Security Data: SECDATA-1151

CPE mapping inconsistency: RHEL 8 AppStream/BaseOS point to E4S repo, but RHEL 9 AppStream/BaseOS do not

    • Resolution: Unresolved

      Description:
      We have observed an inconsistency in repository-to-CPE mapping between RHEL 8 and RHEL 9.

      • For RHEL 8:
        • cpe:/a:redhat:enterprise_linux:8::appstream
        • cpe:/o:redhat:enterprise_linux:8::baseos
          → Both are pointing to the E4S repo.
      • For RHEL 9:
        • cpe:/a:redhat:enterprise_linux:9::appstream
        • cpe:/o:redhat:enterprise_linux:9::baseos
          → These are not pointing to the E4S repo.

      Expected Behavior:
      CPE-to-repo mappings should be consistent across RHEL 8 and RHEL 9 unless there is a deliberate difference.

      Actual Behavior:

      • In RHEL 8, CPEs are mapped to multiple repos, including E4S repos.
      • However, advisories such as RHSA-2024:6148 do not list E4S systems under "Affected Products", even though the CSAF data maps CPEs to E4S repos.
      • This creates an inconsistency between the advisory metadata and the repository-to-CPE mapping.

      Supporting Data:
      From repository-to-cpe.json, the repositories mapped to cpe:/a:redhat:enterprise_linux:8::appstream (E4S entries included):

      cpe:/a:redhat:enterprise_linux:8::appstream
        rhel-8-for-aarch64-appstream-debug-rpms
        rhel-8-for-aarch64-appstream-rpms
        rhel-8-for-aarch64-appstream-source-rpms
        rhel-8-for-ppc64le-appstream-debug-rpms
        rhel-8-for-ppc64le-appstream-e4s-debug-rpms
        rhel-8-for-ppc64le-appstream-e4s-rpms
        rhel-8-for-ppc64le-appstream-e4s-source-rpms
        rhel-8-for-ppc64le-appstream-rpms
        rhel-8-for-ppc64le-appstream-source-rpms
        rhel-8-for-s390x-appstream-debug-rpms
        rhel-8-for-s390x-appstream-rpms
        rhel-8-for-s390x-appstream-source-rpms
        rhel-8-for-x86_64-appstream-debug-rpms
        rhel-8-for-x86_64-appstream-e4s-debug-rpms
        rhel-8-for-x86_64-appstream-e4s-rpms
        rhel-8-for-x86_64-appstream-e4s-source-rpms
        rhel-8-for-x86_64-appstream-rpms
        rhel-8-for-x86_64-appstream-source-rpms

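      As an added example (not the ticket's own data or any Red Hat tooling), the following Python check inverts a repository-to-cpe.json style file into CPE-to-repository form and reports streams whose E4S mapping differs between RHEL major versions, which is the inconsistency described above. The file layout (`data` -> repository label -> `cpes` list) and the sample rows are assumptions, constructed to mirror the AppStream rows quoted above plus a RHEL 9 counterpart.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the assumed layout of repository-to-cpe.json
# (repository label -> list of CPEs). Rows are a trimmed illustration of the
# ticket's RHEL 8 AppStream data plus hypothetical RHEL 9 rows.
SAMPLE_JSON = """
{
  "data": {
    "rhel-8-for-x86_64-appstream-rpms":     {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]},
    "rhel-8-for-x86_64-appstream-e4s-rpms": {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]},
    "rhel-8-for-x86_64-baseos-rpms":        {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos"]},
    "rhel-8-for-x86_64-baseos-e4s-rpms":    {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos"]},
    "rhel-9-for-x86_64-appstream-rpms":     {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]},
    "rhel-9-for-x86_64-baseos-rpms":        {"cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos"]}
  }
}
"""

E4S_RE = re.compile(r"-e4s-")
CPE_RE = re.compile(r"^cpe:/[ao]:redhat:enterprise_linux:(\d+)::(\w+)$")

def invert_mapping(doc):
    """Turn repository-label -> CPEs into CPE -> sorted repository labels."""
    by_cpe = defaultdict(set)
    for repo, entry in doc["data"].items():
        for cpe in entry.get("cpes", []):
            by_cpe[cpe].add(repo)
    return {cpe: sorted(repos) for cpe, repos in by_cpe.items()}

def e4s_repos_for(by_cpe, cpe):
    """Repositories mapped to this CPE whose label marks them as E4S."""
    return [r for r in by_cpe.get(cpe, []) if E4S_RE.search(r)]

def find_cross_version_inconsistencies(by_cpe):
    """Group RHEL CPEs by stream (appstream, baseos) and report streams where
    some major versions map to E4S repositories and others do not."""
    streams = defaultdict(dict)  # stream -> {major version: has E4S repo}
    for cpe in by_cpe:
        m = CPE_RE.match(cpe)
        if m:
            major, stream = m.group(1), m.group(2)
            streams[stream][major] = bool(e4s_repos_for(by_cpe, cpe))
    return [(stream, dict(sorted(v.items())))
            for stream, v in sorted(streams.items()) if len(set(v.values())) > 1]

by_cpe = invert_mapping(json.loads(SAMPLE_JSON))
if __name__ == "__main__":
    for stream, versions in find_cross_version_inconsistencies(by_cpe):
        print(f"{stream}: E4S mapping differs across versions: {versions}")
```

      Run against the real file, the same check would confirm whether the difference between RHEL 8 and RHEL 9 is confined to specific streams or architectures.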
      Additional References:
      Examples of advisories where similar behavior is observed:

      • RHSA-2024:6000
      • RHSA-2024:6001
      • RHSA-2024:6018

      Request:
      Please confirm whether the mapping of RHEL 8 AppStream/BaseOS CPEs to E4S repos is intentional. If not, should the mapping or advisory data be corrected to ensure consistency?

              Assignee: Unassigned
              Reporter: Sagar Kale (sagaristhebest)