canonical / ubuntu-com-security-api

The API for CVEs and USNs data.

API is not providing valid results #166

Open dsever opened 3 weeks ago

dsever commented 3 weeks ago

Summary

Not sure if I'm doing something wrong, but openssh-server should contain vulnerabilities for sure.

Process

Curl the most popular package

curl -X 'GET'   'https://ubuntu.com/security/cves.json?package=openssh-server'   -H 'accept: application/json'
{"cves":[],"limit":20,"offset":0,"total_results":0}

Current and expected result

For sure there must be results; for instance, targeting the CVE directly provides valid results for the openssh-server vulnerability:

curl -X 'GET'   'https://ubuntu.com/security/cves/CVE-2024-6387.json'   -H 'accept: application/json' | jq

Additional test with

curl -X 'GET' 'https://ubuntu.com/security/cves.json?package=openssh&limit=100' -H 'accept: application/json' | jq | less

provides results, but then the question is how to handle it, because the name of the package visible from dpkg is openssh-server, not openssh.

Browser details

curl command, Ubuntu 20.04

mtruj013 commented 3 weeks ago

Hi @dsever, thanks for reaching out. The API is returning the correct results; in this case the appropriate query is actually https://ubuntu.com/security/cves.json?package=openssh. The security team works with source packages, from which several binary packages are then compiled, and when querying CVEs for a given package the source package needs to be matched.

dsever commented 3 weeks ago

Understood, but how then do you match the packages registered in the Ubuntu dpkg -l output (where there is openssh-server) against the API? Do you have any recommendations on that? To be honest, I have the impression this is inconsistent, since Ubuntu users usually don't have any idea what the source package/project they are relying on is; we just see that package openssh-server has been installed at a particular version, and want to know the vulnerabilities related to the installed package.
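As an added example (not code from the issue thread or from the ubuntu-com-security-api project), the script below does what the last comment asks for: it resolves the binary package name that dpkg lists (openssh-server) to its source package through dpkg-query's ${source:Package} virtual field, then queries the API with that source name, as mtruj013 describes. The API URL and the package/limit parameters come from the thread; the script and function names, and the sample Source field value in the comments, are assumptions.

```shell
#!/usr/bin/env sh
# Added example: query Ubuntu CVE data for an installed *binary* package by
# first mapping it to the *source* package the security API keys on.
set -eu

API="https://ubuntu.com/security/cves.json"   # endpoint from the thread

# Strip a trailing " (version)" from a raw dpkg Source field, e.g. the
# constructed value "openssh (1:8.9p1-3ubuntu0.10)" -> "openssh".
# A plain source name passes through unchanged.
strip_source_version() {
    printf '%s\n' "${1% (*)}"
}

# Map a binary package name to its source package via dpkg-query.
# ${source:Package} already drops the version suffix; the result is still
# passed through strip_source_version in case a raw Source field is used.
# A binary package with no Source field is its own source package, and a
# package that is not installed (or no dpkg at all) falls back to its name.
source_package_of() {
    src=$(dpkg-query -W -f='${source:Package}\n' "$1" 2>/dev/null || true)
    strip_source_version "${src:-$1}"
}

# Build the query the API expects: ?package=<source package>, not the binary.
# Second argument is the page size (the thread raises it to 100).
cve_query_url() {
    printf '%s?package=%s&limit=%s\n' "$API" "$1" "${2:-100}"
}

# Usage: ./cves-for-binary.sh openssh-server
if [ "${1:-}" ]; then
    src=$(source_package_of "$1")
    echo "binary package $1 -> source package $src" >&2
    # Print the total hit count and the number of CVEs in this page of results;
    # both fields (total_results, cves) appear in the response shown above.
    curl -sS -H 'accept: application/json' "$(cve_query_url "$src")" \
        | jq '.total_results, (.cves | length)'
fi
```

Pass offset=... in cve_query_url's URL if you need to page past the first limit entries; the empty-result case in the thread is simply total_results 0.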