Add support for CleanStart OS vulnerability scanning

[cleanstart-community-admin]

Summary

Adds CleanStart OS as a supported distro type in Grype, enabling accurate vulnerability scanning of CleanStart-based container images using the CleanStart Security Advisories database.

Motivation

CleanStart OS container images were previously unrecognised by Grype — scans produced no vulnerability results and emitted distro-detection warnings. Users scanning CleanStart images had no way to detect known vulnerabilities in installed packages.

Changes

• Add Clnstrt distro type constant in grype/distro/type.go
• Add clnstrt and cleanstart to the IDMapping table — clnstrt is the current /etc/os-release identifier; cleanstart supports an in-progress upstream rename
• Add Clnstrt to the All distro slice
• Add Rolling: true OS specifier overrides for both identifiers in grype/db/v6/data.go — CleanStart is a rolling distro and does not pin versions
• Update the OSV transformer to map the CleanStart ecosystem to pkg.ApkPkg — CleanStart uses the APK package format
• Add testdata/os/clnstrt and testdata/os/cleanstart test fixtures
• Add test coverage in distro_test.go and type_test.go

Related

• feat: add Cleanstart OS vulnerability match labels vulnerability-match-labels#187 — ground-truth scan labels for CleanStart images, required by Anchore CI to validate this change

Type of change

• New feature (non-breaking change which adds functionality)

Checklist

• I have added unit tests that cover changed behavior
• I have tested my code in common scenarios and confirmed there are no regressions
• I have added comments to my code, particularly in hard-to-understand sections

[cleanstart-community-admin]

Hi @willmurphyscode

I’m following up on the status of PR #3294. Are there any updates or next steps for merging it, or anything needed from our side to help move it forward?

Thanks and regards
cleanstart-community-admin