<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hello,</div><div><br></div><div>My name is Louis and I'm the core maintainer of Clar:</div><div><a href="https://github.com/quay/clair">https://github.com/quay/clair</a></div><div><br></div><div>Clair is a project for scanning containers for vulnerabilities. <br></div><div><br></div><div>We'd like to support CentOS but we need a little help in the form of information gathering. <br></div><div><br></div><div><div>For Clair to properly support a distribution we typically require
it to have an official upstream vulnerability database. For example,
RHEL has their own Oval 2 feeds as does</div><div>Ubuntu, Suse, etc... <br></div><div><br></div><div>What we are trying to determine is how we can extract packages from CentOS containers and match against known vulnerabilities. <br></div><div><br></div><div>We have the first half worked out already, we have generic RPM database scanners which extract package names and versions. <br></div><div><br></div><div>The second half is where we need some more information.</div><div><br></div><div>A few questions:<br></div><div>* Does CentOS maintain its own security database for packages in its downstream repositories ?</div><div>*
If not, can we reliably treat any CentOS packages (name, versions)
identical to the way we treat RHEL packages. (For instance if we find
package A with version B can we attempt to match this against RHEL's
Oval v2 stream?)</div><div>* Can you provide any information on package
naming, versioning, and packaging that creates a difference between RHEL
packages and CentOS?</div><div><br></div><div>Thank you for your time, I look forward to hearing back. <br></div></div></div></div></div>