False Positives in Redhat 8.6 EUS

[wagde-orca]

What did you do? (required. The issue will be closed when not provided.)

I ran vuls on redhat 8.6 with curl 7.61.1-22.el8_6.4 installed

What did you expect to happen?

I expected to get 0:7.61.1-22.el8_6.12 as the fixed version

What happened instead?

I got 0:7.61.1-30.el8 as the fixed version

Redhat has a separate oval file for redhat 8.6 EUS rhel-8.6-eus.oval.xml.bz2

and currently goval-dictionary and vuls does not fetch it and fetch only the redhat 8 oval file and this is causing the FP... as you can see in the redhat security tracker (https://access.redhat.com/security/cve/CVE-2022-35252) they mention 8.6 EUS separately and I guess vuls should behave according to this

[MaineK00n]

It is also necessary to confirm that it is a package installed from EUS Repository. In other words, it is necessary to identify not only the OS version but also the OVAL used in the package installation repository. In order to respond to that, we are currently considering large -scale refactoring because it is difficult with the current system.

[MaineK00n]

As you can see, OVALV2 can only be used until 2024, so it is necessary to move the whole to CSAF, but it is very difficult to do these.

Support of OVAL v2 content will continue until the end of 2024 https://www.redhat.com/en/blog/future-red-hat-security-data

[wagde-orca]

@MaineK00n do you have an ETA for the large scale refactoring? and if will take long... do you have an idea how we can provide a workaround for this until the good solution is implemented?

[MaineK00n]

@wagde-orca Both the full-scale migration to CSAF and the method of somehow patching OVAL will take a considerable amount of time. In the latter case, it will be necessary to proceed with the migration to CSAF by the end of the year, which will mean double work. We will try our best to implement it as soon as possible, but we think the target date for the migration will be October.

[wagde-orca]

thanx @MaineK00n what about the option to fetch the 8.6 EUS oval2 and put it in the redhat oval and query it in vuls in case we have 8.6 and fallback to redhat 8 for cves that are not found in 8.6 db? it should not take much time...

[MaineK00n]

@wagde-orca I'm not sure if OVAL in 8.6 EUS works well on its own or if it needs to be partially combined with 8. At the very least, unpatched items will need to be retrieved from 8. I think it will take longer to investigate than implementation.

[wagde-orca]

yes we need some fallback mechanism like the one we had with oval and gost... we should start with 8.6... fill the results... and then query 8... and fill the entries that has no data from 8... and it will include the unpatched... what do you think? if we implement this it will give vuls advantage upon other cve scanners :-)

[MaineK00n]

Thank you for your proposal for how to implement it. This is getting tough, so you may be waiting for a large -scale refactoring.