Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch RedHat vulnerability provider from OVAL to CSAF #323

Open
westonsteimel opened this issue Oct 10, 2023 · 4 comments
Open

Switch RedHat vulnerability provider from OVAL to CSAF #323

westonsteimel opened this issue Oct 10, 2023 · 4 comments
Assignees
Labels
enhancement New feature or request provider:rhel Relating to the RHEL provider

Comments

@westonsteimel
Copy link
Contributor

What would you like to be added:

The RedHat provider currently uses the v2 OVAL files for RedHat vulnerability data; however, those will only continue to be updated until the end of 2024. We need to transition to using the new CSAF endpoints per https://www.redhat.com/en/blog/future-red-hat-security-data

@westonsteimel westonsteimel added enhancement New feature or request provider:rhel Relating to the RHEL provider labels Oct 10, 2023
@westonsteimel westonsteimel changed the title Switch RedHat vulnerability provider to CSAF endpoints Switch RedHat vulnerability provider from OVAL to CSAF Oct 10, 2023
@westonsteimel westonsteimel self-assigned this Jan 4, 2024
@westonsteimel
Copy link
Contributor Author

I was hoping that the CSAF data would include the data about non-fixed and not affected packages so that we could drop having to also rely on the CVE api, but unfortunately it doesn't. There is currently only CSAF data available for entries that do have advisories issued. This means that even with the switch to CSAF we'll still need to first call the summary api to get all applicable cves, download the full cve json, parse the entries from the cve json, and then enhance the entries that have RHSA with the data from the CSAF document for that RHSA.

@westonsteimel
Copy link
Contributor Author

It will also end up being more network calls for the CSAF data since each CSAF RHSA is stored as a separate json whereas the OVAL data was stored as a bulk xml per rhel release

@wagoodman wagoodman added this to OSS Mar 12, 2024
@wagoodman wagoodman moved this to Ready in OSS Sep 17, 2024
@willmurphyscode
Copy link
Contributor

Maybe we can use a general CSAF parser also for SUSE, for example instead of #635.

@willmurphyscode willmurphyscode moved this from Ready to In Progress in OSS Oct 8, 2024
@willmurphyscode willmurphyscode moved this from In Progress to Stalled in OSS Nov 13, 2024
@wagoodman
Copy link
Contributor

This will affect RHEL 10 when it lands, our best path forward here is to fuse this with the hydra data

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request provider:rhel Relating to the RHEL provider
Projects
Status: Stalled
Development

No branches or pull requests

3 participants