
osv-scanner doesn't find Fedora vulnerabilities #917

Open
paulwouters opened this issue Apr 12, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@paulwouters

When I scan using an SPDX SBOM, I see:

osv-scanner scan --sbom=SBOM-report-testproject-habi-20240410_0131-clean-licenses.spdx.json --verbosity verbose
Scanned /home/paul/SBOM-report-testproject-habi-20240410_0131-clean-licenses.spdx.json as SPDX SBOM and found 948 packages
No issues found

This is after I lowered the version of the libreswan package to one that is vulnerable to several CVEs:

        {
            "SPDXID": "SPDXRef-Package-370",
            "downloadLocation": "https://libreswan.org/",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE_MANAGER",
                    "referenceLocator": "pkg:rpm/fedora/libreswan@3.1-1.fc38",
                    "referenceType": "purl"
                }
            ],
            "licenseConcluded": "GPL-2.0-or-later AND MPL-2.0",
            "licenseDeclared": "GPL-2.0-or-later AND MPL-2.0",
            "name": "libreswan",
            "originator": "Organization: Fedora Project",
            "versionInfo": "3.1-1.fc38"
        },

Meanwhile, https://osv.dev/list?ecosystem=&q=libreswan shows that the vulnerabilities are known.

@paulwouters
Author

(I also tried reducing the Fedora version to the upstream version, e.g. 3.1-1.fc38 -> 3.1.)

@oliverchang oliverchang added the enhancement New feature or request label Apr 16, 2024
@oliverchang
Collaborator

Thanks for the issue! This is because osv.dev currently doesn't contain advisories from Fedora. In order to provide accurate vuln scanning results, we make sure to only scan OS packages against their respective distro advisory DB, to account for backported fixes.

It's unclear if there is a Fedora security advisory DB of some sort; we'll investigate.
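
Since a package is only matched against its own distro advisory DB, a "No issues found" result covers nothing in an ecosystem the scanner has no feed for. The following is an added example (not osv-scanner's own code) that walks an SPDX SBOM, parses each purl, and separates packages whose ecosystem is on an assumed, hypothetical allow-list of covered (type, namespace) pairs from those that were effectively never scanned. The embedded SBOM fragment and the COVERED set are constructed for the example.

```python
import json
from urllib.parse import unquote

# Constructed SPDX fragment modelled on the issue: a Fedora rpm (no advisories in osv.dev
# at the time of the issue), a PyPI package, and a package with no purl at all.
SBOM_JSON = """{"spdxVersion": "SPDX-2.3", "packages": [
 {"SPDXID": "SPDXRef-Package-370", "name": "libreswan", "versionInfo": "3.1-1.fc38",
  "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                    "referenceLocator": "pkg:rpm/fedora/libreswan@3.1-1.fc38?arch=x86_64"}]},
 {"SPDXID": "SPDXRef-Package-371", "name": "requests", "versionInfo": "2.31.0",
  "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                    "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
 {"SPDXID": "SPDXRef-Package-372", "name": "vendored-blob", "versionInfo": "1.0"}]}"""

# Assumed (hypothetical) allow-list of (purl type, namespace) pairs the scanner's advisory
# source actually covers; populate it from the scanner's documented ecosystem list.
COVERED = {("pypi", None), ("rpm", "redhat"), ("deb", "debian")}

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    path, _, version = body.partition("@")             # '@' inside names is %40-encoded
    parts = path.strip("/").split("/")
    namespace = unquote("/".join(parts[1:-1])).lower() or None  # lowercased for matching
    return parts[0].lower(), namespace, unquote(parts[-1]), unquote(version) or None

def coverage_report(sbom_text, covered=COVERED):
    """Classify each SBOM package: advisory-covered, uncovered ecosystem, or no purl.
    A package in 'uncovered' or 'no_purl' was never really scanned, so 'No issues found'
    says nothing about it."""
    report = {"covered": [], "uncovered": [], "no_purl": []}
    for pkg in json.loads(sbom_text).get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        if not purls:
            report["no_purl"].append(pkg["SPDXID"])
            continue
        for purl in purls:
            ptype, ns, _, _ = parse_purl(purl)
            bucket = "covered" if (ptype, ns) in covered else "uncovered"
            report[bucket].append(purl)
    return report

if __name__ == "__main__":
    for bucket, items in coverage_report(SBOM_JSON).items():
        print(f"{bucket}: {items}")
```

Run it against a real SBOM by replacing SBOM_JSON with the file contents; anything in the uncovered bucket needs a second source (for Fedora, the distro's own advisory tracker) before the scan result can be trusted.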

@paulwouters
Author

paulwouters commented Apr 16, 2024 via email

@oliverchang
Collaborator

RHEL currently does not provide an OSV feed unfortunately.

It also looks like Fedora tracks their own security advisories here: https://bodhi.fedoraproject.org/updates/?type=security. It seems like it may be more accurate for Fedora vulnerability scanners to match against this DB instead.

@oliverchang oliverchang changed the title osv-scanner doesn't find vulnerable entries in SPDX SBOM osv-scanner doesn't find Fedora vulnerabilities May 15, 2024