google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.23k stars 359 forks

Add Red Hat version comparison support #1336

Open hogo6002 opened 1 week ago

hogo6002 commented 1 week ago

Following osv.dev's recent addition of support for RPM versions, osv-scanner should also add a `version-rpm.go` file in `internal/semantic` to support Red Hat version comparison.
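For reference, the rules such a comparator has to implement are the ones in rpm's `rpmvercmp()`: separators are ignored, versions are compared segment by segment with numeric segments compared by value (leading zeros dropped) and alpha segments lexically, a numeric segment is newer than an alpha one, `~` sorts before everything including end of string, and `^` sorts after end of string but before anything else. The following is an added example written for this page, not code from osv-scanner or from rpm; the names `ParseEVR`, `RpmVerCmp` and `CompareEVR` are my own and the sample version strings in `main` are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseEVR splits "[epoch:]version[-release]" into its three parts.
// A missing epoch is treated as "0"; the release is split off at the
// last '-' so a version that itself contains '-' still parses.
func ParseEVR(s string) (epoch, version, release string) {
	epoch = "0"
	if i := strings.IndexByte(s, ':'); i >= 0 {
		epoch, s = s[:i], s[i+1:]
	}
	if i := strings.LastIndexByte(s, '-'); i >= 0 {
		release, s = s[i+1:], s[:i]
	}
	return epoch, s, release
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }
func isAlnum(c byte) bool { return isDigit(c) || isAlpha(c) }

// RpmVerCmp reimplements the segment rules of rpm's rpmvercmp().
// It returns -1 if a < b, 0 if equal, 1 if a > b.
func RpmVerCmp(a, b string) int {
	if a == b {
		return 0
	}
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		// Skip separators: anything that is not alphanumeric, '~' or '^'.
		for i < len(a) && !isAlnum(a[i]) && a[i] != '~' && a[i] != '^' {
			i++
		}
		for j < len(b) && !isAlnum(b[j]) && b[j] != '~' && b[j] != '^' {
			j++
		}
		// Tilde sorts before everything, including end of string ("1.0~rc1" < "1.0").
		ta, tb := i < len(a) && a[i] == '~', j < len(b) && b[j] == '~'
		if ta || tb {
			if !ta {
				return 1
			}
			if !tb {
				return -1
			}
			i, j = i+1, j+1
			continue
		}
		// Caret sorts after end of string but before anything else ("1.0" < "1.0^git1" < "1.0.1").
		ca, cb := i < len(a) && a[i] == '^', j < len(b) && b[j] == '^'
		if ca || cb {
			if i == len(a) {
				return -1
			}
			if j == len(b) {
				return 1
			}
			if !ca {
				return 1
			}
			if !cb {
				return -1
			}
			i, j = i+1, j+1
			continue
		}
		if i == len(a) || j == len(b) {
			break
		}
		// Take the next all-numeric or all-alpha segment, typed by a's first byte.
		si, sj := i, j
		isNum := isDigit(a[i])
		for i < len(a) && (isNum && isDigit(a[i]) || !isNum && isAlpha(a[i])) {
			i++
		}
		for j < len(b) && (isNum && isDigit(b[j]) || !isNum && isAlpha(b[j])) {
			j++
		}
		segA, segB := a[si:i], b[sj:j]
		// Type mismatch: a numeric segment is always newer than an alpha one.
		if segB == "" {
			if isNum {
				return 1
			}
			return -1
		}
		if isNum {
			// Numbers: drop leading zeros, then more digits wins, then compare bytewise.
			segA, segB = strings.TrimLeft(segA, "0"), strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) {
				if len(segA) > len(segB) {
					return 1
				}
				return -1
			}
		}
		if c := strings.Compare(segA, segB); c != 0 {
			return c
		}
	}
	// All segments equal: whichever string has anything left over is newer.
	if i == len(a) && j == len(b) {
		return 0
	}
	if i == len(a) {
		return -1
	}
	return 1
}

// CompareEVR orders two "[epoch:]version[-release]" strings: epoch first,
// then version, then release, each with the segment rules above.
func CompareEVR(x, y string) int {
	ex, vx, rx := ParseEVR(x)
	ey, vy, ry := ParseEVR(y)
	if c := RpmVerCmp(ex, ey); c != 0 {
		return c
	}
	if c := RpmVerCmp(vx, vy); c != 0 {
		return c
	}
	return RpmVerCmp(rx, ry)
}

func main() {
	// Constructed sample EVRs, not taken from any advisory.
	fmt.Println(CompareEVR("1.0-1.el9", "1.0~rc1-1.el9"))  // 1: tilde pre-release is older
	fmt.Println(CompareEVR("1.0-1.el9", "1.0^git1-1.el9")) // -1: caret post-release is newer
	fmt.Println(CompareEVR("1:1.0-1", "2.0-5"))           // 1: epoch wins
}
```

Note the two orderings that trip up generic version comparators: `1.0~rc1` is older than `1.0` (the tilde), while `1.0^git1` is newer than `1.0` but still older than `1.0.1` (the caret). A fixtures file for this comparator should include both cases as well as the numeric-beats-alpha rule (`1.1` > `1.a`).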

G-Rath commented 1 week ago

It looks like RedHat isn't available on production yet, so there's no `all.zip` db available, which is needed to write a fixtures generator, and it doesn't seem like there's a staging equivalent of the bucket.

Strictly speaking that shouldn't block this but it would be great to have if possible (and in particular I'm primarily wondering if it could be possible for someone to get a one-time all.zip from staging?)

hogo6002 commented 1 week ago

> It looks like RedHat isn't available on production yet, so there's no `all.zip` db available, which is needed to write a fixtures generator, and it doesn't seem like there's a staging equivalent of the bucket.

Rocky Linux is based on Red Hat. I think we can use its `all.zip` first to generate fixtures. We can also use the `all.zip` from AlmaLinux and SUSE.

another-rex commented 1 week ago

> it doesn't seem like there's a staging equivalent of the bucket.

We do have a private one for the staging environment; I added you as a viewer to it now. You should be able to download the `all.zip` here: https://storage.mtls.cloud.google.com/osv-test-vulnerabilities/Red%20Hat/all.zip