
idea: CVE linkages #431

Closed
ctreleaven opened this issue Jan 10, 2018 · 3 comments

Comments

@ctreleaven

Would it be possible to link to CVE reports for a given version of a package? Could be an extremely valuable resource.

@AMDmi3
Member

AMDmi3 commented Jan 10, 2018

Sure, I've had this idea from the beginning (#15). I've investigated it a couple of times and it turns out to not be that straightforward.

CVEs don't usually contain usable package names and use CPE instead. I don't see a way to map CPE to metapackages for now. I don't remember seeing CPE info in any package system apart from FreeBSD; it would have to be specially extracted from there.

We could use distro-specific vulnerability reports as these do contain usable names. There are a lot of these available, for instance:

However there are problems as well:

  • Not all of these are machine readable. Only vuxml uses an XML format; for Debian and Gentoo it seems that we'll have to parse HTML.
  • They depend on specific repository features. For instance, vuxml may list postgresql95 < 9.5.10 as vulnerable, relying on the fact that other major postgresql versions are in separate packages. We can't use this information without knowing that the postgresql95 version range is [9.5.0, 9.6.0), and there's nowhere to get that knowledge from. Another example: Debian lists fixed versions in its own format, e.g. 4.9.65-3+deb9u2. Repology normalizes versions at an early stage so it doesn't have this, and even if it had, we'd need to add Debian-specific version comparison facilities to libversion to use it.
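
The two obstacles in the comment above, made concrete as runnable checks. This is an added example, not Repology or libversion code: the vuxml entry, the `[9.5.0, 9.6.0)` range for the `postgresql95` port and the Debian version strings are taken from the comment, while the `PORT_MAJOR_RANGE` table, the `upstream_only` normaliser and all function names are assumptions introduced here for illustration. The Debian comparison follows the algorithm dpkg uses (epoch, upstream, revision; `~` sorts before the end of string; digit runs compare numerically).

```python
# Added example: why distro vulnerability feeds cannot be consumed without
# repository-specific knowledge. Not Repology/libversion code.

# --- 1. vuxml: "postgresql95 < 9.5.10" only makes sense inside the port's range ---

# Constructed for the example: what the vuxml entry states, and the implicit
# knowledge it relies on (which versions the FreeBSD port actually ships).
VUXML_VULNERABLE_BELOW = {"postgresql95": "9.5.10"}
PORT_MAJOR_RANGE = {"postgresql95": ("9.5.0", "9.6.0")}   # [low, high), assumed table


def dotted(version):
    """Plain dotted version -> int tuple; sufficient for PostgreSQL-style numbers."""
    return tuple(int(part) for part in version.split("."))


def naive_applies(pkg, version):
    """Read the vuxml range literally: every version below the threshold is vulnerable.
    This wrongly flags 9.4.x, which the postgresql95 port never shipped."""
    return dotted(version) < dotted(VUXML_VULNERABLE_BELOW[pkg])


def vuxml_applies(pkg, version):
    """Interpret the entry with the port's range: True/False inside [low, high),
    None outside it, because the entry says nothing about other major versions."""
    low, high = PORT_MAJOR_RANGE[pkg]
    if not dotted(low) <= dotted(version) < dotted(high):
        return None
    return dotted(version) < dotted(VUXML_VULNERABLE_BELOW[pkg])


# --- 2. Debian: comparing 4.9.65-3+deb9u2 needs dpkg's ordering rules ---

def _order(c):
    """dpkg character weight: digits 0, '~' before end-of-string (-1),
    letters by code point, everything else after the letters."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version component (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: compare numerically (leading zeros ignored)
        ia, jb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = a[ia:i].lstrip("0"), b[jb:j].lstrip("0")
        if len(na) != len(nb):
            return len(na) - len(nb)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """[epoch:]upstream[-revision] -> (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_compare(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def debian_fixed(installed, fixed_in):
    """True when the installed version already carries the fix the tracker lists."""
    return deb_compare(installed, fixed_in) >= 0


def upstream_only(version):
    """Assumed stand-in for a normaliser that keeps only the upstream part; it shows
    why a fix shipped in a Debian revision becomes invisible after normalisation."""
    return _split(version)[1]


if __name__ == "__main__":
    print(naive_applies("postgresql95", "9.4.20"), vuxml_applies("postgresql95", "9.4.20"))
    print(debian_fixed("4.9.65-3+deb9u1", "4.9.65-3+deb9u2"))
    print(deb_compare(upstream_only("4.9.65-3+deb9u1"), upstream_only("4.9.65-3+deb9u2")))
```

The last comparison is the crux of the Debian point: once both versions collapse to `4.9.65`, the vulnerable and the fixed package compare equal, so no amount of CVE data can tell them apart.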

@obadz

obadz commented Apr 10, 2018

This would be amazing for NixOS..

cc @teh @zimbatm @grahamc @ryantm

@AMDmi3
Member

AMDmi3 commented May 7, 2020

Being implemented in #15.

@AMDmi3 AMDmi3 closed this as completed May 7, 2020