feat: azure linux 3 support

Map vulnerabilities coming from Vunnel mariner provider that are tagged
with mariner 3.0 to be Azure Linux 3.

Signed-off-by: Will Murphy <[email protected]>

pkg/process/v5/transformers/os/test-fixtures/azure-linux-3.json

@@ -0,0 +1,26 @@
+[
+  {
+    "Vulnerability": {
+      "Name": "CVE-2023-29403",
+      "NamespaceName": "mariner:3.0",
+      "Description": "CVE-2023-29403 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+      "Severity": "High",
+      "Link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29403",
+      "CVSS": [],
+      "FixedIn": [
+        {
+          "Name": "golang",
+          "NamespaceName": "mariner:3.0",
+          "VersionFormat": "rpm",
+          "Version": "0:1.20.7-1.azl3",
+          "Module": "",
+          "VendorAdvisory": {
+            "NoAdvisory": false,
+            "AdvisorySummary": []
+          }
+        }
+      ],
+      "Metadata": {}
+    }
+  }
+]

pkg/process/v5/transformers/os/test-fixtures/mariner-20.json

@@ -0,0 +1,26 @@
+[
+  {
+    "Vulnerability": {
+      "Name": "CVE-2021-37621",
+      "NamespaceName": "mariner:2.0",
+      "Description": "CVE-2021-37621 affecting package exiv2 for versions less than 0.27.5-1. An upgraded version of the package is available that resolves this issue.",
+      "Severity": "Medium",
+      "Link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37621",
+      "CVSS": [],
+      "FixedIn": [
+        {
+          "Name": "exiv2",
+          "NamespaceName": "mariner:2.0",
+          "VersionFormat": "rpm",
+          "Version": "0:0.27.5-1.cm2",
+          "Module": "",
+          "VendorAdvisory": {
+            "NoAdvisory": false,
+            "AdvisorySummary": []
+          }
+        }
+      ],
+      "Metadata": {}
+    }
+  }
+]

pkg/process/v5/transformers/os/transform.go

@@ -30,15 +30,21 @@ func buildGrypeNamespace(group string) (namespace.Namespace, error) {
 	}
 
 	providerName := d.String()
+	distroName := d.String()
 
 	switch d {
 	case distro.OracleLinux:
 		providerName = "oracle"
 	case distro.AmazonLinux:
 		providerName = "amazon"
+	case distro.Mariner, distro.Azure:
+		providerName = "mariner"
+		if feedGroupComponents[1] == "3.0" {
+			distroName = distro.Azure.String() // Mariner Linux 3.0 is known as "Azure Linux 3"
+		}
 	}
 
-	ns, err := namespace.FromString(fmt.Sprintf("%s:distro:%s:%s", providerName, d.String(), feedGroupComponents[1]))
+	ns, err := namespace.FromString(fmt.Sprintf("%s:distro:%s:%s", providerName, distroName, feedGroupComponents[1]))
 
 	if err != nil {
 		return nil, err

pkg/process/v5/transformers/os/transform_test.go

@@ -626,6 +626,84 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
 				Description:  "A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or update. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
 			},
 		},
+		{
+			name:       "mariner linux 2.0",
+			numEntries: 1,
+			fixture:    "test-fixtures/mariner-20.json",
+			vulns: []grypeDB.Vulnerability{
+				{
+					ID:          "CVE-2021-37621",
+					PackageName: "exiv2",
+					Namespace:   "mariner:distro:mariner:2.0",
+					PackageQualifiers: []qualifier.Qualifier{
+						rpmmodularity.Qualifier{
+							Kind: "rpm-modularity",
+						},
+					},
+					RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
+						{
+							ID:        "CVE-2021-37621",
+							Namespace: "nvd:cpe",
+						},
+					},
+					VersionConstraint: "< 0:0.27.5-1.cm2",
+					VersionFormat:     "rpm",
+					Fix: grypeDB.Fix{
+						Versions: []string{"0:0.27.5-1.cm2"},
+						State:    grypeDB.FixedState,
+					},
+					Advisories: nil,
+				},
+			},
+			metadata: grypeDB.VulnerabilityMetadata{
+				ID:           "CVE-2021-37621",
+				Namespace:    "mariner:distro:mariner:2.0",
+				DataSource:   "https://nvd.nist.gov/vuln/detail/CVE-2021-37621",
+				RecordSource: "vulnerabilities:mariner:2.0",
+				Severity:     "Medium",
+				URLs:         []string{"https://nvd.nist.gov/vuln/detail/CVE-2021-37621"},
+				Description:  "CVE-2021-37621 affecting package exiv2 for versions less than 0.27.5-1. An upgraded version of the package is available that resolves this issue.",
+				Cvss:         nil,
+			},
+		},
+		{
+			name:       "azure linux 3",
+			numEntries: 1,
+			fixture:    "test-fixtures/azure-linux-3.json",
+			vulns: []grypeDB.Vulnerability{
+				{
+					ID:          "CVE-2023-29403",
+					PackageName: "golang",
+					Namespace:   "mariner:distro:azurelinux:3.0",
+					PackageQualifiers: []qualifier.Qualifier{
+						rpmmodularity.Qualifier{
+							Kind: "rpm-modularity",
+						},
+					},
+					RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
+						{
+							ID:        "CVE-2023-29403",
+							Namespace: "nvd:cpe",
+						},
+					},
+					VersionConstraint: "< 0:1.20.7-1.azl3",
+					VersionFormat:     "rpm",
+					Fix: grypeDB.Fix{
+						Versions: []string{"0:1.20.7-1.azl3"},
+						State:    grypeDB.FixedState,
+					},
+				},
+			},
+			metadata: grypeDB.VulnerabilityMetadata{
+				ID:           "CVE-2023-29403",
+				Namespace:    "mariner:distro:azurelinux:3.0",
+				DataSource:   "https://nvd.nist.gov/vuln/detail/CVE-2023-29403",
+				RecordSource: "vulnerabilities:mariner:3.0",
+				Severity:     "High",
+				URLs:         []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-29403"},
+				Description:  "CVE-2023-29403 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+			},
+		},
 		{
 			name:       "mariner entry with version range",
 			numEntries: 1,