
Update Ubuntu package matching behavior #2963

Closed
another-rex opened this issue Dec 5, 2024 · 3 comments · Fixed by #2986
Labels
api API-related infrastructure enhancement New feature or request question Further information is requested

Comments

@another-rex (Contributor)

another-rex commented Dec 5, 2024

OSV-Scanner currently can only reliably get Ubuntu ecosystems with their release number (e.g. Ubuntu:22.04), but cannot get whether it is of the :LTS or :Pro variant without some vague string parsing.

Is there a difference in packages between Ubuntu:22.04 and Ubuntu:22.04:LTS at the same version number? E.g. is socat at version 1.7.4.1-3ubuntu1 the same between Ubuntu:22.04 and the LTS?

If they are the same, for our API, it should be fine to strip :LTS when matching, so a query with ecosystem of Ubuntu:22.04 and Ubuntu:22.04:LTS will return the same results.

Also, does a similar thing apply to the :Pro variant as well?

@dodys might you be able to provide some answers here? :)

@another-rex another-rex added api API-related infrastructure enhancement New feature or request question Further information is requested labels Dec 5, 2024
@dodys

dodys commented Dec 5, 2024

@another-rex what you are referring to as Ubuntu:22.04 is actually Ubuntu:22.04:LTS; we have no data that would have only Ubuntu:22.04, so I don't understand the difference you are seeing.

The :Pro variant is indeed an extra, as it is packages that don't go to the normal archive.

@another-rex (Contributor, Author)

Thanks for the quick reply! It seems I misunderstood how Ubuntu releases work. I was assuming that a release starts off not marked as LTS and then becomes LTS, but it looks like LTS releases are started as LTS releases from the beginning, so this makes sense now.

For the :Pro variants, if we found a package matching the version specified on an advisory (e.g. [email protected]+dfsg-6 from https://osv.dev/vulnerability/UBUNTU-CVE-2024-53863) on an Ubuntu:18.04 machine/image (unknown whether it is Pro or not), can we assume that the advisory applies to that package?

@dodys

dodys commented Dec 10, 2024

@another-rex sorry for the late reply, I was out the previous days.

Pro is a bit trickier, therefore I will try to list every case below:

  1. Pro only exists for LTS releases; therefore for interim releases like 25.10, there's no Pro variant.
  2. For LTS releases that have already passed their 5 years of support, like 14.04, 16.04 and 18.04, you might see either the LTS or the Pro variant:
    2.1. The LTS variant if the fix was published publicly;
    2.2. The Pro variant if the fix was published under Pro (only for universe packages) or if there's no fix available yet (that's the case with the matrix-synapse CVE you mentioned for 18.04).
  3. For LTS releases that are still in their LTS period (within the 5 years of support), like 20.04, 22.04 and 24.05, you might also see either the LTS or the Pro variant:
    3.1. The LTS variant if the fix was published publicly or if there's no fix available yet;
    3.2. The Pro variant if the fix was published under Ubuntu Pro (only for universe packages).

Nevertheless, to answer your question, the package is the same in LTS or Pro; the only change is the version and the patches that were applied to it. Therefore on an Ubuntu:18.04 you can assume that the advisory applies to that package.

Let me know if it makes sense or if you have any other doubts.

hogo6002 added a commit that referenced this issue Dec 13, 2024
Related issue #2963

OSV-Scanner mismatches Ubuntu vulnerabilities due to variations in
ecosystem naming (e.g., :LTS, :Pro).
Adds a function to expand the Ubuntu ecosystem list with all possible
variants, ensuring accurate vulnerability matching.

TODO:

- [ ] reput all Ubuntu vulnerabilities
- [ ] support naming variations in API query
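An illustration of the expansion described in the commit message, written here as an added example rather than OSV-Scanner's own code. It assumes a detected ecosystem string of the form `Ubuntu:<release>[:LTS|:Pro]` and uses a constructed heuristic (the `.04` release of an even year is LTS) to decide whether the `:LTS` and `:Pro` variants exist, following the cases dodys lists above; the function and helper names are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// isUbuntuLTS reports whether a release number such as "22.04" is an LTS release.
// Constructed heuristic (not OSV-Scanner's logic): LTS releases are the .04
// releases of even years; anything else (23.04, 24.10, 25.10) is interim.
func isUbuntuLTS(release string) bool {
	parts := strings.SplitN(release, ".", 2)
	if len(parts) != 2 || parts[1] != "04" {
		return false
	}
	year, err := strconv.Atoi(parts[0])
	return err == nil && year%2 == 0
}

// expandUbuntuEcosystem takes "Ubuntu:22.04", "Ubuntu:22.04:LTS" or
// "Ubuntu:22.04:Pro" and returns every naming variant an advisory for that
// release may carry, so one query matches all of them. The variant suffix on
// the input is dropped first, since scanners cannot reliably detect it.
// Interim releases have no :LTS or :Pro variant (case 1 above), so they
// expand to themselves only. Non-Ubuntu ecosystems are returned unchanged.
func expandUbuntuEcosystem(ecosystem string) []string {
	parts := strings.Split(ecosystem, ":")
	if len(parts) < 2 || parts[0] != "Ubuntu" {
		return []string{ecosystem}
	}
	base := "Ubuntu:" + parts[1]
	if !isUbuntuLTS(parts[1]) {
		return []string{base}
	}
	return []string{base, base + ":LTS", base + ":Pro"}
}

func main() {
	// Constructed sample inputs covering an LTS release, a Pro-suffixed LTS
	// release, an interim release and a non-Ubuntu ecosystem.
	for _, e := range []string{"Ubuntu:22.04", "Ubuntu:18.04:Pro", "Ubuntu:25.10", "Debian:12"} {
		fmt.Printf("%s -> %v\n", e, expandUbuntuEcosystem(e))
	}
}
```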