
Package version detection from external repos #1285

Open
penfolda-mat opened this issue Aug 13, 2021 · 1 comment

penfolda-mat commented Aug 13, 2021

Hi there,

We currently use external repos for packages such as salt to use versions that are suitable for our environment. Vuls is currently reporting the latest version within Debian, and therefore the CVEs and vulnerabilities related to it are not accurate for our environment. We have to manually go through and check the vulnerabilities associated with these external repo packages.

For example: We are currently using salt-minion version 3003.1+ds-1 on Debian 9.

$ apt-cache policy salt-minion
salt-minion:
  Installed: 3003.1+ds-1
  Candidate: 3003.1+ds-1
  Version table:
 *** 3003.1+ds-1 500
        500 https://repo.saltproject.io/py3/debian/9/amd64/latest stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     3000.9+ds-1 500
        500 http://repo.saltstack.com/apt/debian/9/amd64/3000 stretch/main amd64 Packages
     2016.11.2+ds-1+deb9u6 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     2016.11.2+ds-1+deb9u4 500
        500 http://ftp.uk.debian.org/debian stretch/main amd64 Packages

However, in VulsRepo it is showing incorrect vulnerabilities in relation to the version we're using, as it's picking up the latest version from the Debian security tracker, which is 3002.6:

[screenshot: vulsrepo2]

Is it possible to implement a feature that allows for version detection through external repos? In short, we would like to check for vulnerabilities within salt, but we're not using the Debian repo.

Look forward to your response.
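A triage check for the situation described in this post, added here as an example and not part of Vuls or of the issue: it parses `apt-cache policy` output (the embedded sample is the output quoted above), records which origin serves each version, flags a package whose installed version comes from no official Debian source (so Debian security-tracker results should not be trusted for it), and lists the versions Debian itself ships. The rule that any host under `debian.org` is official is an assumption; local mirrors would need adding.

```python
import re
from urllib.parse import urlparse
# Constructed sample input: the `apt-cache policy salt-minion` output quoted in the issue.
SAMPLE_POLICY = """\
salt-minion:
  Installed: 3003.1+ds-1
  Candidate: 3003.1+ds-1
  Version table:
 *** 3003.1+ds-1 500
        500 https://repo.saltproject.io/py3/debian/9/amd64/latest stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     3000.9+ds-1 500
        500 http://repo.saltstack.com/apt/debian/9/amd64/3000 stretch/main amd64 Packages
     2016.11.2+ds-1+deb9u6 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     2016.11.2+ds-1+deb9u4 500
        500 http://ftp.uk.debian.org/debian stretch/main amd64 Packages
"""
VERSION_ROW = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+-?\d+\s*$")  # "<version> <pin priority>"
ORIGIN_ROW = re.compile(r"^\s+-?\d+\s+(\S+)")                    # "<priority> <uri or file> ..."

def parse_policy(text):
    """Return (installed, candidate, {version: [origin uri, ...]}) from apt-cache policy output."""
    installed = candidate = version = None
    table = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Installed":
            installed = value
        elif key == "Candidate":
            candidate = value
        elif (m := VERSION_ROW.match(line)):      # a new version entry; its origin rows follow
            version = m.group(1)
            table[version] = []
        elif version and (m := ORIGIN_ROW.match(line)):
            table[version].append(m.group(1))
    return installed, candidate, table

def is_official_debian(uri):
    host = urlparse(uri).hostname or ""  # assumption: *.debian.org is official; add local mirrors
    return host == "debian.org" or host.endswith(".debian.org")  # dpkg status file has no host

def installed_from_external_repo(text):
    """True when no official Debian source serves the installed version (tracker data may not apply)."""
    installed, _, table = parse_policy(text)
    return not any(is_official_debian(u) for u in table.get(installed, []))

def debian_versions(text):
    """Versions Debian itself ships for this package: what a Debian security-tracker lookup reasons about."""
    _, _, table = parse_policy(text)
    return [v for v, origins in table.items() if any(is_official_debian(u) for u in origins)]
```

Run against a real host with `apt-cache policy <pkg>` piped in; packages flagged by `installed_from_external_repo` are the ones whose CVE status must be checked against the upstream vendor rather than the Debian tracker.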

kotakanbe (Member) commented

The vulnerability DB of the External repo is not public, so I think it is difficult.
If you know the URL of the vulnerability DB of external repo, please let me know.
