Scan `status` files used by Ubuntu

[cav72]

Description
With the large amount of OSV data from Ubuntu on osv.dev, is there a plan to support /var/lib/dpkg/status "lockfiles" on Ubuntu?

For example, using this simplified /var/lib/dpkg/status file on a Debian 12 host:

Package: base-files
Status: install ok installed
Version: 12.4+deb12u7

Package: openvpn
Status: install ok installed
Version: 2.6.3-1+deb12u2

we receive the following vulnerability report when running $ osv-scanner scan --lockfile 'dpkg-status:/var/lib/dpkg/status' :

╭────────────────────────────────┬──────┬───────────┬─────────┬─────────────────┬────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION         │ SOURCE                     │
├────────────────────────────────┼──────┼───────────┼─────────┼─────────────────┼────────────────────────────┤
│ https://osv.dev/CVE-2024-28882 │      │ Debian:12 │ openvpn │ 2.6.3-1+deb12u2 │ ../var/lib/dpkg/status     │
╰────────────────────────────────┴──────┴───────────┴─────────┴─────────────────┴────────────────────────────╯

But when we run an equivalent scan on an Ubuntu 24.04 host with the following simplified /var/lib/dpkg/status file:

Package: base-files
Status: install ok installed
Version: 13ubuntu10.1

Package: openvpn
Status: install ok installed
Version: 2.6.9-1ubuntu4

we receive:

No issues found

What I would like to retrieve is a report like:

╭───────────────────────────────────────┬──────┬──────────────────┬─────────┬────────────────┬────────────────────────────╮
│ OSV URL                               │ CVSS │ ECOSYSTEM        │ PACKAGE │ VERSION        │ SOURCE                     │
├───────────────────────────────────────┼──────┼──────────────────┼─────────┼────────────────┼────────────────────────────┤
│ https://osv.dev/UBUNTU-CVE-2024-28882 │      │ Ubuntu:24.04:LTS │ openvpn │ 2.6.9-1ubuntu4 │ ../var/lib/dpkg/status     │
╰───────────────────────────────────────┴──────┴──────────────────┴─────────┴────────────────┴────────────────────────────╯

Is this functionality able to integrated into osv-scanner?

To Reproduce
Steps to reproduce the behaviour:
Run the commands above and check the output.

Expected behaviour
The following data should be retrieved:
https://osv.dev/vulnerability/UBUNTU-CVE-2024-28882

cc: @dodys

[oliverchang]

Thanks for filing the issue!

CC @hogo6002 @another-rex who are currently working on Ubuntu scanning in the context of container scanning.

[another-rex]

This is actively being worked on!
Coming soon (in a month or 2?) in OSV-Scanner V2, when we complete the migration to use osv-scalibr extractors.

At that point it should work as you expect where both scanning on host in an ubuntu machine, or scanning an ubuntu container image will correctly return ubuntu vulnerabilties.

[cav72]

That is great to hear! Let me know if you need any extra external testing when it lands! Thank you heaps.

[dodys]

@another-rex do you have any updates or ETA to share on this issue?
I saw that osv-scalibr was officially announced.

[oliverchang]

This took a little longer than expected, but we're gearing up for a beta release of OSV-Scanner V2 this week (it's already usable from HEAD)I! We'll ping this thread as soon as it is.

We'd love feedback on making sure the results are accurate!

[dodys]

@oliverchang that's great news thanks!
I will catch-up tomorrow with @cav72 and see if he can do some testing with current HEAD and give some feedback here.

[oliverchang]

v2.0.0-beta1 has been released. Please see https://osv.dev/blog/posts/osv-scanner-v2-beta1-is-ready/

[oliverchang]

Hey @dodys and @cav72 ! Just checking to see if you've gotten a chance to try the beta and have any feedback for Ubuntu container images?

[hogo6002]

Also adding a sample output for running an Ubuntu image: https://hogo6002.github.io/v2/ubuntu/
We filter out vulnerabilities with an ubuntu_priority of negligible and mark them as unimportant.

[dodys]

Hey @dodys and @cav72 ! Just checking to see if you've gotten a chance to try the beta and have any feedback for Ubuntu container images?

@cav72 is currently on PTO until end of next week and I have no buffer on my side to check on this. I will see if someone else can check. Sorry for the delay.

[allenpthuang]

Hi @oliverchang @hogo6002, thanks for the new version!

I just tested 2.0.0-beta2 with the sample Ubuntu lockfile, and it worked well:

╭───────────────────────────────────────┬──────┬──────────────┬─────────┬────────────────┬──────────────────────╮
│ OSV URL                               │ CVSS │ ECOSYSTEM    │ PACKAGE │ VERSION        │ SOURCE               │
├───────────────────────────────────────┼──────┼──────────────┼─────────┼────────────────┼──────────────────────┤
│ https://osv.dev/UBUNTU-CVE-2020-20813 │ 7.5  │ Ubuntu:24.04 │ openvpn │ 2.6.9-1ubuntu4 │ ubuntu-lockfile.lock │
│ https://osv.dev/UBUNTU-CVE-2024-28882 │      │ Ubuntu:24.04 │ openvpn │ 2.6.9-1ubuntu4 │ ubuntu-lockfile.lock │
│ https://osv.dev/UBUNTU-CVE-2024-3661  │ 7.6  │ Ubuntu:24.04 │ openvpn │ 2.6.9-1ubuntu4 │ ubuntu-lockfile.lock │
│ https://osv.dev/UBUNTU-CVE-2024-5594  │      │ Ubuntu:24.04 │ openvpn │ 2.6.9-1ubuntu4 │ ubuntu-lockfile.lock │
│ https://osv.dev/USN-6860-1            │      │ Ubuntu:24.04 │ openvpn │ 2.6.9-1ubuntu4 │ ubuntu-lockfile.lock │
╰───────────────────────────────────────┴──────┴──────────────┴─────────┴────────────────┴──────────────────────╯

There's a weird thing though. I also tested it with the sample Debian lockfile, and the result was empty:

No issues found

With 1.9.0:

╭────────────────────────────────┬──────┬───────────┬─────────┬─────────────────┬──────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION         │ SOURCE               │
├────────────────────────────────┼──────┼───────────┼─────────┼─────────────────┼──────────────────────┤
│ https://osv.dev/CVE-2024-28882 │      │ Debian:12 │ openvpn │ 2.6.3-1+deb12u2 │ debian-lockfile.lock │
│ https://osv.dev/CVE-2024-5594  │      │ Debian:12 │ openvpn │ 2.6.3-1+deb12u2 │ debian-lockfile.lock │
╰────────────────────────────────┴──────┴───────────┴─────────┴─────────────────┴──────────────────────╯

[another-rex]

Thanks for testing this!

I'm guessing the issue is when scanning locally we now take the ecosystem from the OS release file on your host machine. So the packages were assumed to be part of a Ubuntu release, and there weren't vulnerabilities at those version numbers for the ubuntu release. (Because of the +deb12u2 extension).

We need a way for people to specify the ecosystem to resolve this, or take the ecosystem from the status file itself somehow (look at the version of the base package?) #1565 tracks this.

[another-rex]

Can you also test container scanning on Ubuntu based containers to see if that behaves correctly?:

osv-scanner scan image <image-name>

or

osv-scanner scan image --archive <path-to-docker-archive>