[ubuntu-hardened] Tooling question about collecting changelog info for security updates

Marty Hillman marty.hillman at InfiniteCampus.com
Mon Jun 3 12:25:59 UTC 2024


Have you tried using OVAL reports to get the information you are looking for?  It will deal specifically with CVEs and USNs for security fixes and not standard upgrade patches.  It provides an HTML color-coded list to quickly see what CVEs are currently outstanding for a particular server.  https://ubuntu.com/security/oval

I have a cron job running the first of each month to update the OVAL database and provide a report on each server as to what remains to be patched.  Needed patches appear in a red hue while completed patches appear green.  I use Ansible to keep everything up to date and to download the reports to my local machine.  I can then plan my monthly CABs based on the results.

Hope this helps!

From: ubuntu-hardened <ubuntu-hardened-bounces at lists.ubuntu.com> on behalf of Marcos Alano <marcoshalano at gmail.com>
Date: Friday, May 31, 2024 at 5:19 PM
To: Ubuntu security discussion <ubuntu-hardened at lists.ubuntu.com>
Subject: Re: [ubuntu-hardened] Tooling question about collecting changelog info for security updates

Hi,

I probably did not understand your question so my suggestion may sound stupid, but you could scan your image using Trivy to get the errors and produce a report in JSON that could be parsed by machine.

Again, I think I misunderstood your question. Sorry.

Marcos Alano

On Fri, May 31, 2024, 19:07 Mike McCracken (mikmccra) <mikmccra at cisco.com> wrote:
Hi, I am wondering if there is already a tool to generate this kind of report about
CVE-driven and other security fixes in the archive:

I have container images based on ubuntu being built at regular intervals, and
we are updating all packages to get the latest security updates at image build time.
In order to be able to tell if a build of my images has a given fix, I produce a list
of all packages that were installed and their versions.

What I would like to do is given two such lists, get all the changelogs (or just CVE IDs)
for each update that happened between those lists.

So for example using recent jammy releases of git:
at Time T, I build an image that has a list including git like this:

```
git 1:2.34.1-1ubuntu1.9
```

and then at Time T+1 I rebuild and get a git that's two package releases newer:

```
git 1:2.34.1-1ubuntu1.11
```

Then I want to be able to produce a file where I get the logs for each increment of the package
between those versions

```
# git
1:2.34.1-1ubuntu1.9 - 1:2.34.1-1ubuntu1.11

## 1:2.34.1-1ubuntu1.10 changes

 git (1:2.34.1-1ubuntu1.10) jammy; urgency=medium
.
* Fix issue where untracked files are not recovered during a stash
pop/apply operation when a merge conflict is present. Untracked
files are now correctly restored regardless if a conflict is
present or not. (LP: #2026319)
- d/p/lp-2026319-stash-do-not-return-before-restoring-untracked-files.patch

## git (1:2.34.1-1ubuntu1.11) jammy-security; urgency=medium
.
* SECURITY UPDATE: Facilitation of arbitrary code execution
- debian/patches/CVE-2024-32002.patch: submodule paths
must not contains symlinks in builtin/submodule--helper.c.
- CVE-2024-32002

...etc
```

This info is available on launchpad easy enough for manual looking,
but it doesn't seem to be exposed in a straightforward way
for scripting to automate the whole list. So I thought I'd ask if anyone
has already tackled this, or knows of a better way to get this info,
and then I can just use their work and praise their name.

Thanks!
-mike
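A worked example of the tooling Mike asks about, added here as an illustration and not code from anyone in this thread: given two package lists of the kind his builds produce, it picks out the packages whose version moved forward (using a port of dpkg's version ordering, so 1ubuntu1.9 sorts below 1ubuntu1.11 and "~" pre-release suffixes sort below the release), parses a Debian-format changelog, keeps the entries strictly newer than the old version and no newer than the new one, and lists the CVE IDs those entries mention. The sample lists and the changelog text are constructed from the entries quoted above; how the changelog text for each package is fetched (Launchpad, apt-get changelog, or the package's /usr/share/doc changelog) is assumed to happen elsewhere and is not shown.

```python
import re

# Constructed image package lists ("<package> <version>"); curl is unchanged on purpose.
OLD_LIST = "git 1:2.34.1-1ubuntu1.9\ncurl 7.81.0-1ubuntu1.15\n"
NEW_LIST = "git 1:2.34.1-1ubuntu1.11\ncurl 7.81.0-1ubuntu1.15\n"

# Constructed Debian-format changelog: the thread's two entries plus an older one to exclude.
GIT_CHANGELOG = """\
git (1:2.34.1-1ubuntu1.11) jammy-security; urgency=medium
  * SECURITY UPDATE: Facilitation of arbitrary code execution
    - debian/patches/CVE-2024-32002.patch
    - CVE-2024-32002
git (1:2.34.1-1ubuntu1.10) jammy; urgency=medium
  * Fix issue where untracked files are not recovered during a stash
    pop/apply operation when a merge conflict is present. (LP: #2026319)
git (1:2.34.1-1ubuntu1.9) jammy; urgency=medium
  * Constructed older entry: already in the old image, so not reported.
"""

HEADER_RE = re.compile(r"^(\S+) \((\S+)\) (\S+); urgency=")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _order(c: str) -> int:
    # dpkg character weight: '~' sorts before everything, even end of string.
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp: alternate non-digit runs and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # the longer numeric run is greater
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b, in dpkg ordering."""
    def split(v):  # -> (epoch, upstream_version, debian_revision)
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def upgraded_packages(old_text: str, new_text: str) -> list:
    """(name, old_version, new_version) for each package that moved forward."""
    old, new = (dict(l.split() for l in t.splitlines() if l.strip()) for t in (old_text, new_text))
    return [(n, old[n], new[n]) for n in sorted(new) if n in old and dpkg_compare(old[n], new[n]) < 0]


def parse_changelog(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"version": m[2], "dist": m[3], "body": []})
        elif entries and line.strip():
            entries[-1]["body"].append(line)
    return entries


def changes_between(changelog: str, old_v: str, new_v: str) -> list:
    """Entries with old_v < version <= new_v, in changelog (newest-first) order."""
    return [e for e in parse_changelog(changelog)
            if dpkg_compare(e["version"], old_v) > 0 and dpkg_compare(e["version"], new_v) <= 0]


def cves_fixed(entries: list) -> list:
    return sorted({c for e in entries for c in CVE_RE.findall("\n".join(e["body"]))})


def build_report(old_text: str, new_text: str, changelogs: dict) -> str:
    # changelogs maps package name -> changelog text; obtaining it (for example from
    # Launchpad or /usr/share/doc/<pkg>/changelog.Debian.gz) is assumed to happen elsewhere.
    out = []
    for name, old_v, new_v in upgraded_packages(old_text, new_text):
        entries = changes_between(changelogs.get(name, ""), old_v, new_v)
        out += [f"# {name}", f"{old_v} - {new_v}"]
        for e in entries:
            out += [f"## {name} ({e['version']}) {e['dist']}"] + e["body"]
        out.append("CVEs fixed: " + (", ".join(cves_fixed(entries)) or "none"))
    return "\n".join(out)
```

Calling build_report(OLD_LIST, NEW_LIST, {"git": GIT_CHANGELOG}) returns the report sketched above for git only, with a final line listing the CVEs fixed across the included entries. Comparing versions with dpkg's algorithm rather than as plain strings matters here: a string comparison would order 1ubuntu1.11 before 1ubuntu1.9 and report the upgrade as a downgrade.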