google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Scan `status` files used by Ubuntu #1293

Open cav72 opened 4 weeks ago

cav72 commented 4 weeks ago

Description

With the large amount of OSV data from Ubuntu on osv.dev, is there a plan to support /var/lib/dpkg/status "lockfiles" on Ubuntu?

For example, using this simplified /var/lib/dpkg/status file on a Debian 12 host:

Package: base-files
Status: install ok installed
Version: 12.4+deb12u7

Package: openvpn
Status: install ok installed
Version: 2.6.3-1+deb12u2

we receive the following vulnerability report when running $ osv-scanner scan --lockfile 'dpkg-status:/var/lib/dpkg/status':

╭────────────────────────────────┬──────┬───────────┬─────────┬─────────────────┬────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION         │ SOURCE                     │
├────────────────────────────────┼──────┼───────────┼─────────┼─────────────────┼────────────────────────────┤
│ https://osv.dev/CVE-2024-28882 │      │ Debian:12 │ openvpn │ 2.6.3-1+deb12u2 │ ../var/lib/dpkg/status     │
╰────────────────────────────────┴──────┴───────────┴─────────┴─────────────────┴────────────────────────────╯

But when we run an equivalent scan on an Ubuntu 24.04 host with the following simplified /var/lib/dpkg/status file:

Package: base-files
Status: install ok installed
Version: 13ubuntu10.1

Package: openvpn
Status: install ok installed
Version: 2.6.9-1ubuntu4

we receive:

No issues found

What I would like to retrieve is a report like:

╭───────────────────────────────────────┬──────┬──────────────────┬─────────┬────────────────┬────────────────────────────╮
│ OSV URL                               │ CVSS │ ECOSYSTEM        │ PACKAGE │ VERSION        │ SOURCE                     │
├───────────────────────────────────────┼──────┼──────────────────┼─────────┼────────────────┼────────────────────────────┤
│ https://osv.dev/UBUNTU-CVE-2024-28882 │      │ Ubuntu:24.04:LTS │ openvpn │ 2.6.9-1ubuntu4 │ ../var/lib/dpkg/status     │
╰───────────────────────────────────────┴──────┴──────────────────┴─────────┴────────────────┴────────────────────────────╯

Is this functionality able to be integrated into osv-scanner?

To Reproduce

Steps to reproduce the behaviour: Run the commands above and check the output.

Expected behaviour

The following data should be retrieved: https://osv.dev/vulnerability/UBUNTU-CVE-2024-28882

cc: @dodys
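An added example (not osv-scanner's code and not from the issue author) of what the two status files above require from a scanner: parse the dpkg stanzas, keep only installed packages, take the OSV ecosystem from /etc/os-release instead of assuming Debian, and build the JSON body for the osv.dev querybatch endpoint. The ecosystem labels mirror the tables above ("Debian:12", "Ubuntu:24.04:LTS"); the rule that ":LTS" is appended when the os-release VERSION contains "LTS", the sample inputs and the helper names are assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Package is one installed entry from /var/lib/dpkg/status.
type Package struct {
	Name    string
	Version string
}

// ParseDpkgStatus reads the stanza-based dpkg status format and returns only
// packages whose Status line ends in "installed" (removed packages with
// leftover config files would otherwise produce false matches).
func ParseDpkgStatus(content string) []Package {
	var pkgs []Package
	cur := map[string]string{}
	flush := func() {
		if cur["Package"] != "" && cur["Version"] != "" && strings.HasSuffix(cur["Status"], " installed") {
			pkgs = append(pkgs, Package{Name: cur["Package"], Version: cur["Version"]})
		}
		cur = map[string]string{}
	}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" { // blank line ends a stanza
			flush()
			continue
		}
		if line[0] == ' ' || line[0] == '\t' { // continuation of a multi-line field
			continue
		}
		if k, v, ok := strings.Cut(line, ":"); ok {
			cur[k] = strings.TrimSpace(v)
		}
	}
	flush()
	return pkgs
}

// Ecosystem derives the OSV ecosystem label from /etc/os-release contents.
// Assumption: Ubuntu LTS releases are labelled with a ":LTS" suffix as in the
// issue's expected output.
func Ecosystem(osRelease string) (string, error) {
	f := map[string]string{}
	for _, line := range strings.Split(osRelease, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			f[k] = strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	switch f["ID"] {
	case "debian":
		return "Debian:" + f["VERSION_ID"], nil
	case "ubuntu":
		eco := "Ubuntu:" + f["VERSION_ID"]
		if strings.Contains(f["VERSION"], "LTS") {
			eco += ":LTS"
		}
		return eco, nil
	}
	return "", fmt.Errorf("unsupported distribution %q", f["ID"])
}

type osvQuery struct {
	Version string `json:"version"`
	Package struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	} `json:"package"`
}

// BuildQueryBatch returns the request body for POST https://api.osv.dev/v1/querybatch.
func BuildQueryBatch(pkgs []Package, eco string) ([]byte, error) {
	body := struct {
		Queries []osvQuery `json:"queries"`
	}{}
	for _, p := range pkgs {
		var q osvQuery
		q.Version, q.Package.Name, q.Package.Ecosystem = p.Version, p.Name, eco
		body.Queries = append(body.Queries, q)
	}
	return json.Marshal(body)
}

// Constructed sample inputs modelled on the issue's Ubuntu 24.04 host, plus one
// removed package that must be filtered out.
const ubuntuStatus = `Package: base-files
Status: install ok installed
Version: 13ubuntu10.1

Package: openvpn
Status: install ok installed
Version: 2.6.9-1ubuntu4

Package: removed-example
Status: deinstall ok config-files
Version: 1.0-1
`

const ubuntuOSRelease = `NAME="Ubuntu"
VERSION="24.04 LTS (Noble Numbat)"
ID=ubuntu
VERSION_ID="24.04"
`

func main() {
	eco, err := Ecosystem(ubuntuOSRelease)
	if err != nil {
		panic(err)
	}
	body, _ := BuildQueryBatch(ParseDpkgStatus(ubuntuStatus), eco)
	fmt.Println(string(body))
}
```

The point of reading os-release is the one the issue turns on: the same openvpn stanza queried under "Debian:12" returns nothing useful for an Ubuntu build, while under "Ubuntu:24.04:LTS" it can match the UBUNTU-CVE-2024-28882 entry the reporter expects.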

oliverchang commented 4 weeks ago

Thanks for filing the issue!

CC @hogo6002 @another-rex who are currently working on Ubuntu scanning in the context of container scanning.

another-rex commented 3 weeks ago

This is actively being worked on! Coming soon (in a month or 2?) in OSV-Scanner V2, when we complete the migration to use osv-scalibr extractors.

At that point it should work as you expect, where both scanning on an Ubuntu host and scanning an Ubuntu container image will correctly return Ubuntu vulnerabilities.

cav72 commented 3 weeks ago

That is great to hear! Let me know if you need any extra external testing when it lands! Thank you heaps.