Enable triage on package level (GLVD)

[pnpavlov]

Epic: Enable triage on package level (GLVD)

Summary

As Garden Linux maintainer, I would like to be able to triage vulnerabilities related to Garden Linux.

Requirements

• The API design and implementation follows industry best practices like the Microsoft REST API Guidelines -> Azure REST API Guidelines or at least the most essential sections covering HTTP Request / Response Pattern, HTTP Return Codes.
• The API provides clear, up-to-date developer friendly documentation according to a common standard, like OpenAPI Specification which is served together with the API for example over Swagger Open Source tools
• As of today, single deployment is sufficient. It should contain always the latest version of the main branch.
• NIST : Ingest all NIST metric versions, not only v3.

Definition of done

• As user, I can use a public HTTP endpoint that is serving a well designed and versioned API and complete documentation for each allowed request. Preferred solution is to have HTTP REST API that can serve me documentation, schema and real data.
• The user can query for published release and get the list of packages involved and their known vulnerabilities.

Limitations or not included in scope

• This does not yet require a nice user interface, an HTTP API is sufficient
• This does not yet include knowledge about which packages are included in any given Garden Linux image, the user provides a list of package names and versions

Tasks

Nov

• https://github.com/gardenlinux/sap-internal/issues/34