osv-schema
Add ELA as a defined prefix
Debian ELTS uses ELA as a prefix. The data is published at the following places:
- https://www.freexian.com/lts/extended/updates/
- https://deb.freexian.com/extended-lts/tracker/CVE-ID
- https://deb.freexian.com/extended-lts/tracker/ELA-ID
More information about Debian LTS is available at https://www.freexian.com/lts/extended/. This includes advisories targeting Debian 7, 8 and 9, on a limited subset of packages.
~~The OSV schema generation is WIP, but filing this PR to start the conversation on what all will be required.~~ Edit: See below.
I'm planning to:
- Publish advisories in the OSV format. (Right now, it's adhoc)
- Sync the advisory URLs to the GSD Database
A few ELAs don't have enough information with them (see https://www.freexian.com/lts/extended/updates/ela-761-1-exuberant-ctags/, https://www.freexian.com/lts/extended/updates/ela-582-1-wordpress/), such as CVE/package/version information. In the absence of such information, I'm currently ignoring such advisories, but plan to work towards getting the important ones added.
Signed-off-by: Nemo [email protected]
Not a Freexian developer, but I'll reach out to them to ask if this can be supported upstream.
CC @rhertzog @jeremiah who I think are part of Freexian!
@oliverchang Thanks for getting us involved!
@captn3m0 As you noted most of the relevant information is available in the security tracker at https://deb.freexian.com/extended-lts/tracker/
Usually people rely on the JSON export but given what you are looking after, you are probably best served by parsing the data/ELA/list file in the underlying git repository.
At some point, we might improve the security tracker to produce OSV or another common export format, but we are not there yet. If you are interested in contributing at that level, the upstream security tracker source is here: https://salsa.debian.org/security-tracker-team/security-tracker
I switched to the git repository as the source.
Here's a sample advisory: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "Debian:7",
        "name": "apache2",
        "purl": "pkg:deb/debian/apache2?distro=wheezy&repository_url=http%3A%2F%2Fdeb.freexian.com%2Fextended-lts"
      },
      "ranges": {
        "events": [
          {
            "fixed": "2.2.22-13+deb7u14"
          }
        ],
        "type": "ECOSYSTEM"
      }
    }
  ],
  "database_specific": {
    "type": "security update"
  },
  "id": "ELA-117-1",
  "modified": "2019-05-15T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://deb.freexian.com/extended-lts/tracker/ELA-117-1"
    },
    {
      "type": "ADVISORY",
      "url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0217"
    },
    {
      "type": "ADVISORY",
      "url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0220"
    }
  ],
  "related": [
    "CVE-2019-0217",
    "CVE-2019-0220"
  ]
}
```
Will look at improving this over time, suggestions are welcome. I've set it to auto-update as well, so other databases can start scraping this. There's no published/modified timestamp, so I'm making do with the advisory date instead.
Nice!! One comment on this:
You need an "introduced": "0" event per https://ossf.github.io/osv-schema/#examples. Otherwise, according to the evaluation algorithm, the encoding means that no versions are affected.
Also, should the "ecosystem" be different here? E.g.
`"ecosystem": "Freexian:7"`
instead to disambiguate things?
We also have some existing code for converting Debian advisories that could potentially be reused: https://github.com/ossf/osv-schema/tree/main/tools/debian, if these are the same for Freexian.
This does additional stuff like getting the text details of the vulnerability.
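A worked illustration of the evaluation point raised above, added here as an example and not code from the osv-schema project or from the debian-elts-advisories repository. It implements the OSV range-evaluation rule (walk the events in version order; an `introduced` event turns vulnerability on, a `fixed` event turns it off) over a compact dpkg-style version comparator, and runs it against the ELA-117-1 events both as posted (`fixed` only) and with the `"introduced": "0"` event added. The comparator, the record shape and the sample versions are the example's own; the comparator is a reimplementation of dpkg ordering, not the OSV reference code, and the record walker tolerates `ranges` given as a single object (as in the posted sample) even though the schema defines it as a list.

```python
import re
from functools import cmp_to_key


def _order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) the way dpkg does:
    alternate non-digit runs (lexical, '~' lowest) and digit runs (numeric)."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group(0)
        sb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(v: str):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is empty."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def debian_version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two Debian package versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_affected(version: str, events: list) -> bool:
    """OSV range evaluation: process events in version order; 'introduced' switches
    vulnerability on for versions >= it, 'fixed' switches it off for versions >= it.
    With no 'introduced' event nothing ever switches it on, so no version is affected."""
    def bound(e):
        return e.get("introduced", e.get("fixed"))
    vulnerable = False
    for e in sorted(events, key=cmp_to_key(lambda x, y: debian_version_cmp(bound(x), bound(y)))):
        if "introduced" in e and debian_version_cmp(version, e["introduced"]) >= 0:
            vulnerable = True
        if "fixed" in e and debian_version_cmp(version, e["fixed"]) >= 0:
            vulnerable = False
    return vulnerable


def affected_by(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """Walk an OSV record's 'affected' entries for a matching package and evaluate its ranges."""
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        ranges = aff.get("ranges", [])
        if isinstance(ranges, dict):  # schema wants a list; tolerate the single-object form
            ranges = [ranges]
        for rng in ranges:
            if rng.get("type") == "ECOSYSTEM" and is_affected(version, rng.get("events", [])):
                return True
    return False


# Constructed sample events for ELA-117-1 (apache2, Debian 7), before and after the fix.
EVENTS_AS_POSTED = [{"fixed": "2.2.22-13+deb7u14"}]
EVENTS_CORRECTED = [{"introduced": "0"}, {"fixed": "2.2.22-13+deb7u14"}]

# Constructed minimal record in the corrected shape ('ranges' as a list).
RECORD_CORRECTED = {
    "id": "ELA-117-1",
    "affected": [{
        "package": {"ecosystem": "Debian:7", "name": "apache2"},
        "ranges": [{"type": "ECOSYSTEM", "events": EVENTS_CORRECTED}],
    }],
}

if __name__ == "__main__":
    for v in ("2.2.22-13+deb7u13", "2.2.22-13+deb7u14"):
        print(v, "posted:", is_affected(v, EVENTS_AS_POSTED),
              "corrected:", is_affected(v, EVENTS_CORRECTED))
```

Running it shows the asymmetry the comment describes: with only the `fixed` event, even the version immediately before the fix evaluates as not affected, while the corrected event list marks everything below `2.2.22-13+deb7u14` as affected and the fixed version and later as clean.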
Hey @captn3m0, just checking up on this PR once more. Since this links the spec out to your repo at https://github.com/captn3m0/debian-elts-advisories, we'd like to make sure it's compliant before we merge :) Would you be able to address the comments on https://github.com/ossf/osv-schema/pull/104#issuecomment-1372871791 ?
> You need an "introduced": "0" event
Updated accordingly. Preview: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json
> Also, should the "ecosystem" be different here?
> `"ecosystem": "Freexian:7"`
Using Debian with a repository URL is much clearer imo. Had discussed this in another context with the PURL spec, and it seemed like using debian as the ecosystem with a clear repo_url is the cleanest solution. Sticking to the same ecosystem as purl will make things easier everywhere as well.
Ref: https://github.com/package-url/purl-spec/pull/214#issuecomment-1382158096
@captn3m0 do you want to fix up this conflict and then I think this is good to merge?
Conflicts fixed. The data is now published over GitHub Pages, so the OSV-formatted links are now much nicer than using the raw GitHub link: https://captnemo.in/debian-elts-advisories/advisories/ELA-1166-1.json
Updated validation schema