Scan status files used by Ubuntu #1293

Open
cav72 opened this issue Oct 2, 2024 · 3 comments
Labels
enhancement New feature or request V2 Wishlist Enhancements that require a breaking change

Comments

cav72 commented Oct 2, 2024

Description
With the large amount of OSV data from Ubuntu on osv.dev, is there a plan to support /var/lib/dpkg/status "lockfiles" on Ubuntu?

For example, using this simplified /var/lib/dpkg/status file on a Debian 12 host:

Package: base-files
Status: install ok installed
Version: 12.4+deb12u7

Package: openvpn
Status: install ok installed
Version: 2.6.3-1+deb12u2

we receive the following vulnerability report when running $ osv-scanner scan --lockfile 'dpkg-status:/var/lib/dpkg/status' :

╭────────────────────────────────┬──────┬───────────┬─────────┬─────────────────┬────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION         │ SOURCE                     │
├────────────────────────────────┼──────┼───────────┼─────────┼─────────────────┼────────────────────────────┤
│ https://osv.dev/CVE-2024-28882 │      │ Debian:12 │ openvpn │ 2.6.3-1+deb12u2 │ ../var/lib/dpkg/status     │
╰────────────────────────────────┴──────┴───────────┴─────────┴─────────────────┴────────────────────────────╯

But when we run an equivalent scan on an Ubuntu 24.04 host with the following simplified /var/lib/dpkg/status file:

Package: base-files
Status: install ok installed
Version: 13ubuntu10.1

Package: openvpn
Status: install ok installed
Version: 2.6.9-1ubuntu4

we receive:

No issues found

What I would like to retrieve is a report like:

╭───────────────────────────────────────┬──────┬──────────────────┬─────────┬────────────────┬────────────────────────────╮
│ OSV URL                               │ CVSS │ ECOSYSTEM        │ PACKAGE │ VERSION        │ SOURCE                     │
├───────────────────────────────────────┼──────┼──────────────────┼─────────┼────────────────┼────────────────────────────┤
│ https://osv.dev/UBUNTU-CVE-2024-28882 │      │ Ubuntu:24.04:LTS │ openvpn │ 2.6.9-1ubuntu4 │ ../var/lib/dpkg/status     │
╰───────────────────────────────────────┴──────┴──────────────────┴─────────┴────────────────┴────────────────────────────╯

Is this functionality able to be integrated into osv-scanner?

To Reproduce
Steps to reproduce the behaviour:
Run the commands above and check the output.

Expected behaviour
The following data should be retrieved:
https://osv.dev/vulnerability/UBUNTU-CVE-2024-28882

cc: @dodys
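As an added illustration (not osv-scanner's or osv-scalibr's own code), a small Go program that does what this request asks for: parse the dpkg status stanzas shown above, keep only installed packages, and pick the OSV ecosystem from /etc/os-release so the Ubuntu host is queried as Ubuntu:24.04:LTS rather than as Debian or not at all. The os-release mapping and the LTS-suffix rule are assumptions, and the sample inputs are constructed.

```go
package main
import (
	"fmt"
	"strings"
)
// Package is one installed entry parsed from /var/lib/dpkg/status.
type Package struct{ Name, Version string }
// ParseDpkgStatus parses /var/lib/dpkg/status stanzas, keeping only "install ok installed" packages.
func ParseDpkgStatus(status string) []Package {
	var pkgs []Package
	for _, stanza := range strings.Split(strings.TrimSpace(status), "\n\n") {
		f := map[string]string{}
		for _, line := range strings.Split(stanza, "\n") {
			if k, v, ok := strings.Cut(line, ":"); ok {
				f[k] = strings.TrimSpace(v)
			}
		}
		if f["Package"] != "" && f["Status"] == "install ok installed" {
			pkgs = append(pkgs, Package{f["Package"], f["Version"]})
		}
	}
	return pkgs
}
// Ecosystem maps /etc/os-release to an OSV ecosystem name; the LTS-suffix rule is an assumption.
func Ecosystem(osRelease string) (string, error) {
	kv := map[string]string{}
	for _, line := range strings.Split(osRelease, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[k] = strings.Trim(v, `"`)
		}
	}
	switch kv["ID"] {
	case "debian":
		return "Debian:" + kv["VERSION_ID"], nil
	case "ubuntu":
		eco := "Ubuntu:" + kv["VERSION_ID"]
		if strings.Contains(kv["VERSION"], "LTS") {
			eco += ":LTS"
		}
		return eco, nil
	}
	return "", fmt.Errorf("unsupported distribution %q", kv["ID"])
}
func main() { // constructed sample: the Ubuntu 24.04 host from the issue
	eco, _ := Ecosystem("ID=ubuntu\nVERSION_ID=\"24.04\"\nVERSION=\"24.04.1 LTS (Noble Numbat)\"")
	pkgs := ParseDpkgStatus("Package: openvpn\nStatus: install ok installed\nVersion: 2.6.9-1ubuntu4")
	fmt.Println(eco, pkgs) // Ubuntu:24.04:LTS [{openvpn 2.6.9-1ubuntu4}]
}
```

Packages in states such as "deinstall ok config-files" are skipped, which avoids reporting vulnerabilities for software that is no longer installed.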

Collaborator

oliverchang commented Oct 2, 2024

Thanks for filing the issue!

CC @hogo6002 @another-rex who are currently working on Ubuntu scanning in the context of container scanning.

@another-rex
Collaborator

This is actively being worked on!
Coming soon (in a month or 2?) in OSV-Scanner V2, when we complete the migration to use osv-scalibr extractors.

At that point it should work as you expect, where both scanning on a host Ubuntu machine and scanning an Ubuntu container image will correctly return Ubuntu vulnerabilities.

@another-rex another-rex added enhancement New feature or request V2 Wishlist Enhancements that require a breaking change labels Oct 9, 2024
Author

cav72 commented Oct 9, 2024

That is great to hear! Let me know if you need any extra external testing when it lands! Thank you heaps.
