
Track date timestamps in vulnerability data #742

Open
wagoodman opened this issue Dec 4, 2024 · 2 comments
Labels: enhancement (New feature or request)

wagoodman (Contributor) commented Dec 4, 2024

What would you like to be added:
Where possible, track the following timestamps for each provider:

  • published date
  • modified date
  • withdrawn date

Why is this needed:
This is very helpful in terms of understanding what data has changed in the grype DB, especially when grype DB v6 schema lands.

Additional context:

Here's what I see today in terms of the providers that need work (github and nvd are not listed since they already capture this information and output it in their results):

| Provider | Published · Modified · Fixed · Withdrawn | Comments |
|---|---|---|
| alpine | ⚠️ ⚠️ ? | Use NVD date info (publish + modified + withdrawn) + aports git timestamps (publish + modified) |
| wolfi | ? | Port to using advisories over secdb |
| chainguard | ? | Port to using advisories over secdb |
| amazon | ? | Use XML pubdate + HTML span info |
| debian | ? | Dates listed for each DSA. Important: legacy distros not covered |
| mariner | ? | Use advisory_date field in OVAL XML |
| oracle | ? | Use issued field in elsa-all XML |
| rhel | ? | Use issued and updated in OVAL XML |
| sles | ? | Use issued and updated in OVAL XML |
| ubuntu | ⚠️ ⚠️ ? | Use git timestamp for each commit when processing (modified). Published requires more effort |

Legend Explanation

  • - Data is trivially accessible from existing input data already being downloaded.
  • ⚠️ - Possible to associate the data but will require more work (or downloading more data sources).
  • - Not clear where to get this information from.
  • ? - Not clear yet if it can be added (Fixed data availability status is uncertain).

This work depends on date information being added to the OS workspace schema (#266).

Current development status

| Provider | Published · Modified · Fixed · Withdrawn | PR |
|---|---|---|
| oracle | - - - | exists already |
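The table above names the fields each feed exposes (issued/updated in RHEL and SLES OVAL, advisory_date in Mariner OVAL) but not how to turn them into the provider-independent published/modified record that a DB diff needs. The following is an added example written for this page, not code from this issue or from the project's own provider code. It assumes an element layout around those fields (a `<definition>` containing `<metadata>/<advisory>`) and namespace-free XML; real vendor OVAL files are namespaced and should be parsed with a hardened parser such as defusedxml, since they are fetched over the network. The sample documents are constructed for the example.

```python
"""Pull published/modified timestamps out of OVAL-style advisory XML and use
them to answer "which advisories changed since my last DB build?"."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Per-provider locators: (path relative to a <definition>, attribute name, or
# None for element text). The field names (issued/updated, advisory_date) are
# the ones the issue lists; the element layout around them is an assumption
# made for this example, not the real vendor schemas.
DATE_LOCATORS: dict[str, dict[str, tuple[str, Optional[str]]]] = {
    "rhel": {"published": ("./metadata/advisory/issued", "date"),
             "modified": ("./metadata/advisory/updated", "date")},
    "sles": {"published": ("./metadata/advisory/issued", "date"),
             "modified": ("./metadata/advisory/updated", "date")},
    "mariner": {"published": ("./metadata/advisory/advisory_date", None)},
}

# Constructed sample inputs; these are not real Red Hat or Mariner documents.
SAMPLE_RHEL_LIKE = """<oval_definitions><definitions>
  <definition id="oval:com.example:def:1"><metadata><advisory>
    <issued date="2024-11-20"/><updated date="2024-12-02T10:15:00Z"/>
  </advisory></metadata></definition>
  <definition id="oval:com.example:def:2"><metadata><advisory>
    <issued date="2024-10-01"/>
  </advisory></metadata></definition>
  <definition id="oval:com.example:def:3"><metadata><advisory>
    <issued date="soon"/>
  </advisory></metadata></definition>
</definitions></oval_definitions>"""

SAMPLE_MARINER_LIKE = """<oval_definitions><definitions>
  <definition id="oval:com.example:def:9"><metadata><advisory>
    <advisory_date>2024-09-15T00:00:00Z</advisory_date>
  </advisory></metadata></definition>
</definitions></oval_definitions>"""


@dataclass(frozen=True)
class AdvisoryDates:
    advisory_id: str
    published: Optional[datetime]
    modified: Optional[datetime]

    def last_changed(self) -> Optional[datetime]:
        """Best available 'last change' time: modified, else published, else None."""
        return self.modified or self.published


def parse_timestamp(raw: Optional[str]) -> Optional[datetime]:
    """Normalise a feed date to an aware UTC datetime.

    Accepts date-only values ('2024-11-20') and ISO 8601 datetimes, including a
    trailing 'Z'. Naive values are assumed to be UTC. Malformed values become
    None rather than a guessed date, so they surface as gaps instead of as
    plausible-looking timestamps.
    """
    if not raw:
        return None
    text = raw.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"   # fromisoformat() on older Pythons rejects 'Z'
    try:
        value = datetime.fromisoformat(text)
    except ValueError:
        return None
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def _read(definition: ET.Element, locator: tuple[str, Optional[str]]) -> Optional[str]:
    path, attr = locator
    node = definition.find(path)
    if node is None:
        return None
    return node.get(attr) if attr else node.text


def extract_dates(provider: str, xml_text: str) -> list[AdvisoryDates]:
    """One AdvisoryDates per <definition>, using the provider's locators."""
    locators = DATE_LOCATORS[provider]
    root = ET.fromstring(xml_text)
    records = []
    for definition in root.iter("definition"):
        published = parse_timestamp(_read(definition, locators["published"]))
        modified = None
        if "modified" in locators:
            modified = parse_timestamp(_read(definition, locators["modified"]))
        records.append(AdvisoryDates(definition.get("id", ""), published, modified))
    return records


def changed_since(records: list[AdvisoryDates], cutoff: datetime) -> list[str]:
    """IDs whose last known change is after cutoff.

    Records with no usable date are included on purpose: a missing or broken
    timestamp must not make a changed advisory silently drop out of a diff.
    """
    return [r.advisory_id for r in records
            if r.last_changed() is None or r.last_changed() > cutoff]


if __name__ == "__main__":
    rhel = extract_dates("rhel", SAMPLE_RHEL_LIKE)
    for rec in rhel:
        print(rec.advisory_id, rec.published, rec.modified)
    print(changed_since(rhel, parse_timestamp("2024-11-30")))
```

Two choices here matter for the use case in the issue. A provider with only a published date (Mariner in this sketch) yields `modified=None` rather than copying the published value into it, so the DB can tell "never modified" from "modified on the day it was published". And `changed_since` keeps records whose dates failed to parse, which is the conservative failure mode when the dates are used to decide what to re-process.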
zhill (Member) commented Dec 6, 2024

I think there is a good use-case for specifically tracking when fix information is added to a record, outside of just the broader "Modified" category, if that information is available.

wagoodman (Contributor, Author) commented

Good call -- the v6 schema has a spot for this but it is not really leveraged yet, I'll update this table...

Projects
Status: Ready
Development

No branches or pull requests

2 participants