Security Scanning #584

@turtle0x1

Description

Assuming #580 is merged, it's somewhat dreamable that packages can be scanned for out of date packages to produce reports.

Idea

It should be possible to compare our package list to security advisories to monitor infrastructure for vulnerabilities.

For example, the big players seem to publish OVAL files with varying degrees of completeness (Canonical, Red Hat, SUSE). Alpine publishes its own sec db.

Other products scan CVE databases directly and import / grep / parse / LLM whatever they can out of the text, which may be the better overall solution. Another fun link: https://github.com/CVEProject/cvelistV5

Drawbacks

  • It would probably be "feature creep" to include something like this within LXDMosaic
    • it requires downloading and parsing quite a lot of files and probably quite DB intensive
      • perhaps spin out as separate app (maybe fish for some coin by offering it as a service).
  • Package managers like npm, pip, and SNAP don't appear to publish OVAL files (:cry:)
    • require even more code & parsing
  • If you're mega serious you build your images, pin/compile every package, and control everything everywhere
    • I'm willing to wager my time that's not super common until you hit ISO 27001 level control

Pros

  • "Free" scanning
  • If anyone else uses it the world might be 0.001% more secure 😄
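As an added illustration of the matching step described in the Idea section (this is example code, not part of LXDMosaic or of the issue), the block below compares a constructed installed-package inventory against a constructed advisory feed in the shape of Alpine's secdb JSON (`packages[].pkg.name` plus `secfixes` mapping a fixed version to CVE ids). The CVE ids are placeholders, and the version comparison is a simplified apk-style ordering assumed for the example, not apk's real algorithm.

```python
"""Match an installed package list against an Alpine-secdb-shaped advisory feed.

Added example, not LXDMosaic code. Assumptions: the feed follows the secdb
layout (packages[].pkg.name / secfixes{fixed_version: [cve, ...]}), the
inventory is {name: version}, and versions order as dotted integers plus an
optional "-rN" release suffix (simplified apk-style comparison).
"""
import json
import re

# Constructed sample feed in secdb shape; CVE ids are placeholders, not real advisories.
SAMPLE_SECDB = json.dumps({
    "distroversion": "vX.Y",
    "reponame": "main",
    "packages": [
        {"pkg": {"name": "openssl",
                 "secfixes": {"3.1.4-r0": ["CVE-0000-0001"],
                              "3.1.2-r0": ["CVE-0000-0002"]}}},
        {"pkg": {"name": "busybox",
                 "secfixes": {"0": ["CVE-0000-0003"],
                              "1.36.1-r2": ["CVE-0000-0004"]}}},
    ],
})

# Constructed inventory, e.g. what a parsed `apk list --installed` would produce.
SAMPLE_INSTALLED = {"openssl": "3.1.3-r0", "busybox": "1.36.1-r2", "curl": "8.4.0-r0"}


def version_key(ver):
    """Turn '1.36.1-r2' into ((1, 36, 1), 2) so tuples compare in version order.

    Simplified: numeric components only; letters and other suffixes are ignored.
    """
    base, _, rel = ver.partition("-r")
    nums = tuple(int(n) for n in re.findall(r"\d+", base))
    return nums, int(rel) if rel.isdigit() else 0


def is_fixed(installed, fixed):
    """True when the installed version is at or above the fixing version."""
    return version_key(installed) >= version_key(fixed)


def load_secdb(text):
    """Build {package_name: [(fixed_version, cve), ...]} from secdb-shaped JSON."""
    fixes = {}
    for entry in json.loads(text)["packages"]:
        pkg = entry["pkg"]
        for fixed_ver, cves in pkg.get("secfixes", {}).items():
            if fixed_ver == "0":
                # secdb uses the pseudo-version "0" for CVEs recorded as not affecting the package
                continue
            for cve in cves:
                fixes.setdefault(pkg["name"], []).append((fixed_ver, cve))
    return fixes


def scan(installed, fixes):
    """Return sorted (package, installed_version, fixed_version, cve) findings.

    A package is reported for each CVE whose fixing version is newer than what
    is installed; packages absent from the feed produce no finding.
    """
    findings = []
    for name, ver in installed.items():
        for fixed_ver, cve in fixes.get(name, []):
            if not is_fixed(ver, fixed_ver):
                findings.append((name, ver, fixed_ver, cve))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, have, need, cve in scan(SAMPLE_INSTALLED, load_secdb(SAMPLE_SECDB)):
        print(f"{pkg}: installed {have}, fixed in {need} ({cve})")
```

Two points the example makes concrete: the "0" pseudo-version must be skipped or every listed package would be flagged for CVEs that never applied to it, and the version comparison is where most false positives and negatives come from, so a real implementation would reuse the distribution's own comparison rather than this simplified ordering.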

Labels: experimental, more input required (needs more input from a wider group of people before being implemented)