Ingest Red Hat trivy-db package information

Goal

The goal is to ingest the OS package information about Red Hat from the trivy db. Relevant trivy-db buckets are Red Hat and Red Hat CPE.

Glossary

  • CPE:
    • Common Platform Enumeration
    • Examples:
      • cpe:/a:redhat:rhel_application_stack:1 -- Red Hat Application Stack version 1
      • cpe:/a:redhat/xpdf -- the xpdf package in any Red Hat product.
      • cpe:/a:redhat:enterprise_linux:3 -- Red Hat Enterprise Linux 3
    • Structure: a string of fields separated by colons (:), in the form cpe:/a:<VENDOR>:<PRODUCT>:<VERSION>:<UPDATE>
    • If any fields are missing, a wildcard is assumed in their place. For example, cpe:/a:microsoft:internet_explorer:8.0.6001:beta is cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:* in CPE 2.3 form.
  • NVR:
    • Name-Version-Release of a package.
    • Example:
      • openssl-1.0.1e-16.el6_5.7.x86_64.rpm
      • From this we see a package name of “openssl”, then a hyphen, a version of 1.0.1e, then a hyphen, and a release of 16.el6_5.7

Relevant links

  • Trivy-db advisory structure fields

Implementation Plan

TODO

Edited Aug 12, 2025 by 🤖 GitLab Bot 🤖
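
The two glossary formats as parsing code, added here as an example (it is not part of the original issue and is not trivy-db code). ParseNVR and CPE22To23 are hypothetical helper names. The CPE conversion is a simplification that accepts only fields made of letters, digits, ".", "-" and "_", and rejects everything else rather than guessing at escaping.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ParseNVR splits an RPM file name into name, version, release and arch.
// It splits from the right because package names may themselves contain hyphens.
func ParseNVR(file string) (name, version, release, arch string, err error) {
	s := strings.TrimSuffix(file, ".rpm")
	dot := strings.LastIndex(s, ".")
	if dot < 0 {
		return "", "", "", "", errors.New("missing architecture suffix")
	}
	s, arch = s[:dot], s[dot+1:]
	rel := strings.LastIndex(s, "-")
	if rel <= 0 || strings.LastIndex(s[:rel], "-") <= 0 {
		return "", "", "", "", errors.New("expected name-version-release")
	}
	ver := strings.LastIndex(s[:rel], "-")
	return s[:ver], s[ver+1 : rel], s[rel+1:], arch, nil
}

// CPE22To23 pads a CPE 2.2 URI with "*" up to the 11 fields of a CPE 2.3 string.
// Assumption: plain fields only; percent-encoding and packed editions are rejected.
func CPE22To23(uri string) (string, error) {
	bad := func(r rune) bool {
		return !(strings.ContainsRune(":.-_", r) || r >= '0' && r <= '9' ||
			r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z')
	}
	body := strings.TrimPrefix(uri, "cpe:/")
	if body == uri || strings.IndexFunc(body, bad) >= 0 {
		return "", fmt.Errorf("unsupported CPE 2.2 URI: %q", uri)
	}
	in := strings.Split(body, ":")
	if len(in) > 7 || in[0] == "" {
		return "", fmt.Errorf("bad field count in %q", uri)
	}
	out := make([]string, 11)
	for i := range out {
		out[i] = "*" // missing or empty field becomes a wildcard
		if i < len(in) && in[i] != "" {
			out[i] = in[i]
		}
	}
	return "cpe:2.3:" + strings.Join(out, ":"), nil
}

func main() {
	fmt.Println(ParseNVR("openssl-1.0.1e-16.el6_5.7.x86_64.rpm"))
	fmt.Println(CPE22To23("cpe:/a:microsoft:internet_explorer:8.0.6001:beta"))
}
```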