Distro: Arch Linux

Add support for ingesting Arch Linux into the command line component for vuln-list ingestion.

Trivy Ingestion Code

Ingestion

  • Organization: /arch-linux/
    • Single folder of JSON files named AVG-N.json, example: AVG-1244.json
  • Mapping to CVE
    • Found in issues, an array of CVE IDs
  • Filter out status == Not affected
  • Fixed version
    • The status property is Fixed
    • The fixed property: "fixed": "0.9.11-1",
    • Package names in packages array
  • Affected version
    • The affected property: "affected": "0.9.10-4",
    • Package names in packages array
  • Severity in severity, no mapping needed

Examples

Example of fixed:

{
  "name": "AVG-124",
  "packages": [
    "libvncserver"
  ],
  "status": "Fixed",
  "severity": "Critical",
  "type": "arbitrary code execution",
  "affected": "0.9.10-4",
  "fixed": "0.9.11-1",
  "issues": [
    "CVE-2016-9942",
    "CVE-2016-9941"
  ],
  "advisories": [
    "ASA-201701-20"
  ]
}

Example of not fixed:

{
  "name": "AVG-2048",
  "packages": [
    "ming"
  ],
  "status": "Vulnerable",
  "severity": "Medium",
  "type": "multiple issues",
  "affected": "0.4.8.r68.g04aee523-3",
  "fixed": "",
  "issues": [
    "CVE-2021-34342",
    "CVE-2021-34341",
    "CVE-2021-34340",
    "CVE-2021-34339",
    "CVE-2021-34338"
  ],
  "advisories": []
}

Filter out status == Not affected:

{
  "name": "AVG-2019",
  "packages": [
    "firefox"
  ],
  "status": "Not affected",
  "severity": "High",
  "type": "multiple issues",
  "affected": "88.0.1-1",
  "fixed": "89.0-1",
  "issues": [
    "CVE-2021-29965",
    "CVE-2021-29964",
    "CVE-2021-29963",
    "CVE-2021-29962"
  ],
  "advisories": []
}
Edited by Michael Eddington
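
The mapping rules listed under Ingestion, applied to the three sample records, as an added example (not code from this project or from Trivy). The row field names `cve`, `package` and `avg` and the function names are hypothetical; the input is a constructed, trimmed copy of the records above.

```python
import json

# Constructed sample input: trimmed copies of the three AVG records on this page,
# keyed by file name as they would sit in the /arch-linux/ folder.
SAMPLE_FILES = {
    "AVG-124.json": """{"name": "AVG-124", "packages": ["libvncserver"],
        "status": "Fixed", "severity": "Critical", "affected": "0.9.10-4",
        "fixed": "0.9.11-1", "issues": ["CVE-2016-9942", "CVE-2016-9941"]}""",
    "AVG-2048.json": """{"name": "AVG-2048", "packages": ["ming"],
        "status": "Vulnerable", "severity": "Medium",
        "affected": "0.4.8.r68.g04aee523-3", "fixed": "",
        "issues": ["CVE-2021-34342", "CVE-2021-34341"]}""",
    "AVG-2019.json": """{"name": "AVG-2019", "packages": ["firefox"],
        "status": "Not affected", "severity": "High", "affected": "88.0.1-1",
        "fixed": "89.0-1", "issues": ["CVE-2021-29965", "CVE-2021-29964"]}""",
}


def map_avg(record):
    """Return one row per (CVE, package) pair, or [] when the record is filtered."""
    status = record.get("status")
    if status == "Not affected":
        return []
    # Use "fixed" only when status is Fixed; an empty string means no fix yet.
    fixed = (record.get("fixed") or None) if status == "Fixed" else None
    return [
        {   # Row field names are hypothetical, chosen for this example.
            "cve": cve,
            "package": pkg,
            "avg": record["name"],
            "severity": record.get("severity"),  # used as-is, no mapping
            "affected": record.get("affected"),
            "fixed": fixed,
        }
        for cve in record.get("issues", [])
        for pkg in record.get("packages", [])
    ]


def ingest(files):
    """files: mapping of file name -> JSON text. Returns all rows, in name order."""
    rows = []
    for name in sorted(files):
        rows.extend(map_avg(json.loads(files[name])))
    return rows


if __name__ == "__main__":
    for row in ingest(SAMPLE_FILES):
        print(row)
```
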