-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encoding binary packages for linux distros #202
Comments
This would be a Good Addition, I believe. The first option seems cleaner at first ( Another similarish thing we encountered are packages which are packaged differently, e.g. pypi has the 'wheel' and 'sdist' format, one or both present for a specific package. They normally correspond but don't necessarily contain the same files. This is perhaps less commonly relevant for vulnerabilities but has some impact on malicious packages in rare cases. |
Some more examples are compile options, e.g.: E.g. The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. So there's also the inverse case where the source code is vulnerable, but the binary isn't. |
@oliverchang This is something handled as qualifiers in PURLs. |
Hmm, I thought "name" could already mean binary packages, I had planned my SUSE work like this. |
The definition would be part of the OSV schema spec, so in theory you could define it as binary packages for the SUSE ecosystem. That said, all our other current Linux distros decided to go with source packages. For example, Ubuntu does this, and also encodes binary packages in an |
Circling back to this one. It appears to me that many distro vulnerability DBs today (e.g. Debian, Ubuntu, Rocky Linux) key vulns on source packages, and do not triage whether the individual binary packages are impacted or not. Examples:
In both cases it looks like the full list of binary packages are just expanded from the source package. Are there any instances today of distro vuln DBs not doing this? Of course, this doesn't mean we shouldn't support encoding this -- just that there's perhaps no urgency to adding this if nobody is going to use this today. |
I changed our OSV now to look similar to Ubuntus, use sourcepackage as primary affected index and include binaries in ecosystem_specific section. For me the relevance is that automated checkers on Linux would look for binary packages mostly, not for source packages. |
A common paradigm for Linux distros is a distinction between source and binary packages.
Currently, all of our Linux distro ecosystems refer to source packages, but this may not be the most convenient for all consumers.
Some possibilities:
Extend "package" field
One possibility is that we extend the existing
"package"
field to include a concept of packages built from this.e.g.
Introduce convention to ecosystem definitions
Alternatively, we can introduce a convention to package names for Linux ecosystems.
e.g.
The text was updated successfully, but these errors were encountered: