Open cav72 opened 4 weeks ago
Thanks for filing the issue!
CC @hogo6002 @another-rex who are currently working on Ubuntu scanning in the context of container scanning.
This is actively being worked on! Coming soon (in a month or 2?) in OSV-Scanner V2, when we complete the migration to use osv-scalibr extractors.
At that point it should work as you expect where both scanning on host in an Ubuntu machine, or scanning an Ubuntu container image will correctly return Ubuntu vulnerabilities.
That is great to hear! Let me know if you need any extra external testing when it lands! Thank you heaps.
Description
With the large amount of OSV data from Ubuntu on osv.dev, is there a plan to support /var/lib/dpkg/status "lockfiles" on Ubuntu?
For example, using this simplified /var/lib/dpkg/status file on a Debian 12 host:
we receive the following vulnerability report when running
$ osv-scanner scan --lockfile 'dpkg-status:/var/lib/dpkg/status'
:
But when we run an equivalent scan on an Ubuntu 24.04 host with the following simplified /var/lib/dpkg/status file:
we receive:
What I would like to retrieve is a report like:
Is this functionality able to be integrated into osv-scanner?
To Reproduce
Steps to reproduce the behaviour: Run the commands above and check the output.
Expected behaviour
The following data should be retrieved: https://osv.dev/vulnerability/UBUNTU-CVE-2024-28882
cc: @dodys
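
To illustrate the Debian versus Ubuntu difference described in the issue, this added example (not code from the issue or from OSV-Scanner) parses a dpkg status file and builds osv.dev `/v1/query` request bodies whose ecosystem is derived from `/etc/os-release`. The sample data, the function names, the os-release to ecosystem mapping, and the choice to query by source package name and version are assumptions of this example.

```python
# Constructed sample data, not taken from the issue.
STATUS = """\
Package: libfoo1
Status: install ok installed
Source: foo (1.2.3-1ubuntu2)
Version: 1.2.3-1ubuntu2+b1
Description: example library
 note: continuation lines may contain colons

Package: bar
Status: deinstall ok config-files

Package: baz
Status: install ok installed
Version: 2:4.5-3
"""
OS_RELEASE = 'ID=ubuntu\nVERSION_ID="24.04"\nVERSION="24.04.1 LTS (Noble Numbat)"\n'

def parse_status(text):
    """Yield one {field: value} dict per stanza of a dpkg status file."""
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:      # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def osv_ecosystem(os_release):
    """Map os-release text to an OSV ecosystem name (assumed mapping)."""
    pairs = (l.split("=", 1) for l in os_release.splitlines() if "=" in l)
    kv = {k: v.strip('"') for k, v in pairs}
    if kv.get("ID") == "ubuntu":
        lts = ":LTS" if "LTS" in kv.get("VERSION", "") else ""
        return "Ubuntu:" + kv["VERSION_ID"] + lts
    if kv.get("ID") == "debian":
        return "Debian:" + kv["VERSION_ID"]
    raise ValueError("unsupported distribution: %r" % kv.get("ID"))

def osv_queries(status, os_release):
    """Build /v1/query bodies; querying by source name is this example's choice."""
    eco, out = osv_ecosystem(os_release), []
    for f in parse_status(status):
        if f.get("Status", "").endswith(" installed"):  # skip removed packages
            name, _, ver = f.get("Source", f["Package"]).partition(" ")
            out.append({"package": {"name": name, "ecosystem": eco},
                        "version": ver.strip("()") or f["Version"]})
    return out
```

Each returned dict can be sent as the JSON body of a POST to `https://api.osv.dev/v1/query`.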