
No affected versions reported by the API #3054

Closed
4b75726169736859 opened this issue Jan 15, 2025 · 4 comments

Comments

@4b75726169736859

Hello, I don’t understand why I can’t find affected versions for RedHat or Rocky vulnerabilities when querying the API or downloading the datasources for RedHat and Rocky. However, I do find the affected versions in the datasources for Debian vulnerabilities.

I’m basing my search on a package name and version to look for vulnerabilities related to a specific version in the datasources, and this makes things much more complicated.

Is this normal? I’m not sure how I should proceed.

Thank you, have a great day!

debian
redhat

@hogo6002
Contributor

hogo6002 commented Jan 16, 2025

Hi @4b75726169736859, this is because we don't get affected versions from the upstream source. The upstream source can provide us with either affected versions or an affected range, or both (such as in Ubuntu). We ingested Debian data ourselves, so we have a version enumeration function to calculate all affected versions based on the affected range. This is difficult to maintain and scale to more ecosystems.

So, we have improved our API queries to match vulnerabilities against the affected range. If you are using our API version query, it will return all vulnerabilities for that version.

curl -d \
  '{ "version": "0:8.7p1", "package": { "name": "openssh-debuginfo", "ecosystem": "Red Hat" } }' \
  "https://api.osv.dev/v1/query"

@4b75726169736859
Author

Thank you for your quick response.

What interests me here is the ability to perform vulnerability checks offline. I have a large number of packages to verify, and the goal is to conduct regular vulnerability monitoring for my IT infrastructure.

I want to perform these checks offline for two main reasons:

  1. Avoid relying on an Internet connection.
  2. Improve speed: using an API would take much longer than running the checks locally.

In the example you provided with API requests, you were able to retrieve vulnerabilities associated with a specific package version.

I was wondering:

  • Do you rely on a particular data source for this?
  • Would it be possible for me to achieve the same result locally by developing a similar functionality?

If yes, could you guide me through your approach or methodology?

Thank you.

@another-rex
Contributor

another-rex commented Jan 16, 2025

If you are building your own offline vulnerability matching system, you might be interested in osv-scanner, especially the local offline mode, which uses our exported zip files as the local database and does all matching locally.

You can either use osv-scanner directly (check out our osv-scanner documentation), or take a look at our source code for ideas on how to implement your own version. The main parts of the code that are likely of interest to you are the semantic package: https://github.com/google/osv-scanner/tree/main/internal/semantic, which provides version comparison code to help you do range matches against our records.

We are currently in the process of open sourcing that by moving it to osv-scalibr, see: google/osv-scalibr#316

See https://github.com/google/osv-scanner/blob/main/internal/clients/clientimpl/localmatcher/localmatcher.go for how we do offline matching with semantic and the exported zips.

We are currently doing a big refactor for osv-scanner v2, so the code might move around a bit.
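The two answers above describe the same idea from two sides: hogo6002 explains that Red Hat and Rocky records carry only an affected range (so the API matches a version against the range), and another-rex points at osv-scanner's local matcher as the way to do that matching offline against the exported records. The following is an added, self-contained sketch of such an offline matcher; it is not osv-scanner code and not the OSV project's own implementation. It assumes the OSV schema's `affected[].ranges[].events` layout (`introduced` / `fixed` / `last_affected`, with `introduced: "0"` meaning "from the first version") and an optional `affected[].versions` list, and it uses a simplified RPM-style epoch:version-release comparison that I wrote for this example (it ignores rpm's `~` and `^` rules). The records, IDs and fixed versions are constructed for the example and are not real advisories.

```python
"""Offline OSV range matching, added example (not osv-scanner code)."""
import json
import re

# Constructed OSV-style records; IDs and versions are placeholders, not real advisories.
SAMPLE_OSV_JSON = json.dumps([
    {
        "id": "EXAMPLE-0001",
        "affected": [{
            "package": {"ecosystem": "Red Hat", "name": "openssh-debuginfo"},
            # Red Hat style: only a range, no enumerated versions.
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "0:8.7p1-40"}]}],
        }],
    },
    {
        "id": "EXAMPLE-0002",
        "affected": [{
            "package": {"ecosystem": "Debian", "name": "openssh"},
            # Debian style: range plus enumerated versions.
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "1:9.2p1-1"}, {"fixed": "1:9.2p1-2"}]}],
            "versions": ["1:9.2p1-1"],
        }],
    },
])

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def _split_evr(v):
    """Split 'epoch:version-release' (epoch and release optional) into parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def _cmp_segments(a, b):
    """Simplified rpmvercmp (assumption: no ~ or ^ handling). Segments alternate
    numeric/alpha; numeric compares as int, numeric beats alpha, longer wins."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing epoch, then version, then release."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)


def _at_or_after(version, introduced):
    # OSV uses introduced "0" to mean "every version from the beginning".
    return introduced == "0" or compare_versions(version, introduced) >= 0


def version_in_range(version, events):
    """OSV semantics: affected from each 'introduced' up to (excluding) the next
    'fixed', or up to and including 'last_affected'; an unterminated 'introduced'
    is open-ended."""
    introduced = None
    for ev in events:
        if "introduced" in ev:
            introduced = ev["introduced"]
        elif "fixed" in ev and introduced is not None:
            if _at_or_after(version, introduced) and compare_versions(version, ev["fixed"]) < 0:
                return True
            introduced = None
        elif "last_affected" in ev and introduced is not None:
            if _at_or_after(version, introduced) and compare_versions(version, ev["last_affected"]) <= 0:
                return True
            introduced = None
    return introduced is not None and _at_or_after(version, introduced)


def load_records(text):
    """Parse a JSON list of OSV records (adapt to iterate the export's JSON files)."""
    return json.loads(text)


def find_vulns(records, ecosystem, name, version):
    """IDs of records whose affected entry covers (ecosystem, name, version),
    via the enumerated versions list or an ECOSYSTEM range."""
    hits = []
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue
            in_list = version in aff.get("versions", [])
            in_range = any(version_in_range(version, r.get("events", []))
                           for r in aff.get("ranges", []) if r.get("type") == "ECOSYSTEM")
            if in_list or in_range:
                hits.append(rec["id"])
                break
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_OSV_JSON)
    print(find_vulns(recs, "Red Hat", "openssh-debuginfo", "0:8.7p1"))     # ['EXAMPLE-0001']
    print(find_vulns(recs, "Red Hat", "openssh-debuginfo", "0:8.7p1-40"))  # []
```

The important detail for the Red Hat and Rocky case is that `find_vulns` never needs an enumerated `versions` list: the range alone decides, which is exactly why the Debian export looks "richer" while both give the same answer. For real use, swap the single comparator for per-ecosystem comparison (Debian's rules differ from rpm's, which is what osv-scanner's semantic package provides) and feed the loop the JSON records from the exported zip rather than the inline sample.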

@4b75726169736859
Author

Great, thank you very much! I have everything I need to move forward with my project!
