Scan status files used by Ubuntu

[cav72]

Description
With the large amount of OSV data from Ubuntu on osv.dev, is there a plan to support /var/lib/dpkg/status "lockfiles" on Ubuntu?

For example, using this simplified /var/lib/dpkg/status file on a Debian 12 host:

Package: base-files
Status: install ok installed
Version: 12.4+deb12u7

Package: openvpn
Status: install ok installed
Version: 2.6.3-1+deb12u2

we receive the following vulnerability report when running $ osv-scanner scan --lockfile 'dpkg-status:/var/lib/dpkg/status' :

╭────────────────────────────────┬──────┬───────────┬─────────┬─────────────────┬────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION         │ SOURCE                     │
├────────────────────────────────┼──────┼───────────┼─────────┼─────────────────┼────────────────────────────┤
│ https://osv.dev/CVE-2024-28882 │      │ Debian:12 │ openvpn │ 2.6.3-1+deb12u2 │ ../var/lib/dpkg/status     │
╰────────────────────────────────┴──────┴───────────┴─────────┴─────────────────┴────────────────────────────╯

But when we run an equivalent scan on an Ubuntu 24.04 host with the following simplified /var/lib/dpkg/status file:

Package: base-files
Status: install ok installed
Version: 13ubuntu10.1

Package: openvpn
Status: install ok installed
Version: 2.6.9-1ubuntu4

we receive:

No issues found

What I would like to retrieve is a report like:

╭───────────────────────────────────────┬──────┬──────────────────┬─────────┬────────────────┬────────────────────────────╮
│ OSV URL                               │ CVSS │ ECOSYSTEM        │ PACKAGE │ VERSION        │ SOURCE                     │
├───────────────────────────────────────┼──────┼──────────────────┼─────────┼────────────────┼────────────────────────────┤
│ https://osv.dev/UBUNTU-CVE-2024-28882 │      │ Ubuntu:24.04:LTS │ openvpn │ 2.6.9-1ubuntu4 │ ../var/lib/dpkg/status     │
╰───────────────────────────────────────┴──────┴──────────────────┴─────────┴────────────────┴────────────────────────────╯

Is this functionality able to integrated into osv-scanner?

To Reproduce
Steps to reproduce the behaviour:
Run the commands above and check the output.

Expected behaviour
The following data should be retrieved:
https://osv.dev/vulnerability/UBUNTU-CVE-2024-28882

cc: @dodys

[oliverchang]

Thanks for filing the issue!

CC @hogo6002 @another-rex who are currently working on Ubuntu scanning in the context of container scanning.

[another-rex]

This is actively being worked on!
Coming soon (in a month or 2?) in OSV-Scanner V2, when we complete the migration to use osv-scalibr extractors.

At that point it should work as you expect where both scanning on host in an ubuntu machine, or scanning an ubuntu container image will correctly return ubuntu vulnerabilties.

[cav72]

That is great to hear! Let me know if you need any extra external testing when it lands! Thank you heaps.

[dodys]

@another-rex do you have any updates or ETA to share on this issue?
I saw that osv-scalibr was officially announced.

[oliverchang]

This took a little longer than expected, but we're gearing up for a beta release of OSV-Scanner V2 this week (it's already usable from HEAD)I! We'll ping this thread as soon as it is.

We'd love feedback on making sure the results are accurate!

[dodys]

@oliverchang that's great news thanks!
I will catch-up tomorrow with @cav72 and see if he can do some testing with current HEAD and give some feedback here.

[oliverchang]

v2.0.0-beta1 has been released. Please see https://osv.dev/blog/posts/osv-scanner-v2-beta1-is-ready/