Dear Debian Security Team,

My name is Reicela Mackevica, and I am a software engineer at Sysdig. We provide vulnerability scanning for Debian-based environments, and I have a technical question regarding how to correctly interpret the Debian Security Tracker JSON feed (https://security-tracker.debian.org/tracker/data/json).

We have observed that while the linux source package is regularly updated with CVE information, related packages, such as linux-signed-amd64, linux-signed-arm64 and other signed or derivative variants, are absent from the vulnerability data. To ensure our scanning logic remains accurate and does not produce false negatives for Debian users, we are trying to determine which of the following three approaches we should adopt:

1. The vulnerabilities truly do not exist for these specific packages (i.e., they are not vulnerable despite being derived from the linux source).
2. These packages are vulnerable, and their absence from the JSON feed is an omission that will be addressed in future feed updates.
3. We should programmatically treat packages like linux-signed-amd64 (or other linux-* derivatives) as inheriting the same vulnerabilities as the primary linux source package.

If manual mapping is the intended solution, what would be the specific semantic rule or naming?

Thank you for your time and for all the work you do for the community.

Best regards,
Reicela Mackevica
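As an added illustration, not part of the mail above and not a statement of which of the three approaches the Security Team intends, this shows how approach 3 could be expressed in a scanner against a constructed fragment in the shape of the tracker's JSON feed (source package -> CVE id -> per-release status). The mapping table and all CVE ids and versions are assumptions made up for the example; the point it makes is that a missing feed entry must be reported as "no data" rather than silently as "not vulnerable".

```python
import json

# Constructed sample in the shape of the Debian Security Tracker JSON feed.
# The CVE id, versions and statuses are invented for illustration only.
SAMPLE_FEED = json.loads("""
{
  "linux": {
    "CVE-0000-0001": {
      "description": "constructed example entry",
      "scope": "local",
      "releases": {
        "bookworm": {"status": "open", "urgency": "not yet assigned",
                     "repositories": {"bookworm": "6.1.0-1"}},
        "bullseye": {"status": "resolved", "fixed_version": "5.10.1-1",
                     "urgency": "low", "repositories": {"bullseye": "5.10.1-1"}}
      }
    }
  }
}
""")

# Assumed mapping for approach 3: derivative source names resolved to the
# primary source they are built from. This is a placeholder table for the
# example, not a rule confirmed by Debian.
DERIVATIVE_TO_PRIMARY = {
    "linux-signed-amd64": "linux",
    "linux-signed-arm64": "linux",
}


def open_cves(feed, package, release, mapping=DERIVATIVE_TO_PRIMARY):
    """CVE ids with status 'open' for `package` in `release`.

    Returns None when the feed has no entry for the (resolved) package at
    all, so callers can tell "no data" apart from "nothing open": treating
    a missing entry as an empty list is exactly the false negative the
    mail worries about.
    """
    source = mapping.get(package, package)
    entries = feed.get(source)
    if entries is None:
        return None
    return sorted(
        cve for cve, data in entries.items()
        if data.get("releases", {}).get(release, {}).get("status") == "open"
    )


def scan(feed, installed, release, mapping=DERIVATIVE_TO_PRIMARY):
    """Map each installed source package to its open CVEs or to None (no data)."""
    return {pkg: open_cves(feed, pkg, release, mapping) for pkg in installed}
```

With the mapping disabled (`mapping={}`), the derivative packages come back as None, which is the case a scanner should surface for review instead of reporting a clean result.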
