Data source for Alpine Linux
bgoareguer opened this issue · comments
I have a Docker image based on Alpine 3.11 with curl and libcurl installed via apk (nginx:1.18.0-alpine)
The versions of curl and libcurl (7.67.0-r0) are affected by CVE-2020-8231 (https://curl.haxx.se/docs/CVE-2020-8231.html).
The vuln-list README says Alpine vulnerabilities are fetched from https://bugs.alpinelinux.org/projects/alpine/issues. This URL redirects to https://gitlab.alpinelinux.org/alpine. In this repository, the APKBUILD file (https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/curl/APKBUILD) includes the above mentioned CVE:
# secfixes:
# 7.72.0-r0:
# - CVE-2020-8231
But in the vuln-list-update source code, the URL that is used to check Alpine vulnerabilities is https://git.alpinelinux.org/aports/ (https://github.com/aquasecurity/vuln-list-update/blob/master/alpine/alpine.go#L22). And in this repository, CVE-2020-8231 is not mentioned in the APKBUILD file.
So I see 2 issues:
1- the vuln-list README does not seem to be aligned with what actually is in the vuln-list-update source code
2- the source for Alpine vulnerabilities used in vuln-list-update does not seem to be updated regularly
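The issue turns on how a scanner derives "affected" from the `# secfixes:` block of an APKBUILD: if the mirror it reads is stale and the block lacks a CVE, the package looks clean. The program below is an added example written for this page, not code from vuln-list-update or the aports project. It parses a constructed APKBUILD excerpt, uses a simplified apk version comparison (an assumption: it handles `X.Y.Z-rN` only, not suffixes such as `_rc1`), and distinguishes "fixed", "still affected" and "CVE not present in the data" so the last case is visible rather than silently reported as clean.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed APKBUILD excerpt (not the real curl APKBUILD). Only the
// secfixes comment block matters here. CVE-2020-8177 is deliberately listed
// under two versions to exercise lowest-fixed-version selection.
const sampleAPKBUILD = `pkgname=curl
pkgver=7.72.0
pkgrel=0
# secfixes:
#   7.72.0-r0:
#     - CVE-2020-8231
#   7.71.0-r0:
#     - CVE-2020-8169
#     - CVE-2020-8177
#   7.70.0-r0:
#     - CVE-2020-8177
`

// ParseSecfixes returns a map from fixed package version to the CVE ids that
// version closes, read from the "# secfixes:" comment block of an APKBUILD.
func ParseSecfixes(apkbuild string) map[string][]string {
	fixes := map[string][]string{}
	inBlock := false
	current := ""
	sc := bufio.NewScanner(strings.NewReader(apkbuild))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "#") {
			if inBlock {
				break // block ends at the first non-comment line
			}
			continue
		}
		body := strings.TrimSpace(strings.TrimPrefix(line, "#"))
		switch {
		case body == "secfixes:":
			inBlock = true
		case !inBlock:
			continue
		case strings.HasPrefix(body, "- "):
			if current != "" {
				fixes[current] = append(fixes[current], strings.TrimSpace(strings.TrimPrefix(body, "- ")))
			}
		case strings.HasSuffix(body, ":"):
			current = strings.TrimSuffix(body, ":")
		}
	}
	return fixes
}

// compareAlpineVersion is a simplified apk-style version comparison (assumption:
// dotted numeric components followed by an optional -rN release; no _rc/_p suffixes).
func compareAlpineVersion(a, b string) int {
	split := func(v string) ([]int, int) {
		base, rel := v, 0
		if i := strings.LastIndex(v, "-r"); i >= 0 {
			base = v[:i]
			rel, _ = strconv.Atoi(v[i+2:])
		}
		var parts []int
		for _, p := range strings.Split(base, ".") {
			n, _ := strconv.Atoi(p)
			parts = append(parts, n)
		}
		return parts, rel
	}
	pa, ra := split(a)
	pb, rb := split(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	if ra != rb {
		if ra < rb {
			return -1
		}
		return 1
	}
	return 0
}

// FixedVersionFor returns the lowest version listing cve, or "" if absent.
func FixedVersionFor(fixes map[string][]string, cve string) string {
	lowest := ""
	for ver, cves := range fixes {
		for _, c := range cves {
			if c == cve && (lowest == "" || compareAlpineVersion(ver, lowest) < 0) {
				lowest = ver
			}
		}
	}
	return lowest
}

// IsAffected reports whether installed is below the fix for cve. known is false
// when the data source does not mention cve at all; a scanner that collapses
// that case into "not affected" is exactly the failure mode described above.
func IsAffected(fixes map[string][]string, installed, cve string) (affected, known bool) {
	fixed := FixedVersionFor(fixes, cve)
	if fixed == "" {
		return false, false
	}
	return compareAlpineVersion(installed, fixed) < 0, true
}

func main() {
	fixes := ParseSecfixes(sampleAPKBUILD)
	for _, v := range []string{"7.67.0-r0", "7.72.0-r0"} {
		affected, known := IsAffected(fixes, v, "CVE-2020-8231")
		fmt.Printf("curl %s CVE-2020-8231: affected=%v known=%v\n", v, affected, known)
	}
}
```

With the constructed data, `7.67.0-r0` is reported affected and `7.72.0-r0` fixed; had the secfixes block been read from a mirror that lacks the `7.72.0-r0` entry, `known` would be false, which is the signal to treat the data source, not the package, as the problem.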