
To install security updates automatically I use unattended-upgrade:

$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals

I also tried another tool called debsecan (homepage, currently on official repos) to list all packages with any vulnerability in the CVE database. On a recently updated Ubuntu 18.04 LTS it returns 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):

$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "CVE-20[0-2][0-9]" | sort | uniq -c
    3 CVE-2007
    2 CVE-2008
    8 CVE-2009
    3 CVE-2012
   14 CVE-2013
    9 CVE-2014
   42 CVE-2015
  173 CVE-2016
  948 CVE-2017
 3616 CVE-2018
 4158 CVE-2019
 3540 CVE-2020
    1 CVE-2021

  1. Am I missing something?
  2. Is there any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP (now available! See below)? Any other besides OpenVAS or Nessus?

Updates

  • 2019: Answer from someone on Ubuntu Security Team:

    In Ubuntu, landscape is the preferred solution for checking security update status.

    We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.

    debsecan should be either adjusted (for ubuntu) or removed

  • Seems debsecan reads this file:

    curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less

    AFAIK (please correct me) since there is no API for Ubuntu Security Advisory (USN), the data from CVE-tracking page or USN (or maybe easier from here, everything on bazaar.launchpad.net seems removed) should be merged [into a JSON and] there.

  • 2020-05: UST2DSA

    We've just finished a tool to build debsecan suitable databases from the Ubuntu CVE Tracker data.
    It is open source under Apache 2.0 and it is available here: https://github.com/BBVA/ust2dsa
    Using Github's CI we rebuild the databases every 6 hours for them to contain the latest vulnerability information.
    If anybody wants to test the result you just have to run this command in your current Ubuntu installation:
    debsecan --suite $(lsb_release --codename --short) --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/

  • 2021-11: Ubuntu’s OVAL data using OpenSCAP

    sudo apt install libopenscap8  # Install OpenSCAP base

    wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
    bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
    oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
    xdg-open report.html

muru
Pablo Bianchi
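As an added example (not code from the question, the answer, or any of the tools named), a short Python script that post-processes the OpenSCAP step from the 2021-11 update: it reads the results file written by `oscap oval eval --results results.xml --report report.html ...` (the `--results` option is an assumption here) and lists only the patch definitions that evaluated to true, i.e. the packages still at a vulnerable version, together with their USN title and CVE ids. The embedded results document is a constructed sample with placeholder ids, titles and CVE numbers in the shape of an OVAL results file.

```python
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Constructed sample in the shape of a results file written by
# `oscap oval eval --results results.xml ...`; ids, titles and CVE numbers
# are placeholders, not real Ubuntu OVAL data.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition id="oval:com.ubuntu.bionic:def:1000" version="1" class="patch">
        <metadata>
          <title>USN-0000-1 -- example package vulnerabilities</title>
          <reference source="CVE" ref_id="CVE-2000-0001" ref_url="https://example.invalid/1"/>
          <reference source="CVE" ref_id="CVE-2000-0002" ref_url="https://example.invalid/2"/>
        </metadata>
      </definition>
      <definition id="oval:com.ubuntu.bionic:def:1001" version="1" class="patch">
        <metadata>
          <title>USN-0000-2 -- already patched on this host</title>
          <reference source="CVE" ref_id="CVE-2000-0003" ref_url="https://example.invalid/3"/>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.ubuntu.bionic:def:1000" version="1" result="true"/>
    <definition definition_id="oval:com.ubuntu.bionic:def:1001" version="1" result="false"/>
  </definitions></system></results>
</oval_results>
"""


def unpatched_definitions(results_xml):
    """Patch definitions that evaluated to 'true' (host still vulnerable), with USN title and CVEs."""
    root = ET.fromstring(results_xml)
    meta = {}  # definition id -> {"title": ..., "cves": [...]}, taken from the embedded definitions
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = {"title": d.findtext("def:metadata/def:title", "", NS), "cves": cves}
    # For class="patch" definitions, result="true" means the installed version is below the fix.
    return [{"id": r.get("definition_id"), **meta.get(r.get("definition_id"), {})}
            for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS)
            if r.get("result") == "true"]


if __name__ == "__main__":
    for hit in unpatched_definitions(SAMPLE_RESULTS):
        print(hit["id"], hit["title"], ", ".join(hit["cves"]))
```

Point it at a real results.xml (read the file and pass its contents) to get a machine-readable list instead of the HTML report, which is handy for feeding a ticketing or monitoring system.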

1 Answer


TL;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.

The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite option. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:

$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...

I'm on 16.04, and of these CVEs:

So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.

Pablo Bianchi
Olorin
  • Thank you! So you think there is nothing I should worry about? So does it make sense to have debsecan there in the Ubuntu repos? Is there any debsecan for Ubuntu? Or just alternative ways to make basic security checks. – Pablo Bianchi Jan 28 '19 at 04:35
    @PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). https://security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now. – Olorin Jan 28 '19 at 04:48