Export for SAP VAS #13

@sh4sm

Description

The SAP Vulnerability Advisory Service (VAS) informs users of Garden Linux (GL) about security issues and advises when to upgrade. To fulfil this service they need easily parsable information about the open CVEs for our supported Garden Linux releases. Currently this is done by parsing the release page on GitHub and the CVEs provided there, but in future we want to provide them a more reliable solution.

VAS runs an automated daily task for GL that checks the release page. This task can be adjusted to parse a data format provided by us. Our current idea is to provide the open CVEs of the supported GL versions in one JSON file. The CVE entries inside this file can use the CVE JSON V5 Record format. The affected GL versions can be marked by an ADP container entry and its affected field. Each GL version gets a CPE assigned, which we have to use inside the CVE entry so that VAS can correctly map the CVEs to GL versions.

The created file can be made accessible via our yet-to-be-established way of providing external web artifacts. Once a new version of GL is released we update the file so that VAS can consume it and inform the users about the new update option.

This task can only be implemented once the prototype for GLVD2 (#1) is finished and tested, since it is important to only inform VAS about the relevant CVEs for a release (avoiding false positives) to avoid additional effort.
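To make the proposed format concrete, here is an added example (not code from the Garden Linux project or from the issue author) that builds one CVE JSON 5 record per CVE carrying only the ADP container with the GL `affected` entries, and a VAS-side lookup that maps a GL version to its open CVEs via the CPE. The CPE scheme, the ADP `orgId`, the GL version numbers and the CVE IDs are all constructed placeholders; the records are minimal and a schema-complete record would additionally need `cveMetadata.assignerOrgId` and the CNA container.

```python
import json

# Constructed placeholders: the real CPE scheme, orgId and version list would
# come from the CPE assignment for GL and from the GLVD data.
GL_CPE_PREFIX = "cpe:2.3:o:sap:gardenlinux:"
ADP_ORG_ID = "00000000-0000-4000-8000-000000000000"  # placeholder ADP orgId


def gl_cpe(version: str) -> str:
    """CPE 2.3 string for one Garden Linux release (constructed scheme)."""
    return f"{GL_CPE_PREFIX}{version}:*:*:*:*:*:*:*"


def adp_entry(cve_id: str, status_by_version: dict) -> dict:
    """Minimal CVE JSON 5 record holding only the GL ADP container.
    status_by_version maps GL version -> "affected" | "unaffected"."""
    affected = [{
        "vendor": "SAP",
        "product": "Garden Linux",
        "defaultStatus": "unknown",
        "cpes": [gl_cpe(v) for v in status_by_version],
        "versions": [{"version": v, "status": s} for v, s in status_by_version.items()],
    }]
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
        "containers": {"adp": [{"providerMetadata": {"orgId": ADP_ORG_ID},
                                "affected": affected}]},
    }


def open_cves_for(feed: list, gl_version: str) -> list:
    """VAS-side lookup: CVE IDs whose ADP container marks gl_version
    (matched through its CPE) with status "affected"."""
    wanted = gl_cpe(gl_version)
    hits = set()
    for rec in feed:
        for adp in rec.get("containers", {}).get("adp", []):
            for aff in adp.get("affected", []):
                if wanted not in aff.get("cpes", []):
                    continue
                if any(v["version"] == gl_version and v["status"] == "affected"
                       for v in aff.get("versions", [])):
                    hits.add(rec["cveMetadata"]["cveId"])
    return sorted(hits)


# Constructed sample feed: placeholder CVE IDs, two constructed GL versions.
FEED = [
    adp_entry("CVE-0000-0001", {"1443.3": "affected", "1592.1": "unaffected"}),
    adp_entry("CVE-0000-0002", {"1443.3": "affected", "1592.1": "affected"}),
]

if __name__ == "__main__":
    print(json.dumps(FEED, indent=2))          # the single JSON file VAS would fetch
    print(open_cves_for(FEED, "1592.1"))       # ['CVE-0000-0002']
```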
