Fix Debian point release detection #4997
Open
OsamaSE wants to merge 1 commit into
Debian's /etc/os-release declares only the major version in VERSION_ID (e.g. "13"), while /etc/debian_version carries the point release (e.g. "13.5"). The cataloger previously skipped debian_version whenever os-release already had a Version/VersionID, so point releases were lost.

Signed-off-by: Osama Elhindawy <25825931+OsamaSE@users.noreply.github.com>
Description
Debian stable keeps `/etc/os-release` `VERSION_ID` at the major release, while `/etc/debian_version` carries the point release. Syft already reads `/etc/debian_version` when `os-release` has no Debian version (#4569); this also uses it when `os-release` only has the major version.

Debian documents this split in `base-files`: `VERSION_ID="13"` and `DEBIAN_VERSION_FULL=13.5`. The Debian discussion for adding point releases to `VERSION_ID` instead concluded that `VERSION_ID` should continue to identify the release series, with full point-release information exposed in a separate Debian-specific field.

- `VERSION_ID` should identify the release series: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931197#49
- `base-files` example showing `VERSION_ID="13"` and `DEBIAN_VERSION_FULL=13.5`: https://sources.debian.org/src/base-files/13.8%2Bdeb13u5/etc/os-release/

This also aligns Debian with other distro metadata where `VERSION_ID` commonly includes minor or patch versions, for example Ubuntu `24.04`, Rocky `9.3`, and Alpine `3.21.7`.

On a Debian point-release image, Trivy did not report the same findings from a Syft-generated SBOM when the SBOM identified the distro as only the major release (`13`). The SBOM scan matched Trivy's direct image scan when the SBOM used the point release (`13.5`), which is expected because Trivy puts Debian OS versions into the package PURL `distro` qualifier and requires qualifier values to match.

This is not expected to change Grype or Dependency-Track vulnerability results, since both treat Debian point releases as matching the major series:

- `13` matches `13.5`: https://github.com/anchore/grype/blob/main/grype/search/distro.go#L93-L104
- `debian-11.6` as matching `debian-11`: https://github.com/DependencyTrack/dependency-track/blob/main/vuln-analysis/internal/src/test/java/org/dependencytrack/vulnanalysis/internal/InternalVulnAnalyzerTest.java#L572-L573

Type of change
Checklist
Issue references
Related: #4569
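The resolution rule the description outlines (take the point release from `/etc/debian_version` when `os-release` only carries the major release) as an added, stand-alone Go example. This is not Syft's code and not the PR's diff: the file contents are constructed samples, the `resolveDebianVersion` policy (refuse a `debian_version` that is a codename such as `trixie/sid` or that disagrees with `VERSION_ID` on the major release) is this example's own assumption, and the `distro=debian-<version>` PURL qualifier shape in `debPURL` is likewise assumed, to show why `13` and `13.5` produce different package identities for a qualifier-matching scanner.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample inputs (not taken from a real image), modelled on the
// split the PR describes: os-release carries only the major release while
// /etc/debian_version carries the point release.
const sampleOSRelease = `PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
ID=debian
`

const sampleDebianVersion = "13.5\n"

// parseOSRelease returns the KEY=value pairs of an os-release file, dropping
// blank lines and comments and stripping surrounding double quotes.
func parseOSRelease(content string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		fields[key] = strings.Trim(value, `"`)
	}
	return fields
}

// pointRelease accepts a dotted numeric version such as "13.5" and rejects
// the codename form ("trixie/sid") that /etc/debian_version holds on testing.
var pointRelease = regexp.MustCompile(`^\d+(\.\d+)+$`)

// majorOf returns the leading numeric component of a version ("13.5" -> "13").
func majorOf(v string) string {
	major, _, _ := strings.Cut(v, ".")
	return major
}

// resolveDebianVersion chooses the version to record for the distro.
// Assumed policy (this example's, not necessarily the PR's exact logic):
//   - keep VERSION_ID when it already carries a minor component;
//   - otherwise take /etc/debian_version when it is a dotted numeric version
//     whose major component agrees with VERSION_ID, or VERSION_ID is absent;
//   - fall back to VERSION_ID when debian_version is a codename or disagrees
//     on the major release, so a stale or hand-edited file cannot move the
//     SBOM onto a different release series.
func resolveDebianVersion(versionID, debianVersion string) string {
	versionID = strings.TrimSpace(versionID)
	debianVersion = strings.TrimSpace(debianVersion)
	if strings.Contains(versionID, ".") {
		return versionID
	}
	if !pointRelease.MatchString(debianVersion) {
		return versionID
	}
	if versionID != "" && majorOf(debianVersion) != versionID {
		return versionID
	}
	return debianVersion
}

// debPURL builds a package URL with the distro qualifier in the assumed
// "distro=debian-<version>" shape. The PR notes Trivy requires that qualifier
// to match between SBOM and image scan, so "13" and "13.5" identify the same
// package differently.
func debPURL(name, version, arch, distroVersion string) string {
	return fmt.Sprintf("pkg:deb/debian/%s@%s?arch=%s&distro=debian-%s", name, version, arch, distroVersion)
}

func main() {
	osr := parseOSRelease(sampleOSRelease)
	resolved := resolveDebianVersion(osr["VERSION_ID"], sampleDebianVersion)
	fmt.Println("VERSION_ID:", osr["VERSION_ID"], "debian_version:", strings.TrimSpace(sampleDebianVersion), "resolved:", resolved)
	// "5.2.37-2" is a constructed package version for illustration only.
	fmt.Println("major-only PURL:", debPURL("bash", "5.2.37-2", "amd64", osr["VERSION_ID"]))
	fmt.Println("point-rel PURL: ", debPURL("bash", "5.2.37-2", "amd64", resolved))
	fmt.Println("testing image:  ", resolveDebianVersion("", "trixie/sid"))
}
```

Running it on the sample input prints `resolved: 13.5` and two PURLs that differ only in the `distro` qualifier; the `trixie/sid` case shows the guard that keeps a codename out of the version field.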