feat(alpine): support unfixed vulnerabilities #1235
pkg/detector/ospkg/alpine/alpine.go (outdated)
// This logic is for unfixed vulnerabilities, but Trivy DB doesn't have advisories for unfixed vulnerabilities
// because Alpine just provides potentially vulnerable packages. It will cause a lot of false positives.
if adv.FixedVersion == "" {
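Review bot: the comment above `if adv.FixedVersion == "" {` says this branch will produce a lot of false positives because Alpine only lists potentially vulnerable packages, yet nothing in the visible lines bounds which installed versions the branch reports; state the check the branch performs (the thread below settles on a minimum version in AffectedVersion, below which the installed package is not reported) so that the comment and the code agree, or keep the branch disabled until Trivy DB carries that data.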
The current logic in Cybercenter is that we look for a range:
if installedVersion > AffectedFrom && installedVersion <= AffectedTo {
	vulns = append(vulns, vuln)
}
We need to add affectedFrom and affectedTo to the trivy-db types.
If we take the information from NVD, it is true. But we take it from the Alpine Security Tracker, which provides potentially vulnerable packages. We don't need to care about affectedFrom and affectedTo because the secfixes tracker already compares versions with minimum and maximum versions.
https://gitlab.alpinelinux.org/kaniini/secfixes-tracker/-/blob/master/secfixes_tracker/models.py#L266-301
If we compare it again, it doesn't make sense. We just do the same thing twice.
Okay, I get it. Please consider the scenario below:
- I have the curl v1.5 package
- the secfixes tracker says that 2.0 (the current/latest version) is vulnerable
- now, with this logic, we will show v1.5 as vulnerable too.
There is a chance that the installed version is not vulnerable and only the latest version of the package is vulnerable.
I see, but it is the same as fixed vulnerabilities, right? Alpine doesn't provide introduced versions, but fixed versions only. What do you think about it? Do we support the introduced versions only for unpatched vulnerabilities?
Okay, so all versions below this version are vulnerable. Okay, this is good.
I think it is enough to support minimum versions. I've fixed that. While building the DB, you need to insert minimum versions into the AffectedVersion field.
03eece3
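The rule the thread converges on, written out as an added Go example: an advisory carries a minimum (introduced) version in AffectedVersion and, while FixedVersion is empty, no upper bound, so an installed version below the minimum is not reported and everything from the minimum upwards is. This is not Trivy's or trivy-db's code; the Advisory struct, the isVulnerable function, the sample advisories and the simplified "X.Y.Z-rN" comparator are constructed for illustration, and the comparator stands in for apk's real version ordering rather than reimplementing it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a constructed stand-in for the trivy-db advisory fields the
// thread discusses; it is not the real trivy-db type.
type Advisory struct {
	VulnerabilityID string
	AffectedVersion string // minimum (introduced) version; "" = unknown
	FixedVersion    string // version carrying the fix; "" = still unfixed
}

// apkVersion holds the numeric components of "X.Y.Z" plus the "-rN" package
// release. Simplified comparator for this example only: apk's real ordering
// also understands suffixes such as _rc and _p.
type apkVersion struct {
	parts   []int
	release int
}

func parseVersion(v string) (apkVersion, error) {
	var out apkVersion
	if i := strings.LastIndex(v, "-r"); i >= 0 {
		r, err := strconv.Atoi(v[i+2:])
		if err != nil {
			return out, fmt.Errorf("bad package release in %q: %w", v, err)
		}
		out.release = r
		v = v[:i]
	}
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version component %q in %q: %w", p, v, err)
		}
		out.parts = append(out.parts, n)
	}
	return out, nil
}

func cmpInt(x, y int) int {
	if x < y {
		return -1
	}
	if x > y {
		return 1
	}
	return 0
}

// compareVersions returns -1, 0 or 1. Missing trailing components count as
// zero, so "1.5" equals "1.5.0"; the package release is compared last.
func compareVersions(a, b apkVersion) int {
	for i := 0; i < len(a.parts) || i < len(b.parts); i++ {
		x, y := 0, 0
		if i < len(a.parts) {
			x = a.parts[i]
		}
		if i < len(b.parts) {
			y = b.parts[i]
		}
		if c := cmpInt(x, y); c != 0 {
			return c
		}
	}
	return cmpInt(a.release, b.release)
}

// isVulnerable: below the minimum -> not affected; no fix -> affected from
// the minimum upwards; otherwise affected only below the fixed version.
func isVulnerable(installed string, adv Advisory) (bool, error) {
	inst, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	if adv.AffectedVersion != "" {
		minimum, err := parseVersion(adv.AffectedVersion)
		if err != nil {
			return false, err
		}
		if compareVersions(inst, minimum) < 0 {
			return false, nil
		}
	}
	if adv.FixedVersion == "" {
		return true, nil
	}
	fixed, err := parseVersion(adv.FixedVersion)
	if err != nil {
		return false, err
	}
	return compareVersions(inst, fixed) < 0, nil
}

func main() {
	// Constructed sample data: the curl 1.5 / 2.0 scenario from the thread
	// as an unfixed advisory with a minimum version, plus one fixed advisory.
	advisories := []Advisory{
		{VulnerabilityID: "EXAMPLE-UNFIXED", AffectedVersion: "2.0"},
		{VulnerabilityID: "EXAMPLE-FIXED", FixedVersion: "7.79.1-r1"},
	}
	for _, installed := range []string{"1.5", "2.0-r3", "7.79.1-r0", "7.79.1-r1"} {
		for _, adv := range advisories {
			v, err := isVulnerable(installed, adv)
			if err != nil {
				fmt.Println("error:", err)
				continue
			}
			fmt.Printf("curl %-10s %-16s vulnerable=%v\n", installed, adv.VulnerabilityID, v)
		}
	}
}
```

With the constructed data, curl 1.5 is not reported against the unfixed advisory whose minimum is 2.0, while 2.0-r3 is; against the fixed advisory, 7.79.1-r0 is reported and 7.79.1-r1 is not. Unparsable version strings return an error rather than a silent "not vulnerable".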
Overview
Trivy DB doesn't insert security advisories for unfixed vulnerabilities, so Trivy cannot detect unfixed vulnerabilities at the moment. This PR is for the future.
Related PRs