OSV currently includes Alpine's fixed vulnerabilities (from Alpine secdb) in its CVE records, but it's missing information about unfixed vulnerabilities from Alpine's security issue tracker. This means OSV can't report to users about unfixed vulnerabilities when scanning containers. This will be an issue, and similar discussions have come up with other container scanning tools.
Most Linux distros have official security advisories listing fixed patches (e.g., Alpine secdb), and they also maintain a security tracker that records potential vulnerabilities (usually identified with CVE-). OSV has already integrated security data from Debian and Ubuntu (Ubuntu-CVE-).
For other Linux distros, OSV only has data on fixed vulnerabilities. We should probably add more security tracker data into OSV, but there are some challenges. Combining all security tracker data will give us a very large number of records (e.g., Ubuntu provided 20k CVE entries), and not all vulnerabilities are actually important. We can use fields like "ecosystem_specific" to indicate urgency (e.g., "urgency": "unimportant" for Debian, "Ubuntu_priority": "negligible" for Ubuntu). But we need a better way to filter this data to reduce noise in OSV-scanner results and API queries.
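As an added example (not OSV project code, and not part of this issue), the script below shows one way a consumer of OSV records could do the filtering described above: it reads each `affected` entry, decides whether the finding is fixed or unfixed from the presence of a `fixed` range event, reads the distro-specific urgency label from `ecosystem_specific` using the `urgency` and `Ubuntu_priority` keys named in the issue, and suppresses low-urgency findings while still reporting unfixed ones whose urgency is unknown. The sample records are constructed to mirror OSV schema shapes; the ids, package names, versions and the Alpine record's shape are assumptions for illustration only.

```python
"""Triage OSV-style records: separate fixed from unfixed findings and suppress
low-urgency entries based on distro-specific fields in `ecosystem_specific`.

Added example, not OSV code. Records below are constructed, not real advisories.
"""

# Constructed sample records. Key names "urgency" and "Ubuntu_priority" follow
# the issue text; the Alpine entry is an assumed shape for an unfixed tracker
# entry that carries no "fixed" event and no ecosystem_specific block.
SAMPLE_RECORDS = [
    {
        "id": "EXAMPLE-DEB-0001",
        "affected": [{
            "package": {"ecosystem": "Debian:12", "name": "examplepkg"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.2.3-1"}]}],
            "ecosystem_specific": {"urgency": "unimportant"},
        }],
    },
    {
        "id": "EXAMPLE-UBUNTU-0002",
        "affected": [{
            "package": {"ecosystem": "Ubuntu:22.04:LTS", "name": "examplepkg"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
            "ecosystem_specific": {"Ubuntu_priority": "negligible"},
        }],
    },
    {
        "id": "EXAMPLE-ALPINE-0003",
        "affected": [{
            "package": {"ecosystem": "Alpine:v3.19", "name": "examplepkg"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
        }],
    },
    {
        "id": "EXAMPLE-DEB-0004",
        "affected": [{
            "package": {"ecosystem": "Debian:12", "name": "otherpkg"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
            "ecosystem_specific": {"urgency": "high"},
        }],
    },
]

# Urgency labels a scanner would hide by default (assumed policy, lowercase).
LOW_URGENCY = frozenset({"unimportant", "negligible", "low"})

# ecosystem_specific keys to try, in order. "urgency" and "Ubuntu_priority"
# come from the issue text; "priority" is an assumed fallback.
URGENCY_KEYS = ("urgency", "Ubuntu_priority", "priority")


def is_unfixed(affected):
    """True when no range of this affected entry carries a 'fixed' event."""
    for rng in affected.get("ranges", []):
        for event in rng.get("events", []):
            if "fixed" in event:
                return False
    return True


def urgency_of(affected):
    """Return the distro-specific urgency label, lowercased, or 'unknown'."""
    specific = affected.get("ecosystem_specific") or {}
    for key in URGENCY_KEYS:
        if key in specific:
            return str(specific[key]).strip().lower()
    return "unknown"


def triage(records, suppress=LOW_URGENCY):
    """Flatten records into findings with status, urgency and a report flag.

    A finding is reported unless its urgency is in `suppress`; an unknown
    urgency is never suppressed, so unfixed Alpine-style entries still surface.
    """
    findings = []
    for record in records:
        for affected in record.get("affected", []):
            urgency = urgency_of(affected)
            findings.append({
                "id": record["id"],
                "ecosystem": affected["package"]["ecosystem"],
                "package": affected["package"]["name"],
                "status": "unfixed" if is_unfixed(affected) else "fixed",
                "urgency": urgency,
                "report": urgency not in suppress,
            })
    return findings


def reported_ids(records, suppress=LOW_URGENCY):
    """Ids of findings that survive the urgency filter, sorted for stable output."""
    return sorted(f["id"] for f in triage(records, suppress) if f["report"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        flag = "REPORT" if finding["report"] else "suppress"
        print(f"{flag:8} {finding['id']:22} {finding['status']:7} "
              f"{finding['urgency']:12} {finding['ecosystem']}/{finding['package']}")
```

The filter deliberately errs toward reporting: an entry with no urgency field at all is treated as `unknown` and shown, because silently hiding unfixed tracker entries is exactly the gap the issue describes. A deployment would tune `LOW_URGENCY` per ecosystem rather than using one shared set.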