
Collect Alpine vulnerability data from APKBUILD comments

Open pombredanne opened this issue 4 years ago • 1 comments

This may be redundant or not but APKBUILD files seem to have secfix info:

https://git.alpinelinux.org/aports/tree/main/asterisk/APKBUILD?id=9d426cf7a7701ee6707224d3e9f6d07553a56de1#n40

# secfixes:
#   18.2.1-r0:
#     - CVE-2021-26712
#     - CVE-2021-26713
#     - CVE-2021-26717
#     - CVE-2021-26906
#   18.1.1-r0:
#     - CVE-2020-35652
#     - CVE-2020-35776
#   18.0.1-r0:
#     - CVE-2020-28327
#   16.6.2-r0:
#     - CVE-2019-18610
#     - CVE-2019-18790
#   16.5.1-r0:
#     - CVE-2019-15297
#     - CVE-2019-15639
#   16.4.1-r0:
#     - CVE-2019-12827
#   16.3.0-r0:
#     - CVE-2019-7251
#   15.7.1-r0:
#     - CVE-2018-19278

pombredanne avatar Jul 21 '21 10:07 pombredanne

We already have an APKBUILD parser here... https://github.com/aboutcode-org/scancode-toolkit/blob/a16cb5be47ff313224cbe078aca41da8d519fdbd/src/packagedcode/alpine.py#L253 but this secfixes info looks more like a commented, pound-prefixed YAML snippet:

https://git.alpinelinux.org/aports/tree/main/openssl/APKBUILD#n32

Ideally we could have this as part of the ScanCode parser... but we can also simply extract and dedent the secfixes section, and load it as YAML. Because this is YAML, see https://man.archlinux.org/man/secfixes-check.1.en for instance.

Also we have https://secdb.alpinelinux.org/v3.22/ and I wonder how this differs from the APKBUILD secfixes section... This is from https://security.alpinelinux.org/ ... see also https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker

Overall, since we already collect data for Alpine at https://github.com/aboutcode-org/vulnerablecode/blob/be891173be2fbdc897116bf5aa4fc9fdc8dc4f3d/vulnerabilities/pipelines/alpine_linux_importer.py#L190 I think we should extract the code that handles the "secfixes" section into a common function, and then process the APKBUILD secfixes section with it, and not invent anything new.

pombredanne avatar Nov 30 '25 17:11 pombredanne
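The "extract and dedent the secfixes section, then load it as YAML" approach, as an added stand-alone example that is not part of vulnerablecode or scancode-toolkit (the sample APKBUILD text is constructed for this example, and it falls back to a minimal hand parser when PyYAML is not installed):

```python
import re
import textwrap

# Constructed sample in the shape quoted in the issue, not a real APKBUILD.
SAMPLE_APKBUILD = """\
pkgname=asterisk
pkgver=18.2.1
pkgrel=0
# secfixes:
#   18.2.1-r0:
#     - CVE-2021-26712
#     - CVE-2021-26713
#   18.1.1-r0:
#     - CVE-2020-35652
build() {
\techo build
}
"""


def extract_secfixes_block(text):
    """Return the '# secfixes:' comment block with the '#' stripped and dedented.

    The block ends at the first line that is not a comment line."""
    lines = []
    in_block = False
    for line in text.splitlines():
        if re.match(r"#\s*secfixes:\s*$", line):
            in_block = True
        if in_block:
            if not line.startswith("#"):
                break
            lines.append(line[1:])  # drop the pound prefix, keep the YAML indentation
    return textwrap.dedent("\n".join(lines))


def _parse_minimal(block):
    """Fallback for the two-level 'version: [- CVE]' shape when PyYAML is absent."""
    fixes, current = {}, None
    for raw in block.splitlines()[1:]:  # skip the top-level 'secfixes:' key
        line = raw.strip()
        if line.startswith("- "):
            fixes[current].append(line[2:].strip())
        elif line.endswith(":"):
            current = line[:-1].strip()
            fixes[current] = []
    return fixes


def parse_secfixes(text):
    """Map each fixed package version (e.g. '18.2.1-r0') to its list of CVE ids."""
    block = extract_secfixes_block(text)
    if not block:
        return {}
    try:
        import yaml  # PyYAML, if available
    except ImportError:
        return _parse_minimal(block)
    data = yaml.safe_load(block)["secfixes"]
    return {str(ver): [str(c) for c in cves or []] for ver, cves in data.items()}
```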

Hi @pombredanne,

I don't think this section of the code explicitly handles the secfixes section. All the lines after the for loop seem to only construct the AdvisoryData object as needed.

Would it make sense to just reuse the load_advisories() function instead? This would involve using the APKBUILD parser from scancode-toolkit, as you mentioned, and then manually extracting and loading the secfixes section as YAML.

One important thing to note is that APKBUILD files do not contain distroversion or reponame. These fields are present in all the data from https://secdb.alpinelinux.org/, and they are also required parameters for load_advisories(). Would it be fine to modify load_advisories() to take those as optional parameters or make them empty strings by default?

I'd be interested to hear your thoughts on whether this approach aligns with the intended design.

mubarak-mustopha avatar Dec 16 '25 10:12 mubarak-mustopha