Add support for parsing DISTRIB_CODENAME vs just Ubuntu only #88

Open
meramsey opened this issue Dec 15, 2021 · 1 comment
@meramsey

Add support for parsing DISTRIB_CODENAME vs just Ubuntu only

❯ sudo snap install cvescan
cvescan 2.5.0 from Canonical✓ installed
~  took 30s  at 16:46:33 

❯ sudo cvescan
Error: Failed to determine the correct Ubuntu codename -- [Errno 13] Permission denied: '/etc/lsb-release'
~ [✖ ERROR] at 17:08:05 

❯ sudo cvescan^C
~ [🧱 INT] at 17:08:12 

❯ cat /etc/lsb-release
DISTRIB_ID=Pop
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Pop!_OS 21.04"
~ at 17:40:01 

❯ 
onessa@onessa-All-Series:~$ cat /etc/os-release 
NAME="Linux Mint"
VERSION="20.2 (Uma)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 20.2"
VERSION_ID="20.2"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.linuxmint.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=uma
UBUNTU_CODENAME=focal
onessa@onessa-All-Series:~$

PopOS/Mint Linux is just Ubuntu, so it should work if the DISTRIB_CODENAME|UBUNTU_CODENAME is in the same list of known Ubuntu codenames, or maybe if we know the DISTRIB_ID is in the same list of known Ubuntu alt distros that are deb-based. There are also other Ubuntu-based distros that have ID=linuxmint ID_LIKE=ubuntu, which could be a nice fallback.

    def _get_ubuntu_codename(self):
        distrib_id, codename = self.get_lsb_release_info()

        supported_distribs = ["Ubuntu", "Pop"]
        if distrib_id not in supported_distribs:
            raise DistribIDError(
                "DISTRIB_ID in /etc/lsb-release must be Ubuntu based distro (DISTRIB_ID=%s)"
                % distrib_id
            )

        return codename

Not sure if you're interested in adding support or not, so I figured I'd throw that out here first. If there is no objection I might make a PR for it if it's likely to be included.

@setharnold

We don't currently have the resources to give this the attention it deserves.

I'm not sure pop_OS and mint are really "close enough" here -- I believe they've both replaced the kernel packages with their own, and probably there is more changed, too. Doubtless some packages are unique to them, some unique to Ubuntu.

It might be right for 99.9% of packages, but at least the Linux kernel is a vastly important example where the data just plain wouldn't be correct. The other packages that they've replaced or added would also be important, in the sense that they represent a good chunk of the user experience for pop_OS or mint users -- software we know would be in wide use in those communities.

Do either pop_OS or mint publish OVAL data feeds for their security updates? Or otherwise make their data available? That would probably be necessary to having a good experience. Maybe a generic list of packages with known incorrect statuses, something to skip..

But, like I said, I don't see us returning to cvescan in any real way soon, so please don't invest much time into it, I don't think we'll be able to reciprocate.

Thanks
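
Added example (not from either commenter and not cvescan's code): one way to resolve the Ubuntu base codename from the two files quoted in the thread, preferring `UBUNTU_CODENAME` and returning a derivative flag so a caller can warn that Ubuntu CVE data may not match replaced packages such as the kernel. `KNOWN_UBUNTU_CODENAMES`, `parse_kv` and `resolve_ubuntu_base` are hypothetical names, and the codename list is a short illustrative one.

```python
import shlex

# Short illustrative list for this example, not cvescan's own table.
KNOWN_UBUNTU_CODENAMES = {"bionic", "focal", "hirsute", "impish"}

# Trimmed copies of the two files quoted in the issue.
POP_LSB = ('DISTRIB_ID=Pop\nDISTRIB_RELEASE=21.04\n'
           'DISTRIB_CODENAME=hirsute\nDISTRIB_DESCRIPTION="Pop!_OS 21.04"\n')
MINT_OS = ('NAME="Linux Mint"\nID=linuxmint\nID_LIKE=ubuntu\n'
           'VERSION_CODENAME=uma\nUBUNTU_CODENAME=focal\n')


def parse_kv(text):
    """Parse KEY=value lines (os-release / lsb-release), removing shell quoting."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        try:
            parts = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quotes: ignore the malformed line
        result[key.strip()] = " ".join(parts)
    return result


def resolve_ubuntu_base(os_release="", lsb_release=""):
    """Return (ubuntu_codename, is_derivative); raise ValueError if none is known."""
    osr, lsb = parse_kv(os_release), parse_kv(lsb_release)
    distro_id = (osr.get("ID") or lsb.get("DISTRIB_ID", "")).lower()
    # UBUNTU_CODENAME comes first: on Mint, VERSION_CODENAME is "uma", not an Ubuntu name.
    candidates = (("UBUNTU_CODENAME", osr), ("VERSION_CODENAME", osr),
                  ("DISTRIB_CODENAME", lsb))
    for key, source in candidates:
        codename = source.get(key, "").lower()
        if codename in KNOWN_UBUNTU_CODENAMES:
            # is_derivative=True means results are based on Ubuntu's data only.
            return codename, distro_id != "ubuntu"
    raise ValueError(f"no known Ubuntu codename (ID={distro_id or 'unknown'})")


if __name__ == "__main__":
    print(resolve_ubuntu_base(lsb_release=POP_LSB))
    print(resolve_ubuntu_base(os_release=MINT_OS))
```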
