osv-scanner doesn't find Fedora vulnerabilities #917
Comments
(I also tried reducing the Fedora version to the upstream version, e.g. 3.1-1.fc38 -> 3.1)
Thanks for the issue! This is because osv.dev currently doesn't contain advisories from Fedora. In order to provide accurate vuln scanning results, we make sure to only scan OS packages against their respective distro advisory DB, to account for backported fixes. It's unclear if there is a Fedora security advisory DB of some sort, we'll investigate.
But you claim to map it to rhel/centos? Which is what other scanners do too, such as grype and snyk.

On Apr 16, 2024, at 13:40, Oliver Chang wrote:

> Thanks for the issue! This is because osv.dev currently doesn't contain advisories from Fedora. In order to provide accurate vuln scanning results, we make sure to only scan OS packages against their respective distro advisory DB, to account for backported fixes.
> It's unclear if there is a Fedora security advisory DB of some sort, we'll investigate.
RHEL currently does not provide an OSV feed unfortunately. It also looks like Fedora tracks its own security advisories here: https://bodhi.fedoraproject.org/updates/?type=security. It seems like it may be more accurate for Fedora vulnerability scanners to match against this DB instead.
When I scan using an SPDX SBOM, I see:
This is after I lowered the version of the libreswan package to one that is vulnerable to several CVEs:
While https://osv.dev/list?ecosystem=&q=libreswan shows the vulnerabilities are known.
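As an added example (not code from osv-scanner or from anyone in this thread), the following contrasts the two matching strategies discussed above: stripping the distro release from a Fedora package version (3.1-1.fc38 -> 3.1) and comparing against an upstream fixed version, versus comparing the full epoch:version-release against a distro advisory that may record a backported fix. The advisory fixed versions used are constructed placeholders, not real Fedora or libreswan data, and the version comparison is a simplified rpmvercmp without tilde/caret handling.

```python
import re
from typing import Optional

# Added example (constructed data, not real advisories): RPM-style version
# comparison plus the two matching strategies discussed in the thread.
SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare version/release strings like rpm's rpmvercmp: numeric segments
    by value, alpha segments lexically, numeric beats alpha, leftover segments
    win. Tilde/caret handling is omitted. Returns -1, 0 or 1."""
    sa, sb = SEG.findall(a), SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0

def parse_evr(s: str) -> tuple:
    """Split '[epoch:]version-release' (e.g. '3.1-1.fc38', '1:4.12-2.fc39')
    into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, _, release = s.partition("-")
    return epoch, version, release

def evrcmp(a: tuple, b: tuple) -> int:
    """Compare two EVR tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def verdicts(installed: str, upstream_fixed: str, distro_fixed: Optional[str]) -> dict:
    """Upstream-only match strips the release (3.1-1.fc38 -> 3.1) and compares
    with the upstream fixed version, so a backported fix in the distro release
    is invisible. Distro match compares the full EVR with the advisory's fixed
    EVR. distro_fixed=None models 'no Fedora advisory in osv.dev': no verdict."""
    inst = parse_evr(installed)
    upstream_only = rpmvercmp(inst[1], upstream_fixed) < 0
    distro = None if distro_fixed is None else evrcmp(inst, parse_evr(distro_fixed)) < 0
    return {"upstream_only": upstream_only, "distro_advisory": distro}
```

With a constructed backported fix in release 2.fc38, `verdicts("3.1-2.fc38", "3.2", "3.1-2.fc38")` reports the package vulnerable under the upstream-only comparison but fixed under the distro advisory, which is the false positive the maintainers describe avoiding.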