Hello,
My name is Louis and I'm the core maintainer of Clair: https://github.com/quay/clair
Clair is a project for scanning containers for vulnerabilities.
We'd like to support CentOS but we need a little help in the form of information gathering.
For Clair to properly support a distribution we typically require it to have an official upstream vulnerability database. For example, RHEL has their own Oval 2 feeds as does Ubuntu, Suse, etc...
What we are trying to determine is how we can extract packages from CentOS containers and match against known vulnerabilities.
We have the first half worked out already, we have generic RPM database scanners which extract package names and versions.
The second half is where we need some more information.
A few questions:
- Does CentOS maintain its own security database for packages in its downstream repositories?
- If not, can we reliably treat any CentOS packages (name, versions) identically to the way we treat RHEL packages? (For instance if we find package A with version B can we attempt to match this against RHEL's Oval v2 stream?)
- Can you provide any information on package naming, versioning, and packaging that creates a difference between RHEL packages and CentOS?
Thank you for your time, I look forward to hearing back.
On 4/9/21 10:27 AM, Louis DeLosSantos wrote:
> Hello,
> My name is Louis and I'm the core maintainer of Clair: https://github.com/quay/clair
> Clair is a project for scanning containers for vulnerabilities.
> We'd like to support CentOS but we need a little help in the form of information gathering.
> For Clair to properly support a distribution we typically require it to have an official upstream vulnerability database. For example, RHEL has their own Oval 2 feeds as does Ubuntu, Suse, etc...
> What we are trying to determine is how we can extract packages from CentOS containers and match against known vulnerabilities.
> We have the first half worked out already, we have generic RPM database scanners which extract package names and versions.
> The second half is where we need some more information.
> A few questions:
> - Does CentOS maintain its own security database for packages in its downstream repositories?
> - If not, can we reliably treat any CentOS packages (name, versions) identically to the way we treat RHEL packages? (For instance if we find package A with version B can we attempt to match this against RHEL's Oval v2 stream?)
> - Can you provide any information on package naming, versioning, and packaging that creates a difference between RHEL packages and CentOS?
> Thank you for your time, I look forward to hearing back.
CentOS 8 Linux is going EOL in 7 months .. I would not recommend doing anything for that WRT security info.
CentOS 8 Stream will not have the exact versions from RHEL .. it will be slightly ahead of released RHEL (it will be the source code which will become the NEXT point release of RHEL .. usually between 1 and 6 months ahead of the current RHEL).
CentOS 7 Linux is a direct rebuild of released RHEL 7 source code. However, neither the CentOS Project nor Red Hat provide any assurance that CentOS has or fixes ANY security issues. We have never tested for any, and we never will. CentOS Linux 7 is just built source code that users decide either meets or does not meet their requirements.
We announce CentOS 7 Linux updates here: https://lists.centos.org/pipermail/centos-announce/
That lists our shasums .. and a link to what Red Hat said the update was for .. BUT .. the CentOS Project does not do any validations or make any claims about the software other than we built and released the packages. We also make it easier for users to look at what the update is said to have fixed. But, it is the user's responsibility to test anything they want to test prior to use.
As to any assumptions as to whether or not the same version of a RHEL and CentOS Linux package is the same .. we make no claims on that either. They were built, in a different closed build system, from the same source code. The build systems are completely different .. so the packages are never identical. Only an individual user can determine if this is good enough for them to use. Only they can determine the risk they are willing to accept for testing they require for assurance WRT security. The purpose of all the testing that RHEL does and the software assurance they provide (for a cost) is why RHEL exists. That is the only Red Hat distribution that exists that has this assurance.
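Louis's message describes the two halves of the problem (extract name/version from the RPM database, then compare against a feed's "fixed in" version), and Johnny's reply is the caveat that a CentOS build of the same source is never identical to the RHEL build. The script below is an added example written for this page; it is not Clair's code and not from the CentOS Project. It reimplements RPM's label comparison (rpmvercmp), parses NEVRA strings of the kind an RPM database query emits, and compares each against a constructed, made-up `FIXED_IN` table standing in for OVAL criteria. The `.centos` dist-tag stripping is an assumption added for illustration, not something the thread states, and the function and variable names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Reimplementation of librpm's rpmvercmp(): a label splits into alternating
# numeric and alphabetic segments; numeric segments compare as integers,
# alphabetic ones as strings, a numeric segment is newer than an alphabetic
# one at the same position, and a tilde marks a pre-release that sorts first.
# Other characters ('.', '_', '-') are separators.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as label a is older than, equal to or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1       # only b is a pre-release: a is newer
            if y != "~":
                return -1      # only a is a pre-release: a is older
            continue           # both tilde: keep comparing
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1   # numeric beats alphabetic
        elif x != y:
            return -1 if x < y else 1
    # Shared segments are equal: whichever label has segments left is newer,
    # unless its leftover starts with a tilde (pre-release of the same base).
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


EVR = Tuple[int, str, str]  # (epoch, version, release)


def evrcmp(a: EVR, b: EVR) -> int:
    """Epoch decides first, then version, then release, each via rpmvercmp."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_evr(s: str) -> EVR:
    """'1:1.1.1g-15.el8_3' -> (1, '1.1.1g', '15.el8_3'); a missing epoch is 0."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, release = s.rsplit("-", 1)
    return epoch, version, release


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str


_NEVRA = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(s: str) -> Nevra:
    """Parse NAME-[EPOCH:]VERSION-RELEASE.ARCH as emitted by the rpm query format
    '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}'; rpm prints the literal
    '(none)' for an unset epoch, which is treated as epoch 0."""
    s = s.replace("(none):", "")
    m = _NEVRA.match(s)
    if not m:
        raise ValueError(f"not a NEVRA string: {s!r}")
    return Nevra(m["name"], int(m["epoch"] or 0), m["version"], m["release"], m["arch"])


# ASSUMPTION (heuristic, not stated in the thread): a CentOS rebuild may carry
# an extra ".centos" component in its dist tag; strip it so the comparison runs
# against the RHEL-style release string an OVAL definition names.
_CENTOS_TAG = re.compile(r"\.centos(?=\.|$)")


def normalize_release(release: str) -> Tuple[str, bool]:
    """Return (release without the .centos tag, whether anything was removed)."""
    norm = _CENTOS_TAG.sub("", release)
    return norm, norm != release


# Constructed stand-in for the "fixed in" EVR that an OVAL definition's criteria
# carry, keyed by package name. Made up for this example; not real advisory data.
FIXED_IN: Dict[str, str] = {
    "openssl-libs": "1:1.1.1g-15.el8_3",
    "bash": "4.4.19-12.el8",
}


def assess(installed: str, fixed_in: Dict[str, str] = FIXED_IN) -> Optional[dict]:
    """None when no advisory data names the package; otherwise a record whose
    'confidence' is never better than best-guess (the CentOS and RHEL builds
    differ) and drops to 'low' when the release tag had to be rewritten."""
    pkg = parse_nevra(installed)
    fixed = fixed_in.get(pkg.name)
    if fixed is None:
        return None
    release, rewritten = normalize_release(pkg.release)
    affected = evrcmp((pkg.epoch, pkg.version, release), parse_evr(fixed)) < 0
    return {"name": pkg.name, "installed": installed, "fixed": fixed,
            "affected": affected, "confidence": "low" if rewritten else "best-guess"}


if __name__ == "__main__":
    # Constructed sample of what an RPM-database scan of a container might emit.
    for line in ["openssl-libs-1:1.1.1g-12.el8_3.x86_64",
                 "openssl-libs-1:1.1.1k-4.el8.x86_64",
                 "bash-(none):4.4.19-10.el8.centos.x86_64",
                 "curl-(none):7.61.1-18.el8.x86_64"]:
        print(assess(line))
```

The comparison itself is exact RPM semantics; everything that makes a CentOS result "best guess" is in the two assumptions around it: that the name maps onto the RHEL advisory entry at all, and that rewriting the release tag is legitimate. Reporting that confidence alongside the verdict, rather than hiding it, is the point the thread makes about CentOS packages carrying no security claims of their own.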
Thanks for this info, this is very helpful for us.
I'm gathering that any matching between CentOS packages and RHEL packages will be a "best guess" effort at best.
This is good information, and is what I sought out to gather.
Appreciate your response.
On Fri, Apr 9, 2021 at 11:54 AM Johnny Hughes <johnny@centos.org> wrote:
> CentOS 8 Linux is going EOL in 7 months .. I would not recommend doing anything for that WRT security info.
> CentOS 8 Stream will not have the exact versions from RHEL .. it will be slightly ahead of released RHEL (it will be the source code which will become the NEXT point release of RHEL .. usually between 1 and 6 months ahead of the current RHEL).
> CentOS 7 Linux is a direct rebuild of released RHEL 7 source code. However, neither the CentOS Project nor Red Hat provide any assurance that CentOS has or fixes ANY security issues. We have never tested for any, and we never will. CentOS Linux 7 is just built source code that users decide either meets or does not meet their requirements.
> We announce CentOS 7 Linux updates here: https://lists.centos.org/pipermail/centos-announce/
> That lists our shasums .. and a link to what Red Hat said the update was for .. BUT .. the CentOS Project does not do any validations or make any claims about the software other than we built and released the packages. We also make it easier for users to look at what the update is said to have fixed. But, it is the user's responsibility to test anything they want to test prior to use.
> As to any assumptions as to whether or not the same version of a RHEL and CentOS Linux package is the same .. we make no claims on that either. They were built, in a different closed build system, from the same source code. The build systems are completely different .. so the packages are never identical. Only an individual user can determine if this is good enough for them to use. Only they can determine the risk they are willing to accept for testing they require for assurance WRT security. The purpose of all the testing that RHEL does and the software assurance they provide (for a cost) is why RHEL exists. That is the only Red Hat distribution that exists that has this assurance.
On 4/9/21 12:46 PM, Louis DeLosSantos wrote:
> Thanks for this info, this is very helpful for us.
> I'm gathering that any matching between CentOS packages and RHEL packages will be a "best guess" effort at best.
> This is good information, and is what I sought out to gather.
> Appreciate your response.
Well, WRT items that are an exact match, they are built from the exact same source code and the build systems .. while not exactly the same, are similar.
So the packages should WORK the same .. and they SHOULD link the same named libraries. But users need to test for vulnerabilities themselves, as no testing directly for security is done by the CentOS Project.
That does not mean I would EXPECT major differences. Just that everyone needs to do their own validation.
<snip>