Include Severity Rating with Debian Vulnerabilities

[RTann]

Background

Clair uses the OVAL feed provided by Debian for vulnerabilities in Debian-based images. Debian’s OVAL feed lacks severity rating data, which is a problem for ACS. ACS shows customers vulnerability severity ratings, and would much prefer to use the severity ratings from the distribution, itself, opposed to ratings from a third-party source like NVD. The goal is to add the severity rating to Debian vulnerabilities.

Proposal

Clair v2 and ACS Scanner both utilize https://security-tracker.debian.org/tracker/data/json for Debian vulnerabilities (see https://security-tracker.debian.org/tracker/ for more information). We propose to revert the change from this source to OVAL and return to using the original security tracker JSON feed. The JSON feed contains all of the same data about a vulnerability as the OVAL feed plus severity rating (note: both OVAL and JSON sources are missing vulnerability issued time).

Severity Mapping

Debian lists four severity ratings (see here for their meanings):

• unimportant
• low
• medium
• high

Based on Red Hat’s severity rating four-point scale, we propose to map the ratings as follows:

• unimportant -> Low
• low -> Medium
  • Debian mentions this includes issues which may still affect availability (ex: local DoS). Red Hat says vulnerabilities which can still affect availability fall under Moderate, which ClairCore maps to Medium
• medium -> High
  • Debian mentions most remote DoS attacks land in medium. Red Hat says remote DoS attacks fall under Important, which ClairCore maps to High
• high -> Critical
• default: Negligible
  • The severity rating is not always known. There are times when Debian lists the urgency as “not yet assigned”. In this case and all other unknown ratings, we default to Negligible

Note: this mapping differs from what Clair v2 did and what ACS Scanner does now. At this time, ACS Scanner does the following:

• unimportant -> Low
• low -> Low
• medium -> Moderate
• high -> High

Side Effects

• DSAs will no longer be displayed
  • It does not look like the JSON feed includes them
• Only the previous, current, next future release, and unstable are supported
  • At the time of writing this, Debian 11 is the current release. That means only Debian 10 (Buster), Debian 11 (Bullseye), Debian 12 (Bookworm), and unstable (Sid) are supported at this time

Alternatives

Keep OVAL but Find Urgency Elsewhere

This is not ideal, as we would like to obtain vulnerability data from a single source-of-truth. It is currently unclear if DSAs are assigned a level of urgency, so we’d need to determine the urgency from the related CVEs. However, at that point, it may just be worth changing vulnerability sources to minimize the number of websites queried.

[RTann]

Should be done with #888