Scanning RPM packages for vulnerabilities
itsecforu opened this issue · 2 comments
Hey folks!
How do I correctly scan rpm packages?
Maybe you have some kind of page with examples, or even a wiki?
An internet search gave no results.
Hi!
OSS Index uses the Package URL (purl) specification for packages (components). Here's a link with info:
https://ossindex.sonatype.org/doc/coordinates
The URL of each component on the OSS Index website contains the purl. You can browse a list of rpm components here:
https://ossindex.sonatype.org/browse/rpm?page=0
An easy way to try out the OSS Index API is via this page:
https://ossindex.sonatype.org/rest
Note that the API requires a version number for each purl. For example, here's a specific version of a component: https://ossindex.sonatype.org/component/pkg:rpm/nginx@1.10.1
The purl starts with "pkg:", so the purl is pkg:rpm/nginx@1.10.1.
A request to the API for that purl would be the following:
{
  "coordinates": [
    "pkg:rpm/nginx@1.10.1"
  ]
}
Up to 128 purls per request are allowed (add additional ones to the "coordinates" array above).
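A worked example of the workflow the answer above describes, added here and not part of the original thread or of the OSS Index project: it turns the output of `rpm -qa --queryformat '%{NAME} %{VERSION}\n'` into versioned `pkg:rpm/<name>@<version>` purls, splits them into request bodies of at most 128 coordinates, and posts each body to OSS Index. The endpoint path (`/api/v3/component-report`), the response shape (a list of objects with `coordinates` and `vulnerabilities`), and the sample rpm output are assumptions or constructed data, not taken from the page.

```python
"""Build OSS Index purl coordinates for installed rpm packages and query them in batches."""
import json
import urllib.request

# Assumed endpoint (the page only links the interactive /rest page): OSS Index v3 component report.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_PURLS_PER_REQUEST = 128  # limit stated in the answer above

# Constructed sample of `rpm -qa --queryformat '%{NAME} %{VERSION}\n'` output, not real host data.
SAMPLE_RPM_QA = """nginx 1.10.1
openssl 1.0.2k
curl 7.29.0
"""


def rpm_purl(name, version):
    """Return the purl in the form used on the page: pkg:rpm/<name>@<version>.

    OSS Index requires a version, so a missing one is an error rather than a silent unversioned purl.
    """
    if not name or not version:
        raise ValueError("both name and version are required: the API needs a versioned purl")
    return f"pkg:rpm/{name}@{version}"


def parse_rpm_qa(text):
    """Parse '<name> <version>' lines (one package per line) into a list of purls."""
    purls = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:  # skip blank or malformed lines instead of sending garbage coordinates
            continue
        purls.append(rpm_purl(parts[0], parts[1]))
    return purls


def batch_requests(purls, size=MAX_PURLS_PER_REQUEST):
    """Split purls into request bodies of the shape shown above, at most `size` coordinates each."""
    return [{"coordinates": purls[i:i + size]} for i in range(0, len(purls), size)]


def query_ossindex(body):
    """POST one request body to OSS Index and return the parsed JSON reply (network call)."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        OSSINDEX_URL,
        data=data,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report):
    """Map each purl to its vulnerability count.

    Assumed response shape: a list of objects with "coordinates" and a "vulnerabilities" list.
    """
    return {entry["coordinates"]: len(entry.get("vulnerabilities", [])) for entry in report}


if __name__ == "__main__":
    # Offline part: build the purls and batches from the constructed sample.
    purls = parse_rpm_qa(SAMPLE_RPM_QA)
    for body in batch_requests(purls):
        print(json.dumps(body, indent=2))
        # Uncomment to actually call the API from a connected host:
        # for purl, count in summarize_report(query_ossindex(body)).items():
        #     print(f"{purl}: {count} known vulnerabilities")
```

On a real host, pipe `rpm -qa --queryformat '%{NAME} %{VERSION}\n'` into `parse_rpm_qa`; the batching keeps every request under the 128-purl limit regardless of how many packages are installed.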
Hi, thx for feedback.