Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Collect vulnerabilities from Amazon Linux #72

Open
pombredanne opened this issue Sep 26, 2019 · 10 comments · May be fixed by #1569
Open

Collect vulnerabilities from Amazon Linux #72

pombredanne opened this issue Sep 26, 2019 · 10 comments · May be fixed by #1569
Assignees
Labels
Data collection GSoC 24 GSoC 24 (Data Collection & Data Quality project) sys system or OS packages

Comments

@pombredanne
Copy link
Member

See https://alas.aws.amazon.com/
There are two variants: AL and AL2

@pombredanne pombredanne added the sys system or OS packages label Dec 3, 2019
@sbs2001
Copy link
Collaborator

sbs2001 commented Nov 18, 2020

Essentially we want to scrape/mine/consume the pages at https://alas.aws.amazon.com/ and https://alas.aws.amazon.com/alas2.html .

@tushar912
Copy link
Contributor

Taking it up @sbs2001 @pombredanne !

@tushar912
Copy link
Contributor

I checked https://alas.aws.amazon.com/ but I found that the table does not contain fixed and affected versions . I even checked the advisory url( eg https://alas.aws.amazon.com/ALAS-2011-1.html )but did not find the same. @sbs2001 @pombredanne can you help me.

@sbs2001
Copy link
Collaborator

sbs2001 commented Nov 18, 2020

@tushar912 the new packages mentioned at the advisory page are the fixed packages. It seems there is no easy way to obtain exact affected packages so you can skip finding them.

@tushar912
Copy link
Contributor

@sbs2001 I am still confused .Currently what I conclude is to create a PackageURL object we need version .But currently what I find is that the table doesn't provide any thing related to version of the package which is affected.Please help.

@pombredanne
Copy link
Member Author

@tushar912 in https://alas.aws.amazon.com/ALAS-2011-1.html I can see this:

  • Affected Packages: httpd (no version alright for now and not much data)
  • New packages (e.g. where this is fixed):
    • i686:
      httpd-devel-2.2.21-1.18.amzn1.i686
      httpd-debuginfo-2.2.21-1.18.amzn1.i686
      httpd-2.2.21-1.18.amzn1.i686
      httpd-tools-2.2.21-1.18.amzn1.i686
      mod_ssl-2.2.21-1.18.amzn1.i686
    • noarch:
      httpd-manual-2.2.21-1.18.amzn1.noarch
    • src:
      httpd-2.2.21-1.18.amzn1.src
    • x86_64:
      mod_ssl-2.2.21-1.18.amzn1.x86_64
      httpd-tools-2.2.21-1.18.amzn1.x86_64
      httpd-2.2.21-1.18.amzn1.x86_64
      httpd-devel-2.2.21-1.18.amzn1.x86_64
      httpd-debuginfo-2.2.21-1.18.amzn1.x86_64

From that I can therefore infer:

  1. all these packages versions are fixed (and we can parse RPMs nevra with https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/nevra.py)
  2. whatever were the versions BEFORE these versions are vulnerable

Does this make sense?

@tushar912
Copy link
Contributor

Ok . I understood New Packages are the ones that are fixed and whatever are before were affected.

@pombredanne
Copy link
Member Author

ok, sorry it it felt like a rehash ....that said we may not have a version that is affected, but rather a version range.
@sbs2001 what do you think? that looks like a good use case for the ranges/spec?

@TG1999 TG1999 added this to the v34.0.0 milestone Jan 13, 2023
@TG1999 TG1999 removed this from the v34.0.0 milestone Jan 30, 2024
@ambuj-1211 ambuj-1211 added the GSoC 24 GSoC 24 (Data Collection & Data Quality project) label Jun 25, 2024
@ambuj-1211 ambuj-1211 linked a pull request Aug 27, 2024 that will close this issue
@keshav-space
Copy link
Member

Amazon might provide direct access to structured Advisory data at some point amazonlinux/amazon-linux-2023#158 (comment)

@pombredanne
Copy link
Member Author

@ambuj-1211 @keshav-space is this completed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Data collection GSoC 24 GSoC 24 (Data Collection & Data Quality project) sys system or OS packages
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants