
Maintain a vulnerability list for GL packages (GLVD) #76

Open
pnpavlov opened this issue Jun 21, 2024 · 1 comment
Labels: kind/epic (Large multi-story topic)

Comments

pnpavlov (Member) commented Jun 21, 2024

Epic: Maintain a vulnerability list for GL packages

Summary

As a Garden Linux adopter, I would like to know what vulnerabilities are identified for the available packages in the Garden Linux repository. The information provided to me should aggregate the data collected from one or multiple sources available to the distribution and package maintainers and reach me in a standardized and consistent way.

Access to the package vulnerability data should be provided in an engineer-friendly format that enables both human- and machine-friendly reading. I would like to have a REST API endpoint, supported by a common, widely adopted specification and API documentation.

Requirements

  • The API design and implementation follows industry best practices like the Microsoft REST API Guidelines -> Azure REST API Guidelines, or at least the most essential sections covering the HTTP Request / Response Pattern and HTTP Return Codes.
  • The API provides clear, up-to-date, developer-friendly documentation according to a common standard, like the OpenAPI Specification, which is served together with the API, for example via the Swagger open-source tools.
  • As of today, a single deployment is sufficient. It should always contain the latest version of the main branch.
  • NIST: ingest all NIST metric versions, not only v3.

Definition of done

  • As a user, I can use a public HTTP endpoint that is serving a well-designed and versioned API and complete documentation for each allowed request. The preferred solution is an HTTP REST API that can serve me documentation, schema and real data.

  • The user can query for known CVEs of a list of packages.

Limitations or not included in scope

  • This does not yet require a nice user interface; an HTTP API is sufficient.
  • This does not yet include knowledge about which packages are included in any given Garden Linux image; the user provides a list of package names and versions.

Tasks (grouped by month: Sept, Aug, July, June)
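The core query the epic asks for ("known CVEs for a list of package names and versions") hinges on one detail that is easy to get wrong: deciding whether a given package version is still affected means comparing it against the fixed version using Debian's dpkg ordering (epochs, `~` sorting before everything, and alternating alphabetic/numeric runs), not plain string comparison. The block below is an added illustration and not code from the Garden Linux project or the GLVD service; the vulnerability index, the CVE identifiers (`CVE-0000-000x`), the package versions and the request/response shape are all constructed for the example. It also keeps CVSS scores per metric version (v2/v3/v4) rather than only v3, in line with the NIST requirement above.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    """One advisory record in the (constructed) vulnerability index."""
    cve_id: str
    package: str
    fixed_version: Optional[str]  # None means no fixed version exists yet
    cvss: dict                    # scores keyed by metric version, e.g. {"v2": 5.0, "v3": 7.5}


def _order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' sorts before everything,
    including the end of the string; letters sort before other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version part (upstream or revision) the dpkg way:
    alternate non-digit runs (character by character) and digit runs (numerically)."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group()
        sb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        na = re.match(r"[0-9]*", a).group()
        nb = re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or "0"), int(nb or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(v: str):
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions (epoch, then upstream, then revision)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Constructed sample index: package name -> advisories. Not real Garden Linux data.
INDEX = {
    "openssl": [
        Vuln("CVE-0000-0001", "openssl", "3.0.13-1", {"v2": 5.0, "v3": 7.5}),
        Vuln("CVE-0000-0002", "openssl", None, {"v3": 9.8}),
    ],
    "curl": [
        Vuln("CVE-0000-0003", "curl", "8.5.0-2", {"v2": 4.3, "v3": 6.5, "v4": 6.9}),
    ],
}


def query_cves(index: dict, packages: list) -> list:
    """Resolve a request body like [{"name": ..., "version": ...}, ...] to the
    affecting CVEs. A package is affected when no fix exists or its version
    sorts before the fixed version; unknown packages simply yield nothing."""
    hits = []
    for pkg in packages:
        name, version = pkg["name"], pkg["version"]
        for v in index.get(name, []):
            affected = v.fixed_version is None or compare_versions(version, v.fixed_version) < 0
            if affected:
                hits.append({"package": name, "version": version, "cve": v.cve_id,
                             "fixed_version": v.fixed_version, "cvss": v.cvss})
    return hits


if __name__ == "__main__":
    request = [{"name": "openssl", "version": "3.0.11-1"},
               {"name": "curl", "version": "8.5.0-2"},
               {"name": "zlib", "version": "1:1.3.dfsg-3"}]
    for hit in query_cves(INDEX, request):
        print(hit)
```

The response rows deliberately carry `fixed_version` and the full `cvss` map so a client can both decide whether an upgrade is available and apply whichever metric version its own policy uses.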

@pnpavlov pnpavlov added the kind/epic Large multi-story topic label Jun 21, 2024
@pnpavlov pnpavlov changed the title GLVD backend system Maintain a vulnerability list for GL packages Jun 24, 2024
@pnpavlov pnpavlov changed the title Maintain a vulnerability list for GL packages Maintain a vulnerability list for GL packages (GLVD) Aug 22, 2024
fwilhe (Member) commented Sep 6, 2024

Projects: Status: In Progress
Development: No branches or pull requests
2 participants