates, rpmComparer, ignoreErrors)
 		if err != nil {

@@ -2,6 +2,23 @@
 title: Troubleshooting
 ---
 
+## Copa and Trivy throw errors when Oracle Linux is passed in
+
+Copa supports patching Oracle Linux in two ways:
+
+With a vulnerability scan, `--ignore-errors` must be passed in. This will patch all CVEs aside from false positives reported by Trivy:
+
+```bash
+copa patch -r /oracle-7.9-vulns.json -i docker.io/library/oraclelinux:7.9 --ignore-errors
+```
+
+Without a vulnerability scan, Copa will update all packages in the image:
+
+```bash
+copa patch -i docker.io/library/oraclelinux:7.9
+```
+
+Oracle reports CVEs in a way that causes Trivy to report false positives that Copa will be unable to patch. To patch the entire image, use the Copa `--ignore-errors` flag or omit the vulnerability scan report to upgrade all outdated packages. See [this GitHub issue](https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400) for more information.
 ## Filtering Vulnerabilities
 
 You might want to filter/ignore some of the vulnerabilities while patching. To do so, you need to first filter those undesired vulnerabilities from your scanner output.