-
Notifications
You must be signed in to change notification settings - Fork 587
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ubuntu: Add as a Vulnerability Specification Source #958
Comments
Hi @gh-greg -- we are already using Canonical's vulnerability feeds when matching Ubuntu packages! Is there a specific reason to use OVAL otherwise? If you'd like to see the data source for each vulnerability, you could run something like:
This is what we see, which is from Canonical:
|
@kzantow : Let's close this. I must have gone off "half-cocked", and today cannot fully reproduce, what I was talking about when I filed this. [PRISMACLOUD]
GRYPE:
UBUNTU:
|
Thanks for following up @gh-greg ! |
Ubuntu: Add as a Vulnerability Specification Source:
As Ubuntu seems to have the largest Linux market share, proposed to
directly include Canonical "OVAL/Security-Notices", as a Grype Vulnerability source.
In 2022, Ubuntu seemed to be the largest Linux Market Share:
https://www.enterpriseappstoday.com/stats/linux-statistics.html
Thus, Ubuntu based Docker containers are deployed in lots of microservices.
Once working, long term Ubuntu releases may stay in product deployment
for an extended period ... gathering discovered defects.
Today, Ubuntu issues "Security Notices" , through a service known as OVAL.
https://ubuntu.com/security/oval # oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml
https://ubuntu.com/security/notices
https://ubuntu.com/security/notices/USN-5675-1
Why is this needed:
Tenable, Grype's competition, seems to be using Ubuntu's security feed, as a data source.
What are other vendors besides Tenable, doing ?
https://www.tenable.com/
(1) Example: Is Ubuntu publishing Vulns, that Mitre is not listing ?
(1.a) Ubuntu : Flags "Heimdal vulnerabilities"
https://ubuntu.com/security/notices?order=newest&release=xenial&details=Heimdal+
(1.b) Mitre CVE : By way of contrast, these Ubuntu "Heimdal vulnerabilities",
do not seem to be clearly noted , or even found, here in the CVE/Mitre Vulnerability feed:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=heimdal+ubuntu
Additional context:
(a) Possibly Related Issues:
(b) Is there already a Grype enhancement, to suggest using Canonical Ubuntu as a Vulnerability Source ?
https://github.com/anchore/grype/issues?page=1&q=is%3Aissue+is%3Aopen++ubuntu
(c) What are the existing Data Sources , of Grype Vulnerability specifications ?
Using this source file, Grype seems to use these things as Vulnerability Data Sources:
https://github.com/anchore/grype/blob/a000a69b84211b9d928aff676d0b44b9ae83f7dc/schema/cyclonedx/vulnerability.xsd
The text was updated successfully, but these errors were encountered: