Vendor for RPM packages

[tonaim]

Description

For curl-minimal, in amazonlinux:latest image, there is no vendor.

We are not adding files related to it in the system files here
https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/analyzer/pkg/rpm/rpm.go#L136

Desired Behavior

Installed files of curl-minimum should be added into system files.

Actual Behavior

/usr/bin/curl file should be part of system files

Reproduction Steps

1. scan amazonlinux:2023 image
2. In system files observe that /usr/bin/curl
3.
...

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

vendor for curl-minimal is ""

Operating System

Any OS

Version

0.48.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

The older version has the vendor information, so I have no idea why they removed it. It can be a bug in Amazon Linux, but it is better to handle the case on our end anyway.

bash-5.2# rpm -qi curl-minimal
Name        : curl-minimal
Version     : 8.0.1
Release     : 1.amzn2023
Architecture: aarch64
Install Date: Fri Jun  9 20:42:57 2023
Group       : Unspecified
Size        : 392942
License     : MIT
Signature   : RSA/SHA512, Tue May 30 23:59:26 2023, Key ID e951904ad832c631
Source RPM  : curl-8.0.1-1.amzn2023.src.rpm
Build Date  : Tue May 30 22:57:56 2023
Build Host  : ip-10-0-38-248.us-west-2.compute.internal
Packager    : Amazon Linux
Vendor      : Amazon Linux
URL         : https://curl.se/
Summary     : Conservatively configured build of curl for minimal installations
Description :
This is a replacement of the 'curl' package for minimal installations.  It
comes with a limited set of features compared to the 'curl' package.  On the
other hand, the package is smaller and requires fewer run-time dependencies to
be installed.

[knqyf263]

Created #5887