Ubuntu deleted data still showing up in osv.dev
Describe the bug As new CVEs are published, new OSV data are generated for Ubuntu, but at some point the team will triage that CVE and might define that this CVE does not affect any Ubuntu release. In that case, that OSV file is removed from the repo, as the affected[] field would be empty.
To Reproduce Steps to reproduce the behaviour:
- Go to 'https://osv.dev/vulnerability/UBUNTU-CVE-2024-53861'
- Check the file in the Ubuntu repo exists: 'https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-53861.json'
Expected behaviour If an OSV file is deleted, the website shouldn't show that file anymore either.
Hey @dodys !
Is it possible to keep these files around, but mark them as withdrawn instead? That's how we typically expect sources to "remove" entries.
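What the reply above asks for, as an added Python example (not code from osv.dev or from the ubuntu-security-notices repo): after triage concludes that no release is affected, the source keeps the record and sets the OSV `withdrawn` timestamp instead of deleting the file. The sample record is constructed; only the id comes from this issue, and the package name, dates and range are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of an Ubuntu OSV record. Only the id comes
# from this issue; package, dates and range are made-up placeholders.
SAMPLE_ENTRY = {
    "schema_version": "1.6.0",
    "id": "UBUNTU-CVE-2024-53861",
    "modified": "2024-12-01T00:00:00Z",
    "published": "2024-12-01T00:00:00Z",
    "affected": [
        {
            "package": {"ecosystem": "Ubuntu:24.04:LTS", "name": "example-pkg"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
        }
    ],
}


def _rfc3339(when: datetime) -> str:
    """OSV timestamps are RFC 3339 in UTC with a trailing Z."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def withdraw_entry(entry: dict, when: datetime) -> dict:
    """Return a copy of `entry` marked as withdrawn at `when`.

    Instead of deleting the file once triage decides no release is affected,
    the source keeps publishing the id: `withdrawn` tells consumers the advisory
    is retracted, `affected` is cleared to match the triage result, and
    `modified` is bumped so importers pick up the change.
    """
    out = json.loads(json.dumps(entry))  # deep copy; leave the input untouched
    stamp = _rfc3339(when)
    out["withdrawn"] = stamp
    out["modified"] = stamp
    out["affected"] = []
    return out


def reconcile(entry: dict, affects_a_release: bool, when: datetime) -> dict:
    """Source-side step after triage: the record is kept either way."""
    return entry if affects_a_release else withdraw_entry(entry, when)


def is_active(entry: dict) -> bool:
    """Consumer-side check: a withdrawn record must not produce findings."""
    return "withdrawn" not in entry and bool(entry.get("affected"))


def to_json(entry: dict) -> str:
    """Serialise for writing back to the osv/cve/<year>/<id>.json file."""
    return json.dumps(entry, indent=2) + "\n"


if __name__ == "__main__":
    withdrawn = reconcile(SAMPLE_ENTRY, affects_a_release=False,
                          when=datetime.now(timezone.utc))
    print(to_json(withdrawn))
```

The consumer-side `is_active` check is the half that matters for scanners: a record that is present in the feed but carries `withdrawn` must be treated as retracted, which is exactly why deleting the file (and leaving the old copy in osv.dev with no signal) is worse than keeping it.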
hey @oliverchang!
oh, I didn't realize that field existed, is that a 1.7.0 field?
It's been there since pre-1.0 :) But the fact you didn't know about it means we haven't signposted it enough in our documentation -- @jess-lowe @hogo6002 this is something we should incorporate in our revamped documentation for sources!
oh, my bad too, I saw I did already have it but really never implemented it. I will try to adopt it, it might take a few weeks until I fix this.
Thanks @dodys !
Is there any possibility you could also take a look at upstream while you're changing things with the feed? For most advisories I'd imagine it's a matter of s/related/upstream/.
@oliverchang yes totally, that's one of the reasons it might take a few weeks, my idea is to fix the withdraw issue and update the schema to 1.7.0 on all data to use the upstream and Ubuntu specific severity fields
I think there is a related problem with entries that the Ubuntu team set to "Ignored". The entries in the original Ubuntu JSON list the versions but without a "fixed" entry. This results in many false positive hits in our pipelines currently.
I think this is a flaw in the Ubuntu JSON sources but I post here for awareness.
Example:
- The CVE-2015-4852 entry on OSV.dev lists Ubuntu:24.04:LTS as affected
- The corresponding JSON from Ubuntu lists it as "not fixed" (see below)
- The Ubuntu Security website lists the CVE as ignored
```json
{
  "package": {
    "ecosystem": "Ubuntu:24.04:LTS",
    "name": "openjdk-8",
    "purl": "pkg:deb/ubuntu/openjdk-8@8u452-ga~us1-0ubuntu1~24.04?arch=source&distro=noble"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "0"
        }
      ]
    }
  ],
  "versions": [
    "8u382-ga-1ubuntu1",
    "8u392-ga-1",
    "8u402-ga-1",
    "8u402-ga-2",
    "8u402-ga-2ubuntu1",
    "8u402-ga-2ubuntu6",
    "8u402-ga-2ubuntu7",
    "8u402-ga-8build1",
    "8u412-ga-1~24.04.2",
    "8u422-b05-1~24.04",
    "8u432-ga~us1-0ubuntu2~24.04",
    "8u442-b06~us1-0ubuntu1~24.04",
    "8u452-ga~us1-0ubuntu1~24.04"
  ],
  "ecosystem_specific": {
    "ubuntu_priority": "high"
  }
}
```
this is unrelated to the topic of this bug, please don't mix topics.
This is now solved and the withdrawn data reflects it.