Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ELA as a defined prefix #104

Merged
merged 5 commits into from
Aug 29, 2024
Merged

Add ELA as a defined prefix #104

merged 5 commits into from
Aug 29, 2024

Conversation

captn3m0
Copy link
Contributor

@captn3m0 captn3m0 commented Jan 4, 2023
edited
Loading

Debian ELTS uses ELA as a prefix. The data is published at the following places:

More information about Debian LTS is available at https://www.freexian.com/lts/extended/. This includes advisories targeting debian 7,8,9, on a limited subset of packages.

The OSV schema generation is WIP, but filing this PR to start the conversation on what all will be required. Edit: See below.

I'm planning to:

  1. Publish advisories in the OSV format. (Right now, it's adhoc)
  2. Sync the advisory URLs to the GSD Database

Few ELAs don't have enough information with them (See https://www.freexian.com/lts/extended/updates/ela-761-1-exuberant-ctags/, https://www.freexian.com/lts/extended/updates/ela-582-1-wordpress/), such as CVE/package/version information. In the absence of such information, I'm currently ignoring such advisories, but plan to work towards getting the important ones added.

Signed-off-by: Nemo commits@captnemo.in

@captn3m0
Add ELA as a defined prefix
c3856d8 
Debian ELTS uses ELA as a prefix. The data is published at the following places:

- https://www.freexian.com/lts/extended/updates/
- https://deb.freexian.com/extended-lts/tracker/CVE-ID
- https://deb.freexian.com/extended-lts/tracker/ELA-ID

Signed-off-by: Nemo <commits@captnemo.in>
oliverchang
oliverchang approved these changes Jan 5, 2023
View reviewed changes
Copy link
Contributor

@oliverchang oliverchang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!! Are you a Freexian developer, or do you have plans to engage them to support OSV upstream?

@captn3m0
Copy link
Contributor Author

captn3m0 commented Jan 5, 2023

Not a Freexian developer, but I'll reach out to them to ask if this can be supported upstream.

@oliverchang
Copy link
Contributor

CC @rhertzog @jeremiah who I think are part of Freexian!

@rhertzog
Copy link

rhertzog commented Jan 5, 2023

@oliverchang Thanks for getting us involved!

@captn3m0 As you noted most of the relevant information is available in the security tracker at https://deb.freexian.com/extended-lts/tracker/

Usually people rely on the JSON export but given what you are looking after, you are probably best served by parsing the data/ELA/list file in the underlying git repository.

At some point, we might improve the security tracker to produce OSV or other common export format but we are not there yet. If you are interested to contribute at that level, the upstream security tracker source is here:
https://salsa.debian.org/security-tracker-team/security-tracker

@captn3m0
Copy link
Contributor Author

captn3m0 commented Jan 5, 2023
edited
Loading

I switched to the git repository as the source.

Here's a sample advisory: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json

{
    "affected": [
        {
            "package": {
                "ecosystem": "Debian:7",
                "name": "apache2",
                "purl": "pkg:deb/debian/apache2?distro=wheezy&repository_url=http%3A%2F%2Fdeb.freexian.com%2Fextended-lts"
            },
            "ranges": {
                "events": [
                    {
                        "fixed": "2.2.22-13+deb7u14"
                    }
                ],
                "type": "ECOSYSTEM"
            }
        }
    ],
    "database_specific": {
        "type": "security update"
    },
    "id": "ELA-117-1",
    "modified": "2019-05-15T00:00:00Z",
    "references": [
        {
            "type": "ADVISORY",
            "url": "https://deb.freexian.com/extended-lts/tracker/ELA-117-1"
        },
        {
            "type": "ADVISORY",
            "url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0217"
        },
        {
            "type": "ADVISORY",
            "url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0220"
        }
    ],
    "related": [
        "CVE-2019-0217",
        "CVE-2019-0220"
    ]
}

Will look at improving this over time, suggestions are welcome. I've set it to auto-update as well, so other databases can start scraping this. There's no published/modified timestamp, so I'm making do with the advisory date instead.

@captn3m0 captn3m0 mentioned this pull request Jan 5, 2023
Merged
@oliverchang
Copy link
Contributor

I switched to the git repository as the source.

Here's a sample advisory: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json

{
    "affected": [
        {
            "package": {
                "ecosystem": "Debian:7",
                "name": "apache2",
                "purl": "pkg:deb/debian/apache2?distro=wheezy&repository_url=http%3A%2F%2Fdeb.freexian.com%2Fextended-lts"
            },
            "ranges": {
                "events": [
                    {
                        "fixed": "2.2.22-13+deb7u14"
                    }
                ],
                "type": "ECOSYSTEM"
            }
        }
    ],
    "database_specific": {
        "type": "security update"
    },
    "id": "ELA-117-1",
    "modified": "2019-05-15T00:00:00Z",
    "references": [
        {
            "type": "ADVISORY",
            "url": "https://deb.freexian.com/extended-lts/tracker/ELA-117-1"
        },
        {
            "type": "ADVISORY",
            "url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0217"
        },
        {
            "type": "ADVISORY",
            "url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0220"
        }
    ],
    "related": [
        "CVE-2019-0217",
        "CVE-2019-0220"
    ]
}

Will look at improving this over time, suggestions are welcome. I've set it to auto-update as well, so other databases can start scraping this. There's no published/modified timestamp, so I'm making do with the advisory date instead.

Nice!! One comment on this:

You need an "introduced": "0" event per https://ossf.github.io/osv-schema/#examples. Otherwise, according to the evaluation algorithm, the encoding means that no versions are affected.

Also, should the "ecosystem" be different here? E.g.

"ecosystem": "Freexian:7"

instead to disambiguate things?

@oliverchang
Copy link
Contributor

We also have some existing code for converting Debian advisories that could potentially be reused: https://github.com/ossf/osv-schema/tree/main/tools/debian, if these are the same for Freexian.

This does additional stuff like getting the text details of the vulnerability.

@captn3m0 captn3m0 mentioned this pull request Jan 11, 2023
Open
@oliverchang
Copy link
Contributor

Hey @captn3m0, just checking up on this PR once more. Since this links the spec out to your repo at https://github.com/captn3m0/debian-elts-advisories, we'd like to make sure it's compliant before we merge :) Would you be able to address the comments on #104 (comment) ?

@captn3m0
Copy link
Contributor Author

captn3m0 commented Feb 8, 2023

You need an "introduced": "0" event

Updated accordingly. Preview: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json

Also, should the "ecosystem" be different here? "ecosystem": "Freexian:7"

Using Debian with a repository URL is much clearer imo. Had discussed this in another context with the PURL spec, and it seemed like using debian as the ecosystem with a clear repo_url is the cleanest solution. Sticking to the same ecosystem as purl will make things easier everywhere as well.

Ref: package-url/purl-spec#214 (comment)

@andrewpollock
Copy link
Collaborator

@captn3m0 do you want to fix up this conflict and then I think this is good to merge?

captn3m0 and others added 3 commits August 28, 2024 13:10
@captn3m0
Merge branch 'main' into patch-1
7c778d0 
Signed-off-by: Nemo <me@captnemo.in>
@captn3m0
Update schema.md
e3fcc5f 
Signed-off-by: Nemo <commits@captnemo.in>
@captn3m0
Update schema.md
80bce00 
Signed-off-by: Nemo <commits@captnemo.in>
@captn3m0
Copy link
Contributor Author

Conflicts fixed. The data is now published over GitHub Pages, so the OSV-formatted-links are now much nicer than using the raw github link: https://captnemo.in/debian-elts-advisories/advisories/ELA-1166-1.json

andrewpollock
andrewpollock requested changes Aug 29, 2024
View reviewed changes
Copy link
Collaborator

@andrewpollock andrewpollock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also add the ELA prefix to the validation at

osv-schema/validation/schema.json

Line 309 in 8907bae

"pattern": "^(ASB-A|PUB-A|ALSA|ALBA|ALEA|BIT|CURL|CVE|DSA|DLA|DTSA|GHSA|GO|GSD|HSEC|LBSEC|MAL|OSV|PHSA|PSF|PYSEC|RHSA|RLSA|RXSA|RSEC|RUSTSEC|USN)-"

@captn3m0
Update schema.json
5903ed4 
Signed-off-by: Nemo <me@captnemo.in>
@captn3m0
Copy link
Contributor Author

Updated validation schema

@andrewpollock andrewpollock merged commit e5ba747 into ossf:main Aug 29, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewpollock andrewpollock andrewpollock approved these changes

@oliverchang oliverchang oliverchang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@captn3m0 @oliverchang @rhertzog @andrewpollock