
Move RHEL advisory source from OVALv2 to CSAF/VEX


    • Type: Task
    • Resolution: Unresolved
    • Priority: Critical
    • Fix Version: clair-4.8.0
    • Component: updater

      ProdSec has made the decision to deprecate the OVALv2 feeds that they currently publish (and Clair consumes). In its place they are publishing advisories in CSAF format (one per advisory).

      Currently in beta, the new format is available at https://access.redhat.com/security/data/csaf/v2/advisories.

      Acceptance:

      • Clair no longer pulls data from Red Hat in the OVALv2 format
      • Clair pulls and parses advisories from the CSAF endpoints
      • Clair is able to ingest unpatched vulnerabilities.

      Blockers:

      • Poking around, we uncovered a rate limit that needs to be raised so that advisories can be ingested at a reasonable rate during initial startup.
      • Unpatched vulnerabilities aren't currently represented in the new format, but should be soon.
      • ProdSec will make available a compressed one-file representation of all the advisories, which we should use for the initial advisory pull-down. This does not exist yet.
      • Clair does not currently support delta updates to security DBs and can only consume entire DBs; the new updater architecture will need to be in place before this work can be completed.
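To make the acceptance criteria above concrete, here is an added example (not Clair's code and not from this ticket) of how an updater could parse one CSAF 2.0 advisory and separate patched products (listed under `product_status.fixed`) from unpatched ones (listed under `product_status.known_affected`). It assumes only the CSAF 2.0 schema fields `document.tracking.id`, `product_tree.branches`, `product_tree.relationships[].full_product_name` and `vulnerabilities[].product_status`; the document in `SampleAdvisory` is constructed with placeholder identifiers and is not a real Red Hat advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the CSAF 2.0 document model needed to classify products as patched
// or unpatched; JSON tags follow the CSAF 2.0 schema field names.
type product struct {
	Name      string `json:"name"`
	ProductID string `json:"product_id"`
}
type branch struct {
	Branches []branch `json:"branches"`
	Product  *product `json:"product"`
}

type csafDoc struct {
	Document struct {
		Tracking struct{ ID string `json:"id"` } `json:"tracking"`
	} `json:"document"`
	ProductTree struct {
		Branches      []branch `json:"branches"`
		Relationships []struct {
			FullProductName product `json:"full_product_name"`
		} `json:"relationships"`
	} `json:"product_tree"`
	Vulnerabilities []struct {
		CVE           string `json:"cve"`
		ProductStatus struct {
			Fixed         []string `json:"fixed"`
			KnownAffected []string `json:"known_affected"`
		} `json:"product_status"`
	} `json:"vulnerabilities"`
}

// Finding is one (advisory, CVE, product) row; Patched is false for products
// the advisory lists under known_affected, i.e. the unpatched case.
type Finding struct {
	AdvisoryID, CVE, ProductID, Product string
	Patched                             bool
}

// collectProducts walks product_tree.branches and records product_id -> name.
func collectProducts(bs []branch, out map[string]string) {
	for _, b := range bs {
		if b.Product != nil {
			out[b.Product.ProductID] = b.Product.Name
		}
		collectProducts(b.Branches, out)
	}
}

// ParseCSAF decodes one CSAF advisory into Findings (fixed = patched,
// known_affected = unpatched); a product_id the product_tree never defines is rejected.
func ParseCSAF(data []byte) ([]Finding, error) {
	var doc csafDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decode CSAF: %w", err)
	}
	names := map[string]string{}
	collectProducts(doc.ProductTree.Branches, names)
	for _, r := range doc.ProductTree.Relationships {
		names[r.FullProductName.ProductID] = r.FullProductName.Name
	}
	var out []Finding
	for _, v := range doc.Vulnerabilities {
		for _, s := range []struct{ ids []string; patched bool }{{v.ProductStatus.Fixed, true}, {v.ProductStatus.KnownAffected, false}} {
			for _, pid := range s.ids {
				name, ok := names[pid]
				if !ok {
					return nil, fmt.Errorf("%s: product_id %q not defined in product_tree", v.CVE, pid)
				}
				out = append(out, Finding{doc.Document.Tracking.ID, v.CVE, pid, name, s.patched})
			}
		}
	}
	return out, nil
}

// SampleAdvisory is a constructed document with placeholder identifiers, not a real Red Hat advisory.
const SampleAdvisory = `{
 "document": {"tracking": {"id": "RHSA-0000:0000"}}, "product_tree": {
  "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
   {"category": "product_name", "name": "Example OS 9", "product": {"name": "Example OS 9", "product_id": "OS-9"}},
   {"category": "product_version", "name": "examplepkg-1.0-1", "product": {"name": "examplepkg-1.0-1.src", "product_id": "examplepkg-1.0-1.src"}}]}],
  "relationships": [{"category": "default_component_of", "product_reference": "examplepkg-1.0-1.src", "relates_to_product_reference": "OS-9",
   "full_product_name": {"name": "examplepkg-1.0-1.src as a component of Example OS 9", "product_id": "OS-9:examplepkg-1.0-1.src"}}]},
 "vulnerabilities": [{"cve": "CVE-0000-00001", "product_status": {"fixed": ["OS-9:examplepkg-1.0-1.src"]}},
  {"cve": "CVE-0000-00002", "product_status": {"known_affected": ["OS-9"]}}]}`

func main() {
	fs, err := ParseCSAF([]byte(SampleAdvisory))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", fs)
}
```

Two details matter for an updater. Product IDs are resolved from both `product_tree.branches` and `product_tree.relationships`, because CSAF defines composite "package as a component of product" IDs in the relationships section rather than in the branches, and an advisory whose `product_status` references an ID defined in neither place is rejected instead of being ingested with a blank product. Running it on the constructed advisory yields one patched finding for CVE-0000-00001 and one unpatched finding for CVE-0000-00002 against "Example OS 9".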

            jcroslan@redhat.com Joseph Crosland