Uploaded image for project: 'Security Data'
  1. Security Data
  2. SECDATA-13

Inconsistent OVAL Format

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False

      We've recently run into an issue where our plugins are missing the required module checks, causing customers who are not using a required module to be flagged as vulnerable. So far this involves ruby:2.5-ruby:2.7 but it may also involve other OVAL data.

      Here is the OVAL data for RHSA-2022:0759

            <criteria operator="OR">
        <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20191992005"/>
        <criteria operator="AND">
          <criteria operator="OR">
            <criterion comment="Red Hat Enterprise Linux 8 is installed" test_ref="oval:com.redhat.rhba:tst:20191992003"/>
            <criterion comment="Red Hat CoreOS 4 is installed" test_ref="oval:com.redhat.rhba:tst:20191992004"/>
          </criteria>
          <criteria operator="OR">
            <criteria operator="AND">
              <criterion comment="Module virt:rhel is enabled" test_ref="oval:com.redhat.rhsa:tst:20191175195"/>
              <criteria operator="OR">
                <criteria operator="AND">
                  <criterion comment="SLOF is earlier than 0:20191022-3.git899d9883.module+el8.3.0+6423+e4cb6418" test_ref="oval:com.redhat.rhsa:tst:20204676001"/>
                  <criterion comment="SLOF is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20191175002"/>
                </criteria>

      Here is the OVAL data for RHSA-2022:0672 (ruby:2.5):

            <criteria operator="OR">
        <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20191992005"/>
        <criteria operator="AND">
          <criterion comment="Module ruby:2.5 is enabled" test_ref="oval:com.redhat.rhba:tst:20193384065"/>
          <criteria operator="OR">
            <criterion comment="Red Hat Enterprise Linux 8 is installed" test_ref="oval:com.redhat.rhba:tst:20191992003"/>
            <criterion comment="Red Hat CoreOS 4 is installed" test_ref="oval:com.redhat.rhba:tst:20191992004"/>
          </criteria>
          <criteria operator="OR">
            <criteria operator="AND">
              <criterion comment="ruby is earlier than 0:2.5.9-109.module+el8.5.0+14275+d9c243ca" test_ref="oval:com.redhat.rhsa:tst:20220672001"/>
              <criterion comment="ruby is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20193384002"/>
            </criteria>

      If you look at the 'Module is enabled' criterion, it appears in two completely different sections. Our current logic is expecting the module criterion to be in the location it is for RHSA-2022:0759, and it has been there since we started this process over a year ago at this point.

      Can you confirm which is correct/expected?

            rhn-support-jshepher Jason Shepherd
            chaddombrowski Chad Dombrowski (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: