This guide outlines the steps needed to integrate the Minimus Advisories Feed with your vulnerability scanner to optimize scanning for Minimus Images.

Overall, vulnerability scanning involves:

  1. Confirming the image uses MinimOS as its distribution.
  2. Identifying all installed packages.
  3. Mapping each package to known vulnerabilities.

Step 1: Identifying the Distribution

The first step is to confirm the distribution ID is minimos.

As with many Linux distributions, distribution info is available under /etc/os-release. For MinimOS, a typical /etc/os-release file looks like this:

ID=minimos
NAME="MinimOS"
PRETTY_NAME="MinimOS"
VERSION_ID="20241031"
HOME_URL="https://minimus.io"
BUG_REPORT_URL="https://support.minimus.io"

Scanners should read the ID field, expecting it to be minimos. Other fields are not relevant. If ID is anything else, then the image falls outside the MinimOS scope.

MinimOS Distro is Unversioned

Unlike many distributions (e.g., Ubuntu, Debian), MinimOS is not versioned. It operates as a continuous, rolling package set. The VERSION_ID field doesn’t impact vulnerability scanning and should not be shown as the distribution version to scanner users.

Technically, VERSION_ID corresponds to the version of the package that installed /etc/os-release — usually minimos-baselayout. It can safely be ignored.

Detecting the MinimOS Distro via SBOMs

If a scanner supports SBOMs (software bills of materials), you can also detect MinimOS based on the distro metadata within the SBOM, provided it identifies the distro as minimos.

Step 2: Identifying Installed Packages

Once you’ve established that the distro is MinimOS, the next step is to catalog all installed distribution packages. Each package record requires:

  1. Name
  2. Version
  3. Origin package

You can parse the /lib/apk/db/installed database to retrieve this information. Example record:

P:libcrypto3
V:3.1.1-r2
A:x86_64
L:Apache-2.0
T:OpenSSL libcrypto library
o:openssl

Where:

  • P: indicates the package name
  • V: provides the package version
  • o: points to the origin package

What is an Origin Package

In APK ecosystems, a package may declare an “origin” different from its “name”. For MinimOS, origin packages correspond to build definitions that generate primary packages and any associated subpackages. Subpackages share the version number of their origin.

Detecting Packages via SBOMs

If the SBOM already enumerates the installed packages along with name, version, and origin, you can rely on it instead of parsing /lib/apk/db/installed.
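The following is an added example, not code from Minimus or from this guide, that carries Steps 1 and 2 through in Python: it parses a constructed /etc/os-release, refuses anything whose ID is not minimos, and then reads a constructed /lib/apk/db/installed into (name, version, origin) records. The sample inputs are constructed to mirror the records shown above; the rule that a record without an o: line is its own origin is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of /etc/os-release, mirroring the layout shown above.
OS_RELEASE_SAMPLE = """\
ID=minimos
NAME="MinimOS"
PRETTY_NAME="MinimOS"
VERSION_ID="20241031"
HOME_URL="https://minimus.io"
BUG_REPORT_URL="https://support.minimus.io"
"""

# Constructed sample of /lib/apk/db/installed with two records. The first is a
# subpackage (origin differs from name); the second has no o: line at all.
INSTALLED_DB_SAMPLE = """\
P:libcrypto3
V:3.1.1-r2
A:x86_64
L:Apache-2.0
T:OpenSSL libcrypto library
o:openssl

P:busybox
V:1.36.1-r5
A:x86_64
"""


def parse_os_release(text: str) -> dict:
    """Parse KEY=VALUE lines; values may be double- or single-quoted."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[key.strip()] = value
    return fields


def is_minimos(os_release: dict) -> bool:
    # Only ID matters. VERSION_ID is the version of the package that shipped
    # /etc/os-release, not a distro release, so it is deliberately not consulted.
    return os_release.get("ID") == "minimos"


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    origin: str


def parse_installed_db(text: str) -> list:
    """Split the apk installed database into blank-line separated records and
    keep the three fields a scanner needs: P (name), V (version), o (origin).
    Assumption: a record with no o: line is treated as its own origin."""
    packages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if len(line) >= 2 and line[1] == ":":
                fields[line[0]] = line[2:]
        if "P" not in fields or "V" not in fields:
            continue  # malformed record: skip rather than guess
        packages.append(Package(fields["P"], fields["V"], fields.get("o", fields["P"])))
    return packages


def inventory(os_release_text: str, installed_db_text: str) -> list:
    """Steps 1 and 2 together: reject non-MinimOS images, then list packages."""
    if not is_minimos(parse_os_release(os_release_text)):
        raise ValueError("not a MinimOS image: ID != minimos")
    return parse_installed_db(installed_db_text)


if __name__ == "__main__":
    for pkg in inventory(OS_RELEASE_SAMPLE, INSTALLED_DB_SAMPLE):
        print(f"{pkg.name} {pkg.version} (origin: {pkg.origin})")
```

Keying vulnerability lookups on the origin field is what makes subpackages such as libcrypto3 resolve to the openssl advisory entry; the name field alone would miss them.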

Step 3: Mapping Installed Packages to Vulnerabilities

Finally, the objective is to map all installed packages to known vulnerabilities using the Minimus Advisories Feed, which is available in two formats: SecDB and OSV.

Using the SecDB Feed to Identify Vulnerable Packages

Let’s look at an example package. Here we have the package name, version, and origin package specified:

{
  "name": "libcrypto3",
  "version": "3.1.1-r2",
  "origin": "openssl"
},

In the SecDB feed, vulnerabilities are filed under the origin package. For example, below is the SecDB entry for openssl:

{
  "pkg": {
    "name": "openssl",
    "secfixes": {
      "0": ["CVE-2023-0466", "CVE-2023-4807"],
      "3.0.8-r0": ["CVE-2022-4203", "CVE-2022-4304"],
      "3.1.1-r2": ["CVE-2023-2975"],
      "3.1.1-r3": ["CVE-2023-3446"],
      "3.1.1-r4": ["CVE-2023-3817"]
    }
  }
},

Compare your openssl version to the versions listed in the SecDB advisory. If your installed version is less than the fixed version, then the vulnerabilities apply. In our example, the origin package is version 3.1.1-r2. According to the SecDB feed, version 3.1.1-r2 is vulnerable to CVE-2023-3446 and CVE-2023-3817.

False Positives are Labeled as Version 0

You’ll notice “fixed” versions labeled as "0". This signals vulnerabilities that Minimus staff identified as false positives. These vulnerabilities were determined to not truly impact the package.

Since 0 sorts lower than any real version, it allows scanners to filter these out efficiently.

Using the OSV Feed to Identify Vulnerable Packages

In OSV, packages are indexed by purl (Package URL specification). You can look up affected packages by matching the PURL, e.g., pkg:apk/minimos/ko, and checking the .ranges field.
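As an added example serving both the SecDB section and the OSV section above (this is not Minimus code and not part of this guide), the Python below implements the "installed version is less than the fixed version" rule against the openssl SecDB entry shown earlier, separates the version "0" false positives from real findings, and then matches the same package against a constructed OSV record by purl and ECOSYSTEM range. Assumptions: the version comparator is a simplification of apk's ordering (numeric dot components plus the -rN pkgrel; _alpha/_beta/_rc/_p suffixes are not handled); the OSV record follows the standard OSV schema (affected[].package.purl and ranges[].events with introduced/fixed); and the purl pkg:apk/minimos/openssl follows the pkg:apk/minimos/<name> pattern shown above.

```python
import re

# SecDB secfixes for openssl, copied from the example above.
SECDB_OPENSSL = {
    "0": ["CVE-2023-0466", "CVE-2023-4807"],
    "3.0.8-r0": ["CVE-2022-4203", "CVE-2022-4304"],
    "3.1.1-r2": ["CVE-2023-2975"],
    "3.1.1-r3": ["CVE-2023-3446"],
    "3.1.1-r4": ["CVE-2023-3817"],
}

# Constructed OSV record (assumes the standard OSV schema). The range says:
# affected from the first version, fixed in 3.1.1-r3, consistent with SecDB.
OSV_SAMPLE = [{
    "id": "CVE-2023-3446",
    "affected": [{
        "package": {"purl": "pkg:apk/minimos/openssl"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "3.1.1-r3"}]}],
    }],
}]


def parse_apk_version(version: str) -> tuple:
    """Simplified apk version key: (numeric dot components, pkgrel).
    Assumption: versions look like X.Y.Z[-rN]; apk's full ordering also
    handles _alpha/_beta/_rc/_p and letter suffixes, which this ignores.
    "0" becomes ((0,), 0), which sorts below every real version."""
    base, sep, rel = version.partition("-r")
    pkgrel = int(rel) if sep and rel.isdigit() else 0
    components = []
    for part in base.split("."):
        m = re.match(r"\d+", part)
        components.append(int(m.group()) if m else 0)
    return (tuple(components), pkgrel)


def secdb_match(installed_version: str, secfixes: dict) -> dict:
    """Return the CVEs that apply to installed_version and the feed's false
    positives. A CVE applies when installed < fixed. The "0" key is handled
    explicitly here, but the numeric comparison would exclude it anyway."""
    installed = parse_apk_version(installed_version)
    affected, false_positives = set(), set()
    for fixed, cves in secfixes.items():
        if fixed == "0":
            false_positives.update(cves)
        elif installed < parse_apk_version(fixed):
            affected.update(cves)
    return {"affected": affected, "false_positives": false_positives}


def osv_match(purl: str, installed_version: str, advisories: list) -> set:
    """Return advisory ids whose ECOSYSTEM ranges for this purl contain
    installed_version. Events are walked in order: an 'introduced' opens a
    window if installed >= introduced; a following 'fixed' closes it and
    reports a hit if installed < fixed; an open window with no fix is a hit."""
    installed = parse_apk_version(installed_version)
    hits = set()
    for adv in advisories:
        for affected in adv.get("affected", []):
            if affected.get("package", {}).get("purl") != purl:
                continue
            for rng in affected.get("ranges", []):
                if rng.get("type") != "ECOSYSTEM":
                    continue
                window_open = False
                for event in rng.get("events", []):
                    if "introduced" in event:
                        window_open = installed >= parse_apk_version(event["introduced"])
                    elif "fixed" in event:
                        if window_open and installed < parse_apk_version(event["fixed"]):
                            hits.add(adv["id"])
                        window_open = False
                if window_open:  # introduced but never fixed
                    hits.add(adv["id"])
    return hits


if __name__ == "__main__":
    print(secdb_match("3.1.1-r2", SECDB_OPENSSL))
    print(osv_match("pkg:apk/minimos/openssl", "3.1.1-r2", OSV_SAMPLE))
```

The false_positives set returned by secdb_match is also what you would subtract from NVD-derived findings when cross-referencing, as described under Additional Options below.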

Additional Options

Import the Minimus Advisories Feed into an Internal Vulnerability Database

Many scanners prefer to import SecDB/OSV data into their own internal database to optimize querying. If you choose this path, we recommend syncing the database daily or more often, since Minimus updates its feeds frequently.

Supplementing Minimus Security Data

While Minimus data is comprehensive, you may configure your scanner to:

  1. Cross-reference installed packages against NVD datasets.
  2. Scan for non-distro packages (e.g., Go modules, Ruby Gems).

When matching against NVD:

  • Identify vulnerabilities with your NVD data.
  • Exclude vulnerabilities known to be false positives based on Minimus data.

When detecting non-distro packages:

  • Track file paths associated with non-distro package evidence.
  • Check whether these paths are managed by any distro package before treating them as independent packages.
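The path check in the last bullet can be implemented directly from the apk installed database, which records each package's files as F: (directory) and R: (file in that directory) lines. The Python below is an added example, not code from Minimus or this guide: it builds a path-to-owner index from a constructed /lib/apk/db/installed excerpt and uses it to decide whether a discovered Go binary is distro-managed (already covered by the distro advisory feed) or an independent package that needs its own scanning. The excerpt and the evidence paths are constructed.

```python
# Constructed excerpt of /lib/apk/db/installed limited to the fields this
# check needs. apk stores F:/R: paths relative to the filesystem root.
INSTALLED_DB_EXCERPT = """\
P:busybox
V:1.36.1-r5
o:busybox
F:bin
R:busybox
F:usr/bin
R:wget

P:ko
V:0.15.0-r0
o:ko
F:usr/bin
R:ko
"""

# Constructed evidence: paths where a scanner found Go module metadata.
GO_BINARY_EVIDENCE = ["/usr/bin/ko", "/opt/app/server"]


def managed_paths(installed_db: str) -> dict:
    """Map every file owned by a distro package to the owning package name.
    F: sets the current directory; each R: names a file inside it."""
    owner, directory, index = None, "", {}
    for line in installed_db.splitlines():
        if line.startswith("P:"):
            owner = line[2:]
        elif line.startswith("F:"):
            directory = line[2:].strip("/")
        elif line.startswith("R:") and owner is not None:
            path = "/" + (directory + "/" if directory else "") + line[2:]
            index[path] = owner
    return index


def classify_evidence(paths: list, index: dict) -> dict:
    """Split non-distro evidence into 'managed' (path owned by a distro
    package, so the distro feed already covers it) and 'independent'."""
    managed = {p: index[p] for p in paths if p in index}
    independent = [p for p in paths if p not in index]
    return {"managed": managed, "independent": independent}


if __name__ == "__main__":
    result = classify_evidence(GO_BINARY_EVIDENCE, managed_paths(INSTALLED_DB_EXCERPT))
    for path, pkg in result["managed"].items():
        print(f"{path}: managed by distro package {pkg}, skip as non-distro")
    for path in result["independent"]:
        print(f"{path}: independent package, scan its own ecosystem")
```

Without this check, a scanner would report the same binary twice: once through the distro package's advisory entry and once through its Go module metadata, often with different and conflicting fixed versions.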