[CentOS-devel] Help Clair Support CentOS

Fri Apr 9 15:27:40 UTC 2021
Louis DeLosSantos <ldelossa at redhat.com>

Hello,

My name is Louis and I'm the core maintainer of Clair:
https://github.com/quay/clair

Clair is a project for scanning containers for vulnerabilities.

We'd like to support CentOS but we need a little help in the form of
information gathering.

For Clair to properly support a distribution we typically require it to
have an official upstream vulnerability database. For example, RHEL has
its own OVAL v2 feeds, as do Ubuntu, SUSE, etc.

What we are trying to determine is how we can extract packages from CentOS
containers and match against known vulnerabilities.

We have the first half worked out already; we have generic RPM database
scanners which extract package names and versions.

The second half is where we need some more information.

A few questions:
* Does CentOS maintain its own security database for packages in its
downstream repositories?
* If not, can we reliably treat any CentOS packages (name, version)
identically to the way we treat RHEL packages? (For instance, if we find
package A with version B, can we attempt to match this against RHEL's OVAL
v2 stream?)
* Can you provide any information on package naming, versioning, and
packaging that creates a difference between RHEL packages and CentOS?

Thank you for your time; I look forward to hearing back.
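As an added illustration of the second question (matching a CentOS package's name and version against a RHEL advisory), and not code from Clair or from this thread: a Python re-implementation of rpm's version comparison, applied to constructed EVR strings. The package, the fixed-in value and the `_3` release suffix are made up for the example; the check shows that a release tag differing from RHEL's, or an epoch missing on one side, changes the verdict even when name and version agree.

```python
import re

# Segments rpm compares: digit runs, letter runs, and the '~' (pre-release) and
# '^' (post-release) markers; '.', '_' and other separators are skipped.
_SEG = re.compile(r"\d+|[a-zA-Z]+|~|\^")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings as rpm does: -1, 0 or 1."""
    x, y, i, j = _SEG.findall(a), _SEG.findall(b), 0, 0
    while i < len(x) or j < len(y):
        s = x[i] if i < len(x) else ""
        t = y[j] if j < len(y) else ""
        if s == "~" or t == "~":            # '~' sorts before anything, even end of string
            if s != "~" or t != "~":
                return 1 if s != "~" else -1
        elif s == "^" or t == "^":          # '^' sorts after end of string, before all else
            if not s or not t:
                return -1 if not s else 1
            if s != "^" or t != "^":
                return 1 if s != "^" else -1
        elif not s or not t:
            break                           # one side ran out of segments
        elif s.isdigit() != t.isdigit():    # a numeric segment beats an alpha segment
            return 1 if s.isdigit() else -1
        else:
            if s.isdigit():                 # numeric: drop leading zeros, longer is larger
                s, t = s.lstrip("0"), t.lstrip("0")
                if len(s) != len(t):
                    return 1 if len(s) > len(t) else -1
            if s != t:                      # same-length digits or letters: string order
                return 1 if s > t else -1
        i, j = i + 1, j + 1
    if i >= len(x) and j >= len(y):
        return 0
    return -1 if i >= len(x) else 1         # whichever side still has segments is newer

def evrcmp(a: str, b: str) -> int:
    """Compare 'epoch:version-release' strings (epoch optional, defaults to 0)."""
    def split(evr):
        epoch, _, rest = (evr if ":" in evr else "0:" + evr).partition(":")
        return (int(epoch),) + rest.partition("-")[::2]
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Constructed sample: an advisory 'fixed in' EVR written in RHEL's release-tag style.
FIXED_EVR = "1:1.1.1g-15.el8_3"

def is_vulnerable(installed: str, fixed: str = FIXED_EVR) -> bool:
    """True when the installed EVR sorts below the advisory's fixed EVR."""
    return evrcmp(installed, fixed) < 0
```

With this logic a rebuild tagged `15.el8` is reported as older than `15.el8_3`, and an EVR that lacks RHEL's epoch is reported as older than every epoch-1 build regardless of its version, which is exactly the packaging difference the third question asks about.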