Rpmdb support

go.mod

@@ -33,6 +33,21 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/glebarez/go-sqlite v1.20.3 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	modernc.org/libc v1.22.2 // indirect
+	modernc.org/mathutil v1.5.0 // indirect
+	modernc.org/memory v1.5.0 // indirect
+	modernc.org/sqlite v1.20.3 // indirect
+)
+
+require (
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/knqyf263/go-rpmdb v0.0.0-20230201142403-697bc51b3948
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect

go.sum

@@ -59,6 +59,21 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
+github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
+github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/jedib0t/go-pretty/v6 v6.4.4 h1:N+gz6UngBPF4M288kiMURPHELDMIhF/Em35aYuKrsSc=
+github.com/jedib0t/go-pretty/v6 v6.4.4/go.mod h1:MgmISkTWDSFu0xOqiZ0mKNntMQ2mDgOcwOkwBEkMDJI=
+github.com/knqyf263/go-rpmdb v0.0.0-20230201142403-697bc51b3948 h1:gYyAaKRpnnV3PhR1XWvIKD0UjCnYB4fubIf2pB2NiUI=
+github.com/knqyf263/go-rpmdb v0.0.0-20230201142403-697bc51b3948/go.mod h1:9LQcoMCMQ9vrF7HcDtXfvqGO4+ddxFQ8+YF/0CVGDww=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mmcloughlin/avo v0.5.0/go.mod h1:ChHFdoV7ql95Wi7vuq2YT1bwCJqiWdZrQ1im3VujLYM=
@@ -73,6 +88,9 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/profile v1.6.0/go.mod h1:qBsxPvzyUincmltOk6iyRVxHYg4adc0OFOv72ZdLa18=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578 h1:VstopitMQi3hZP0fzvnsLmzXZdQGc4bEcgu24cp+d4M=
+github.com/remyoudompheng/bigfft v0.0.0-20230126093431-47fa9a501578/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
@@ -176,6 +194,15 @@ golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3 h1:9GJsAwSzB/ztwMwsEm3ihUgC
 golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3/go.mod h1:LTLnfk/dpXDNKsX6aCg/cI4LyCVnTyrQhgV/yLJuly0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -193,4 +220,12 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
 mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
+modernc.org/libc v1.22.2 h1:4U7v51GyhlWqQmwCHj28Rdq2Yzwk55ovjFrdPjs8Hb0=
+modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
+modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
+modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
+modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
+modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/sqlite v1.20.3 h1:SqGJMMxjj1PHusLxdYxeQSodg7Jxn9WWkaAQjKrntZs=
+modernc.org/sqlite v1.20.3/go.mod h1:zKcGyrICaxNTMEHSr1HQ2GUraP0j+845GYw37+EyT6A=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

pkg/lockfile/fixtures/rpm/generate-rpmdb-bdb.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Inspired by: https://raw.githubusercontent.com/anchore/grype/main/test/integration/test-fixtures/image-centos-match-coverage/var/lib/rpm/generate-fixture.sh
+set -eux
+
+docker create --name gen-rpmdb-bdb centos:8 sh -c 'tail -f /dev/null'
+
+function cleanup {
+  docker kill gen-rpmdb-bdb
+  docker rm gen-rpmdb-bdb
+}
+trap cleanup EXIT
+
+docker start gen-rpmdb-bdb
+docker exec -i --tty=false gen-rpmdb-bdb bash <<-EOF
+  mkdir /rpmdb
+  cd /rpmdb
+  rpm --initdb --dbpath /rpmdb
+  curl -sSLO https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/h/htop-3.2.1-1.el8.x86_64.rpm
+  rpm --dbpath /rpmdb -ivh htop-3.2.1-1.el8.x86_64.rpm
+  rm -f htop-3.2.1-1.el8.x86_64.rpm
+  rpm --dbpath /rpmdb -qa
+EOF
+
+docker cp gen-rpmdb-bdb:/rpmdb/Packages .

pkg/lockfile/fixtures/rpm/generate-rpmdb-sqlite.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Inspired by: https://raw.githubusercontent.com/anchore/grype/main/test/integration/test-fixtures/image-centos-match-coverage/var/lib/rpm/generate-fixture.sh
+set -eux
+
+docker create --name gen-rpmdb-sqlite rockylinux:9 sh -c 'tail -f /dev/null'
+
+function cleanup {
+  docker kill gen-rpmdb-sqlite
+  docker rm gen-rpmdb-sqlite
+}
+trap cleanup EXIT
+
+docker start gen-rpmdb-sqlite
+docker exec -i --tty=false gen-rpmdb-sqlite bash <<-EOF
+  mkdir /rpmdb
+  cd /rpmdb
+  rpm --initdb --dbpath /rpmdb
+  curl -sSLO https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/h/htop-3.2.1-1.el9.x86_64.rpm
+  rpm --dbpath /rpmdb -ivh htop-3.2.1-1.el9.x86_64.rpm
+  rm -f htop-3.2.1-1.el9.x86_64.rpm
+  rpm --dbpath /rpmdb -qa
+EOF
+
+docker cp gen-rpmdb-sqlite:/rpmdb/rpmdb.sqlite .

pkg/lockfile/fixtures/rpm/not-an-rpmdb

@@ -0,0 +1 @@
+# Clearly not an rpmdb file!

pkg/lockfile/rpmdb.go

@@ -0,0 +1,48 @@
+package lockfile
+
+import (
+	"fmt"
+	"os"
+
+	_ "github.com/glebarez/go-sqlite"
+	rpmdb "github.com/knqyf263/go-rpmdb/pkg"
+)
+
+const RedHatEcosystem Ecosystem = "Redhat"
+
+func ParseRpmDB(pathToLockfile string) ([]PackageDetails, error) {
+	db, err := rpmdb.Open(pathToLockfile)
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
+	}
+	pkgList, err := db.ListPackages()
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("error listing packages from %s: %w", pathToLockfile, err)
+	}
+
+	packages := make([]PackageDetails, 0, len(pkgList))
+
+	for _, rpmPkg := range pkgList {
+		// {Epoch:0 Name:m4 Version:1.4.16 Release:10.el7 Arch:x86_64}
+		// {Epoch:0 Name:zip Version:3.0 Release:11.el7 Arch:x86_64}
+		// ...
+		if rpmPkg.Name == "" {
+			_, _ = fmt.Fprintf(
+				os.Stderr,
+				"warning: malformed RPM DB. Found empty package name. File: %s\n",
+				pathToLockfile,
+			)
+
+			continue
+		}
+
+		packages = append(packages, PackageDetails{
+			Name:      rpmPkg.Name,
+			Version:   rpmPkg.Version,
+			Ecosystem: RedHatEcosystem,
+			CompareAs: RedHatEcosystem,
+		})
+	}
+
+	return packages, nil
+}

pkg/lockfile/rpmdb_test.go

@@ -0,0 +1,73 @@
+package lockfile_test
+
+import (
+	"testing"
+
+	"github.com/google/osv-scanner/pkg/lockfile"
+)
+
+func TestParseRpmDB_SQLite_FileDoesNotExist(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseRpmDB("fixtures/rpm/does-not-exist")
+
+	expectErrContaining(t, err, "could not open")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParseRpmDB_SQLite_EmptyFile(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseRpmDB("fixtures/rpm/empty-rpmdb")
+
+	expectErrContaining(t, err, "could not open")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParseRpmDB_SQLite_NotAnRpmDb(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseRpmDB("fixtures/rpm/not-an-rpmdb")
+
+	expectErrContaining(t, err, "could not open")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+// Berkeley DB (rpm < v4.16)
+func TestParseRpmDB_BDB_Single(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseRpmDB("fixtures/rpm/Packages")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "htop",
+			Version:   "3.2.1",
+			Ecosystem: lockfile.RedHatEcosystem,
+			CompareAs: lockfile.RedHatEcosystem,
+		},
+	})
+}
+
+func TestParseRpmDB_SQLite_Single(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseRpmDB("fixtures/rpm/rpmdb.sqlite")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "htop",
+			Version:   "3.2.1",
+			Ecosystem: lockfile.RedHatEcosystem,
+			CompareAs: lockfile.RedHatEcosystem,
+		},
+	})
+}