vulnerablecode icon indicating copy to clipboard operation
vulnerablecode copied to clipboard
verified publisher icon nexB

Collect vulnerabilities from Amazon Linux

Open pombredanne opened this issue 6 years ago • 10 comments

See https://alas.aws.amazon.com/ There are two variants: AL and AL2

pombredanne avatar Sep 26 '19 10:09 pombredanne

Essentially we want to scrape/mine/consume the pages at https://alas.aws.amazon.com/ and https://alas.aws.amazon.com/alas2.html .

sbs2001 avatar Nov 18 '20 09:11 sbs2001

Taking it up @sbs2001 @pombredanne !

tushar912 avatar Nov 18 '20 09:11 tushar912

I checked https://alas.aws.amazon.com/ but I found that the table does not contain fixed and affected versions . I even checked the advisory url( eg https://alas.aws.amazon.com/ALAS-2011-1.html )but did not find the same. @sbs2001 @pombredanne can you help me.

tushar912 avatar Nov 18 '20 15:11 tushar912

@tushar912 the new packages mentioned at the advisory page are the fixed packages. It seems there is no easy way to obtain exact affected packages so you can skip finding them.

sbs2001 avatar Nov 18 '20 16:11 sbs2001

@sbs2001 I am still confused .Currently what I conclude is to create a PackageURL object we need version .But currently what I find is that the table doesn't provide any thing related to version of the package which is affected.Please help.

tushar912 avatar Nov 19 '20 12:11 tushar912

@tushar912 in https://alas.aws.amazon.com/ALAS-2011-1.html I can see this:

  • Affected Packages: httpd (no version alright for now and not much data)
  • New packages (e.g. where this is fixed):
    • i686: httpd-devel-2.2.21-1.18.amzn1.i686 httpd-debuginfo-2.2.21-1.18.amzn1.i686 httpd-2.2.21-1.18.amzn1.i686 httpd-tools-2.2.21-1.18.amzn1.i686 mod_ssl-2.2.21-1.18.amzn1.i686
    • noarch: httpd-manual-2.2.21-1.18.amzn1.noarch
    • src: httpd-2.2.21-1.18.amzn1.src
    • x86_64: mod_ssl-2.2.21-1.18.amzn1.x86_64 httpd-tools-2.2.21-1.18.amzn1.x86_64 httpd-2.2.21-1.18.amzn1.x86_64 httpd-devel-2.2.21-1.18.amzn1.x86_64 httpd-debuginfo-2.2.21-1.18.amzn1.x86_64

From that I can therefore infer:

  1. all these packages versions are fixed (and we can parse RPMs nevra with https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/nevra.py)
  2. whatever were the versions BEFORE these versions are vulnerable

Does this make sense?

pombredanne avatar Nov 19 '20 15:11 pombredanne

Ok . I understood New Packages are the ones that are fixed and whatever are before were affected.

tushar912 avatar Nov 19 '20 16:11 tushar912

ok, sorry it it felt like a rehash ....that said we may not have a version that is affected, but rather a version range. @sbs2001 what do you think? that looks like a good use case for the ranges/spec?

pombredanne avatar Nov 19 '20 17:11 pombredanne