Open dsever opened 3 weeks ago
Hi @dsever, thanks for reaching out. The API is returning the correct results; in this case the appropriate query is actually https://ubuntu.com/security/cves.json?package=openssh . The security team works with source packages, from which several binary packages are then compiled, and when querying CVEs for a given package the source package needs to be matched.
Understood, but how then do you match packages registered in the Ubuntu dpkg -l command (there it is openssh-server) against the API? Do you have any recommendations on that?
To be honest, I have the impression this is inconsistent, since Ubuntu users usually don't have any idea which source package/project they are relying on; we just see that the package openssh-server has been installed, and its particular version, and want to know the vulnerabilities related to the installed package.
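One way to do the matching the question above asks about, as an added example that is not code from this thread or from the Ubuntu security team: dpkg itself records the source package for every installed binary package, so the dpkg-query output can be mapped to the source name and then used in the query form the reply gives. The tab-separated input format and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue thread: map the binary package names
# that dpkg reports (openssh-server) to the source package name the Ubuntu
# CVE API expects (openssh).
# Assumed input format, one package per line, tab-separated, as printed by:
#   dpkg-query -W -f='${Package}\t${Source}\t${Version}\n'
# The Source field is empty when binary and source share a name, and may carry
# a " (version)" suffix when the binary version differs from the source one.

# source_of LINE: print the source package for one such line.
source_of() {
    pkg=$(printf '%s' "$1" | cut -f1)
    src=$(printf '%s' "$1" | cut -f2)
    [ -z "$src" ] && src=$pkg        # empty Source: same name as the binary
    src=${src%% (*}                  # drop a " (1.1.1f-1ubuntu2.20)" suffix
    printf '%s\n' "$src"
}

# source_packages: read dpkg-query lines on stdin and print each distinct
# source package once (openssh-server and openssh-client both map to openssh).
source_packages() {
    while IFS= read -r line; do
        [ -n "$line" ] && source_of "$line"
    done | sort -u
}

# cve_url SOURCE: the query form given in the reply above.
cve_url() {
    printf 'https://ubuntu.com/security/cves.json?package=%s\n' "$1"
}

# Constructed sample standing in for real dpkg-query output.
sample() {
    printf 'openssh-server\topenssh\t1:8.2p1-4ubuntu0.11\n'
    printf 'openssh-client\topenssh\t1:8.2p1-4ubuntu0.11\n'
    printf 'libssl1.1\topenssl (1.1.1f-1ubuntu2.20)\t1.1.1f-1ubuntu2.20\n'
    printf 'bash\t\t5.0-6ubuntu1.2\n'
}

# On a real host, replace `sample` with the dpkg-query command above and
# pass each printed URL to curl.
sample | source_packages | while IFS= read -r src; do
    cve_url "$src"
done
```

The version column is kept in the input so that, once the API response is fetched, the installed version can be compared against the fixed versions it reports.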
Summary
Not sure if I am doing something wrong, but openssh-server should contain vulnerabilities for sure.
Process
Curl the most popular package
Current and expected result
For sure there must be results; for instance, targeting the CVE directly provides valid results for the openssh-server vulnerability.
Additional test with
provides results, but then the question is how to handle it, because the name of the package visible from dpkg is openssh-server, not openssh.
Browser details
curl command, Ubuntu 20.04