google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

osv-scanner doesn't find Fedora vulnerabilities #917

Open paulwouters opened 3 months ago

paulwouters commented 3 months ago

When I scan using an SPDX SBOM, I see:

osv-scanner scan --sbom=SBOM-report-testproject-habi-20240410_0131-clean-licenses.spdx.json --verbosity verbose
Scanned /home/paul/SBOM-report-testproject-habi-20240410_0131-clean-licenses.spdx.json as SPDX SBOM and found 948 packages
No issues found

This is after I lowered the version of the libreswan package to one that is vulnerable to several CVEs:

        {
            "SPDXID": "SPDXRef-Package-370",
            "downloadLocation": "https://libreswan.org/",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE_MANAGER",
                    "referenceLocator": "pkg:rpm/fedora/libreswan@3.1-1.fc38",
                    "referenceType": "purl"
                }
            ],
            "licenseConcluded": "GPL-2.0-or-later AND MPL-2.0",
            "licenseDeclared": "GPL-2.0-or-later AND MPL-2.0",
            "name": "libreswan",
            "originator": "Organization: Fedora Project",
            "versionInfo": "3.1-1.fc38"
        },

While https://osv.dev/list?ecosystem=&q=libreswan shows the vulnerabilities are known.

paulwouters commented 3 months ago

(I also tried reducing the Fedora version to the upstream version, e.g. 3.1-1.fc38 -> 3.1.)

oliverchang commented 3 months ago

Thanks for the issue! This is because osv.dev currently doesn't contain advisories from Fedora. In order to provide accurate vuln scanning results, we make sure to only scan OS packages against their respective distro advisory DB, to account for backported fixes.

It's unclear if there is a Fedora security advisory DB of some sort, we'll investigate.

paulwouters commented 3 months ago

But you claim to map it to rhel/centos? Which is what other scanners do too, such as grype and snyk.


oliverchang commented 2 months ago

RHEL currently does not provide an OSV feed unfortunately.

It also looks like Fedora tracks their own security advisories here: https://bodhi.fedoraproject.org/updates/?type=security. It seems like it may be more accurate for Fedora vulnerability scanners to match against this DB instead.
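The practical takeaway from this thread is that "No issues found" can mean "not covered" rather than "clean". The following is an added example, not osv-scanner's own code and not from any participant in the issue: it pulls purls out of an SPDX JSON SBOM shaped like the fragment quoted above, maps each purl type and namespace to an OSV ecosystem through a constructed lookup table, and reports packages whose distro has no advisory source in osv.dev separately from those it can query. The ecosystem table, the sample SBOM entries other than libreswan, and the function names (`parse_purl`, `classify_sbom`, `report`) are assumptions for this demo; nothing is sent to the network.

```python
"""Added example, not osv-scanner's own code: read purls out of an SPDX JSON
SBOM, map each to an OSV ecosystem, and separate the packages that can be
queried from those whose distro has no advisory source in osv.dev."""
import json
from urllib.parse import unquote

# Assumption: a small purl (type, namespace) -> OSV ecosystem table. Fedora
# is intentionally absent because, as the thread explains, osv.dev carries
# no Fedora advisories; leaving it out makes that coverage gap visible.
PURL_TO_OSV_ECOSYSTEM = {
    ("rpm", "almalinux"): "AlmaLinux",
    ("deb", "debian"): "Debian",
    ("deb", "ubuntu"): "Ubuntu",
    ("apk", "alpine"): "Alpine",
    ("pypi", None): "PyPI",
    ("npm", None): "npm",
    ("golang", None): "Go",
}

# Constructed SPDX fragment: the libreswan entry mirrors the one quoted in the
# issue; the other two packages and their versions are made up for the demo.
SAMPLE_SPDX = """{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"SPDXID": "SPDXRef-Package-370", "name": "libreswan", "versionInfo": "3.1-1.fc38",
     "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:rpm/fedora/libreswan@3.1-1.fc38"}]},
    {"SPDXID": "SPDXRef-Package-1", "name": "openssl", "versionInfo": "1.1.1n-0+deb11u1",
     "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:deb/debian/openssl@1.1.1n-0%2Bdeb11u1"}]},
    {"SPDXID": "SPDXRef-Package-2", "name": "requests", "versionInfo": "2.25.0",
     "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.25.0"}]}
  ]
}"""


def parse_purl(purl):
    """Split a package URL (pkg:type/namespace/name@version?q#sub) into parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    path, _, version = body.rpartition("@")
    if not path:                                    # no '@' present: no version
        path, version = version, None
    segments = path.split("/")
    return {
        "type": segments[0].lower(),
        "namespace": unquote("/".join(segments[1:-1])).lower() or None,
        "name": unquote(segments[-1]),
        "version": unquote(version) if version else None,
    }


def classify_sbom(sbom):
    """Return (queries, uncovered): OSV query bodies for packages whose
    ecosystem osv.dev covers, and (name, purl) pairs for those it does not."""
    queries, uncovered = [], []
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            purl = ref["referenceLocator"]
            p = parse_purl(purl)
            ecosystem = PURL_TO_OSV_ECOSYSTEM.get((p["type"], p["namespace"]))
            if ecosystem is None:
                uncovered.append((pkg.get("name"), purl))
                continue
            queries.append({"package": {"name": p["name"], "ecosystem": ecosystem},
                            "version": p["version"]})
    return queries, uncovered


def report(sbom_text):
    """Parse an SPDX JSON document and say what a 'No issues found' result
    would and would not cover. The querybatch dict has the request shape the
    public OSV API documents for POST /v1/querybatch; it is not sent here."""
    queries, uncovered = classify_sbom(json.loads(sbom_text))
    return {
        "querybatch": {"queries": queries},
        "uncovered": uncovered,
        "queried_count": len(queries),
        "uncovered_count": len(uncovered),
    }


if __name__ == "__main__":
    r = report(SAMPLE_SPDX)
    print(json.dumps(r["querybatch"], indent=2))
    for name, purl in r["uncovered"]:
        print(f"NOT COVERED (no advisory source in osv.dev): {name} {purl}")
```

Run against the constructed SBOM, the Debian and PyPI packages become OSV queries while the Fedora libreswan package lands in the uncovered list, which is the distinction a scan report should make explicit rather than folding it into "No issues found".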

github-actions[bot] commented 6 days ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks