a Linux OS packages vulnerabilities from OSV database? #8769
Closed
i-bs started this conversation in Development
OS vendors typically provide OVAL or CSAF as the primary data source and convert it into the OSV format. Therefore, we prioritize using the primary data sources. However, if you add a script to vuln-list-update, OSV can also be consumed for OS packages.
Looking at https://trivy.dev/latest/docs/scanner/vulnerability/ I see that Vulnerability Scanning → OS Packages → Data Sources are different sources but not the OSV (aka Open Source Vulnerabilities). OSV is used as the Data sources for Language-specific Packages only.
Meanwhile OSV covers many OSes (Linux-based and beyond).
I wonder what it takes or how to use the OSV as the data source for a newly added OS? As that OS's security data is (or soon will be) available in OSV-only and no OVAL or self-made formats.
Thanks
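As an added illustration of the reply's point that OSV can be consumed for OS packages (this is not code from Trivy or vuln-list-update), the Go sketch below flattens one OSV record into per-release advisory rows for a single OS. The `id`, `affected[].package` and `ranges[].events` fields follow the OSV schema; `ExampleOS`, `OtherOS`, the `Advisory` type, `ExtractAdvisories` and the sample record are assumptions made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// osvRecord: subset of the OSV schema (encoding/json matches keys case-insensitively).
type osvRecord struct {
	ID       string
	Affected []struct {
		Package struct{ Ecosystem, Name string }
		Ranges  []struct {
			Type   string
			Events []struct{ Fixed string }
		}
	}
}

// Advisory is a hypothetical flattened row: one package in one OS release.
type Advisory struct{ VulnID, Release, Package, FixedVersion string }

// Constructed sample record; "ExampleOS", "OtherOS" and all values are placeholders.
const sampleOSV = `{"id":"EXOS-0000-0001","affected":[
{"package":{"ecosystem":"ExampleOS:1.0","name":"openssl"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.1-r2"}]}]},
{"package":{"ecosystem":"ExampleOS:2.0","name":"openssl"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},
{"package":{"ecosystem":"OtherOS:9","name":"openssl"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.1"}]}]}]}`

// ExtractAdvisories keeps entries whose ecosystem is osName, optionally followed by ":<release>".
// An empty FixedVersion means the record lists no fix for that release.
func ExtractAdvisories(raw []byte, osName string) (out []Advisory, err error) {
	var rec osvRecord
	if err = json.Unmarshal(raw, &rec); err != nil {
		return nil, fmt.Errorf("decode OSV record: %w", err)
	}
	for _, a := range rec.Affected {
		name, release, _ := strings.Cut(a.Package.Ecosystem, ":")
		if name != osName {
			continue // a different OS or a language ecosystem
		}
		adv := Advisory{VulnID: rec.ID, Release: release, Package: a.Package.Name}
		for _, r := range a.Ranges {
			for _, e := range r.Events {
				if r.Type == "ECOSYSTEM" && e.Fixed != "" { // skip GIT/SEMVER ranges
					adv.FixedVersion = e.Fixed
				}
			}
		}
		out = append(out, adv)
	}
	return out, nil
}

func main() { fmt.Println(ExtractAdvisories([]byte(sampleOSV), "ExampleOS")) }
```

Comparing an installed package version against `FixedVersion` still needs the OS's own version-ordering rules, which the OSV record does not supply.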