canonical / sec-cvescan

Analyzes an Ubuntu system and checks for unpatched vulnerabilities.
GNU General Public License v3.0

Different results when using Nagios report format (`-n`) #68

Closed niclashoyer closed 3 years ago

niclashoyer commented 3 years ago

We just noticed that cvescan reports differently when using the -n switch:

# cvescan -n
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!

WARNING: Affected by 1 CVEs with "high" or higher priority.
CVE-2020-28374
# cvescan -p all
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!

Summary
------------------------------------  -----
Ubuntu Release                        focal
Installed Packages                    1121
CVE Priority                          All
Unique Packages Fixable by Patching   0
Unique CVEs Fixable by Patching       0
Vulnerabilities Fixable by Patching   0
Fixes Available by `apt-get upgrade`  0
------------------------------------  -----

Why is that? The scan using -n is correct, as the kernel running on this machine is still old and affected. So why doesn't it show up if running cvescan using normal output?

ristomcgehee commented 3 years ago

Niclas, I believe if you run cvescan -p high --unresolved, it will list the same vulnerabilities as with cvescan -n.

niclashoyer commented 3 years ago

I can confirm that! I got misled by "unresolved". So basically they are "unresolved" in the sense that there is no package upgrade, because such CVEs need a newer kernel, right?

ristomcgehee commented 3 years ago

I think so. Either the kernel needs updating or the CVE is unpatched. I'm not a maintainer, so don't view my answer as definitive.
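The distinction the two answers above arrive at (a CVE can still affect the host while no package upgrade exists for it, so it is counted by the Nagios check but not under "Fixable by Patching") is easy to model. The script below is an added illustration written for this thread, not cvescan's own code: it classifies a constructed list of findings into "fixable" (a newer package is in the archive) and "unresolved" (no fixed package for this release yet), prints a summary in the style of the default output, and emits a Nagios-style status in the style of `-n`. Assumptions: the package names, versions and the two `CVE-0000-*` identifiers are made up; the plain dotted version numbers exist only so a naive comparison works; exit code 1 for WARNING follows the usual Nagios plugin convention, and that `-n` counts every still-affecting CVE at or above the priority threshold regardless of whether a fix exists is an assumption, not something cvescan documents here.

```python
"""Model of the two cvescan views discussed in this issue (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ubuntu CVE priorities, lowest to highest.
PRIORITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    priority: str
    installed: str
    fixed: Optional[str]  # None: affected, but no fixed package published for this release


def version_tuple(v: str) -> Tuple[int, ...]:
    """Naive dotted-number comparison; real Debian versions need dpkg's rules."""
    return tuple(int(part) for part in v.split("."))


def is_fixable(f: Finding) -> bool:
    """A fix exists in the archive and the installed package is older than it."""
    return f.fixed is not None and version_tuple(f.installed) < version_tuple(f.fixed)


def is_unresolved(f: Finding) -> bool:
    """Host is affected but no package upgrade can close the CVE yet."""
    return f.fixed is None


def still_affected(f: Finding) -> bool:
    return is_fixable(f) or is_unresolved(f)


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts in the style of the default table: only what `apt-get upgrade` can fix."""
    fixable = [f for f in findings if is_fixable(f)]
    return {
        "Unique Packages Fixable by Patching": len({f.package for f in fixable}),
        "Unique CVEs Fixable by Patching": len({f.cve for f in fixable}),
        "Vulnerabilities Fixable by Patching": len(fixable),
    }


def nagios_check(findings: List[Finding], min_priority: str = "high") -> Tuple[int, str]:
    """Status in the style of `-n`: every CVE at or above the threshold that still
    affects the host, fixable or not (assumption about -n, see lead-in).
    Returns (exit_code, message); 0 = OK, 1 = WARNING per Nagios convention."""
    threshold = PRIORITY_RANK[min_priority]
    affected = sorted({
        f.cve for f in findings
        if PRIORITY_RANK[f.priority] >= threshold and still_affected(f)
    })
    if not affected:
        return 0, 'OK: no CVEs with "%s" or higher priority.' % min_priority
    msg = 'WARNING: Affected by %d CVEs with "%s" or higher priority.' % (len(affected), min_priority)
    return 1, msg + "\n" + "\n".join(affected)


# Constructed sample. The first entry mirrors the issue: the kernel CVE from the
# report above, still present on the running kernel, with no package upgrade for it.
SAMPLE = [
    Finding("CVE-2020-28374", "linux-image-generic", "high", "5.4.0.42", None),
    # constructed: medium-priority CVE whose fix is already in the archive
    Finding("CVE-0000-00001", "libfoo1", "medium", "1.2.3", "1.2.4"),
    # constructed: already patched, installed version equals the fixed version
    Finding("CVE-0000-00002", "libbar2", "high", "2.0.1", "2.0.1"),
]

if __name__ == "__main__":
    for key, value in summary(SAMPLE).items():
        print("%-36s %d" % (key, value))
    code, message = nagios_check(SAMPLE)
    print(message)
    raise SystemExit(code)
```

Run against the sample, the summary reports one fixable package and one fixable CVE (the made-up `libfoo1` entry), while the Nagios view reports one high-priority CVE, `CVE-2020-28374`, exactly the shape of the two outputs quoted at the top of the issue: the kernel CVE never enters the "fixable" counters because nothing in the archive closes it on this host.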

niclashoyer commented 3 years ago

Thanks! Maybe it just needs a bit of documentation around -n to clarify which settings are used to generate the Nagios output. Closing for now. 👍🏽