Add ELA as a defined prefix #104
Conversation
Debian ELTS uses ELA as a prefix. The data is published at the following places: - https://www.freexian.com/lts/extended/updates/ - https://deb.freexian.com/extended-lts/tracker/CVE-ID - https://deb.freexian.com/extended-lts/tracker/ELA-ID Signed-off-by: Nemo <commits@captnemo.in>
|
Not a Freexian developer, but I'll reach out to them to ask if this can be supported upstream. |
|
@oliverchang Thanks for getting us involved! @captn3m0 As you noted most of the relevant information is available in the security tracker at https://deb.freexian.com/extended-lts/tracker/ Usually people rely on the JSON export but given what you are looking after, you are probably best served by parsing the data/ELA/list file in the underlying git repository. At some point, we might improve the security tracker to produce OSV or other common export format but we are not there yet. If you are interested to contribute at that level, the upstream security tracker source is here: |
|
I switched to the git repository as the source. Here's a sample advisory: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json {
"affected": [
{
"package": {
"ecosystem": "Debian:7",
"name": "apache2",
"purl": "pkg:deb/debian/apache2?distro=wheezy&repository_url=http%3A%2F%2Fdeb.freexian.com%2Fextended-lts"
},
"ranges": {
"events": [
{
"fixed": "2.2.22-13+deb7u14"
}
],
"type": "ECOSYSTEM"
}
}
],
"database_specific": {
"type": "security update"
},
"id": "ELA-117-1",
"modified": "2019-05-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://deb.freexian.com/extended-lts/tracker/ELA-117-1"
},
{
"type": "ADVISORY",
"url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0217"
},
{
"type": "ADVISORY",
"url": "https://deb.freexian.com/extended-lts/tracker/CVE-2019-0220"
}
],
"related": [
"CVE-2019-0217",
"CVE-2019-0220"
]
}Will look at improving this over time, suggestions are welcome. I've set it to auto-update as well, so other databases can start scraping this. There's no |
Nice!! One comment on this: You need an Also, should the "ecosystem": "Freexian:7"instead to disambiguate things? |
|
We also have some existing code for converting Debian advisories that could potentially be reused: https://github.com/ossf/osv-schema/tree/main/tools/debian, if these are the same for Freexian. This does additional stuff like getting the text details of the vulnerability. |
|
Hey @captn3m0, just checking up on this PR once more. Since this links the spec out to your repo at https://github.com/captn3m0/debian-elts-advisories, we'd like to make sure it's compliant before we merge :) Would you be able to address the comments on #104 (comment) ? |
Updated accordingly. Preview: https://github.com/captn3m0/debian-elts-advisories/blob/main/advisories/ELA-117-1.json
Using Debian with a repository URL is much clearer imo. Had discussed this in another context with the PURL spec, and it seemed like using |
Debian ELTS uses ELA as a prefix. The data is published at the following places:
More information about Debian LTS is available at https://www.freexian.com/lts/extended/. This includes advisories targeting debian 7,8,9, on a limited subset of packages.
The OSV schema generation is WIP, but filing this PR to start the conversation on what all will be required.Edit: See below.I'm planning to:
Few ELAs don't have enough information with them (See https://www.freexian.com/lts/extended/updates/ela-761-1-exuberant-ctags/, https://www.freexian.com/lts/extended/updates/ela-582-1-wordpress/), such as CVE/package/version information. In the absence of such information, I'm currently ignoring such advisories, but plan to work towards getting the important ones added.
Signed-off-by: Nemo commits@captnemo.in