retain signatures of installed packages in apkdb
A current problem with security scanners is that they just check the version field and assume all packages are coming from the same ecosystem.
This means that, as an attacker, I can build an old version (say nginx 1.20.2-r0) of a package which has vulnerabilities, and distribute it through an alternative repository, while saying it is the latest version (nginx 1.20.2-r9000), and the security scanners will say this is entirely fine, because the version is higher than the last vulnerable one.
We already have a useful piece of data that can be used to correlate whether or not a package legitimately comes from the distribution ecosystem: the package signature. If we retain it, then scanners can check the signature to determine which ecosystem (and thus, security feeds) the package should be checked against (or it can warn that the package does not come from an ecosystem supported by that scanner).
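To illustrate the difference between the two scanner policies, here is an added example (not part of this issue and not apk-tools code). It models a scanner over constructed apkdb-style records; the trust store, the feed entry `nginx` fixed at `1.20.2-r1`, and the use of HMAC-SHA256 as a stand-in for apk's RSA signatures are all assumptions made for the example.

```python
import hashlib
import hmac

# Signatures are modelled with HMAC-SHA256 because the standard library has no RSA;
# apk's real repository signatures are RSA, so verify() is a stand-in for that check.
def sign(key: bytes, digest: bytes) -> bytes:
    return hmac.new(key, digest, hashlib.sha256).digest()

def verify(key: bytes, digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, digest), sig)

def parse_version(v: str) -> list:
    """Simplified apk version: dotted numeric part, then the -rN package release."""
    return [int(f) for f in v.replace("-r", ".").split(".")]

# Constructed trust store: repository signing key -> ecosystem and its advisory feed
# (package -> first fixed version). Real scanners would hold the distro's public keys.
ECOSYSTEMS = {
    "alpine-main": {"key": b"constructed-alpine-key", "fixed": {"nginx": "1.20.2-r1"}},
}

def version_only(pkg: dict, feed: dict) -> str:
    """The check the issue criticises: it trusts the version string alone."""
    fixed = feed.get(pkg["name"])
    if fixed and parse_version(pkg["version"]) < parse_version(fixed):
        return "vulnerable"
    return "ok"

def signature_aware(pkg: dict, ecosystems: dict = ECOSYSTEMS) -> str:
    """Resolve the retained signature to an ecosystem first; only that feed applies."""
    for name, eco in ecosystems.items():
        if verify(eco["key"], pkg["digest"], pkg["sig"]):
            return f"{name}: {version_only(pkg, eco['fixed'])}"
    return "warning: signer not in any supported ecosystem"

def demo():
    # Constructed records: an official r1 build, and the rogue rebuild from the issue
    # (old vulnerable code, relabelled r9000, signed with a key the distro never issued).
    digest = hashlib.sha256(b"constructed nginx-1.20.2 build").digest()
    official = {"name": "nginx", "version": "1.20.2-r1", "digest": digest,
                "sig": sign(ECOSYSTEMS["alpine-main"]["key"], digest)}
    rogue = {"name": "nginx", "version": "1.20.2-r9000", "digest": digest,
             "sig": sign(b"constructed-attacker-key", digest)}
    return (version_only(rogue, ECOSYSTEMS["alpine-main"]["fixed"]),
            signature_aware(rogue), signature_aware(official))
```

`demo()` returns `("ok", "warning: signer not in any supported ecosystem", "alpine-main: ok")`: the version-only check waves the rogue package through, while the signature-aware check refuses to map it to the Alpine feed at all.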