google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Ingest SUSE/openSUSE OSV advisories #2543

Open oliverchang opened 1 week ago

oliverchang commented 1 week ago

Per https://github.com/ossf/osv-schema/issues/259, the SUSE/openSUSE ecosystems have been added to the OSV schema, and there is a feed available at https://ftp.suse.com/pub/projects/security/osv/

oliverchang commented 1 week ago

For version ordering, SUSE seems to use RPM (https://en.opensuse.org/openSUSE:Package_versioning_guidelines).

For https://ftp.suse.com/pub/projects/security/osv/, we may need an https://ftp.suse.com/pub/projects/security/osv/all.json per https://google.github.io/osv.dev/rest-api-contribution/#1-a-url-pointing-to-a-rest-endpoint-containing-at-least-all-of-the-vulnerabilities-ids-and-date-modified. @msmeissn is this something that would be possible to add?

msmeissn commented 1 week ago

I added an all.json file now.

oliverchang commented 1 week ago

Thanks @msmeissn !

@hogo6002 can you see if we can start ingesting this into our test instance?

hogo6002 commented 1 week ago

Hey @msmeissn, I have a question about the data prefixes and would like some clarification.

The ossf schema lists the valid prefixes for SUSE as only SUSE-SU-, but I noticed that all.json also contains entries other than SUSE-SU- (security updates), such as SUSE-RU- (recommended updates) and SUSE-FU- (feature updates).

I just want to confirm if we only want to ingest data with the SU- prefix into OSV or if we want to ingest all the data from all.json into OSV.

Also, I'm wondering if entries with other prefixes, such as SUSE-RU- and SUSE-FU-, are actually security-related data (they do have related CVEs on their records)?

msmeissn commented 1 week ago

OK, the problem is that occasionally "recommended (bugfix)" or feature updates also include CVEs and I generate entries for those. Note that only bugfix or feature updates that have CVEs will be reported for OSV.

I sent a PR to osv-schema to allow them, so we can consume those.

hogo6002 commented 1 week ago

> I sent a PR to osv-schema to allow them, so we can consume those.

Thanks! I will start to ingest data into our test instance.

hogo6002 commented 6 days ago

SUSE/openSUSE data is available on test.osv.dev now!

Website:
https://test.osv.dev/list?q=&ecosystem=SUSE
https://test.osv.dev/list?q=&ecosystem=openSUSE

API query:

    curl -d \
      '{"version": "1.2.0~rc3", "package": {"name": "runc", "ecosystem": "openSUSE"}}' \
      "https://api.test.osv.dev/v1/query"
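The RPM version ordering mentioned earlier in the thread is what makes the `1.2.0~rc3` in the query above sort before `1.2.0`. As an added illustration (not osv.dev's or SUSE's code), here is a Python port of RPM's `rpmvercmp` segment comparison, the part a matcher needs to decide whether a queried version falls inside an advisory's affected range:

```python
import re

# Tokens rpmvercmp compares: digit runs, letter runs, and the '~' (pre-release)
# and '^' (post-release) markers; every other character is a separator and is dropped.
_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings like RPM: -1 if a < b, 0 if equal, 1 if a > b."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while True:
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x is None and y is None:
            return 0
        # '~' sorts before everything, including end of string: 1.2.0~rc3 < 1.2.0
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        # '^' sorts after end of string but before any real segment: 1.0 < 1.0^git1 < 1.0.1
        if x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i += 1
            continue
        # Once one side runs out of segments, the longer version is newer: 1.0 < 1.0.1
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1  # a numeric segment is newer than an alphabetic one
        if xd and int(x) != int(y):  # int() discards leading zeros, as RPM does
            return 1 if int(x) > int(y) else -1
        if not xd and x != y:
            return 1 if x > y else -1
        i += 1
```

Epoch and release are compared separately in RPM (epoch numerically first, then version, then release with the same routine), so a full EVR check calls this function twice.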