aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Collect vulnerabilities from Amazon Linux #72

Open pombredanne opened 5 years ago

pombredanne commented 5 years ago

See https://alas.aws.amazon.com/ There are two variants: AL and AL2

sbs2001 commented 3 years ago

Essentially we want to scrape/mine/consume the pages at https://alas.aws.amazon.com/ and https://alas.aws.amazon.com/alas2.html .

tushar912 commented 3 years ago

Taking it up @sbs2001 @pombredanne !

tushar912 commented 3 years ago

I checked https://alas.aws.amazon.com/ but I found that the table does not contain fixed and affected versions. I even checked the advisory URL (e.g. https://alas.aws.amazon.com/ALAS-2011-1.html) but did not find the same. @sbs2001 @pombredanne can you help me?

sbs2001 commented 3 years ago

@tushar912 the new packages mentioned at the advisory page are the fixed packages. It seems there is no easy way to obtain exact affected packages so you can skip finding them.

tushar912 commented 3 years ago

@sbs2001 I am still confused. Currently what I conclude is that to create a PackageURL object we need a version. But currently what I find is that the table doesn't provide anything related to the version of the package which is affected. Please help.

pombredanne commented 3 years ago

@tushar912 in https://alas.aws.amazon.com/ALAS-2011-1.html I can see this:

From that I can therefore infer:

  1. all these package versions are fixed (and we can parse RPM NEVRAs with https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/nevra.py)
  2. whatever versions were BEFORE these versions are vulnerable

Does this make sense?

tushar912 commented 3 years ago

Ok. I understood: New Packages are the ones that are fixed and whatever are before were affected.

pombredanne commented 3 years ago

ok, sorry if it felt like a rehash... that said we may not have a version that is affected, but rather a version range. @sbs2001 what do you think? That looks like a good use case for the ranges/spec?
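The two points above (parse the "New Packages" NEVRAs on an ALAS page as fixed versions, then treat everything before each fixed version as affected, expressed as a range rather than a single version) can be shown end to end. The following is an added illustration, not code from the vulnerablecode project or from scancode-toolkit's `nevra.py`: the advisory text, the package names and the helper names (`parse_nevra`, `fixed_packages`, `affected_range`, `to_purl`) are constructed for this example, the `amazon` purl namespace is an assumption, and the `vers:rpm/<EVR` string is only a vers-style sketch of the range the thread talks about.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import quote

# Constructed stand-in for the "New Packages" section of an ALAS page.
# Package names and versions are made up for this example.
SAMPLE_ADVISORY = """\
New Packages:
i686:
    kernel-2.6.35.14-106.53.amzn1.i686.rpm
    kernel-headers-2.6.35.14-106.53.amzn1.i686.rpm
src:
    kernel-2.6.35.14-106.53.amzn1.src.rpm
x86_64:
    kernel-2.6.35.14-106.53.amzn1.x86_64.rpm
    bind-32:9.8.2-0.17.rc1.amzn1.x86_64.rpm
"""


@dataclass(frozen=True)
class Nevra:
    """Name, optional epoch, version, release and architecture of an RPM."""
    name: str
    epoch: Optional[int]
    version: str
    release: str
    arch: str

    @property
    def evr(self) -> str:
        # epoch:version-release is the string rpm itself compares on.
        if self.epoch is None:
            return f"{self.version}-{self.release}"
        return f"{self.epoch}:{self.version}-{self.release}"


def parse_nevra(filename: str) -> Nevra:
    """Parse `name-[epoch:]version-release.arch[.rpm]` (hypothetical helper).

    Splitting from the right is what makes hyphenated names such as
    `kernel-headers` work: version and release never contain '-'.
    """
    base = filename[:-4] if filename.endswith(".rpm") else filename
    base, _, arch = base.rpartition(".")
    name_ver, _, release = base.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    if not (name and version and release and arch):
        raise ValueError(f"not a NEVRA: {filename!r}")
    epoch: Optional[int] = None
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return Nevra(name, epoch, version, release, arch)


def fixed_packages(advisory_text: str) -> Dict[str, List[str]]:
    """Collect the fixed EVRs per package name from the New Packages list.

    Architectures (and the src rpm) are collapsed: the fix is per EVR.
    """
    fixed: Dict[str, set] = {}
    for token in re.findall(r"\S+\.rpm", advisory_text):
        nevra = parse_nevra(token)
        fixed.setdefault(nevra.name, set()).add(nevra.evr)
    return {name: sorted(evrs) for name, evrs in fixed.items()}


def affected_range(fixed_evr: str) -> str:
    """Everything before the fixed EVR is affected (vers-style sketch, an assumption)."""
    return f"vers:rpm/<{fixed_evr}"


def to_purl(nevra: Nevra) -> str:
    """Build a purl for a fixed package; the `amazon` namespace is an assumption."""
    return f"pkg:rpm/amazon/{nevra.name}@{quote(nevra.evr, safe='')}?arch={nevra.arch}"


if __name__ == "__main__":
    for name, evrs in fixed_packages(SAMPLE_ADVISORY).items():
        for evr in evrs:
            print(f"{name}: fixed at {evr}, affected {affected_range(evr)}")
```

Note that only the fixed side of the range is recoverable from the page, which is why the result is an open lower bound rather than a concrete affected version; comparing a candidate version against that bound still needs rpm's EVR ordering (epoch first, then version, then release), not plain string comparison.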

keshav-space commented 2 months ago

Amazon might provide direct access to structured Advisory data at some point https://github.com/amazonlinux/amazon-linux-2023/issues/158#issuecomment-1602766478

pombredanne commented 2 weeks ago

@ambuj-1211 @keshav-space is this completed?