Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch RedHat vulnerability provider from OVAL to CSAF #323

Open
westonsteimel opened this issue Oct 10, 2023 · 5 comments · May be fixed by #758
Open

Switch RedHat vulnerability provider from OVAL to CSAF #323

westonsteimel opened this issue Oct 10, 2023 · 5 comments · May be fixed by #758
Assignees
Labels
enhancement New feature or request provider:rhel Relating to the RHEL provider

Comments

@westonsteimel
Copy link
Contributor

What would you like to be added:

The RedHat provider currently uses the v2 OVAL files for RedHat vulnerability data; however, those will only continue to be updated until the end of 2024. We need to transition to using the new CSAF endpoints per https://www.redhat.com/en/blog/future-red-hat-security-data

@westonsteimel westonsteimel added enhancement New feature or request provider:rhel Relating to the RHEL provider labels Oct 10, 2023
@westonsteimel westonsteimel changed the title Switch RedHat vulnerability provider to CSAF endpoints Switch RedHat vulnerability provider from OVAL to CSAF Oct 10, 2023
@westonsteimel westonsteimel self-assigned this Jan 4, 2024
@westonsteimel
Copy link
Contributor Author

I was hoping that the CSAF data would include the data about non-fixed and not affected packages so that we could drop having to also rely on the CVE api, but unfortunately it doesn't. There is currently only CSAF data available for entries that do have advisories issued. This means that even with the switch to CSAF we'll still need to first call the summary api to get all applicable cves, download the full cve json, parse the entries from the cve json, and then enhance the entries that have RHSA with the data from the CSAF document for that RHSA.

@westonsteimel
Copy link
Contributor Author

It will also end up being more network calls for the CSAF data since each CSAF RHSA is stored as a separate json whereas the OVAL data was stored as a bulk xml per rhel release

@wagoodman wagoodman added this to OSS Mar 12, 2024
@wagoodman wagoodman moved this to Ready in OSS Sep 17, 2024
@willmurphyscode
Copy link
Contributor

Maybe we can use a general CSAF parser also for SUSE, for example instead of #635.

@willmurphyscode willmurphyscode moved this from Ready to In Progress in OSS Oct 8, 2024
@willmurphyscode willmurphyscode moved this from In Progress to Stalled in OSS Nov 13, 2024
@wagoodman
Copy link
Contributor

This will affect RHEL 10 when it lands, our best path forward here is to fuse this with the hydra data

@spiffcs spiffcs moved this from Stalled to In Progress in OSS Jan 7, 2025
@willmurphyscode willmurphyscode linked a pull request Jan 9, 2025 that will close this issue
11 tasks
@willmurphyscode
Copy link
Contributor

I've given up trying to get good vulnerability _matching data from just the RHEL CSAF, for two reasons:

  1. When a module has to be patched due to a CVE, the version for all RPMs in the module is bumped, and all these changed modules are reported with product status fixed in the CSAF JSON. This means that we can't tell whether a given package is "fixed" because it was actually vulnerable in prior versions, or "fixed" because its neighbors were rebuilt
  2. A similar problem exists for source RPMs

I'm going to attempt to change the current RHEL Vunnel provider to keep using the API calls it uses today to get the list of vulnerable packages, but get the fixed information from CSAF instead of OVAL. I've started this in a branch called rhel-hydra-and-csaf. Just FYI @westonsteimel

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request provider:rhel Relating to the RHEL provider
Projects
Status: In Progress
Development

Successfully merging a pull request may close this issue.

3 participants