Good afternoon,
I'm currently completely reworking a Local Security Check scanner for
OpenVAS as my bachelor thesis.
Since Debian is so widely used and appreciated, especially by us over at
Greenbone, it is obvious that we will want to continue supporting your
advisories such as DSA and DLA in the future. To do that, I have come
across your useful way of presenting information from your security
tracker in JSON (https://security-tracker.debian.org/tracker/data/json).
This is really really useful and almost what I need.
However, this is what our scripts currently look like for checking
packages that are stated in your DLAs or DSAs:
https://vulners.com/openvas/OPENVAS:1361412562310704634
As you can see, it's a bit of a problem that all of your information in
JSON is listed by packages and their CVEs without any reference to a
DSA/DLA advisory. In order to use your information in JSON in the
future, it would be fantastic to have the information be listed by
advisories (such as a DSA or DLA with their ID, for example). Then, it
would branch into e.g. a list of all related CVEs, OS versions (you'd
probably call it "releases"), all affected package names, their fixed
versions, the status and the description.
Since this information should all be present in your database, I could
definitely see this working and it would be of huge value! Let me know
what you think about this. If we could get this implemented as soon as
possible, it would be fantastic! Having to parse HTML is not
contemporary anymore. This would be a great step forward in the right
direction.
Best wishes,
Thorsten Paßfeld
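
The advisory-keyed layout requested above, sketched as an added example that is not part of the original message or of the tracker's code. The package → CVE → releases field names are assumptions about the tracker's JSON, all IDs and versions are constructed placeholders, and the advisory → CVE mapping is hypothetical input standing in for the link the JSON does not carry.

```python
import json

# Constructed sample in a package -> CVE -> releases layout (assumed field names).
TRACKER = {
    "examplepkg": {
        "CVE-0000-0001": {"releases": {
            "stretch": {"status": "resolved", "fixed_version": "1.0-1+deb9u1"},
            "buster": {"status": "resolved", "fixed_version": "1.2-3+deb10u1"},
        }},
        "CVE-0000-0002": {"releases": {"buster": {"status": "open"}}},
    },
    "otherpkg": {
        "CVE-0000-0001": {"releases": {
            "buster": {"status": "resolved", "fixed_version": "2.0-1"},
        }},
    },
    "unrelatedpkg": {
        "CVE-0000-0009": {"releases": {"buster": {"status": "open"}}},
    },
}

# Hypothetical advisory -> CVE mapping; the package-keyed JSON has no such link.
ADVISORIES = {"DSA-0000-1": ["CVE-0000-0001", "CVE-0000-0002"]}


def by_advisory(tracker, advisories):
    """Re-key package-centric data as advisory -> release -> package -> CVE."""
    out = {}
    for adv, cves in advisories.items():
        wanted = set(cves)
        entry = {"cves": sorted(wanted), "releases": {}}
        for pkg, pkg_cves in tracker.items():
            # Only CVEs that belong to this advisory and affect this package.
            for cve in sorted(wanted.intersection(pkg_cves)):
                for rel, info in pkg_cves[cve].get("releases", {}).items():
                    per_pkg = entry["releases"].setdefault(rel, {}).setdefault(pkg, {})
                    per_pkg[cve] = {
                        "status": info.get("status"),
                        # Unfixed entries carry no version; keep that explicit.
                        "fixed_version": info.get("fixed_version"),
                    }
        out[adv] = entry
    return out


if __name__ == "__main__":
    print(json.dumps(by_advisory(TRACKER, ADVISORIES), indent=2))
```

A package check would still need to reduce the per-CVE fixed versions to one minimum safe version per package and release, using Debian version ordering.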