[ubuntu-hardened] Tooling question about collecting changelog info for security updates

Marcos Alano marcoshalano at gmail.com
Fri May 31 22:18:15 UTC 2024


Hi,

I probably did not understand your question so my suggestion may sound
stupid, but you could scan your image using Trivy to get the errors and
produce a report in JSON that could be parsed by machine.

Again, I think I misunderstood your question. Sorry.

Marcos Alano

On Fri, May 31, 2024, 19:07 Mike McCracken (mikmccra) <mikmccra at cisco.com>
wrote:

> Hi, I am wondering if there is already a tool to generate this kind of
> report about
> CVE-driven and other security fixes in the archive:
>
> I have container images based on ubuntu being built at regular intervals,
> and
> we are updating all packages to get the latest security updates at image
> build time.
> In order to be able to tell if a build of my images has a given fix, I
> produce a list
> of all packages that were installed and their versions.
>
> What I would like to do is given two such lists, get all the changelogs
> (or just CVE IDs)
> for each update that happened between those lists.
>
> So for example using recent jammy releases of git:
> at Time T, I build an image that has a list including git like this:
>
> ```
> git 1:2.34.1-1ubuntu1.9
> ```
>
> and then Time T+1 I rebuild and get a git that's two package releases
> newer:
>
> ```
> git 1:2.34.1-1ubuntu1.11
> ```
>
> Then I want to be able to produce a file where I get the logs for each
> increment of the package
> between those versions
>
> ```
> # git
> 1:2.34.1-1ubuntu1.9 - 1:2.34.1-1ubuntu1.11
>
> ## 1:2.34.1-1ubuntu1.10 changes
>
>  git (1:2.34.1-1ubuntu1.10) jammy; urgency=medium
> .
> * Fix issue where untracked files are not recovered during a stash
> pop/apply operation when a merge conflict is present. Untracked
> files are now correctly restored regardless if a conflict is
> present or not. (LP: #2026319)
> - d/p/lp-2026319-stash-do-not-return-before-restoring-untracked-files.patch
>
> ## git (1:2.34.1-1ubuntu1.11) jammy-security; urgency=medium
> .
> * SECURITY UPDATE: Facilitation of arbitrary code execution
> - debian/patches/CVE-2024-32002.patch: submodule paths
> must not contains symlinks in builtin/submodule--helper.c.
> - CVE-2024-32002
>
> ...etc
> ```
>
> This info is available on launchpad easy enough for manual looking,
> but it doesn't seem to be exposed in a straightforward way
> for scripting to automate the whole list. So I thought I'd ask if anyone
> has already tackled this, or knows of a better way to get this info,
> and then I can just use their work and praise their name.
>
> Thanks!
> -mike
>
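The changelog-slicing step Mike describes, as an added example that is not from this thread or from any Ubuntu tool: it reads the two "name version" lists, splits a Debian-format changelog into entries, keeps the entries newer than the old version up to and including the new one, and renders them in the report shape sketched above. Fetching each package's changelog text (for example from Launchpad) is assumed to happen separately; the sample changelog embedded here is constructed from the excerpt in the post.

```python
import re

# Constructed sample changelog (Debian format, newest entry first, maintainer
# trailers omitted) modelled on the post's excerpt; the CVE and LP ids are the post's.
SAMPLE_CHANGELOG = """\
git (1:2.34.1-1ubuntu1.11) jammy-security; urgency=medium
  * SECURITY UPDATE: Facilitation of arbitrary code execution
    - debian/patches/CVE-2024-32002.patch: submodule paths
      must not contains symlinks in builtin/submodule--helper.c.
    - CVE-2024-32002
git (1:2.34.1-1ubuntu1.10) jammy; urgency=medium
  * Fix issue where untracked files are not recovered during a stash
    pop/apply operation when a merge conflict is present. (LP: #2026319)
git (1:2.34.1-1ubuntu1.9) jammy; urgency=medium
  * Constructed older entry: already in the old image, so not reported.
"""
HEADER_RE = re.compile(r"^\S+ \(([^)]+)\) [^;]+; urgency=")  # group(1) = version
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_package_list(text):
    """Lines of 'name version' (the post's list format) -> {name: version}."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def parse_changelog(text):
    """Split a changelog into [(version, entry_text)] in file order, newest first."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if HEADER_RE.match(line)]
    return [(HEADER_RE.match(lines[s]).group(1), "\n".join(lines[s:e]) + "\n")
            for s, e in zip(starts, starts[1:] + [len(lines)])]

def entries_between(entries, old_version, new_version):
    """Entries newer than old_version up to and including new_version, oldest first.
    Relies on changelog order instead of reimplementing dpkg version comparison."""
    versions = [v for v, _ in entries]
    lo, hi = versions.index(new_version), versions.index(old_version)  # ValueError if absent
    if lo >= hi:
        raise ValueError(f"{old_version} is not older than {new_version} in this changelog")
    return list(reversed(entries[lo:hi]))

def report(old_list, new_list, changelogs):
    """Markdown report in the shape the post sketches, one section per package whose
    version changed; changelogs maps package name -> changelog text (fetched by caller)."""
    old, new = parse_package_list(old_list), parse_package_list(new_list)
    out = []
    for pkg in sorted(p for p in old.keys() & new.keys() if old[p] != new[p]):
        entries = entries_between(parse_changelog(changelogs[pkg]), old[pkg], new[pkg])
        cves = ", ".join(sorted({c for _, b in entries for c in CVE_RE.findall(b)})) or "none"
        out.append(f"# {pkg}\n{old[pkg]} - {new[pkg]}\nCVEs fixed: {cves}\n")
        out.extend(f"## {v} changes\n\n{body}" for v, body in entries)
    return "\n".join(out)
```

Because it uses the changelog's own ordering, both versions must be present in the changelog you feed it, which the newer package's changelog normally guarantees; a version that is missing or out of order raises instead of silently producing an empty section.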