Assess whether semver_dialects can be used to match SBOM components generated by container scanning

Problem to solve

This issue is tied to Assess accuracy of semver_dialects using gemnas... (#369238 - closed) and is meant to assess whether the semver_dialects gem supports all the version formats supported by container scanning: https://docs.gitlab.com/ee/user/application_security/container_scanning/#supported-distributions

Proposal

Because trivy does its own version matching (e.g. https://github.com/aquasecurity/trivy/tree/main/pkg/detector/library/compare) rather than delegating to the package manager in another process (as is done with vrange), the assessment can take test cases from the unit tests of various detectors (e.g. library, ospkg) to feed to semver_dialects and assess coverage.

Trivy Detectors:

Trivy detection docs:

Container scanning supported sources:

Implementation Plan

The goal is to assess whether the vulnerability format of the sources can be supported in the rails monolith: can the semver_dialects gem be used or is extra logic needed?

  • for each advisory data source in the supported sources (see vuln-list and the trivy detection logic), fill in the Assessment section below:
    • identify the version format, affected range format, and fixed version format of the source
    • assess whether each of these is supported by semver_dialects
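As an added example (not code from this issue or from the semver_dialects gem), here is a Ruby reference implementation of the dpkg version comparison that the Debian Security Bug Tracker and Ubuntu CVE Tracker rows depend on, plus a small harness that runs Trivy-style comparison cases through any comparator, so the same case table can later be pointed at a semver_dialects wrapper. The version strings and the `failing_cases` harness are constructed for this example and are assumptions, not values taken from Trivy's test suite.

```ruby
# dpkg character order: '~' < end of string (0) < letters (ASCII) < other characters.
def dpkg_order(c)
  return -1 if c == '~'
  c.nil? ? 0 : (c =~ /[A-Za-z]/ ? c.ord : c.ord + 256)
end
# Compare upstream/revision strings as dpkg does: alternate non-digit runs with numeric runs.
def verrevcmp(a, b)
  a, b = a.dup, b.dup
  until a.empty? && b.empty?
    pa = a.slice!(/\A\D*/)
    pb = b.slice!(/\A\D*/)
    [pa.size, pb.size].max.times do |i|
      c = dpkg_order(pa[i]) <=> dpkg_order(pb[i])
      return c unless c.zero?
    end
    c = a.slice!(/\A\d*/).to_i <=> b.slice!(/\A\d*/).to_i
    return c unless c.zero?
  end
  0
end
# Split "[epoch:]upstream[-revision]": epoch defaults to 0, the revision is the text after the LAST hyphen.
def parse_deb(version)
  epoch, rest = version.include?(':') ? version.split(':', 2) : ['0', version]
  cut = rest.rindex('-')
  upstream, revision = cut ? [rest[0...cut], rest[(cut + 1)..-1]] : [rest, '']
  [epoch.to_i, upstream, revision]
end
# -1, 0 or 1 like <=>: the epoch decides first, then upstream, then revision.
def deb_cmp(a, b)
  (ea, ua, ra), (eb, ub, rb) = parse_deb(a), parse_deb(b)
  c = ea <=> eb
  c = verrevcmp(ua, ub) if c.zero?
  c.zero? ? verrevcmp(ra, rb) : c
end
# An installed package is affected while it sorts below the advisory's fixed version.
def affected?(installed, fixed)
  deb_cmp(installed, fixed).negative?
end
# Constructed cases in the shape of Trivy's compare tests: [a, b, expected sign].
DEB_CASES = [
  ['1.0~rc1', '1.0', -1], ['1:1.0', '2.0', 1], ['1.0-1', '1.0', 1],
  ['1.0.0', '1.0.0a', -1], ['2.31-13+deb11u5', '2.31-13+deb11u3', 1],
  ['1.0-1ubuntu2', '1.0-1ubuntu10', -1], ['0:1.0', '1.0', 0]
].freeze
# Run the cases through any comparator (e.g. a semver_dialects wrapper); returns the ones it gets wrong.
def failing_cases(cases, comparator = method(:deb_cmp))
  cases.reject { |a, b, want| comparator.call(a, b) == want }
end
```

A plain lexicographic comparator fails four of the seven cases (tilde, epoch, multi-digit revision and default epoch), which is exactly the kind of gap the assessment table is meant to surface per source.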

Assessment

| Data Source | Version Format | Affected Range Format | Fixed Format | Supported by semver_dialects |
|---|---|---|---|---|
| AlmaLinux Security Advisory | | | | |
| Amazon Linux Security Center | | | | |
| Arch Linux Security Tracker | | | | |
| SUSE CVRF | | | | |
| CWE Advisories | | | | |
| Debian Security Bug Tracker | | | | |
| GitHub Security Advisory | | | | |
| Go Vulnerability Database | | | | |
| CBL-Mariner Vulnerability Data | | | | |
| NVD | | | | |
| OSV | | | | |
| Red Hat OVAL v2 | | | | |
| Red Hat Security Data API | | | | |
| Photon Security Advisories | | | | |
| Rocky Linux UpdateInfo | | | | |
| Ubuntu CVE Tracker | | | | |

Note: the container scanning docs, in the Ubuntu section, state "only data sources from mid 2021 and later": https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerabilities-database

Edited by Igor Frenkel