
Ingest SUSE/openSUSE OSV advisories #2543

Closed
oliverchang opened this issue Sep 3, 2024 · 8 comments
Labels: datasource (Requests for new data sources)

Comments

oliverchang (Collaborator) commented Sep 3, 2024

Per ossf/osv-schema#259, the SUSE/openSUSE ecosystems have been added to the OSV schema, and there is a feed available at https://ftp.suse.com/pub/projects/security/osv/

oliverchang added the datasource label Sep 3, 2024
oliverchang changed the title from "Ingest SuSE/openSuSE OSV advisories" to "Ingest SUSE/openSuSE OSV advisories" Sep 3, 2024

oliverchang (Collaborator, Author) commented

For version ordering, SUSE seems to use RPM (https://en.opensuse.org/openSUSE:Package_versioning_guidelines).

For https://ftp.suse.com/pub/projects/security/osv/, we may need an https://ftp.suse.com/pub/projects/security/osv/all.json per https://google.github.io/osv.dev/rest-api-contribution/#1-a-url-pointing-to-a-rest-endpoint-containing-at-least-all-of-the-vulnerabilities-ids-and-date-modified. @msmeissn is this something that would be possible to add?

msmeissn commented Sep 3, 2024

I added an all.json file now.

oliverchang (Collaborator, Author) commented

Thanks @msmeissn !

@hogo6002 can you see if we can start ingesting this into our test instance?

hogo6002 (Contributor) commented Sep 4, 2024

Hey @msmeissn, I have a question about the data prefixes and would like some clarification.

The ossf schema lists the valid prefixes for SUSE as only SUSE-SU-, but I noticed that all.json also contains entries other than SUSE-SU- (security updates), such as SUSE-RU- (recommended updates) and SUSE-FU- (feature updates).

I just want to confirm if we only want to ingest data with the SU- prefix into OSV or if we want to ingest all the data from all.json into OSV.

Also, I'm wondering if entries with other prefixes, such as SUSE-RU- and SUSE-FU-, are actually security-related data (they do have related CVEs on their records)?

msmeissn commented Sep 4, 2024

ok, problem is that occasionally "recommended (bugfix)" or feature updates also include CVEs and I generate entries for those. Note that only bugfix or feature updates that have CVEs will be reported for OSV.

I sent a PR to osv-schema to allow them, so we can consume those.

hogo6002 (Contributor) commented Sep 5, 2024

> I sent a PR to osv-schema to allow them, so we can consume those.

Thanks! I will start to ingest data into our test instance.

hogo6002 changed the title from "Ingest SUSE/openSuSE OSV advisories" to "Ingest SUSE/openSUSE OSV advisories" Sep 5, 2024
hogo6002 added a commit that referenced this issue Sep 6, 2024
Add SUSE and openSUSE source (around 20k records), details:
#2543
SUSE prefixes: `SUSE-SU-` (most records), `SUSE-OU-`, `SUSE-FU-` and
`SUSE-RU-`
openSUSE prefixes: `openSUSE-SU-`

Merge after #2571
hogo6002 (Contributor) commented Sep 9, 2024

SUSE/openSUSE data is available on test.osv.dev now!
Website:
- https://test.osv.dev/list?q=&ecosystem=SUSE
- https://test.osv.dev/list?q=&ecosystem=openSUSE

API query:

```shell
curl -d \
  '{"version": "1.2.0~rc3", "package": {"name": "runc", "ecosystem": "openSUSE"}}' \
  "https://api.test.osv.dev/v1/query"
```
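
As an added example (not code from osv.dev or from the rpm project), here is the RPM version ordering oliverchang pointed to earlier in the thread, carried through to the OSV range check that decides whether a version such as the `1.2.0~rc3` in the query above falls inside an advisory's affected range; the function names rpmvercmp, compare_evr and osv_affected are my own, and the version strings in the comments are constructed samples.

```python
# Added example (not osv.dev's or rpm's own code): RPM version ordering for SUSE/openSUSE ranges.
import re

_SEP = re.compile(r"[^0-9A-Za-z~^]*")          # separators rpm ignores between segments
_DIGITS, _ALPHAS = re.compile(r"[0-9]+"), re.compile(r"[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings like rpm's rpmvercmp(): -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ca, cb = a[i:i + 1], b[j:j + 1]          # "" once a side is exhausted
        if ca in ("~", "^") or cb in ("~", "^"):
            if ca == cb:                         # same marker on both sides: skip it
                i, j = i + 1, j + 1
                continue
            if "~" in (ca, cb):                  # '~' sorts before anything, even the end: 1.2.0~rc3 < 1.2.0
                return 1 if cb == "~" else -1
            return -1 if (not ca or (cb and cb != "^")) else 1   # '^': 1.0 < 1.0^git < 1.0.1
        if not ca or not cb:
            break
        pat = _DIGITS if ca.isdigit() else _ALPHAS   # the left side decides the segment type
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:                           # mixed types: a numeric segment beats an alpha one
            return 1 if ca.isdigit() else -1
        sa, sb, i, j = ma.group(), mb.group(), ma.end(), mb.end()
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # numeric: drop leading zeros, longer wins
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a[i:] and not b[j:]:
        return 0
    return -1 if not a[i:] else 1                # whichever side still has content is newer

def compare_evr(a: str, b: str) -> int:
    """Compare full RPM labels 'epoch:version-release' (epoch and release optional)."""
    def parse(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        version, _, release = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return epoch, version, release
    return next((rc for rc in map(rpmvercmp, parse(a), parse(b)) if rc), 0)

def osv_affected(version: str, introduced: str, fixed: str = "") -> bool:
    """OSV range semantics: affected iff introduced <= version < fixed ('' means not fixed yet)."""
    return compare_evr(version, introduced) >= 0 and (not fixed or compare_evr(version, fixed) < 0)
```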

hogo6002 added a commit that referenced this issue Sep 19, 2024
Add SUSE and openSUSE source (around 20k records), details:
#2543
SUSE prefixes: `SUSE-SU-` (most records), `SUSE-OU-`, `SUSE-FU-` and
`SUSE-RU-`
openSUSE prefixes: `openSUSE-SU-`

Test instance PR: #2570
hogo6002 (Contributor) commented Sep 24, 2024

SUSE/openSUSE is now on osv.dev!
