google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Combine Alpine Security Issue Tracker into OSV #2567

Open hogo6002 opened 1 week ago

hogo6002 commented 1 week ago

OSV currently includes Alpine's fixed vulnerabilities (from Alpine secdb) in its CVE records, but it's missing information about unfixed vulnerabilities from Alpine's security issue tracker. This means OSV can't report to users about unfixed vulnerabilities when scanning containers. This will be an issue, and similar discussions have come up with other container scanning tools.

Most Linux distros have official security advisories listing fixed patches (e.g., Alpine secdb), and they also maintain a security tracker that records potential vulnerabilities (usually identified with CVE-). OSV has already integrated security data from Debian and Ubuntu (Ubuntu-CVE-).

For other Linux distros, OSV only has data on fixed vulnerabilities. We should probably add more security tracker data into OSV, but there are some challenges. Combining all security tracker data will give us a very large number of records (e.g., Ubuntu provided 20k CVE entries), and not all vulnerabilities are actually important. We can use fields like "ecosystem_specific" to indicate urgency (e.g., "urgency": "unimportant" for Debian, "Ubuntu_priority": "negligible" for Ubuntu). But we need a better way to filter this data to reduce noise for OSV-scanner results and API queries.
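As an added illustration of the filtering the comment above proposes (example code, not part of osv.dev or this issue), the following Python reads OSV-style records and drops the ones that every affected entry marks as low priority via the `ecosystem_specific` keys named here (`urgency` for Debian, `Ubuntu_priority` for Ubuntu). The sample records, the `NOISE_LEVELS` policy table and the `EXAMPLE-*` ids are constructed for this snippet; records without the metadata (Alpine today) are kept, since "unknown" should not be silently treated as "unimportant".

```python
import json

# Constructed sample OSV-style records (not real advisories). The
# ecosystem_specific keys mirror the ones named in the issue text.
SAMPLE_RECORDS = json.loads("""
[
  {"id": "EXAMPLE-DEBIAN-1",
   "affected": [{"package": {"ecosystem": "Debian:12", "name": "pkg-a"},
                 "ecosystem_specific": {"urgency": "unimportant"}}]},
  {"id": "EXAMPLE-DEBIAN-2",
   "affected": [{"package": {"ecosystem": "Debian:12", "name": "pkg-b"},
                 "ecosystem_specific": {"urgency": "high"}}]},
  {"id": "EXAMPLE-UBUNTU-1",
   "affected": [{"package": {"ecosystem": "Ubuntu:22.04:LTS", "name": "pkg-c"},
                 "ecosystem_specific": {"Ubuntu_priority": "negligible"}}]},
  {"id": "EXAMPLE-UBUNTU-2",
   "affected": [{"package": {"ecosystem": "Ubuntu:22.04:LTS", "name": "pkg-d"},
                 "ecosystem_specific": {"Ubuntu_priority": "medium"}}]},
  {"id": "EXAMPLE-ALPINE-1",
   "affected": [{"package": {"ecosystem": "Alpine:v3.19", "name": "pkg-e"}}]}
]
""")

# Hypothetical policy: per distro family, which ecosystem_specific key carries
# the triage level and which values count as noise worth hiding by default.
NOISE_LEVELS = {
    "Debian": ("urgency", {"unimportant"}),
    "Ubuntu": ("Ubuntu_priority", {"negligible"}),
}


def distro_family(ecosystem):
    """'Debian:12' -> 'Debian'; OSV ecosystems carry the release after a colon."""
    return ecosystem.split(":", 1)[0]


def is_low_priority(record):
    """True only if every affected entry is explicitly marked low priority.

    Entries with no known policy or no triage value are treated as unknown,
    so the record is kept rather than dropped.
    """
    affected = record.get("affected", [])
    if not affected:
        return False
    for entry in affected:
        family = distro_family(entry.get("package", {}).get("ecosystem", ""))
        rule = NOISE_LEVELS.get(family)
        if rule is None:
            return False
        key, low_values = rule
        value = entry.get("ecosystem_specific", {}).get(key)
        if value is None or str(value).lower() not in low_values:
            return False
    return True


def filter_records(records, drop_low_priority=True):
    """Return the records a scanner would surface under the given policy."""
    return [r for r in records if not (drop_low_priority and is_low_priority(r))]


def kept_ids(records, drop_low_priority=True):
    """Convenience wrapper: ids of the records that survive filtering."""
    return [r["id"] for r in filter_records(records, drop_low_priority)]


if __name__ == "__main__":
    print("default view:", kept_ids(SAMPLE_RECORDS))
    print("verbose view:", kept_ids(SAMPLE_RECORDS, drop_low_priority=False))
```

The policy is deliberately conservative in one direction: a record is hidden only when it is positively labelled as low priority, and a second call with `drop_low_priority=False` gives the full, unfiltered view for API consumers who want everything.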

hogo6002 commented 1 week ago

This should probably be implemented after https://github.com/google/osv.dev/issues/2465