Add analyzer for Chisel manifests

[zhijie-yang]

Description

Rationale

As there is a continuously increasing number of container images being built with chisel (e.g., ubuntu/dotnet-runtime, ubuntu/jre, etc.), and that chiselled software package slices do not automatically amend to the dpkg metadata in the container's rootfs (unless using a chisel-wrapper explicitly when building the image), supporting analyzing the vulnerabilities in the chiselled images is demonstrating its importance to ensure thorough scans against container images.

Works done so far

@HadrienPatte has implemented the first draft for integrating the support for the chisel analyzer in their fork. I continue to work upon @HadrienPatte 's basis to make it work and finalized it in my fork on behave of Canonical.

Target

None

Scanner

Vulnerability

[simar7]

hi @zhijie-yang - thanks for the idea. We can keep this issue open to see the level of engagement and the desire of the community to have this.

[zhijie-yang]

Hi @simar7 , are there any updates we can follow up on this?

[cjdcordeiro]

Thanks for this! It would indeed be great to have.
Here are some useful references where this particular feature is relevant:

• include package metadata in chiseled images canonical/chisel#148
• Scanning Ubuntu Chiseled Images Now Supported dotnet/dotnet-docker#4739

[linostar]

I think adding support for analyzing chisel manifests is good step towards having a better vulnerability disvovery in containers.

[townsend2010]

We can keep this issue open to see the level of engagement and the desire of the community to have this.

Adding my 👍 to add this support in Trivy 🙂

[cjdcordeiro]

@simar7 there are some upvotes for this feature. Do you have any updates on your side? Is there a certain criteria you'd like this topic to meet before moving forward to the implementation?

[lengau]

This would be incredibly useful for my team.