feat(arch): support Arch Linux

README.md

@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Features
 
 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS, Arch Linux and Distroless)
   - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Misconfiguration detection (IaC scanning) 
   - A wide variety of built-in policies are provided **out of the box**

docs/getting-started/overview.md

@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
 ## Features
 
 - Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS, Arch Linux and Distroless)
     - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
     - A wide variety of [built-in policies][builtin] are provided **out of the box**:

docs/vulnerability/detection/os.md

@@ -5,6 +5,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
 | Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
+| Arch Linux                       | Rolling Release                          | Installed by pacman           |                 YES                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |

go.mod

@@ -3,6 +3,7 @@ module github.com/aquasecurity/trivy
 go 1.16
 
 require (
+	github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46

go.sum

@@ -149,6 +149,8 @@ github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+x
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
 github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
+github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184 h1:enu2psM1AcUsNx36T+X13lcy2kmFFV4kwCMmL7i4yiQ=
+github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184/go.mod h1:iMNOZ59Aouwx++SN7zGEi8yB9JTd+ZwYufdnC02mjd4=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=

integration/client_server_test.go

@@ -210,6 +210,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/mariner-1.0.json.golden",
 		},
+		{
+			name: "archlinux",
+			args: csArgs{
+				Input: "testdata/fixtures/images/archlinux.tar.gz",
+			},
+			golden: "testdata/archlinux.json.golden",
+		},
 		{
 			name: "buxybox with Cargo.lock",
 			args: csArgs{

integration/docker_engine_test.go

@@ -182,6 +182,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/mariner-1.0.tar.gz",
 			golden:   "testdata/mariner-1.0.json.golden",
 		},
+		{
+			name:     "archlinux",
+			imageTag: "archlinux:latest",
+			input:    "testdata/fixtures/images/archlinux.tar.gz",
+			golden:   "testdata/archlinux.json.golden",
+		},
 		{
 			name:     "busybox with Cargo.lock",
 			imageTag: "busy-cargo:latest",

integration/standalone_tar_test.go

@@ -231,6 +231,14 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/mariner-1.0.json.golden",
 		},
+		{
+			name: "archlinux",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/archlinux.tar.gz",
+			},
+			golden: "testdata/archlinux.json.golden",
+		},
 		{
 			name: "buxybox with Cargo.lock integration",
 			testArgs: args{