attention-attention
vulnerabilities
attention-attention | vulnerabilities | |
---|---|---|
1 | 2 | |
7 | 12 | |
- | - | |
2.4 | 4.3 | |
about 1 year ago | 10 months ago | |
Python | ||
GNU General Public License v3.0 only | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
attention-attention
-
Wolfi: A community Linux OS designed for the container and cloud-native era
I'm not sure what you mean by "non-trivial" but here's a simple discord bot I wrote in python, that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 linux via GitHub actions: https://github.com/starcraft66/attention-attention
There is no SBOM because I didn't bother publishing one but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the nix derivation that builds the container image.
1: https://github.com/tiiuae/sbomnix
vulnerabilities
-
Wolfi: A community Linux OS designed for the container and cloud-native era
Do you provide an OVAL feed?
Alpine is out of the picture for us because the guy that works on their security tracker just doesn't care, and responds half a year after filing an issue. The tracker itself is broken for over a year and the response was to basically rebuild our own package index and host our own security tracker.
So I would not say that Alpine has security as a high priority, even though in theory there are the secfixesdb.
Redhat Enterprise, Debian and Ubuntu are used because they provide an OVAL feed that are easily integrated with zero development overhead. So if compliance is your focus, I'd heavily recommend generating an OVAL feed when you're regenerating the secfixes json files.
Source: Am building a cross-linux-distro vulnerability database and I am scraping _all_ linux security trackers. [1]
[1] https://github.com/tholian-network/vulnerabilities
-
Why does VoidLinux not have any security advisories tracker or page?
I was trying to find the security tracker or advisories page for VoidLinux, as I'm building a cross-distro vulnerabilities database; where I want to match the confidence via reliable disclosures and unreliable advisories.
What are some alternatives?
sbomnix - A suite of utilities to help with software supply chain challenges on nix targets
os - Main package repository for production Wolfi images
Flatcar - Flatcar project repository for issue tracking, project documentation, etc.
images - Public Chainguard Images
community - Documents and tools powering the Wolfi OS community
bottlerocket - An operating system designed for hosting containers
pipeline - A cloud-native Pipeline resource.