Maintain a vulnerability list for GL packages (GLVD)

[pnpavlov]

Epic: Maintain a vulnerability list for GL packages

Summary

As Garden Linux adopter, I would like to know what vulnerabilities are identified for the available packages in the Garden Linux repository. The information provided to me should aggregate the data collected from one or multiple sources available to the distribution and package maintainers and reach me in a standardized and consistent way.

The access to the package vulnerability data should be handled in engineer friendly format that enables both human and machine friendly reading. I would like to have an REST API endpoint, supported with a common widely adopted specification and API documentation.

Requirements

• The API design and implementation follows industry best practices like the Microsoft REST API Guidelines -> Azure REST API Guidelines or at least the most essential sections covering HTTP Request / Response Pattern, HTTP Return Codes.
• The API provides clear, up-to-date developer friendly documentation according to a common standard, like OpenAPI Specification which is served together with the API for example over Swagger Open Source tools
• As of today, single deployment is sufficient. It should contain always the latest version of the main branch.
• NIST : Ingest all NIST metric versions, not only v3.

Definition of done

• As user, I can use a public HTTP endpoint that is serving a well designed and versioned API and complete documentation for each allowed request. Preferred solution is to have HTTP REST API that can serve me documentation, schema and real data.

• The user can query for known CVEs of a list packages

Limitations or not included in scope

• This does not yet require a nice user interface, an HTTP API is sufficient
• This does not yet include knowledge about which packages are included in any given Garden Linux image, the user provides a list of package names and versions

Tasks

Nov

• Optimise the image content  #129

Oct

• Prepare deployable application skeleton (app + db) #79
• Migrate the ingestion cronjob to kubernetes job #84
• Enable filtering in GLVD API #94
• CI Infra: Auto-update db and api images/deployments #101
• CI Infra: Properly setup the Database without re-running ingestion all the time #102

Sept

• https://github.com/gardenlinux/sap-internal/issues/12
• Review & finalize initial API design specification and tooling #80
• Enable sorting in GLVD API #95
• Restore glvd db from backup to avoid need for running ingestion job on new cluster setup #108
• glvd show cvss score #109
• glvd: get info about applicable vulns in motd on Garden Linux nodes #118
• glvd: simple cve details page #120
• glvd: add client to the gl apt repo #123

Aug

• Model the required data to be pulled from the sources #89

July

• ✅ Prioritize the high level functionality #92

June

• https://github.com/gardenlinux/process/issues/63
• Transform the prototype to first mvp foundation #81
• Build first REST API design proposal #82
• CI Infra: Auto-update db and api images/deployments #101

[fwilhe]

Implemented with this endpoint https://gardenlinux.github.io/glvd-api/#_get_a_list_of_cves_for_packages_by_distro