Distro: Debian

Add support for ingesting AlmaLinux into the command line component for vuln-list ingestion.

NOTE: A CVE may not exist (yet) for every advisory found in this data store. Importing the DLA/DSA advisories may be needed in some cases.

Trivy Ingestion Code

Ingestion

Debian ingestion is more complicated than for other distros. Several folders of data are loaded and processed in a specific order (code here). It's recommended to read through the code before implementing.

  1. Parse distributions.json (always parse)
    1. Code: https://github.com/aquasecurity/trivy-db/blob/91fc6e248bca16db8887df51a493ced2909f4f69/pkg/vulnsrc/debian/debian.go#L511
  2. Parse source/**.json (always parse)
    1. Code: https://github.com/aquasecurity/trivy-db/blob/91fc6e248bca16db8887df51a493ced2909f4f69/pkg/vulnsrc/debian/debian.go#L537
  3. Parse updated-source/**.json (always parse)
    1. Code: https://github.com/aquasecurity/trivy-db/blob/91fc6e248bca16db8887df51a493ced2909f4f69/pkg/vulnsrc/debian/debian.go#L537
  4. Parse CVE/*.json (can parse just changed, updated files here)
    1. Code: https://github.com/aquasecurity/trivy-db/blob/91fc6e248bca16db8887df51a493ced2909f4f69/pkg/vulnsrc/debian/debian.go#L182
  5. Parse DLA/*.json (can parse just changed, updated files here)
    1. Code: https://github.com/aquasecurity/trivy-db/blob/91fc6e248bca16db8887df51a493ced2909f4f69/pkg/vulnsrc/debian/debian.go#L248
  6. Parse DSA/*.json (can parse just changed, updated files here)
    1. Code: https://github.com/aquasecurity/trivy-db/blob/91fc6e248bca16db8887df51a493ced2909f4f69/pkg/vulnsrc/debian/debian.go#L256
  • Remove/skip not-affected, undetermined, removed
    • When these statuses are found, remove advisory if it already exists in the DB
  • Mapping severity from urgency:
    • not yet assigned, end-of-life --> Unknown
    • unimportant, low, low*, low** --> Low
    • medium, medium*, medium** --> Medium
    • high, high*, high** --> High
  • Fixed Version
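
The status filter and urgency mapping above, as an added Go example; it is not code from trivy-db or from this project. The `Entry` type, the in-memory `db` map, the key layout, the `open` status and the `CVE-0000-0001` / `pkg-a` values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a hypothetical, simplified record; it is not the vuln-list JSON schema.
type Entry struct{ VulnID, Release, Pkg, Status, Urgency string }

// SeverityFromUrgency applies the urgency-to-severity mapping listed above.
func SeverityFromUrgency(urgency string) string {
	switch strings.TrimSpace(urgency) {
	case "unimportant", "low", "low*", "low**":
		return "Low"
	case "medium", "medium*", "medium**":
		return "Medium"
	case "high", "high*", "high**":
		return "High"
	default: // "not yet assigned", "end-of-life"; unrecognised values too (assumption)
		return "Unknown"
	}
}

// Apply ingests entries into db, an in-memory stand-in for the real database
// keyed by vulnID/release/package, and returns counts of stored and removed rows.
func Apply(db map[string]string, entries []Entry) (stored, removed int) {
	for _, e := range entries {
		key := e.VulnID + "/" + e.Release + "/" + e.Pkg
		switch e.Status {
		case "not-affected", "undetermined", "removed":
			// Skip, and drop any advisory left over from an earlier run.
			if _, ok := db[key]; ok {
				delete(db, key)
				removed++
			}
		default:
			db[key] = SeverityFromUrgency(e.Urgency)
			stored++
		}
	}
	return stored, removed
}

func main() {
	db := map[string]string{}
	// Constructed sample data; IDs, package names and the "open" status are placeholders.
	fmt.Println(Apply(db, []Entry{{"CVE-0000-0001", "bookworm", "pkg-a", "open", "low**"}}))
	fmt.Println(Apply(db, []Entry{{"CVE-0000-0001", "bookworm", "pkg-a", "not-affected", ""}}))
	fmt.Println(len(db)) // the stale advisory is gone
}
```

Running the second batch against the same `db` shows why the delete matters: without it, an advisory that later becomes not-affected would keep being reported.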
Edited by Michael Eddington