Skip to content

Commit

Permalink
docs(blog): api queries for more linux distros (#2760)
Browse files Browse the repository at this point in the history
Add a blog post: api queries for more linux distros

---------

Co-authored-by: Andrew Pollock <[email protected]>
  • Loading branch information
hogo6002 and andrewpollock authored Oct 21, 2024
1 parent cf73474 commit a58c0bf
Showing 1 changed file with 24 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
---
title: "API Queries for More Linux Distributions"
date: 2024-10-22T00:00:00Z
draft: false
author: Holly Gong
---

We're excited to announce that OSV.dev's API now allows you to query all our supported Linux distributions! From now on, any new Linux distribution adopting the OSV Schema will be instantly available for querying as soon as it's imported by OSV.dev!
<!--more-->

2024 has seen significant adoption of the OSV Schema from prominent Linux distributions such as [Ubuntu](https://openssf.org/blog/2024/06/11/ubuntu-security-notices-now-available-in-osv/), [Chainguard/Wolfi](https://openssf.org/blog/2024/07/03/chainguard-enhances-security-with-osv-advisory-feed/), and [SUSE/openSUSE](https://www.suse.com/support/update/). In particular, Ubuntu provides us with both [Ubuntu Security Notices](https://ubuntu.com/security/notices) (identified as `USN-`) and [Ubuntu CVE Tracker](https://ubuntu.com/security/cves) (identified as `UBUNTU-CVE-`) to cover fixed and unfixed vulnerabilities. Chainguard/Wolfi and SUSE/openSUSE have also recently adopted the OSV Schema. This increased community adoption allows us to expand our Linux distribution vulnerability coverage significantly.

Although we had expanded our coverage of Linux distributions, we didn't support API queries for many of them due to limitations in our query implementation. Specifically, the OSV.dev API relied solely on enumerated affected versions for package version queries, requiring version enumeration functions to be implemented for each ecosystem. This approach was difficult to scale and limited our API queries to only Debian, Ubuntu, and Alpine. As a result, the lack of API query support for other Linux distributions created a barrier for users accessing the available data.

To overcome the limitations of our previous implementation, we developed a new [affected range matching method](https://github.com/google/osv.dev/issues/2401). This new method eliminates the need for version enumeration, allowing us to support queries for a wider range of Linux distributions. As a result, OSV.dev now supports package version queries across all our Linux distributions, including Rocky Linux, AlmaLinux, Chainguard/Wolfi, and SUSE/openSUSE. Furthermore, with this new method, any new Linux distribution that publishes vulnerabilities in the OSV Schema and is imported by OSV.dev in the future will be immediately queryable.

```bash
curl -d \
'{"package": {"name": "nodejs", "ecosystem": "AlmaLinux"},
"version": "1:16.13.1-3.module_el8.5.0+2605+45d748af"}' \
https://api.osv.dev/v1/query
```

This year, the OSV team has had a big focus on container image scanning. With the improved Linux distribution data and API query capabilities, we will deliver even better results for container image scanning. In our next update on container image scanning, we'll dive deeper into base image identification and layer attribution. Additionally, we'll unveil a new output format for OSV-Scanner. Stay tuned for more!

0 comments on commit a58c0bf

Please sign in to comment.