Recommendations for integrating scanners with the Minimus Advisories Feed
The distribution ID for MinimOS is minimos.

As with many Linux distributions, distribution info is available under /etc/os-release. For MinimOS, a typical /etc/os-release file looks like this:

Scanners should check the ID field, expecting it to be minimos. Other fields are not relevant. If ID is anything else, then the image falls outside the MinimOS scope.

The VERSION_ID field doesn't impact vulnerability scanning and should not be shown as the distribution version to scanner users. Technically, VERSION_ID corresponds to the version of the package that installed /etc/os-release, usually minimos-baselayout. It can safely be ignored.
Scanners should read the /lib/apk/db/installed database to retrieve the list of installed packages. Example record:

In this record:
P: indicates the package name
V: provides the package version
o: points to the origin package

Advisories are matched against the origin package, which scanners take from the o: field in /lib/apk/db/installed.
Look up the origin package, openssl, in the SecDB feed and compare the installed openssl version to the versions listed in the SecDB advisory. If your installed version is less than the fixed version, then the vulnerabilities apply. In our example, the origin package is version 3.1.1-r2. According to the SecDB feed, version 3.1.1-r2 is vulnerable to CVE-2023-3446 and CVE-2023-3817.
Some advisories list a fixed version of "0". This signals vulnerabilities that Minimus staff identified as false positives: these vulnerabilities were determined to not truly impact the package. Since 0 sorts lower than any real version, scanners can filter these out efficiently.
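The scanner-side checks described above (ID field of /etc/os-release, P:/V:/o: records in /lib/apk/db/installed, comparison against the SecDB fixed version, and the "0" false-positive convention), as an added example that is not Minimus' own code. All file contents and advisory data are constructed; the openssl advisory ids and fixed versions are placeholders, and the apk version ordering is simplified to numeric dotted components plus the -rN release number.

```python
import re

# Constructed sample of /etc/os-release; only ID decides whether the image is in scope.
OS_RELEASE = 'ID=minimos\nNAME="MinimOS"\nVERSION_ID="placeholder"\n'

# Constructed sample of /lib/apk/db/installed: blank-line separated records
# with P: (package), V: (version) and o: (origin package) fields.
APK_DB = (
    "P:openssl\nV:3.1.1-r2\no:openssl\n\n"
    "P:libcrypto3\nV:3.1.1-r2\no:openssl\n\n"
    "P:mysql-8.4\nV:8.4.4-r0\no:mysql-8.4\n"
)

# Constructed SecDB-style data keyed by origin package: advisory id -> fixed version.
# A fixed version of "0" marks a Minimus-triaged false positive. The mysql-8.4 entry
# matches the page; the openssl ids and fixed versions are placeholders.
ADVISORIES = {
    "openssl": {"CVE-PLACEHOLDER-A": "3.1.2-r0", "CVE-PLACEHOLDER-B": "0"},
    "mysql-8.4": {"CVE-2025-30685": "8.4.5-r0"},
}

def is_minimos(os_release_text):
    """True only when the ID field of /etc/os-release is minimos."""
    fields = dict(line.split("=", 1) for line in os_release_text.splitlines() if "=" in line)
    return fields.get("ID", "").strip().strip('"') == "minimos"

def parse_installed(db_text):
    """Yield (name, version, origin) per record; origin defaults to the package name."""
    for record in db_text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        yield fields["P"], fields["V"], fields.get("o", fields["P"])

def version_key(version):
    """Simplified apk ordering: numeric dotted components, then the -rN release number."""
    base, _, release = version.partition("-r")
    return [int(part) for part in re.findall(r"\d+", base)], int(release or 0)

def find_vulnerabilities(os_release_text, db_text, advisories):
    """Return (package, advisory id) pairs whose installed version is below the fixed version."""
    if not is_minimos(os_release_text):
        return []  # not MinimOS: the Minimus advisory feed does not apply
    hits = []
    for name, version, origin in parse_installed(db_text):
        for advisory_id, fixed in advisories.get(origin, {}).items():
            # "0" sorts below every real version, so false positives never satisfy this check.
            if version_key(version) < version_key(fixed):
                hits.append((name, advisory_id))
    return hits
```

Note that libcrypto3 is reported through its origin package openssl, which is why the o: field rather than P: drives the lookup.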
The same information is available from the OSV feed by looking up the package's PURL, such as pkg:apk/minimos/mysql-8.4, and checking the .ranges field. For example, the OSV advisory for PURL pkg:apk/minimos/mysql-8.4 shows that versions older than 8.4.5-r0 are vulnerable to CVE-2025-30685.