
Feature Request : Add support for Wolfi Linux

Open fproulx-boostsecurity opened this issue 2 years ago • 9 comments

You currently support Debian and Alpine.

More and more people are looking at switching to Wolfi (Chainguard). Last month trivy added support for Wolfi https://github.com/aquasecurity/trivy/pull/3215

fproulx-boostsecurity avatar Jan 30 '23 17:01 fproulx-boostsecurity

Looks like the source of truth is https://packages.wolfi.dev/os/security.json and from eyeballing it and seeing "apk" mentioned plus some other references to Alpine in https://github.com/aquasecurity/vuln-list-update/blob/main/wolfi/wolfi.go makes me think this might be trivial to reuse (some of) the existing Alpine plumbing, WDYT @another-rex?

andrewpollock avatar Jan 30 '23 21:01 andrewpollock

We can probably reuse much of the alpine version ordering logic, but it looks like parsing the security vulnerabilities and enumerating the package versions will have to be done from scratch. (Only had a quick look though, might be wrong)

another-rex avatar Feb 01 '23 00:02 another-rex

makes me think this might be trivial to reuse (some of) the existing Alpine plumbing, WDYT @another-rex?

You should be able to reuse almost all of it, this is the standard apk security fixes feed format that all the apk-based distros are using.

kaniini avatar Mar 24 '23 16:03 kaniini

makes me think this might be trivial to reuse (some of) the existing Alpine plumbing, WDYT @another-rex?

You should be able to reuse almost all of it, this is the standard apk security fixes feed format that all the apk-based distros are using.

Thanks @kaniini! Is there any chance you'd be open to supporting OSV natively in Wolfi?

Our custom conversion pipelines add a fair bit of maintenance burden and we may also make incorrect assumptions / get things wrong from time to time.

oliverchang avatar Mar 27 '23 00:03 oliverchang

In the apk distribution community we are largely looking at OpenVEX as the mechanism for distributing advisory data, but it may be possible to reflect that in a way that OSV can consume directly.

cc @luhring for his thoughts.

kaniini avatar Mar 27 '23 11:03 kaniini

That would be amazing to see, if the OSV format can be embedded or linked from there somehow. I think there would be a lot of community interest in getting Wolfi added to the growing ecosystem of vuln DBs supporting OSV (e.g. Rocky Linux which recently added support).

oliverchang avatar Mar 28 '23 03:03 oliverchang

This sounds cool! I think it'd be possible to produce OSV data from our advisory data. I think it's something worth considering at some point in the near future.

For now, +1 to what @kaniini said, Wolfi's secdb is just like Alpine's (same JSON format), so I'd imagine the dev work and additional maintenance burden might not be too bad. The key differences are:

  1. The data comes from https://packages.wolfi.dev/os/security.json (as @andrewpollock points out)
  2. There's just one continuous release branch and thus a single secdb — there aren't multiple release branches like Alpine has (e.g. Alpine 3.13, 3.14, 3.15, edge, etc.).

luhring avatar Mar 29 '23 21:03 luhring
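To make the two differences above concrete, here is an added example (not code from osv.dev, Wolfi or anyone in this thread) that converts a constructed secdb snippet in the apk security-fixes layout into OSV-style records for the "Wolfi" ecosystem; the package names, versions and CVE ids are made up, and `version_key` is a simplified stand-in for real apk version ordering.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the apk secdb layout (the same JSON shape as Alpine's
# security.json, as the thread states). Names, versions and ids are made up.
SAMPLE_SECDB = json.dumps({
    "reponame": "os",
    "urlprefix": "https://packages.wolfi.dev",
    "packages": [
        {"pkg": {"name": "examplelib", "secfixes": {
            "1.0.2-r0": ["CVE-0000-0001", "CVE-0000-0002"],
            "1.0.1-r0": ["CVE-0000-0001"],
        }}},
        {"pkg": {"name": "othertool", "secfixes": {
            "2.3.4-r1": ["CVE-0000-0002"],
        }}},
    ],
})


def version_key(v):
    # Simplified stand-in for the apk version ordering the thread mentions:
    # compares the numeric components of e.g. "1.0.1-r0" as (1, 0, 1, 0).
    return tuple(int(n) for n in re.findall(r"\d+", v))


def secdb_to_osv(secdb_json, ecosystem="Wolfi"):
    """Group secfixes by vulnerability id and emit one OSV-style record per id.
    Wolfi has a single rolling branch, so no release suffix is needed."""
    db = json.loads(secdb_json)
    fixes = defaultdict(lambda: defaultdict(set))  # vuln id -> pkg -> versions
    for entry in db["packages"]:
        pkg = entry["pkg"]
        for version, vuln_ids in pkg.get("secfixes", {}).items():
            for vid in vuln_ids:
                fixes[vid][pkg["name"]].add(version)
    records = []
    for vid in sorted(fixes):
        affected = []
        for name in sorted(fixes[vid]):
            # A fix may be listed under several versions (e.g. a backport);
            # the earliest one is the boundary OSV needs as the "fixed" event.
            first_fix = min(fixes[vid][name], key=version_key)
            affected.append({
                "package": {"ecosystem": ecosystem, "name": name},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": first_fix}]}],
            })
        records.append({"id": vid, "affected": affected})
    return records
```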

Chainguard is now publishing OSV data for Wolfi and Chainguard images. I think osv.dev is ingesting the Wolfi feed and is still working on the chainguard feed

wolfi - https://packages.wolfi.dev/os/osv/all.json
chainguard - https://packages.cgr.dev/chainguard/osv/all.json

amdawson avatar Apr 05 '24 16:04 amdawson

Wolfi advisories are being ingested into our test instance: https://test.osv.dev/list?ecosystem=Wolfi&q=

oliverchang avatar Apr 07 '24 23:04 oliverchang

The data is now available in Production.

https://osv.dev/blog/posts/announcing-chainguard/

andrewpollock avatar Jul 16 '24 23:07 andrewpollock