future-architect/vuls

Do you want to work on this issue?

You can request for a bounty in order to promote it!

False Positives in Redhat 8.6 EUS #1989

wagde-orca posted onGitHub

What did you do? (required. The issue will be closed when not provided.)

I ran vuls on redhat 8.6 with curl 7.61.1-22.el8_6.4 installed

What did you expect to happen?

I expected to get 0:7.61.1-22.el8_6.12 as the fixed version

What happened instead?

I got 0:7.61.1-30.el8 as the fixed version

Redhat has a separate oval file for redhat 8.6 EUS rhel-8.6-eus.oval.xml.bz2

and currently goval-dictionary and vuls does not fetch it and fetch only the redhat 8 oval file and this is causing the FP... as you can see in the redhat security tracker (https://access.redhat.com/security/cve/CVE-2022-35252) they mention 8.6 EUS separately and I guess vuls should behave according to this

It is also necessary to confirm that it is a package installed from EUS Repository. In other words, it is necessary to identify not only the OS version but also the OVAL used in the package installation repository. In order to respond to that, we are currently considering large -scale refactoring because it is difficult with the current system.

posted by MaineK00n 8 months ago

As you can see, OVALV2 can only be used until 2024, so it is necessary to move the whole to CSAF, but it is very difficult to do these.

Support of OVAL v2 content will continue until the end of 2024 https://www.redhat.com/en/blog/future-red-hat-security-data

posted by MaineK00n 8 months ago

@MaineK00n do you have an ETA for the large scale refactoring? and if will take long... do you have an idea how we can provide a workaround for this until the good solution is implemented?

posted by wagde-orca 8 months ago

@wagde-orca Both the full-scale migration to CSAF and the method of somehow patching OVAL will take a considerable amount of time. In the latter case, it will be necessary to proceed with the migration to CSAF by the end of the year, which will mean double work. We will try our best to implement it as soon as possible, but we think the target date for the migration will be October.

posted by MaineK00n 8 months ago

thanx @MaineK00n what about the option to fetch the 8.6 EUS oval2 and put it in the redhat oval and query it in vuls in case we have 8.6 and fallback to redhat 8 for cves that are not found in 8.6 db? it should not take much time...

posted by wagde-orca 8 months ago

@wagde-orca I'm not sure if OVAL in 8.6 EUS works well on its own or if it needs to be partially combined with 8. At the very least, unpatched items will need to be retrieved from 8. I think it will take longer to investigate than implementation.

posted by MaineK00n 8 months ago

yes we need some fallback mechanism like the one we had with oval and gost... we should start with 8.6... fill the results... and then query 8... and fill the entries that has no data from 8... and it will include the unpatched... what do you think? if we implement this it will give vuls advantage upon other cve scanners :-)

posted by wagde-orca 8 months ago

Thank you for your proposal for how to implement it. This is getting tough, so you may be waiting for a large -scale refactoring.

posted by MaineK00n 8 months ago

@MaineK00n do you have an ETA for the large-scale refactoring?

posted by wagde-orca 6 months ago

We are currently working towards a release date of the end of 2024.

posted by MaineK00n 6 months ago

@MaineK00n will the large scale refactoring include also handling Redhat ELS properly?

posted by wagde-orca 4 months ago

Of course, we are aware of that problem, so it is included.

posted by MaineK00n 4 months ago

Fund this Issue

$0.00

Funded

Only logged in users can fund an issue

Pull requests

Company

Community

Support

FAQ Terms of use Privacy policy Code of conduct Credits

Connect

Facebook Twitter

© 2019 BoostIO, Inc.