feat: add Bottlerocket OS package analyzer

[0intro]

Description

This change adds the Bottlerocket OS package analyzer.

This analyzer parses the package information provided in the application-inventory.json file, as specified on:

https://bottlerocket.dev/en/os/1.37.x/concepts/variants/#software-inventory

This change also defines the Bottlerocket OS family.

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[DmitriyLewen]

Hi @0intro
Thank you for your work.

Trivy repository has been growing bigger and bigger lately.
So it's getting harder to maintain.
So we're trying to add only the functionality that the community needs.

Can you create a new Discussion with a proposal to add Bottlerocket?
If this future is in demand by the community - we'll review/merge etc. this PR.

[0intro]

Thanks. I've opened #8661.

[knqyf263]

Thanks for your great contribution! Since I have already heard about some needs on Bottlerocket, I think we want to move forward with this PR.

[knqyf263]

Can we shrink the test data? Our policy for unit tests is not to include data that doesn't change the code path, so I think it's fine to keep it simple with just 2–3 cases, including the normal case and edge cases (if any).

[0intro]

Thanks, I've shrunk the test data down.

[Copilot]

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

pkg/fanal/analyzer/pkg/bottlerocket/bottlerocket.go:72

• Consider wrapping the JSON unmarshal error with additional context to improve debugging clarity, such as including the source file or input length.

err = json.Unmarshal(b, &applicationInventory)

[knqyf263]

Can you please take a look at the test failure?

[0intro]

I've just fixed the linter issue.

[knqyf263]

You can run mage lint:fix and mage test:unit locally.

[0intro]

Surprisingly, the first pass of mage lint:fix lead to a build error. It should be fixed now.

[knqyf263]

It looks great! I left small comments.

[knqyf263]

Is there any reason all the file content needs to be loaded?

Suggested change

	b, err := io.ReadAll(r)
	if err != nil {
	return nil, err
	}
	var applicationInventory ApplicationInventory
	err = json.Unmarshal(b, &applicationInventory)
	if err != nil {
	return nil, err
	}
	var applicationInventory ApplicationInventory
	if err := json.NewDecoder(r).Decode(&applicationInventory); err != nil {
	return nil, err
	}

[0intro]

Done.

[knqyf263]

nit: Other package analyzers use the name of the package manager, like rpm and apk. Since Bottlerocket is also an OS name, I would rename it to bottlerocket-package, bottlerocket-pkg or things like that so it will not get confused with Bottlerocket OS analyzer.

[0intro]

This is a good point, but I haven't been able to find a good name. What do you think about bottlerocket-inventory? The file is usually called either application inventory or software inventory in the Bottlerocket documentation.

[knqyf263]

bottlerocket-inventory sounds good to me.

[0intro]

Done.

[0intro]

I've renamed the bottlerocket package to bottlerocket_inventory.

[knqyf263]

LGTM.
@DmitriyLewen Can you also take a look?

[DmitriyLewen]

I see a few things:

1. I think Trivy shows warning (something like WARN Unsupported os family="bottlerocket"). This might confuse users. Let's create a new ospkg driver. This driver will only show the Info log that Trivy does not support vulnerability detection for bottlerocket packages (the Detect function will simply return nil).
   @knqyf263 wdyt?
2. I think we need to update the purl package.
   We can add the bottlerocket purl type to Trivy (until package-url/purl-spec#454 is merged). You also need to update other functions (purlType, LangType, etc.)
   or we can use generic type
3. Add Bottlerocket page in docs

[DmitriyLewen]

let's use same name as in package (bottlerocket_inventory.go) (with _)

[0intro]

Done.

[knqyf263]

If I'm not mistaken, it's still mixed.

pkg/fanal/analyzer/pkg/bottlerocket_inventory/bottlerocket-inventory_test.go should be pkg/fanal/analyzer/pkg/bottlerocket-inventory/bottlerocket-inventory_test.go

[0intro]

Sorry, it should be fine now.

[knqyf263]

I think Trivy shows warning (something like WARN Unsupported os family="bottlerocket"). This might confuse users. Let's create a new ospkg driver. This driver will only show the Info log that Trivy does not support vulnerability detection for bottlerocket packages (the Detect function will simply return nil).

I thought we could document Trivy supports Bottlerocket only for SBOM, but UX would be better if we show the log message like you suggested.

[DmitriyLewen]

Thanks for pointing this out, I forgot to write about it in the review:
We need to add information to the bottlerocket OS documentation.

[DmitriyLewen]

@0intro do you have time to update this PR as per notes from #8653 (review)?

[0intro]

@0intro do you have time to update this PR as per notes from #8653 (review)?

Yes, I'll take a look.

[0intro]

I've added a stub bottlerocket ospkg driver, which should get rid of the Unsupported os family="bottlerocket" warning.

[knqyf263]

I picked up some images from https://gallery.ecr.aws/bottlerocket/, but their OS was Amazon Linux. How can I test this PR with actual images?

[0intro]

To deploy Bottlerocket on AWS, I've created an EC2 instance using resolve:ssm:/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_id as an ImageId.

[knqyf263]

I had trouble enabling SSM properly when launching a Bottlerocket AMI on EC2, so I wasn’t able to access the shell. I was finally able to view Bottlerocket’s root filesystem by launching it as an instance within an EKS cluster. If there’s an easier way to do this, I’d really appreciate it if you could let me know—it would make future testing much smoother.

Sorry for the delay in commenting; it took some time to get the setup working correctly.

[knqyf263]

Have you ever seen a case where /usr/lib/os-release doesn't exist and only ${arch}-bottlerocket-linux-gnu/sys-root/usr/lib/os-release exists? In my environment, /usr/lib/os-release is present. If /usr/lib/os-release is always present, we don't need to check ${arch}-bottlerocket-linux-gnu/sys-root/usr/lib/os-release.

[root@admin]# ls -alh /.bottlerocket/rootfs/usr/lib/os-release
-rw-r--r--. 1 root root 455 Apr 23 00:29 /.bottlerocket/rootfs/usr/lib/os-release
[root@admin]# cat /.bottlerocket/rootfs/usr/lib/os-release
NAME=Bottlerocket
ID=bottlerocket
VERSION="1.37.0 (aws-k8s-1.30)"
PRETTY_NAME="Bottlerocket OS 1.37.0 (aws-k8s-1.30)"
VARIANT_ID=aws-k8s-1.30
VERSION_ID=1.37.0
BUILD_ID=e5290cd7
VENDOR_NAME="Bottlerocket"
HOME_URL="https://github.com/bottlerocket-os/bottlerocket"
SUPPORT_URL="https://github.com/bottlerocket-os/bottlerocket/discussions"
BUG_REPORT_URL="https://github.com/bottlerocket-os/bottlerocket/issues"
DOCUMENTATION_URL="https://bottlerocket.dev"

[0intro]

Yes, ${arch}-bottlerocket-linux-gnu/sys-root/usr/lib/os-release is mounted to /usr/lib/os-release at run time. When Bottlerocket is running, you can access to /usr/lib/os-release, but when mounting the Bottlerocket partition, you only have access to ${arch}-bottlerocket-linux-gnu/sys-root/usr/lib/os-release. I'm using Trivy in this later case.

[knqyf263]

We also need epoch. Otherwise, it leads to false detection.

    {
      "Name": "xfscli",
      "Publisher": "bottlerocket-core-kit",
      "Version": "0.0",
      "Release": "1.1745352352.c92146c5.br1",
      "Epoch": "1",
      "InstalledTime": "2025-04-23T00:26:38Z",
      "ApplicationType": "Unspecified",
      "Architecture": "x86_64",
      "Url": "https://github.com/bottlerocket-os/bottlerocket",
      "Summary": "XFS progs cli"
    },

[0intro]

I've just added handling of epoch.

[knqyf263]

@DmitriyLewen Can you also take a look?

[DmitriyLewen]

LGTM
left small comments about comments, tests and purl package

@0intro and can you fix linter errors (mage lint:fix and mage lint:run commands help you)?

[DmitriyLewen]

This is incorrect, because we don't detect vulns for Bottlerocket pkgs.

[0intro]

Done.

[DmitriyLewen]

Let's add Info log that Trivy currently doesn't support vulnerability detection for Bottlerocket packages.

[0intro]

Done.

[DmitriyLewen]

Suggested change

	// Temporary type before being added in github.com/package-url/packageurl-go
	packageurlTypeBottlerocket = "bottlerocket"
	// Temporary type before being added in github.com/package-url/packageurl-go
	// cf. https://github.com/package-url/purl-spec/issues/454
	packageurlTypeBottlerocket = "bottlerocket"

[0intro]

Done.

[DmitriyLewen]

Can you add small test case for bottlerrocker os-release file?

[0intro]

Done.

[DmitriyLewen]

I wrote 2 tests for your changes:

diff --git a/pkg/purl/purl_test.go b/pkg/purl/purl_test.go
index 5607551da..ae00df05d 100644
--- a/pkg/purl/purl_test.go
+++ b/pkg/purl/purl_test.go
@@ -440,6 +440,38 @@ func TestNewPackageURL(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "bottlerocket package",
+			typ:  ftypes.Bottlerocket,
+			metadata: types.Metadata{
+				OS: &ftypes.OS{
+					Family: ftypes.Bottlerocket,
+					Name:   "v1.39.0",
+				},
+			},
+			pkg: ftypes.Package{
+				ID:      "[email protected]",
+				Name:    "glibc",
+				Version: "2.40",
+				Epoch:   1,
+				Arch:    "x86_64",
+			},
+			want: &purl.PackageURL{
+				Type:    "bottlerocket",
+				Name:    "glibc",
+				Version: "2.40",
+				Qualifiers: packageurl.Qualifiers{
+					{
+						Key:   "epoch",
+						Value: "1",
+					},
+					{
+						Key:   "distro",
+						Value: "bottlerocket-v1.39.0",
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -710,6 +742,47 @@ func TestPackageURL_Package(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "bottlerocker with epoch",
+			pkgURL: &purl.PackageURL{
+				Type:    "bottlerocket",
+				Name:    "glibc",
+				Version: "2.40",
+				Qualifiers: packageurl.Qualifiers{
+					{
+						Key:   "epoch",
+						Value: "1",
+					},
+					{
+						Key:   "distro",
+						Value: "bottlerocket-v1.39.0",
+					},
+				},
+			},
+			wantPkg: &ftypes.Package{
+				ID:      "[email protected]",
+				Name:    "glibc",
+				Version: "2.40",
+				Epoch:   1,
+				Identifier: ftypes.PkgIdentifier{
+					PURL: &packageurl.PackageURL{
+						Type:    "bottlerocket",
+						Name:    "glibc",
+						Version: "2.40",
+						Qualifiers: packageurl.Qualifiers{
+							{
+								Key:   "epoch",
+								Value: "1",
+							},
+							{
+								Key:   "distro",
+								Value: "bottlerocket-v1.39.0",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "wrong epoch",
 			pkgURL: &purl.PackageURL{

Can you add these tests and update purl package (add epoch)?

[0intro]

Done.

[DmitriyLewen]

Add bottlerocker into purlType(t) function:

diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go
index c0287cca6..7c59ff4f4 100644
--- a/pkg/purl/purl.go
+++ b/pkg/purl/purl.go
@@ -7,7 +7,7 @@ import (
 
        cn "github.com/google/go-containerregistry/pkg/name"
        version "github.com/knqyf263/go-rpm-version"
-       packageurl "github.com/package-url/packageurl-go"
+       "github.com/package-url/packageurl-go"
        "github.com/samber/lo"
        "golang.org/x/xerrors"
 
@@ -489,6 +489,8 @@ func purlType(t ftypes.TargetType) string {
                ftypes.OpenSUSELeap, ftypes.OpenSUSETumbleweed, ftypes.SLES, ftypes.SLEMicro, ftypes.Photon,
                ftypes.Azure, ftypes.CBLMariner:
                return packageurl.TypeRPM
+       case ftypes.Bottlerocket:
+               return packageurlTypeBottlerocket
        case TypeOCI:
                return packageurl.TypeOCI
        case ftypes.Julia:

[0intro]

Done.

[0intro]

Thanks. I think I've done all the required changes.

[DmitriyLewen]

@0intro Thanks for your work!
LGTM.

I left 1 comment.
And you need to update docs (OS page):
https://trivy.dev/latest/docs/coverage/os/

PS use mage docs:serve to see your changes

PS2 fix linter errors please

[0intro]

I've added the documentation.

[DmitriyLewen]

@0intro Great!
run mage lint:fix please.

[DmitriyLewen]

LGTM
@0intro Thanks for your contribution!

cc. @knqyf263