Ubuntu data set to ignored showing up in OSV.dev
I think there is a related problem with entries that the Ubuntu team set to "Ignored". The entries in the original Ubuntu JSON list the versions but without a "fixed" entry. This results in many false positive hits in our pipelines currently.
I think this is a flaw in the Ubuntu JSON sources, but I am posting here for awareness.
Example:
- The CVE-2015-4852 entry on OSV.dev lists Ubuntu:24.04:LTS as affected
- The corresponding JSON from Ubuntu lists it as "not fixed" (see below)
- The Ubuntu Security website lists the CVE as ignored
```json
{
  "package": {
    "ecosystem": "Ubuntu:24.04:LTS",
    "name": "openjdk-8",
    "purl": "pkg:deb/ubuntu/openjdk-8@8u452-ga~us1-0ubuntu1~24.04?arch=source&distro=noble"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        { "introduced": "0" }
      ]
    }
  ],
  "versions": [
    "8u382-ga-1ubuntu1",
    "8u392-ga-1",
    "8u402-ga-1",
    "8u402-ga-2",
    "8u402-ga-2ubuntu1",
    "8u402-ga-2ubuntu6",
    "8u402-ga-2ubuntu7",
    "8u402-ga-8build1",
    "8u412-ga-1~24.04.2",
    "8u422-b05-1~24.04",
    "8u432-ga~us1-0ubuntu2~24.04",
    "8u442-b06~us1-0ubuntu1~24.04",
    "8u452-ga~us1-0ubuntu1~24.04"
  ],
  "ecosystem_specific": {
    "ubuntu_priority": "high"
  }
}
```
Originally posted by @landesfeind in #3426
@landesfeind this is not an issue. Ignored status means that the Ubuntu Security Team decided not to fix such a vulnerability. Therefore you would still be vulnerable to it. We take this same approach with all the different data we publish.
In the particular case you mention, this was chosen to be ignored (or not fixed) at the time because we had no official confirmation of whether this affects openjdk or not, and whether they would fix it.
@landesfeind you mentioned this creates too many false positives. Do you have actual numbers? We could change our approach to it if more people see the value of such a change.
As you wrote: the CVE exists, and one is still vulnerable to it when Ubuntu decides to ignore it. There is nothing wrong with your approach.
It would help if the Ubuntu JSON data included the "Ignored" information in their JSON exports as an "ecosystem_specific" field to ease the assessment. But that is not on your end.
Yes, we have quite a number of entries that we consider "false positives", but they might not be false positives under conditions different from our approach.
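The shape described in both the original report and the replies (an ECOSYSTEM range with an "introduced" event and no "fixed" event) can be detected mechanically so that a pipeline routes such hits to a manual accept/track decision instead of discarding them. The helper below is an added example, not code from OSV.dev or Ubuntu; it embeds the affected entry quoted above (versions list shortened) plus a constructed contrast entry, and assumes the pipeline has an inventory keyed by "<ecosystem>/<package>".

```python
import json

# Affected entry quoted in the issue (CVE-2015-4852, Ubuntu:24.04:LTS, versions list shortened):
# an ECOSYSTEM range that is opened by "introduced" and never closed by "fixed".
UBUNTU_OPENJDK8 = {
    "package": {"ecosystem": "Ubuntu:24.04:LTS", "name": "openjdk-8"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
    "versions": ["8u382-ga-1ubuntu1", "8u452-ga~us1-0ubuntu1~24.04"],
    "ecosystem_specific": {"ubuntu_priority": "high"},
}

# Constructed contrast case (not from the issue): same shape, but the range is closed by a fix.
FIXED_EXAMPLE = {
    "package": {"ecosystem": "Ubuntu:24.04:LTS", "name": "example-pkg"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.0-2"}]}],
    "versions": ["1.0-1"],
}

def range_status(affected):
    """Return "fixed" if any ECOSYSTEM range carries a "fixed" or "last_affected"
    event, else "open" (introduced, never terminated). An open range is still a
    real hit: it cannot be cleared by upgrading, which is exactly the shape an
    Ignored/not-fixed Ubuntu CVE takes in the OSV export."""
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        for event in rng.get("events", []):
            if "fixed" in event or "last_affected" in event:
                return "fixed"
    return "open"

def is_listed(affected, version):
    """True if the installed version appears in the entry's explicit "versions" list."""
    return version in affected.get("versions", [])

def triage(entries, installed):
    """Split hits for a pipeline; installed maps "<ecosystem>/<name>" to a version.
    Open-range hits land in their own bucket for a manual accept/track decision
    rather than being dropped as false positives."""
    buckets = {"fixed": [], "open": []}
    for entry in entries:
        key = f'{entry["package"]["ecosystem"]}/{entry["package"]["name"]}'
        if key in installed and is_listed(entry, installed[key]):
            buckets[range_status(entry)].append(key)
    return buckets

if __name__ == "__main__":
    inventory = {"Ubuntu:24.04:LTS/openjdk-8": "8u452-ga~us1-0ubuntu1~24.04",
                 "Ubuntu:24.04:LTS/example-pkg": "1.0-1"}
    print(json.dumps(triage([UBUNTU_OPENJDK8, FIXED_EXAMPLE], inventory), indent=2))
```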
This issue has not had any activity for 60 days and will be automatically closed in two weeks.
See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
Automatically closing stale issue