Conversation

dfandrich

This is basically cargo-culted from existing entries so I don't know if this is
done properly or not. Unfortunately, Mageia vulnerabilities don't seem to be in
the vulnerability database (according to "grype db providers") so I'm not able
to perform a full test.

@wagoodman (Contributor)

Hi @dfandrich ! The first step to adding support for a new distro is to add a new vunnel provider that reads vulnerability advisories from the intended source. We have some documentation on the best way to get started adding a provider. I don't know much about Mageia, but since it's RPM based there shouldn't be a need to add support in syft to detect packages (🎉 ). Once the vunnel provider is written then it's easier to test the grype changes needed to use that data (we can update this PR later).

Might you be interested in contributing the vunnel provider for this distro?

@dfandrich (Author)

I can probably do that. Is there a reason vunnel doesn't pull from osv.dev? That would eliminate the need for all the Alpine, Debian, GSA, Red Hat, SLES, Ubuntu and Wolfi parsers since they're already in osv.dev.

@wagoodman (Contributor)

I haven't checked in a while, but years ago the data in osv.dev was lacking some of the same severity information and distro specific details that existed in the canonical sources -- I don't know if this is still true. There is a community member that is actively adding an OSV transformer to the grype-db repo, which would be a necessary step after writing the vunnel provider.

@dfandrich (Author)

The data displayed for Mageia vulnerabilities at osv.dev contains all the data of the canonical source, so pulling it from there should be viable. Could you point me to the OSV transformer? Is anyone already working on pulling data from osv.dev?

@willmurphyscode (Contributor)

Hi @dfandrich,

> The data displayed for Mageia vulnerabilities at osv.dev contains all the data of the canonical source, so pulling it from there should be viable. Could you point me to the OSV transformer? Is anyone already working on pulling data from osv.dev?

Grype (or really vunnel, the client that downloads data to be built into Grype's database) needs to pull down all the vulnerability data for a given provider, and, AFAIK, the osv.dev API doesn't provide an endpoint that can be used to enumerate the entire dataset. Do you know whether Mageia has an upstream source we can access directly?

We do have one provider in progress that uses OSV data, but we get the data by downloading it from a git repo that's upstream of osv.dev.

The transformer is here:

@dfandrich (Author)

dfandrich commented Apr 25, 2025 via email
