API Queries for More Linux Distributions

Posted by Holly Gong on Oct 22, 2024

We’re excited to announce that OSV.dev’s API now allows you to query all our supported Linux distributions! From now on, any new Linux distribution adopting the OSV Schema will be instantly available for querying as soon as it’s imported by OSV.dev!

2024 has seen significant adoption of the OSV Schema from prominent Linux distributions such as Ubuntu, Chainguard/Wolfi, and SUSE/openSUSE. In particular, Ubuntu provides us with both Ubuntu Security Notices (identified as USN-) and Ubuntu CVE Tracker (identified as UBUNTU-CVE-) to cover fixed and unfixed vulnerabilities. Chainguard/Wolfi and SUSE/openSUSE have also recently adopted the OSV Schema. This increased community adoption allows us to expand our Linux distribution vulnerability coverage significantly.

Although we had expanded our coverage of Linux distributions, we didn’t support API queries for many of them due to limitations in our query implementation. Specifically, the OSV.dev API relied solely on enumerated affected versions for package version queries, requiring version enumeration functions to be implemented for each ecosystem. This approach was difficult to scale and limited our API queries to only Debian, Ubuntu, and Alpine. As a result, the lack of API query support for other Linux distributions created a barrier for users accessing the available data.

To overcome the limitations of our previous implementation, we developed a new affected range matching method. This new method eliminates the need for version enumeration, allowing us to support queries for a wider range of Linux distributions. As a result, OSV.dev now supports package version queries across all our Linux distributions, including Rocky Linux, AlmaLinux, Chainguard/Wolfi, and SUSE/openSUSE. Furthermore, with this new method, any new Linux distribution that publishes vulnerabilities in the OSV Schema and is imported by OSV.dev in the future will be immediately queryable.

curl -d \
'{"package": {"name": "nodejs", "ecosystem": "AlmaLinux"},
"version": "1:16.13.1-3.module_el8.5.0+2605+45d748af"}' \
https://api.osv.dev/v1/query

This year, the OSV team has had a big focus on container image scanning. With the improved Linux distribution data and API query capabilities, we will deliver even better results for container image scanning. In our next update on container image scanning, we’ll dive deeper into base image identification and layer attribution. Additionally, we’ll unveil a new output format for OSV-Scanner. Stay tuned for more!