Download echo OSV advisories to vuln-list#436
Conversation
There was a problem hiding this comment.
Can you use real advisories (names, fixed version, etc) in test?
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Echo", |
There was a problem hiding this comment.
What about ecosystem for language packages?
I found ECHO-7db2-03aa-5591 with "ecosystem":"PyPI","name":"pip",.
Do you want use default ecosystem for language packages?
There was a problem hiding this comment.
can you also add testcase with multiple affected packages.
There was a problem hiding this comment.
I'm not sure I fully understand what you mean in the question. We follow the pep440 conventions of versioning (using local versions for pypi packages).
There was a problem hiding this comment.
No, I was talking about the affected[].package.ecosystem field.
You have a specific Echo ecosystem and use Echo for deb packages.
e.g.:
"package": {
"ecosystem": "Echo",
"name": "python-pip"
},But i see that you use "default" ecosystems for language packages
e.g.:
"package": {
"ecosystem": "PyPI",
"name": "pip",
"purl": "pkg:pypi/pip"
},Since you have your "own" ecosystem — using "default" ecosystems is a bit confusing.
That's why I had the question — is this expected, and do you plan to "expand" the Echo ecosystem in the future (for example "Echo PyPI" or something along those lines)?
There was a problem hiding this comment.
So we publish advisories both for OS packages and for language packages in OSV.
I assumed that the default ecosystem is relative to the package ecosystem, is it not how it works? For "Echo" packages it should be our versioning logic, and for PyPi I assumed that "default" means pep440.
There was a problem hiding this comment.
Hey @DmitriyLewen, we changed our osv pypi records to have a new ecosystem Echo:PyPi
|
|
||
| ecosystems := map[string]osv.Ecosystem{ | ||
| "echo": { | ||
| Dir: "", |
There was a problem hiding this comment.
It's better to use the original folder here to verify the file paths.
| Dir: "", | |
| Dir: "echo-osv", |
Replace synthetic test advisories with real ones (ECHO-003f-2632-599c for openssh, ECHO-7db2-03aa-5591 for pip with multiple affected packages) to address PR review feedback. Made-with: Cursor
Rebuild osv-all.zip with real Echo advisories, update wantFiles paths to match, and use Dir: "echo-osv" to verify the full file path. Made-with: Cursor
|
Hey @DmitriyLewen, I addressed you comments :) |
|
Hello @orizerah what about this comment? Are you planning to expand your ecosystem? |
|
We have issues with the OSV records, so I'm drafting this PR until we fix it |
Update golden test files to include the upstream field added to the OSV type, fixing TestOSVUpdater_Update/happy_path failures. Co-authored-by: Cursor <cursoragent@cursor.com>
Echo now publishes Python advisories under the Echo:PyPI ecosystem namespace instead of PyPI. Update the test zip and golden file to reflect the new upstream format. Co-authored-by: Cursor <cursoragent@cursor.com>
|
@DmitriyLewen we fixed the issue with OSV and I made some changes to the code. |
| target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+ | ||
| "redhat-csaf-vex, debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, glad, cwe, osvdev, mariner, kevc, wolfi, "+ | ||
| "chainguard, azure, openeuler, echo, minimos, eoldates, rootio)") | ||
| "chainguard, azure, openeuler, echo, echo-osv, minimos, eoldates, rootio)") |
There was a problem hiding this comment.
We will merge this and related PRs together.
So should we save previous source (I mean echo dir)?
There was a problem hiding this comment.
We need the echo dir for the os package scanning, but the OSV mostly for our Language Package advisories, should we filter them to decrease the dir size?
There was a problem hiding this comment.
So the OSV package doesn't contain advisories for OS packages?
Or is the list incomplete?
I just saw a file for OS packages in the tests and thought the OSV archive contained all your advisories.
There was a problem hiding this comment.
It contain all of our advisories. But we still want Trivy to work with our data.json file for advisories.
There was a problem hiding this comment.
Having 2 sources complicates the code and maintenance:
- we need to keep track of 2 packages
- the code must exclude advisories (e.g. OS packages from OSV and language packages (if any) from data.json)
What positive aspects or necessary points do you see for using 2 databases?
Perhaps we can address them right away.
There was a problem hiding this comment.
We build our OSV and data.json advisories differently. We rely on our findings from scanning our images with Trivy (using the data.json) to build the OSV advisory for other scanners.
Language packages are different, and we were asked to implement it using OSV to remain aligned with other vendors.
The data.json doesn't hold language packages (so no change is necessary), but I will filter out the OS packages from echo-osv.
There was a problem hiding this comment.
We build our OSV and data.json advisories differently. We rely on our findings from scanning our images with Trivy (using the data.json) to build the OSV advisory for other scanners.
I compared the OSV source and the data.json file and found that the OSV feed does not contain all the advisories for OS packages (compared to data.json).
If I understood correctly — this is exactly what you meant.
Could you clarify how feasible it is to "populate" the OSV source with all the advisories?
In the meantime we will discuss the option of using 2 sources internally within the team.
There was a problem hiding this comment.
Hey @DmitriyLewen
It's currently not very feasible to populate the OSV with the full data.json data. That's because we build it using the results we get from scanning with the data.json itself.
I changed the code here to only import the language packages advisories from OSV so it will reduce the amount of data we add to the db.
There was a problem hiding this comment.
I changed the code here to only import the language packages advisories from OSV so it will reduce the amount of data we add to the db.
Hello @orizerah
Thanks!
As I mentioned earlier, I noticed that the OSV feed contains only a portion of the advisories.
Could you share information on why you only store a portion of them?
And is it possible to keep only the advisories for language packages in the OSV feed (so that the filtering is on your side)?
There was a problem hiding this comment.
Hey @DmitriyLewen
The OSV feed contains only a portion of the CVEs because we build it based on CVEs we detect using other advisory sources. To be concise, we detect CVEs using our data.json as a source (which is built to contain a larger scope of CVEs), and those detections are used to feed OSV.
Unfortunately, we can't keep only language package advisories in OSV because other scanners use it to scan our images with it.
|
|
||
| const ( | ||
| osvURL = "https://advisory.echohq.com/osv/all.zip" | ||
| osvDir = "echo-osv" |
There was a problem hiding this comment.
same question.
osv package removes previous files, so we can use echo dir here.
2 participants
Add support for downloading Echo's OSV advisory
Issue: aquasecurity/trivy#10519