Add OS information to reports

deploy/helm/crds/aquasecurity.github.io_exposedsecretreports.yaml

@@ -96,6 +96,19 @@ spec:
                       an Artifact.
                     type: string
                 type: object
+              os:
+                description: OS information of the Artifact
+                properties:
+                  family:
+                    description: OS family
+                    type: string
+                  name:
+                    description: Name of OS
+                    type: string
+                  eosl:
+                    description: End of Service Life
+                    type: boolean
+                type: object
               registry:
                 description: Registry is the registry the Artifact was pulled from.
                 properties:

deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml

@@ -101,6 +101,19 @@ spec:
                       an Artifact.
                     type: string
                 type: object
+              os:
+                description: OS information of the Artifact
+                properties:
+                  family:
+                    description: OS family
+                    type: string
+                  name:
+                    description: Name of OS
+                    type: string
+                  eosl:
+                    description: End of Service Life
+                    type: boolean
+                type: object
               registry:
                 description: Registry is the registry the Artifact was pulled from.
                 properties:

deploy/static/trivy-operator.yaml

@@ -1044,6 +1044,19 @@ spec:
                       an Artifact.
                     type: string
                 type: object
+              os:
+                description: OS information of the Artifact
+                properties:
+                  family:
+                    description: OS family
+                    type: string
+                  name:
+                    description: Name of OS
+                    type: string
+                  eosl:
+                    description: End of Service Life
+                    type: boolean
+                type: object
               registry:
                 description: Registry is the registry the Artifact was pulled from.
                 properties:
@@ -1929,6 +1942,19 @@ spec:
                       an Artifact.
                     type: string
                 type: object
+              os:
+                description: OS information of the Artifact
+                properties:
+                  family:
+                    description: OS family
+                    type: string
+                  name:
+                    description: Name of OS
+                    type: string
+                  eosl:
+                    description: End of Service Life
+                    type: boolean
+                type: object
               registry:
                 description: Registry is the registry the Artifact was pulled from.
                 properties:

docs/docs/crds/exposedsecret-report.md

@@ -35,6 +35,8 @@ report:
   artifact:
     repository: myimagewithsecret
     tag: v0.16.4
+  os:
+    family: ""
   registry:
     server: index.docker.io
   scanner:

docs/docs/crds/vulnerability-report.md

@@ -33,6 +33,9 @@ report:
   artifact:
     repository: library/nginx
     tag: '1.16'
+  os:
+    family: debian
+    name:   '10.3'
   registry:
     server: index.docker.io
   scanner:
@@ -104,6 +107,9 @@ report:
   artifact:
     repository: library/nginx
     tag: '1.16'
+  os:
+    family: debian
+    name:   '10.3'
   registry:
     server: index.docker.io
   scanner:

docs/tutorials/integrations/metrics.md

@@ -10,7 +10,7 @@ A report summary series exposes the count of checks of each status reported in a
 
 ```shell
 trivy_image_vulnerabilities{
-    container_name="coredns",image_digest="",image_registry="index.docker.io",image_repository="rancher/coredns-coredns",image_tag="1.8.3",name="replicaset-coredns-6488c6fcc6-coredns",namespace="kube-system",resource_kind="ReplicaSet",resource_name="coredns-6488c6fcc6",severity="High"
+    container_name="coredns",image_digest="",image_registry="index.docker.io",image_os_eosl="",image_os_family="",image_os_name="",image_repository="rancher/coredns-coredns",image_tag="1.8.3",name="replicaset-coredns-6488c6fcc6-coredns",namespace="kube-system",resource_kind="ReplicaSet",resource_name="coredns-6488c6fcc6",severity="High"
     } 10
 ```
 

itest/helper/helper.go

@@ -289,6 +289,10 @@ func (b *VulnerabilityReportBuilder) Build() *v1alpha1.VulnerabilityReport {
 				Repository: "library/nginx",
 				Tag:        "1.16",
 			},
+			OS: v1alpha1.OS{
+				Family: "debian",
+				Name:   "10.3",
+			},
 			Summary: v1alpha1.VulnerabilitySummary{
 				MediumCount: 1,
 			},

pkg/apis/aquasecurity/v1alpha1/exposed_secrets_types.go

@@ -80,6 +80,7 @@ type ExposedSecretReportData struct {
 	// run an application.
 	Artifact Artifact `json:"artifact"`
 
+	OS OS `json:"os"`
 	// Summary is the exposed secrets counts grouped by Severity.
 	Summary ExposedSecretSummary `json:"summary"`
 

pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go

@@ -2,6 +2,7 @@ package v1alpha1
 
 import (
 	"github.com/aquasecurity/trivy-db/pkg/types"
+	ostype "github.com/aquasecurity/trivy/pkg/fanal/types"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -60,6 +61,22 @@ type Artifact struct {
 	MimeType string `json:"mimeType,omitempty"`
 }
 
+// OS represents a standalone, executable package of software that
+// includes everything needed to run an application.
+type OS struct {
+	// Repository is the name of the repository in the Artifact registry.
+	// +optional
+	Family ostype.OSType `json:"family"`
+
+	// Digest is a unique and immutable identifier of an Artifact.
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Tag is a mutable, human-readable string used to identify an Artifact.
+	// +optional
+	Eosl bool `json:"eosl,omitempty"`
+}
+
 // Vulnerability is the spec for a vulnerability record.
 type Vulnerability struct {
 	// VulnerabilityID the vulnerability identifier.
@@ -141,6 +158,7 @@ type VulnerabilityReportData struct {
 	// run an application.
 	Artifact Artifact `json:"artifact"`
 
+	OS OS `json:"os"`
 	// Summary is a summary of Vulnerability counts grouped by Severity.
 	Summary VulnerabilitySummary `json:"summary"`
 

pkg/metrics/collector.go

@@ -28,6 +28,9 @@ const (
 	image_repository   = "image_repository"
 	image_tag          = "image_tag"
 	image_digest       = "image_digest"
+	image_os_family    = "image_os_family"
+	image_os_name      = "image_os_name"
+	image_os_eosl      = "image_os_eosl"
 	installed_version  = "installed_version"
 	fixed_version      = "fixed_version"
 	published_date     = "published_date"
@@ -239,6 +242,9 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		image_repository,
 		image_tag,
 		image_digest,
+		image_os_family,
+		image_os_name,
+		image_os_eosl,
 		severity,
 	}
 	imageVulnLabels = append(imageVulnLabels, dynamicLabels...)
@@ -535,11 +541,19 @@ func (c ResourcesMetricsCollector) collectVulnerabilityReports(ctx context.Conte
 			labelValues[6] = r.Report.Artifact.Repository
 			labelValues[7] = r.Report.Artifact.Tag
 			labelValues[8] = r.Report.Artifact.Digest
+			labelValues[9] = string(r.Report.OS.Family)
+			labelValues[10] = r.Report.OS.Name
+			if r.Report.OS.Eosl {
+				labelValues[11] = strconv.FormatBool(r.Report.OS.Eosl)
+			} else {
+				labelValues[11] = ""
+			}
+
 			for i, label := range c.GetReportResourceLabels() {
-				labelValues[i+10] = r.Labels[label]
+				labelValues[i+13] = r.Labels[label]
 			}
 			for severity, countFn := range c.imageVulnSeverities {
-				labelValues[9] = severity
+				labelValues[12] = severity
 				count := countFn(r.Report.Summary)
 				metrics <- prometheus.MustNewConstMetric(c.imageVulnDesc, prometheus.GaugeValue, float64(count), labelValues...)
 			}