Changes to Bottlerocket's security advisory publication #4063
ginglis13 announced in Announcements
As part of adapting to the core kit migration (#4048) and the recent order of magnitude increase in kernel CVE assignments, the Bottlerocket project will be making the following changes:

- … `updateinfo.xml` instead, which is the canonical source of this data. Bottlerocket's `updateinfo.xml` is published to https://advisories.bottlerocket.aws/updateinfo.xml.gz
- … `updateinfo.xml`. These data sources will no longer remove the "bottlerocket-" prefix from package names, or replace package versions with Bottlerocket project versions. Instead, packages will reflect the names and versions from the corresponding RPM spec file.
- … `updateinfo.xml` will not be modified.

## What is `updateinfo.xml`?

`updateinfo.xml` is a special file used by software distributions to communicate security advisories for a collection of software and what updates one can take to patch said security advisories.

## What is `application-inventory.json`?

Bottlerocket's `application-inventory.json` file is a special file listing the packages installed in a Bottlerocket image. Since Bottlerocket variants do not include a package database, this file takes the place of that database for inventory/security scanners to identify the software included on a Bottlerocket host.

## What is the relationship between `application-inventory.json` and `updateinfo.xml`?

The application inventory lists packages on a Bottlerocket instance. `updateinfo.xml` lists advisories affecting specific packages vended by Bottlerocket across its core kit and variants. Comparisons between the application inventory and `updateinfo.xml` allow developers and tools to draw conclusions about security advisory applicability to Bottlerocket instances.

## What does Bottlerocket `updateinfo.xml` look like today?

Bottlerocket provides an `updateinfo.xml` with each new release of Bottlerocket variants. The historical `<update>`s in `updateinfo.xml` must be preserved; it is an append-only document. Note the `version` of a `<package>` below corresponds to a Bottlerocket release version.

The full document can be found at https://advisories.bottlerocket.aws/updateinfo.xml.gz (note: some browsers do not recognize the content-type properly. Try `curl -L https://advisories.bottlerocket.aws/updateinfo.xml.gz -o updateinfo.xml.gz`).

## What changes are coming to Bottlerocket `updateinfo.xml`?

The format of the file will remain the same. Any software which consumes Bottlerocket's application inventory and evaluates it against `updateinfo.xml` will continue to behave as expected.

## What does Bottlerocket's `application-inventory.json` look like today?

## What changes are coming to Bottlerocket application inventory?

The format of the file will remain the same. Any software which consumes Bottlerocket's application inventory and evaluates it against `updateinfo.xml` will continue to behave as expected.
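As an added example (not code from the Bottlerocket project or from this post), here is one way a scanner can make the comparison described in the relationship section above: match each inventory package against the `<package>` entries in `updateinfo.xml` and flag every advisory whose fixed version-release is newer than the installed one. It assumes the post-change convention that both files carry the RPM spec package names (with the "bottlerocket-" prefix) and versions; the inventory's `Content`/`Name`/`Version`/`Release`/`Architecture` keys and all sample values are constructed assumptions, while the XML follows the standard yum/dnf updateinfo layout.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample in the standard yum/dnf updateinfo.xml layout; the advisory
# id, package names and versions are made up for this example.
UPDATEINFO_XML = """<updates><update status="stable" type="security" version="1">
  <id>EXAMPLE-ADVISORY-0001</id><severity>Important</severity>
  <pkglist><collection short="example"><name>example</name>
    <package arch="x86_64" name="bottlerocket-kernel-6.1" version="6.1.99" release="1"/>
    <package arch="x86_64" name="bottlerocket-containerd" version="1.7.20" release="2"/>
  </collection></pkglist></update></updates>"""
# Constructed sample inventory; the Content/Name/Version/Release/Architecture keys are assumed.
INVENTORY_JSON = """{"Content": [
  {"Name": "bottlerocket-kernel-6.1", "Version": "6.1.90", "Release": "1", "Architecture": "x86_64"},
  {"Name": "bottlerocket-containerd", "Version": "1.7.20", "Release": "2", "Architecture": "x86_64"},
  {"Name": "bottlerocket-docker-cli", "Version": "25.0.5", "Release": "1", "Architecture": "x86_64"}]}"""

def vercmp(a, b):
    """Return -1, 0 or 1 comparing version (or release) strings rpm-style:
    numeric runs compare as ints, alphabetic runs as strings, numeric beats alpha."""
    tokens = lambda s: [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]
    sa, sb = tokens(a), tokens(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # the longer string is newer

def load_advisories(xml_text):
    """Map (package name, arch) -> [(advisory id, severity, fixed version, fixed release)]."""
    fixed = {}
    for upd in ET.fromstring(xml_text).iter("update"):
        adv = (upd.findtext("id"), upd.findtext("severity", default=""))
        for pkg in upd.iter("package"):
            fixed.setdefault((pkg.get("name"), pkg.get("arch")), []).append(
                adv + (pkg.get("version"), pkg.get("release")))
    return fixed

def applicable_advisories(inventory_text, xml_text):
    """Advisories whose fixed version-release is newer than the installed one, sorted."""
    fixed, hits = load_advisories(xml_text), []
    for pkg in json.loads(inventory_text)["Content"]:
        for adv_id, sev, fv, fr in fixed.get((pkg["Name"], pkg["Architecture"]), []):
            if (vercmp(pkg["Version"], fv) or vercmp(pkg["Release"], fr)) < 0:
                hits.append((pkg["Name"], adv_id, sev, f"{pkg['Version']}-{pkg['Release']}", f"{fv}-{fr}"))
    return sorted(hits)
```

Because both files keep their formats, a matcher like this keeps working after the change; what changes is that the `version` values it compares are RPM spec versions rather than Bottlerocket release versions.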