-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve CVE entry management in OSV #2465
Comments
As someone that does not have a view of the whole osv.dev machinery, I think the main question is, why would you want to combine CVE entries? |
The initial reason was that Alpine SecDB uses CVE IDs to publish their vulnerabilities. So, we created a tool to combine their data into our existing CVEs, as long as they use the same vulnerability ID. Then, we wanted to add Debian security tracker data into our OSV to better support container scanning, so we continued to combine everything into our CVE entries to keep it consistent, as the Debian security tracker also uses CVE IDs. However, the problem now is that we continue to combine more and more data into a single record, increasing the difficulty of our maintenance. So, we are considering some better changes to this approach. |
From your first message, the thing that is not clear to me is, if you are not going to combine CVEs anymore, then why would you need to still add the prefixes (e.g. |
For OSV, ID prefixes must be unique, and be associated with a home database. Debian security tracker, Alpine etc didn't have a unique ID before, so we were combining them into a single CVE record. If we don't combine them, then they would need their own prefix. |
Thanks for clarifying it, and would the prefix also be necessary for the filename itself? or could we have a filename CVE-2024-0001.json and inside of it |
We do prefer the filename to match the ID name to keep it consistent for other ecosystems. Are there any concerns for Ubuntu in changing the filename? |
No concerns, just confirming what needs to be done as it will be a mass operation. The only thing to confirm is which should be the prefix, |
Thanks for confirming! We prefer |
Hey @dodys, I have two questions about Ubuntu CVE OSV records (ubuntu-security-notices/osv). Second question is about the |
Indeed, for now we only added the
Since OSV has the Some status are more complex and will depend on other factors: And some status we just don't include: Does that help clarify? |
Thanks Eduardo! It's very detailed and helpful! Having all the |
I forgot to ask one thing Holly |
Misread the question (didn't see the |
Hmm, I think @dodys is asking about what to put inside
|
Thanks both! |
Holly and Oliver, I've just pushed the CVE changes to our github repo, let me know if now looks as expected and the sync to osv.dev can be re-enabled |
Hey @dodys, thanks for the Ubuntu CVE updates! It looks good overall. One thing to mention is the I noticed that In the current OSV I talked with Oliver, and we think there is no perfect solution at this point. But to keep things consistent with other Linux distros, we think it's best to put all vulnerabilities in With all that said, we don't need to change the current USN data as it doesn't contain any aliases. The only change we probably want is to move |
ok, CVE files fixed and PR open: ossf/osv-schema#265 Let me know if anything needed. |
CVE files look good to me. Thanks for fixing them! |
Thanks for verifying Holly! |
Hey Eduardo, we have re-enabled |
Hi Holly, |
Oh yeah, sorry. That was a wrong paste. Example without purl: https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-0120.json, https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-1296.json, https://osv.dev/vulnerability/UBUNTU-CVE-2023-46726, https://osv.dev/vulnerability/UBUNTU-CVE-2024-8354 (it seems all come from Ubuntu:Pro?) |
We are only adding |
Yes, please. We also prefer the So for Ubuntu, regardless of whether a fix is available, the package Original one: @michaelkedar do you have anything to add? |
Thanks Holly, |
Thanks Eduardo! It all looks good now! |
This issue has not had any activity for 60 days and will be automatically closed in two weeks See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out. |
If I understand correctly, in order to call this issue "done", we'd have to render
|
The current OSV structure combines vulnerability data from different resources (e.g., NVD, Alpine, Debian) into a single CVE entry based on shared CVE IDs. This approach leads to overly large and difficult to maintain CVE entries. With Ubuntu also publishing its security tracker data to OSV.dev using CVE IDs, this issue will likely worsen.
We probably need a better solution for managing CVE entries. One idea is to add a source-specific prefix or suffix to the CVE ID, creating separate entries for each data source. For example,
Alpine-CVE-2024-0001
andDebian-CVE-2024-0001
would be displayed as two distinct records on OSV.dev.The text was updated successfully, but these errors were encountered: