Support BusyBox base image

[nicksc423]

Currently when scanning BusyBox images Trivy throws a FATAL error:
FATAL error in image scan: failed to scan the image: failed to analyze OS: Unknown OS

It'd be nice to add support for BusyBox

[mattlorimor]

Since BusyBox doesn't have any way to install system packages, the most I would expect Trivy to do at this point would be to pull the BusyBox version using something like this;

/ # busybox | head -1
BusyBox v1.31.1 (2020-04-14 01:09:51 UTC) multi-call binary.

Then compare the version against known CVEs for that BusyBox version. I am not quite sure where the vuln feed would come from, though. There have certainly been CVEs for BusyBox in the past.

As for scanning for application dependencies, I would expect that Trivy could continue on as normal on BusyBox simply looking for the application dependency manifests (e.g., .lock files) it already looks for.

[mattlorimor]

I am not quite sure where the vuln feed would come from, though.

The NVD database should have this data to compare against in the CPE fields, but I'm not sure what capability the current Trivy code has to compare against it.

https://github.com/aquasecurity/vuln-list/blob/9fe1471a12139e35fb0b63cfe7cd5a82873f0db3/nvd/2019/CVE-2019-5747.json#L8

[simar7]

Thanks for digging into this @mattlorimor, we're currently investigating this as well. Your feedback is helpful!

[knqyf263]

Now, Trivy can handle a busybox image gracefully, but it doesn't mean Trivy can detect vulnerabilities of busybox itself. Someone who needs it can watch this issue.
#481