Hello,
We have been hard at work the past month working on a CVE tracking system
for Alpine. While this work is not 100% complete, it is in a state where
we can start testing it and making tweaks as needed.
You can play with it at https://security.alpinelinux.org/ and if you want
to send some tweaks, it's at
https://gitlab.alpinelinux.org/kaniini/secfixes-tracker on Gitlab.
Thanks to the infrastructure team for getting up the test version so
quickly!
Ariadne
Hi Ariadne,
Thank you for letting us know the Security Fix Tracker. It looks awesome!
Does it also have any API returning JSON or something like that?
Thanks,
Teppei
On Wed, 21 Apr 2021 at 7:43, Ariadne Conill <ariadne@dereferenced.org> wrote:
> Hello,
>
> We have been hard at work the past month working on a CVE tracking system
> for Alpine. While this work is not 100% complete, it is in a state where
> we can start testing it and making tweaks as needed.
>
> You can play with it at https://security.alpinelinux.org/ and if you want
> to send some tweaks, it's at
> https://gitlab.alpinelinux.org/kaniini/secfixes-tracker on Gitlab.
>
> Thanks to the infrastructure team for getting up the test version so
> quickly!
>
> Ariadne
Hello,
On Wed, 21 Apr 2021, Teppei Fukuda wrote:
> Hi Ariadne,
> Thank you for letting us know the Security Fix Tracker. It looks awesome!
> Does it also have any API returning JSON or something like that?
In the next version, you will be able to request with the "Accept:
application/ld+json" header to get JSON-LD. I am still working on
finalizing the JSON-LD vocabulary.
I am hoping that the JSON-LD vocabulary will be partially shared with Max
Rees' work on APKVitrine (which is planned to replace aports-turbo), so
that pkgs.alpinelinux.org data can be queried in the same way.
Ariadne
Great, thanks for the update. I'm looking forward to it.
Best,
Teppei
On Wed, 21 Apr 2021 at 10:00, Ariadne Conill <ariadne@dereferenced.org> wrote:
> Hello,
>
> On Wed, 21 Apr 2021, Teppei Fukuda wrote:
>
> > Hi Ariadne,
> > Thank you for letting us know the Security Fix Tracker. It looks
> > awesome! Does it also have any API returning JSON or something like that?
>
> In the next version, you will be able to request with the "Accept:
> application/ld+json" header to get JSON-LD. I am still working on
> finalizing the JSON-LD vocabulary.
>
> I am hoping that the JSON-LD vocabulary will be partially shared with Max
> Rees' work on APKVitrine (which is planned to replace aports-turbo), so
> that pkgs.alpinelinux.org data can be queried in the same way.
>
> Ariadne
That is such a beauty, thanks a lot Ariadne!
I am not sure if you can easily filter it, but when going to the package
in question (like https://security.alpinelinux.org/srcpkg/subversion),
one sees open and resolved CVEs.
What would be quite interesting to see is which Alpine version relates
to which CVEs, not only to which packages.
This could answer the question of "I am running Alpine
3.11, by which CVEs am I likely affected?"
In either case, this is a pretty good start, great work!
Cheers,
Nico
Ariadne Conill <ariadne@dereferenced.org> writes:
> Hello,
>
> We have been hard at work the past month working on a CVE tracking
> system for Alpine. While this work is not 100% complete, it is in a
> state where we can start testing it and making tweaks as needed.
>
> You can play with it at https://security.alpinelinux.org/ and if you
> want to send some tweaks, it's at
> https://gitlab.alpinelinux.org/kaniini/secfixes-tracker on Gitlab.
>
> Thanks to the infrastructure team for getting up the test version so
> quickly!
>
> Ariadne
--
Sustainable and modern Infrastructures by ungleich.ch
Hello,
On Wed, 21 Apr 2021, Nico Schottelius wrote:
> That is such a beauty, thanks a lot Ariadne!
>
> I am not sure if you can easily filter it, but when going to the package
> in question (like https://security.alpinelinux.org/srcpkg/subversion),
> one sees open and resolved CVEs.
In this case, subversion actually has no unresolved CVEs, as those CVEs
are related to Jenkins and the NVD staff have written some nonsense CPE
rule which causes it to match. I'm working on a way to
configuration-define some exemption rules.
> What would be quite interesting to see is which Alpine version relates
> to which CVEs, not only to which packages.
That is already available, with the branch lists on the main page, or do
you mean something else?
> This could answer the question of "I am running Alpine
> 3.11, by which CVEs am I likely affected?"
We plan to make it even easier to ask that question with apk-tools 3. I
am hoping to expose the secfixes data directly in package indices once we
swap over to apk-tools 3.0 indices.
Then you could do something like: apk list --upgradable --security
Ariadne
Hello,
I'm just a regular user of this distribution.
I think it would be great to sort the list by CVE name because they are made from year then sequential number. It is easier to find the last CVE instead of sorting/grouping by package name.
Or better, allow users to sort like they want.
Laurent
On 21 April 2021 at 06:39:56 GMT+02:00, Ariadne Conill <ariadne@dereferenced.org> wrote:
> Hello,
>
> We have been hard at work the past month working on a CVE tracking system
> for Alpine. While this work is not 100% complete, it is in a state where
> we can start testing it and making tweaks as needed.
>
> You can play with it at https://security.alpinelinux.org/ and if you want
> to send some tweaks, it's at
> https://gitlab.alpinelinux.org/kaniini/secfixes-tracker on Gitlab.
>
> Thanks to the infrastructure team for getting up the test version so
> quickly!
>
> Ariadne
Hi,
On Wed, 21 Apr 2021, Laurent Baysse wrote:
> Hello,
>
> I'm just a regular user of this distribution.
>
> I think it would be great to sort the list by CVE name because they are made from year then sequential number. It is easier to find the last CVE instead of sorting/grouping by package name.
>
> Or better, allow users to sort like they want.
We'll probably integrate the JavaScript datatables library to allow this.
A nice benefit of that library is that the application will still continue
to work in browsers which have JavaScript disabled.
Ariadne
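The year-then-sequence ordering Laurent asks for above is not what a plain string sort gives: "CVE-2020-9999" sorts after "CVE-2020-10000" lexically. The following is an added example, not code from secfixes-tracker, showing a numeric sort key for CVE identifiers; the identifiers in it are constructed sample values, not entries from the tracker.

```python
import re

# CVE identifier: "CVE-" + four-digit year + "-" + sequence number of four or more digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def cve_key(cve_id):
    """Return (year, sequence) as integers so identifiers order chronologically.

    Raises ValueError for strings that are not well-formed CVE identifiers,
    so a malformed entry is reported rather than silently sorted somewhere.
    """
    match = CVE_RE.match(cve_id.strip().upper())
    if match is None:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


def sort_cves(cve_ids, newest_first=True):
    """Sort identifiers by year, then by sequence number (numeric, not lexical)."""
    return sorted(cve_ids, key=cve_key, reverse=newest_first)


def newest_cve(cve_ids):
    """The most recently assigned identifier in the list, which is what a
    user scanning a package page usually wants to find first."""
    return max(cve_ids, key=cve_key)


def lexical_misorders(cve_ids):
    """True when a plain string sort disagrees with the numeric order; this is
    the trap that makes sorting by the identifier text alone insufficient."""
    return sorted(cve_ids) != sorted(cve_ids, key=cve_key)


# Constructed sample identifiers (not real tracker entries): a 5-digit and a
# 4-digit sequence number in the same year expose the lexical-vs-numeric gap,
# and one lowercase entry shows the case normalisation in cve_key.
SAMPLE = ["CVE-2020-10000", "CVE-2020-9999", "CVE-2019-12345", "cve-2021-0001"]

if __name__ == "__main__":
    for cve in sort_cves(SAMPLE):
        print(cve)
    print("newest:", newest_cve(SAMPLE))
    print("plain string sort would misorder:", lexical_misorders(SAMPLE))
```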
Hello,
On Wed, 21 Apr 2021, Teppei Fukuda wrote:
> Great, thanks for the update. I'm looking forward to it.
As an update, JSON-LD is now live on security.alpinelinux.org. Common
sense applies here: if you're planning to throw a ton of queries at this
service, you should download and set up your own instance for local
querying of the data.
(The infrastructure team has made it very clear that they will not be
amused by people bulk querying the API and will be handing out bans if it
becomes a problem, so running your own instance is recommended for bulk
querying.)
Ariadne