Package version detection from external repos #1285
penfolda-mat posted on GitHub
Hi there,
We currently use external repos for packages such as salt to use versions that are suitable for our environment. Vuls is currently reporting the latest version within debian, and therefore the CVEs and vulnerabilities related to it are not accurate for our environment. We have to manually go through and check the vulnerabilities associated with these external repo packages.
For example: We are currently using salt-minion version 3003.1+ds-1 on Debian 9.
```
$ apt-cache policy salt-minion
salt-minion:
  Installed: 3003.1+ds-1
  Candidate: 3003.1+ds-1
  Version table:
 *** 3003.1+ds-1 500
        500 https://repo.saltproject.io/py3/debian/9/amd64/latest stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     3000.9+ds-1 500
        500 http://repo.saltstack.com/apt/debian/9/amd64/3000 stretch/main amd64 Packages
     2016.11.2+ds-1+deb9u6 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     2016.11.2+ds-1+deb9u4 500
        500 http://ftp.uk.debian.org/debian stretch/main amd64 Packages
```
However, in VulsRepo it is showing incorrect vulnerabilities in relation to the version we're using, as it's picking up the latest version from the Debian security tracker, which is 3002.6:
![vulsrepo2](https://user-images.githubusercontent.com/88712444/129384883-a8d531e9-6842-4504-a7dd-0d9168ba4bf8.png)
Is it possible to implement a feature that allows for version detection through external repos? In short, we would like to check for vulnerabilities within salt but we're not using the debian repo.
Look forward to your response.
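The mismatch described in the issue comes down to how a scanner orders Debian version strings: the installed `3003.1+ds-1` from the Salt repository against the `3002.6` the reporter says Vuls took from the Debian tracker. The following is an added example, not Vuls' own code, that implements dpkg's version-ordering algorithm (epoch, upstream version, Debian revision, with `~` sorting before everything) and applies it to the versions shown in the `apt-cache policy` output above; the function names `CompareVersions` and `IsAtLeastFixed` are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example (not part of Vuls): dpkg-style version comparison,
// following the algorithm of dpkg's vercmp.c.

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// at returns the byte at index i, or 0 past the end (like C's NUL terminator).
func at(s string, i int) byte {
	if i < len(s) {
		return s[i]
	}
	return 0
}

// order gives the dpkg sort weight of a non-digit character: '~' sorts
// before everything (even the end of the string), letters before non-letters.
func order(c byte) int {
	switch {
	case isDigit(c):
		return 0
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z':
		return int(c)
	case c == '~':
		return -1
	case c == 0:
		return 0
	default:
		return int(c) + 256
	}
}

// verrevcmp compares two upstream-version or revision strings by
// alternating non-digit and digit runs, the way dpkg does.
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(at(a, i))) || (j < len(b) && !isDigit(at(b, j))) {
			ac, bc := order(at(a, i)), order(at(b, j))
			if ac != bc {
				return ac - bc
			}
			i++
			j++
		}
		for at(a, i) == '0' { // leading zeros are insignificant
			i++
		}
		for at(b, j) == '0' {
			j++
		}
		for isDigit(at(a, i)) && isDigit(at(b, j)) {
			if firstDiff == 0 {
				firstDiff = int(at(a, i)) - int(at(b, j))
			}
			i++
			j++
		}
		if isDigit(at(a, i)) { // a has more digits: it is the larger number
			return 1
		}
		if isDigit(at(b, j)) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// parseVersion splits "[epoch:]upstream[-revision]" as dpkg does; an
// absent revision compares equal to "0".
func parseVersion(v string) (epoch int, upstream, revision string) {
	if i := strings.IndexByte(v, ':'); i >= 0 {
		epoch, _ = strconv.Atoi(v[:i])
		v = v[i+1:]
	}
	if i := strings.LastIndexByte(v, '-'); i >= 0 {
		return epoch, v[:i], v[i+1:]
	}
	return epoch, v, ""
}

func sign(n int) int {
	switch {
	case n < 0:
		return -1
	case n > 0:
		return 1
	}
	return 0
}

// CompareVersions returns -1, 0 or 1 as a is older than, equal to or newer than b.
func CompareVersions(a, b string) int {
	ea, ua, ra := parseVersion(a)
	eb, ub, rb := parseVersion(b)
	if ea != eb {
		return sign(ea - eb)
	}
	if r := verrevcmp(ua, ub); r != 0 {
		return sign(r)
	}
	return sign(verrevcmp(ra, rb))
}

// IsAtLeastFixed reports whether installed sorts at or above the version an
// advisory names as fixed, i.e. whether a pure version comparison would treat
// the finding as resolved.
func IsAtLeastFixed(installed, fixed string) bool {
	return CompareVersions(installed, fixed) >= 0
}

func main() {
	installed := "3003.1+ds-1" // from the apt-cache policy output in the issue
	tracker := "3002.6"        // version the reporter says Vuls took from the tracker
	fmt.Printf("%s >= %s: %v\n", installed, tracker, IsAtLeastFixed(installed, tracker))
}
```

Running it prints `3003.1+ds-1 >= 3002.6: true`: by version ordering alone the Salt-repository build is newer than the tracker's version, which is why matching it against Debian's own package history misrepresents its exposure. The comparison only establishes ordering; whether a third-party build actually carries a given fix has to come from that repository's (or upstream's) advisory data, which is the gap the issue asks Vuls to close.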