Epic: Maintain a vulnerability list by release (GLVD)
Summary
As a Garden Linux adopter, I would like to be able to identify what vulnerabilities (CVEs) are relevant for a given Garden Linux release. The CVEs should be mapped to the packages in the release.
Requirements
The API design and implementation follow industry best practices like the Microsoft REST API Guidelines -> Azure REST API Guidelines, or at least the most essential sections covering HTTP Request / Response Pattern, HTTP Return Codes.
The API provides clear, up-to-date, developer-friendly documentation according to a common standard, like the OpenAPI Specification, which is served together with the API, for example over Swagger Open Source tools.
As of today, a single deployment is sufficient. It should always contain the latest version of the main branch.
NIST: Ingest all NIST metric versions, not only v3.
Definition of done
As a user, I can use a public HTTP endpoint that is serving a well-designed and versioned API and complete documentation for each allowed request. The preferred solution is to have an HTTP REST API that can serve me documentation, schema and real data.
The user can query for a published release and get the list of packages involved and their known vulnerabilities.
Limitations or not included in scope
This does not yet require a nice user interface; an HTTP API is sufficient.
This does not yet include knowledge about which packages are included in any given Garden Linux image; the user provides a list of package names and versions.
Tasks
Nov
Oct