Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False Positives in Redhat 8.6 EUS #1989

Open
wagde-orca opened this issue Jul 10, 2024 · 12 comments
Open

False Positives in Redhat 8.6 EUS #1989

wagde-orca opened this issue Jul 10, 2024 · 12 comments
Labels

Comments

@wagde-orca
Copy link
Contributor

What did you do? (required. The issue will be closed when not provided.)

I ran vuls on redhat 8.6 with curl 7.61.1-22.el8_6.4 installed

What did you expect to happen?

I expected to get 0:7.61.1-22.el8_6.12 as the fixed version

What happened instead?

I got 0:7.61.1-30.el8 as the fixed version

Redhat has a separate oval file for redhat 8.6 EUS
rhel-8.6-eus.oval.xml.bz2

and currently goval-dictionary and vuls does not fetch it and fetch only the redhat 8 oval file and this is causing the FP... as you can see in the redhat security tracker (https://access.redhat.com/security/cve/CVE-2022-35252) they mention 8.6 EUS separately
and I guess vuls should behave according to this

@wagde-orca wagde-orca added the bug label Jul 10, 2024
@MaineK00n
Copy link
Collaborator

MaineK00n commented Jul 10, 2024

It is also necessary to confirm that it is a package installed from EUS Repository.
In other words, it is necessary to identify not only the OS version but also the OVAL used in the package installation repository.
In order to respond to that, we are currently considering large -scale refactoring because it is difficult with the current system.

@MaineK00n
Copy link
Collaborator

MaineK00n commented Jul 10, 2024

As you can see, OVALV2 can only be used until 2024, so it is necessary to move the whole to CSAF, but it is very difficult to do these.

Support of OVAL v2 content will continue until the end of 2024
https://www.redhat.com/en/blog/future-red-hat-security-data

@wagde-orca
Copy link
Contributor Author

@MaineK00n do you have an ETA for the large scale refactoring? and if will take long... do you have an idea how we can provide a workaround for this until the good solution is implemented?

@MaineK00n
Copy link
Collaborator

MaineK00n commented Jul 11, 2024

@wagde-orca
Both the full-scale migration to CSAF and the method of somehow patching OVAL will take a considerable amount of time. In the latter case, it will be necessary to proceed with the migration to CSAF by the end of the year, which will mean double work.
We will try our best to implement it as soon as possible, but we think the target date for the migration will be October.

@wagde-orca
Copy link
Contributor Author

thanx @MaineK00n
what about the option to fetch the 8.6 EUS oval2 and put it in the redhat oval and query it in vuls in case we have 8.6 and fallback to redhat 8 for cves that are not found in 8.6 db?
it should not take much time...

@MaineK00n
Copy link
Collaborator

@wagde-orca
I'm not sure if OVAL in 8.6 EUS works well on its own or if it needs to be partially combined with 8.
At the very least, unpatched items will need to be retrieved from 8.
I think it will take longer to investigate than implementation.

@wagde-orca
Copy link
Contributor Author

yes we need some fallback mechanism like the one we had with oval and gost...
we should start with 8.6... fill the results...
and then query 8... and fill the entries that has no data from 8... and it will include the unpatched... what do you think?
if we implement this it will give vuls advantage upon other cve scanners :-)

@MaineK00n
Copy link
Collaborator

Thank you for your proposal for how to implement it.
This is getting tough, so you may be waiting for a large -scale refactoring.

@wagde-orca
Copy link
Contributor Author

@MaineK00n do you have an ETA for the large-scale refactoring?

@MaineK00n
Copy link
Collaborator

We are currently working towards a release date of the end of 2024.

@wagde-orca
Copy link
Contributor Author

@MaineK00n will the large scale refactoring include also handling Redhat ELS properly?

@MaineK00n
Copy link
Collaborator

Of course, we are aware of that problem, so it is included.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants