Version enumeration for Rocky Linux

14 views
Skip to first unread message

Andrew Pollock

unread,
Feb 15, 2024, 1:14:27 AMFeb 15
to Mustafa Gezen, osv-discuss
Hi Mustafa, I hope this finds you well.

The fact that there's no version enumeration code for the Rocky Linux ecosystem bubbled back up towards the top of my attention recently, and I thought I'd reach out to discuss a way forward to resolve this.

For context as to the need: while having the records in OSV.dev is great for general searching, and visibility on the website, without having the affected[].versions field populated, the OSV.dev API (and any downstream tooling using it, like OSV-Scanner) cannot determine if a particular package in between the introduced and fixed versions is vulnerable, which limits the utility of the data somewhat.

Do you have any availability this year to contribute the necessary version enumeration code to address this deficiency?

For reference, see https://github.com/google/osv.dev/tree/master/osv/ecosystems, in particular https://github.com/google/osv.dev/blob/master/osv/ecosystems/_ecosystems.py and if an interactive conversation would help, please let me know and we can set up a meeting.

regards

Andrew

--


Andrew Pollock

Software Engineer, Google Open Source Security Team | apol...@google.com

Google LLC


This email is confidential. If you are not the right addressee, please inform the sender and please erase this email including any attachments.

Mustafa Gezen

unread,
Feb 22, 2024, 1:29:12 AMFeb 22
to Andrew Pollock, osv-discuss
Hi Andrew,

Sorry for late reply, we currently don't have a plan to introduce this field but we can certainly take a look and see if we can prioritize it. It should be possible for us to provide that info.

Mustafa

Andrew Pollock

unread,
Feb 22, 2024, 4:34:21 AMFeb 22
to Mustafa Gezen, osv-discuss
Hi Mustafa,

To clarify, you don't need to add this field, OSV.dev needs additional code so it can enumerate the versions during record import.

Regards

Andrew

Mustafa Gezen

unread,
Feb 22, 2024, 5:28:47 PMFeb 22
to Andrew Pollock, osv-discuss
Ah that explains it, so the contribution would be into the osv.dev enumeration code. Thanks for the clarification
Reply all
Reply to author
Forward
0 new messages