Skip to content

PRP: Fix os/rpm extractor to support Mageia ecosystem (ID=mageia not mapped, zero MGASA advisories detected) #2177

Open
#2199
Open
PRP: Fix os/rpm extractor to support Mageia ecosystem (ID=mageia not mapped, zero MGASA advisories detected)#2177
#2199
Assignees
herdiyana256
Labels
PRPPatch Reward Program: This label is added to all PRP related issues for easy filteringPRP:AcceptedPatch Reward Program: This issue has been accepted as a PRP entry.
@herdiyana256

Description

@herdiyana256
herdiyana256
opened on Jun 2, 2026

Software distribution method or binary type: Mageia - RPM packages managed via urpmi/dnf/rpm. Packages reside in the standard RPM database at /var/lib/rpm/ on Mageia systems and container images (e.g. docker.io/mageia/mageia).

Popularity of distribution method: Mageia is an independent, community-driven
RPM-based Linux distribution forked from Mandriva Linux in 2010. It has a dedicated global community and is consistently ranked among the top RPM distributions by DistroWatch. Key facts:

  • Docker Hub: The official mageia/mageia image has hundreds of thousands
    of pulls, used widely for containerised RPM-environment testing and CI pipelines.
  • RPM ecosystem leader: Mageia is one of the longest-running independent
    RPM distributions, predating many modern alternatives; its security team
    publishes advisories under the MGASA prefix.
  • Active security programme: Mageia has a dedicated security team
    (https://advisories.mageia.org/) that publishes timely advisories for
    every CVE affecting packages in its repositories.
  • OSV.dev coverage: 5,941+ security advisories are tracked under the
    Mageia ecosystem on OSV.dev — all prefixed MGASA-.
    https://osv.dev/list?ecosystem=Mageia

Any critical, emergent vulnerability associated with software from the distribution method:

The following critical advisories are tracked under the Mageia ecosystem on
OSV.dev, but OSV-SCALIBR currently cannot detect any of them because the
existing os/rpm extractor does not map Mageia packages to the correct
OSV.dev ecosystem:

Root cause: In extractor/filesystem/os/ecosystem/ecosystem.go, the
*rpmmeta.Metadata switch correctly handles:

But ID=mageia has no case - any RPM package extracted from a Mageia
system falls through with an empty namespace, resulting in zero OSV matches
against the 5,941+ MGASA advisories on OSV.dev.

The EcosystemMageia constant is already defined in the codebase at
inventory/osvecosystem/parsed.go (line ~124) but is never referenced in
ecosystem.go.

Proposed fix: Add one if-branch in the *rpmmeta.Metadata case (no new
dependencies, no new extractor plugin required):

if m.OSID == "mageia" {
    return osvecosystem.Parsed{Ecosystem: osvconstants.EcosystemMageia, Suffix: m.OSVersionID}
}

After this fix, PURL output will correctly be:

  • pkg:rpm/mageia/openssl@3.0.8-1.mga9 → matched against MGASA-2022-0450 (Critical)
  • pkg:rpm/mageia/curl@7.88.1-1.mga9 → matched against MGASA-2023-0298 (CVSS 9.8)

Resources:

Metadata

Metadata

Assignees

Labels

PRPPatch Reward Program: This label is added to all PRP related issues for easy filteringPRP:AcceptedPatch Reward Program: This issue has been accepted as a PRP entry.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions