Next steps with OpenSuSE importing into OSV.dev


Andrew Pollock

Feb 19, 2024, 12:23:57 AM
to Marcus Meissner, osv-discuss
Hello Marcus,

I hope you're doing well. 

We're looking forward to being able to import the OpenSuSE OSV records into OSV.dev and for them to provide actionable vulnerability detection to OpenSuSE users.

Looking at what's available in https://ftp.suse.com/pub/projects/security/osv, what looks to be remaining:
  • enumerating vulnerable versions

Enumerating vulnerable versions

For example, looking at https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2024%3A0048-1.json:

On a Leap 15.5 system, versions of pdns-recursor prior to 4.8.6-bp155.2.3.1 should be considered vulnerable. Looking at https://download.opensuse.org/distribution/leap/15.5/repo/oss/aarch64/ I can see 4.8.3-bp155.1.6 referred to as a version for pdns-recursor.

A scan of a vulnerable system might construct an API call like:

curl -d \
  '{"version": "4.8.3-bp155.1.6",
    "package": {"name": "pdns-recursor", "ecosystem": "openSUSE:Leap 15.5"}}' \
  "https://api.osv.dev/v1/query"

In order for this version to be determined to be vulnerable by OSV.dev's API, the list of all versions that have existed in Leap 15.5 needs to be enumerable by OSV.dev when the OSV record is imported.

To see existing code for concrete examples and inspiration go to:

  • https://github.com/google/osv.dev/blob/master/osv/ecosystems/_ecosystems.py
  • https://github.com/google/osv.dev/tree/master/osv/ecosystems

If you have any questions, or if an interactive conversation would be helpful, please get in touch, and we can organise a meeting.

regards

Andrew

--


Andrew Pollock

Software Engineer, Google Open Source Security Team | apol...@google.com

Google LLC


This email is confidential. If you are not the right addressee, please inform the sender and please erase this email including any attachments.

Marcus Meissner

Feb 19, 2024, 11:33:40 AM
to Andrew Pollock, osv-discuss
Hi Andrew,

Yes, just super busy so this is put on the backburner a bit.

I added an "openSUSE:" naming and a "SUSE:" naming to define the namespace
in between.

On Mon, Feb 19, 2024 at 03:23:42PM +1000, Andrew Pollock wrote:
> Hello Marcus,
>
> I hope you're doing well.
>
> We're looking forward to being able to import the OpenSuSE OSV records into
> OSV.dev and for them to provide actionable vulnerability detection to
> OpenSuSE users.
>
> Looking at what's available in
> https://ftp.suse.com/pub/projects/security/osv, what's looks to be
> remaining:
>
> - enumerating vulnerable versions
>
> *Enumerating vulnerable versions*
>
> For example, looking at
> https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2024%3A0048-1.json
> :
>
> On a Leap 15.5 system, versions of pdns-recursor prior to 4.8.6-bp155.2.3.1
> should be considered vulnerable. Looking at
> https://download.opensuse.org/distribution/leap/15.5/repo/oss/aarch64/ I
> can see 4.8.3-bp155.1.6 referred to as a version for pdns-recursor.
>
> A scan of a vulnerable system might construct an API call like:
>
> curl -d \
> '{"version": "4.8.3-bp155.1.6",
> "package": {"name": "pdns-recursor", "ecosystem": "openSUSE:Leap
> 15.5"}}' \
> "https://api.osv.dev/v1/query"
>
> In order for this version to be determined to be vulnerable by OSV.dev's
> API, the list of all versions that has existed in Leap 15.5 needs to be
> able to be enumerated by OSV.dev when the OSV record is imported.

Currently it is a bit challenging to list all affected versions; we
could get them, but for most relations the situation is that the bug was
there before shipment and is fixed now.

So I thought that

  {
    "type": "ECOSYSTEM",
    "events": [
      {"introduced": "0"},
      {"fixed": "4.8.6-bp155.2.3.1"}
    ]
  }

would be sufficient here?

The package versions we release are linear in a "RPM version compare" relation.

I see Debian, Rocky Linux and Alma Linux doing the same.

Or would I need to define what "ECOSYSTEM" means here?

Can we perhaps also have a "RPMVER" relation?

> To see existing code for concrete examples and inspiration go to:
>
> -
> https://github.com/google/osv.dev/blob/master/osv/ecosystems/_ecosystems.py
> - https://github.com/google/osv.dev/tree/master/osv/ecosystems
>
> If you have any questions, or if an interactive conversation would be
> helpful, please get in touch, and we can organise a meeting.

Ciao, Marcus
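The introduced/fixed range Marcus proposes only works if OSV.dev (or a scanner) orders openSUSE versions the way rpm does, and the /v1/query call in Andrew's first message needs exactly that ordering to place 4.8.3-bp155.1.6 below the fixed version. The following is an added example, not code from OSV.dev, SUSE or either poster: a comparator that follows rpm's rpmvercmp() segment rules, an evaluator for OSV ECOSYSTEM ranges over introduced/fixed events, and a query() that does what the API call in the thread asks of the server. SAMPLE_RECORD is constructed from the advisory details quoted in the thread; the function names are this example's own.

```python
# Added example (not OSV.dev's or SUSE's code): an RPM-style version comparator
# and an evaluator for OSV "ECOSYSTEM" ranges. It decides that 4.8.3-bp155.1.6
# lies in [introduced "0", fixed "4.8.6-bp155.2.3.1") without enumerating every
# version that ever shipped in Leap 15.5. Function names are this example's own.
import re
from functools import cmp_to_key
from itertools import zip_longest

# Digit runs and letter runs are segments, '~' and '^' are their own tokens,
# separators ('.', '_', '+', ...) are dropped, as rpm does.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's rpmvercmp() rules: digit runs compare numerically, letter runs as
    strings, digits outrank letters, '~' sorts before end of string, '^' after it."""
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):  # None: exhausted
        if x == "~" or y == "~":
            if x != "~" or y != "~":
                return 1 if x != "~" else -1
            continue
        if x == "^" or y == "^":
            if x is None or y is None:
                return -1 if x is None else 1
            if x != "^" or y != "^":
                return 1 if x != "^" else -1
            continue
        if x is None or y is None:
            return -1 if x is None else 1
        xn, yn = x[0].isdigit(), y[0].isdigit()
        if xn != yn:
            return 1 if xn else -1
        if xn:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def compare_evr(a: str, b: str) -> int:
    """Order 'epoch:version-release' as rpm does: epoch, then version, then
    release. Missing epoch is 0; a missing release matching any release is this example's choice."""
    def split(s):
        epoch, _, rest = s.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or (rpmvercmp(ra, rb) if ra and rb else 0)


def _cmp_event(a: str, b: str) -> int:
    """Ordering for OSV event versions; the sentinel "0" is below everything."""
    if a == "0" or b == "0":
        return (a != "0") - (b != "0")
    return compare_evr(a, b)


def is_affected(version: str, ranges) -> bool:
    """True if some ECOSYSTEM range covers `version`: events are walked in version
    order and the last one at or below `version` decides ('introduced' = affected)."""
    by_version = cmp_to_key(
        lambda x, y: _cmp_event(next(iter(x.values())), next(iter(y.values()))))
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        affected = False
        for event in sorted(rng["events"], key=by_version):
            kind, ver = next(iter(event.items()))
            if _cmp_event(ver, version) <= 0:
                affected = kind == "introduced"
        if affected:
            return True
    return False


# Constructed from the thread: openSUSE-SU-2024:0048-1 fixes pdns-recursor on
# Leap 15.5 at 4.8.6-bp155.2.3.1. Other fields of the real record are omitted.
SAMPLE_RECORD = {
    "id": "openSUSE-SU-2024:0048-1",
    "affected": [{
        "package": {"ecosystem": "openSUSE:Leap 15.5", "name": "pdns-recursor"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "4.8.6-bp155.2.3.1"}]}],
    }],
}


def query(records, ecosystem: str, name: str, version: str) -> list:
    """Server side of the /v1/query call: ids of records covering this version."""
    return [rec["id"] for rec in records
            if any(aff["package"].get("ecosystem") == ecosystem
                   and aff["package"].get("name") == name
                   and is_affected(version, aff.get("ranges", []))
                   for aff in rec.get("affected", []))]
```

With this ordering, query([SAMPLE_RECORD], "openSUSE:Leap 15.5", "pdns-recursor", "4.8.3-bp155.1.6") returns the advisory id, while 4.8.6-bp155.2.3.1 and 4.8.6-bp155.2.3.10 do not match. The cases that show why an ecosystem-specific comparator (Marcus's "RPMVER" question) matters are 4.8.10-bp155.1.1, which a plain string comparison would wrongly place before 4.8.6, and 4.8.6~rc1-bp155.1.1, which rpm's tilde rule correctly keeps below the fix; an epoch, when one is present, outranks both.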