feat: support wildcard package name '*' in schema and linter#560
feat: support wildcard package name '*' in schema and linter#560another-rex wants to merge 1 commit into
Conversation
Signed-off-by: Rex P <rexpan@google.com>
7de5061 to
6bed7a5
Compare
|
@jasnow @DmitriyLewen fyi |
|
Hello all Correct me if I'm wrong: The idea behind this change is to mark a release as EOL — i.e. a package entry with This helps with the problem of records simply "disappearing" after EOL, but it doesn't really help scanners. From a scanner's point of view, we now at least know that the release is EOL, rather than it being missing from the data for some unknown (for scanner) reason. (Worth noting: Ubuntu's OSV records only list affected packages/releases — there is no "not-affected" representation, so today a missing release is ambiguous: it could be not-affected, or just no longer loaded because it's EOL. The wildcard removes that ambiguity.) But we still don't know the affected packages: we don't know whether all known vulnerabilities were fixed before EOL, or whether something was found after EOL that will never be fixed, and so on. |
|
Yes, that's mostly correct.
If a known vulnerability is fixed before EOL, the advisory for that vulnerability should contain a fixed version that's released within that ecosystem.
This it doesn't show this information, but from what I understand, that's what EOL is describing - this ecosystem/release is no longer maintained, so no one is processing or publishing any vulnerability reports, and you should move off this release, as packages used within will be a blind spot for any scanners. |
|
Am I understanding correctly that you are proposing to always keep a record for a specific release?
If that's the case, then this is a solution for scanners, but this PR isn't really related to the solution, because these changes only extend the information (EOL, or the package is not vulnerable). If you do think that the past records (with fixed versions, etc.) should be replaced with a wildcard, then the wildcard solution will not help scanners. At the moment of EOL (a day or two after the records are replaced), users will stop receiving advisories for that OS. |
|
I'm not quite sure I understand your comment. This proposal does not apply to existing records. This is the rough timeline I'm imagining,
Currently the same flow is happening, but step 5 is missing.
Could adding a date help with this? An advisory that's time bound, to let the user know that the EOL is coming up, and they should look at starting to migrate off e.g. 6 months earlier. |
|
Since the problem started with the removal of records from Ubuntu, a lot of my reasoning is based specifically on that experience.
Now I understand your logic, and this works for us.
A date can definitely be useful for scanners — but I'd argue it belongs in a separate, machine-readable source maintained by the vendor with the official EOL dates. The key reason is that these dates aren't static: some vendors revise them over time (Amazon Linux, for example, has pushed its EOL dates back more than once). Keeping them in one authoritative, machine-readable source means scanners always read the current value, and OSV stays focused on the vulnerability data — while the wildcard advisory still carries the present-tense "this release is EOL now" signal. |
|
I think my biggest question is, where would this blank advisory just for the EOL would live? |
Yes it would need to be a new ID, as for where it will live, from the scanner / ingestors perspective this shouldn't matter too much. |
This PR introduces support for a special wildcard package name
*to the OSV schema and theosv-lintervalidation tool.Changes
*which allows an advisory to affect all packages within a specified ecosystem (e.g. to denote EOL).This fixes #519 by providing a mechanism to represent End-of-Life (EOL) for an entire ecosystem without having to list every individual package. By using a wildcard package name
*, data providers can publish a single advisory for the EOL ecosystem version (e.g.Ubuntu:18.04). Any query for a package within that ecosystem will then match this advisory, alerting users that the ecosystem itself is no longer supported, so the results might not be complete / up to date.Definitely looking for feedback on this approach!