Comments (6)
@setharnold No, it's not. See #56 and #53
from sec-cvescan.
@setharnold @mssalvatore as a work-around until 3.0, do you see any issues with using the following to remove previously uninstalled items from the manifest?
$ grep -v -f <(dpkg --get-selections | awk '$2 ~ /deinstall/ {print $1}') <(dpkg-query -W)
from sec-cvescan.
If it helps, the cloud image manifests published to http://cloud-images.ubuntu.com/releases/focal/release/ are generated using
dpkg-query --show --admindir="/var/lib/dpkg"
See https://git.launchpad.net/ubuntu/+source/livecd-rootfs/tree/live-build/functions?h=ubuntu/focal-updates#n46 for more details.
from sec-cvescan.
@philroche that still turns up previously installed packages for me -- for example, zfs-zed is no longer installed locally and ideally won't show up in a manifest:
$ dpkg -l | grep '^rc' | tail -1 Wed 16 Dec 2020 09:28:15 PM UTC
rc zfs-zed 0.7.12-1ubuntu5 amd64 OpenZFS Event Daemon
but it does show up in standard queries:
$ dpkg-query --show --admindir="/var/lib/dpkg" | grep 'zfs-zed'
zfs-zed 0.7.12-1ubuntu5
from sec-cvescan.
@techalchemy Interesting. I'll check to see if any cloud-images are affected by this. I'll also update https://github.com/CanonicalLtd/ubuntu-package-manifest too
@philroche that still turns up previously installed packages for me -- for example, zfs-zed is no longer installed locally and ideally won't show up in a manifest:
$ dpkg -l | grep '^rc' | tail -1 Wed 16 Dec 2020 09:28:15 PM UTC
rc zfs-zed 0.7.12-1ubuntu5 amd64 OpenZFS Event Daemon
but it does show up in standard queries:
$ dpkg-query --show --admindir="/var/lib/dpkg" | grep 'zfs-zed'
zfs-zed 0.7.12-1ubuntu5
from sec-cvescan.
I have confirmed that Ubuntu cloud image manifests are not affected, as any package removal that I can find uses apt-get remove --purge, which means it will not show up in the manifest.
I have tested this locally now too.
from sec-cvescan.
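The thread above turns on dpkg listing removed-but-not-purged packages (state "rc") alongside installed ones. As an added example, not code from the thread or from cvescan, this sketch filters on dpkg's own status abbreviation with exact field matching. The function names are hypothetical and the sample lines are constructed, apart from the zfs-zed entry quoted in the thread.

```shell
#!/bin/sh
# Added example: build a manifest that leaves out removed-but-not-purged packages.
# Input on stdin: "name<TAB>version<TAB>status-abbrev" lines, as printed by
#   dpkg-query -W -f='${binary:Package}\t${Version}\t${db:Status-Abbrev}\n'
# The abbreviation's second character is the current state:
#   i = installed, c = config-files only ("rc" in dpkg -l), n = not installed.

# Keep every package that still has files on disk (anything except c and n),
# so half-installed or unpacked packages are still scanned.
installed_manifest() {
    awk -F '\t' '{
        state = substr($3, 2, 1)
        if (state != "c" && state != "n") printf "%s\t%s\n", $1, $2
    }'
}

# List the residual-config entries that a plain `dpkg-query -W` would include.
residual_config() {
    awk -F '\t' 'substr($3, 2, 1) == "c" { print $1 }'
}

# Constructed sample listing; only the zfs-zed version comes from the thread.
sample_listing() {
    printf 'example-tool\t1.0-1\tii \n'
    printf 'zfs-zed\t0.7.12-1ubuntu5\trc \n'
    printf 'example-lib\t2.3-4\tiU \n'
    printf 'example-old\t\tun \n'
}

# Demo on the sample; on a real host, pipe the dpkg-query command above instead.
sample_listing | installed_manifest
```

The output has the same two-column shape as plain `dpkg-query -W`, so it can stand in wherever that manifest format is expected.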