Distro: SUSE and openSUSE
Both openSUSE and SUSE Linux Enterprise publish advisories in the same CVRF format.
The ingestion specification below is not complete.
Trivy Ingestion Code
- https://github.com/aquasecurity/trivy-db/blob/db9680195a7a130c30c80407bd34d53ebdc3d0b2/pkg/vulnsrc/suse-cvrf/suse-cvrf.go#L61
- https://github.com/aquasecurity/trivy-db/blob/db9680195a7a130c30c80407bd34d53ebdc3d0b2/pkg/vulnsrc/suse-cvrf/types.go#L3
Ingestion
- Organization: /cvrf/suse/<opensuse|suse>/<year>/
  - Folders:
    - suse - SUSE Linux Enterprise
    - opensuse - openSUSE Leap
  - Example: /cvrf/suse/opensuse/2020
- Mapping CVE:
  - Vulnerabilities (array)
    - CVE - CVE ID
- Affected version:
  - ProductTree.Relationships (array) - array of vulnerable packages
    - Array item object:
      - ProductReference - affected package and version
        - Example: haproxy-2.0.14-150200.11.15.1
        - Code to split package and version: not yet specified
      - RelatesToProductReference - OS version
        - Example: SUSE Linux Enterprise High Availability Extension 15 SP2
        - Code to parse OS version: not yet specified
- Fixed version:
  - Vulnerabilities (array)
    - ProductStatuses (array)
      - where Type == Fixed
        - ProductID (array) - array of fixed packages, each prefixed with the distro name
          - Example: openSUSE Leap 15.4:postgresql12-timescaledb-2.9.3-bp154.2.3.1
- Normalizing severity:
  - Vulnerabilities (array)
    - Threats (array)
      - Severity
        - low → low
        - moderate → medium
        - important → high
        - critical → critical
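As an added example (not part of this specification, and not the Trivy code linked above), the following Go program implements the three string-level steps the spec leaves open: splitting a ProductReference into package name, version and release; parsing the OS name and version out of a RelatesToProductReference or out of the distro prefix of a Fixed ProductID; and normalizing Threats[].Severity with the table above. The JSON walk itself (select Vulnerabilities[].ProductStatuses[] entries with Type == Fixed, then iterate ProductID) is left to the caller. Assumptions: product references are RPM-style name-version-release strings; a service pack is rendered as a minor version ("15 SP2" becomes "15.2"), a convention chosen here rather than SUSE's; the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Package is an RPM-style name-version-release triple; Product ties one to a distro release.
type Package struct{ Name, Version, Release string }
type Product struct {
	OSName, OSVersion string
	Pkg               Package
}

// SplitPackage splits "haproxy-2.0.14-150200.11.15.1" on its last two hyphens, so a name
// that itself contains hyphens ("postgresql12-timescaledb") stays intact. Assumption: every
// SUSE product reference carries both a version and a release.
func SplitPackage(s string) (Package, error) {
	if i := strings.LastIndex(s, "-"); i > 0 {
		if j := strings.LastIndex(s[:i], "-"); j > 0 {
			return Package{s[:j], s[j+1 : i], s[i+1:]}, nil
		}
	}
	return Package{}, fmt.Errorf("not name-version-release: %q", s)
}

// osVersionRe captures the product name and a trailing "15 SP2" or "15.4".
var osVersionRe = regexp.MustCompile(`^(.*\S)\s+(\d+(?:\.\d+)?)(?:\s+SP(\d+))?$`)

// ParseOSVersion maps "SUSE Linux Enterprise High Availability Extension 15 SP2" to
// ("SUSE Linux Enterprise High Availability Extension", "15.2"); writing the service
// pack as a minor version is this example's assumed convention, not SUSE's.
func ParseOSVersion(s string) (name, version string, err error) {
	m := osVersionRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return "", "", fmt.Errorf("no OS version in %q", s)
	}
	if m[3] != "" {
		return m[1], m[2] + "." + m[3], nil
	}
	return m[1], m[2], nil
}

// ParseProduct joins one ProductTree.Relationships item: its ProductReference
// (the package) and its RelatesToProductReference (the OS release).
func ParseProduct(pkgRef, osRef string) (Product, error) {
	name, ver, err := ParseOSVersion(osRef)
	if err != nil {
		return Product{}, err
	}
	pkg, err := SplitPackage(pkgRef)
	if err != nil {
		return Product{}, err
	}
	return Product{name, ver, pkg}, nil
}

// ParseFixedProductID splits a ProductStatuses[].ProductID entry such as
// "openSUSE Leap 15.4:postgresql12-timescaledb-2.9.3-bp154.2.3.1" at its first colon.
func ParseFixedProductID(id string) (Product, error) {
	distro, pkgRef, ok := strings.Cut(id, ":")
	if !ok {
		return Product{}, fmt.Errorf("no distro prefix in %q", id)
	}
	return ParseProduct(pkgRef, distro)
}

// NormalizeSeverity applies the mapping table above to Threats[].Severity;
// anything unrecognised becomes "unknown" rather than silently low.
func NormalizeSeverity(s string) string {
	m := map[string]string{"low": "low", "moderate": "medium", "important": "high", "critical": "critical"}
	if v, ok := m[strings.ToLower(strings.TrimSpace(s))]; ok {
		return v
	}
	return "unknown"
}

func main() {
	// Field values taken from the spec and the Examples section of this page.
	affected, err := ParseProduct("haproxy-2.0.14-150200.11.15.1",
		"SUSE Linux Enterprise High Availability Extension 15 SP2")
	fmt.Println(affected, err)
	fixed, err := ParseFixedProductID("openSUSE Leap 15.4:postgresql12-timescaledb-2.9.3-bp154.2.3.1")
	fmt.Println(fixed, err)
	fmt.Println(NormalizeSeverity("important")) // high
	// Constructed input: a product name with no trailing version is rejected, not mis-parsed.
	_, err = ParseFixedProductID("openSUSE Tumbleweed:example-pkg-1.0-1.1")
	fmt.Println(err)
}
```

Splitting on the last two hyphens rather than the first keeps multi-part package names whole, and a product string with no parseable version fails loudly at ingestion time, which is preferable to storing a record that can never match an installed package.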
Examples
```json
{
  "Title": "Security update for haproxy",
  "Tracking": {
    "ID": "SUSE-SU-2023:0413-1",
    "Status": "Final",
    "Version": "1",
    "InitialReleaseDate": "2023-02-14T16:07:30Z",
    "CurrentReleaseDate": "2023-02-14T16:07:30Z",
    "RevisionHistory": [
      {
        "Number": "1",
        "Date": "2023-02-14T16:07:30Z",
        "Description": "current"
      }
    ]
  },
  "Notes": [
    {
      "Text": "Security update for haproxy",
      "Title": "Topic",
      "Type": "Summary"
    },
    {
      "Text": "This update for haproxy fixes the following issues:\n\n- CVE-2023-25725: Fixed a serious vulnerability in the HTTP/1 parser (bsc#1208132).\n- CVE-2023-0056: Fixed denial of service via crash in http_wait_for_response() (bsc#1207181).\n",
      "Title": "Details",
      "Type": "General"
    },
    {
      "Text": "The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
      "Title": "Terms of Use",
      "Type": "Legal Disclaimer"
    },
    {
      "Text": "SUSE-2023-413,SUSE-SLE-Product-HA-15-SP2-2023-413,SUSE-SLE-Product-HA-15-SP3-2023-413",
      "Title": "Patchnames",
      "Type": "Details"
    }
  ],
  "ProductTree": {
    "Relationships": [
      {
        "ProductReference": "haproxy-2.0.14-150200.11.15.1",
        "RelatesToProductReference": "SUSE Linux Enterprise High Availability Extension 15 SP2",
        "RelationType": "Default Component Of"
      },
      {
        "ProductReference": "haproxy-2.0.14-150200.11.15.1",
        "RelatesToProductReference": "SUSE Linux Enterprise High Availability Extension 15 SP3",
        "RelationType": "Default Component Of"
      }
    ]
  },
  "References": [
    {
      "URL": "https://www.suse.com/support/update/announcement/2023/suse-su-20230413-1/",
      "Description": "Link for SUSE-SU-2023:0413-1"
    },
    {
      "URL": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013762.html",
      "Description": "E-Mail link for SUSE-SU-2023:0413-1"
    },
    {
      "URL": "https://www.suse.com/support/security/rating/",
      "Description": "SUSE Security Ratings"
    },
    {
      "URL": "https://bugzilla.suse.com/1207181",
      "Description": "SUSE Bug 1207181"
    },
    {
      "URL": "https://bugzilla.suse.com/1208132",
      "Description": "SUSE Bug 1208132"
    },
    {
      "URL": "https://www.suse.com/security/cve/CVE-2023-0056/",
      "Description": "SUSE CVE CVE-2023-0056 page"
    },
    {
      "URL": "https://www.suse.com/security/cve/CVE-2023-25725/",
      "Description": "SUSE CVE CVE-2023-25725 page"
    }
  ],
  "Vulnerabilities": [
    {
      "CVE": "CVE-2023-0056",
      "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.",
      "Threats": [
        {
          "Type": "Impact",
          "Severity": "important"
        }
      ],
      "References": [
        {
          "URL": "https://www.suse.com/security/cve/CVE-2023-0056.html",
          "Description": "CVE-2023-0056"
        },
        {
          "URL": "https://bugzilla.suse.com/1207181",
          "Description": "SUSE Bug 1207181"
        }
      ],
      "ProductStatuses": [
        {
          "Type": "Fixed",
          "ProductID": [
            "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1"
          ]
        }
      ],
      "CVSSScoreSets": {}
    },
    {
      "CVE": "CVE-2023-25725",
      "Description": "HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
      "Threats": [
        {
          "Type": "Impact",
          "Severity": "critical"
        }
      ],
      "References": [
        {
          "URL": "https://www.suse.com/security/cve/CVE-2023-25725.html",
          "Description": "CVE-2023-25725"
        },
        {
          "URL": "https://bugzilla.suse.com/1208132",
          "Description": "SUSE Bug 1208132"
        }
      ],
      "ProductStatuses": [
        {
          "Type": "Fixed",
          "ProductID": [
            "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1"
          ]
        }
      ],
      "CVSSScoreSets": {}
    }
  ]
}
```
Edited by Michael Eddington