Weird item with no history and various RedHat data bugs

[pombredanne]

This entry is weird https://public.vulnerablecode.io/packages/pkg:rpm/redhat/application-ui@container-v2.3%3Farch=6-9?search=pkg:rpm/redhat/application-ui@container-v2.3?arch=6-9

• The vulnerability does not reference anything redhat in https://nvd.nist.gov/vuln/detail/CVE-2021-3918 or in https://github.com/advisories/GHSA-896r-f27r-55mw

• there is no history in our entry https://public.vulnerablecode.io/vulnerabilities/VCID-ft33-ayw5-aaad and

• https://ftp.redhat.com/redhat/containers/rhacm2/application-ui-rhel8/v2.3.0-120.txt is a place that references this application-ui-container-v2.3.0-120 application-ui-container-v2.3.0-120.tar.gz (or may be it could be from https://ftp.redhat.com/redhat/containers/rhacm2/application-ui-rhel8/v2.3.6-9.txt ?)

• pkg:rpm/redhat/application-ui@container-v2.3?arch=6-9 is not correct at all and we did not parse the name, version and else correctly.

• There are a bunch of refs to RedHat that are for fixes to packages that bundled the json-schema at fault:

  Reference id    Reference type  URL
      https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3918.json
  2024702         https://bugzilla.redhat.com/show_bug.cgi?id=2024702
  999765      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999765
  RHSA-2021:5171      https://access.redhat.com/errata/RHSA-2021:5171
  RHSA-2022:0041      https://access.redhat.com/errata/RHSA-2022:0041
  RHSA-2022:0246      https://access.redhat.com/errata/RHSA-2022:0246
  RHSA-2022:0350      https://access.redhat.com/errata/RHSA-2022:0350
  RHSA-2022:0595      https://access.redhat.com/errata/RHSA-2022:0595
  RHSA-2022:0735      https://access.redhat.com/errata/RHSA-2022:0735
  RHSA-2022:4914      https://access.redhat.com/errata/RHSA-2022:4914
  RHSA-2022:4956      https://access.redhat.com/errata/RHSA-2022:4956
  RHSA-2022:7055      https://access.redhat.com/errata/RHSA-2022:7055

  ... BUT I do not know where the incorrect data was collected from.

In https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3918.json I see:

{
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8",
    "release_date" : "2022-03-04T00:00:00Z",
    "advisory" : "RHSA-2022:0595",
    "cpe" : "cpe:/a:redhat:acm:2.3::el8",
    "package" : "rhacm2/application-ui-rhel8:v2.3.6-9",
    "impact" : "moderate"
  }

which is likely the thing did not parse correctly.

[pombredanne]

We should drop using OVAL which is problematic, and embrace their CSAF and OSV formats instead

• See https://security.access.redhat.com/data/csaf/
• And OSV https://security.access.redhat.com/data/osv/all.json

And https://openssf.org/blog/2024/11/01/red-hats-collaboration-with-the-openssf-and-osv-dev-yields-results-red-hat-security-data-now-available-in-the-osv-format/

There are also SPDX SBOMs https://security.access.redhat.com/data/sbom/