On 4/9/21 10:27 AM, Louis DeLosSantos wrote:
> Hello,
>
> My name is Louis and I'm the core maintainer of Clair:
> https://github.com/quay/clair
>
> Clair is a project for scanning containers for vulnerabilities.
>
> We'd like to support CentOS but we need a little help in the form of
> information gathering.
>
> For Clair to properly support a distribution we typically require it to
> have an official upstream vulnerability database. For example, RHEL has
> their own OVAL 2 feeds, as do Ubuntu, SUSE, etc...
>
> What we are trying to determine is how we can extract packages from
> CentOS containers and match against known vulnerabilities.
>
> We have the first half worked out already; we have generic RPM database
> scanners which extract package names and versions.
>
> The second half is where we need some more information.
>
> A few questions:
> * Does CentOS maintain its own security database for packages in its
> downstream repositories?
> * If not, can we reliably treat any CentOS packages (name, versions)
> identically to the way we treat RHEL packages? (For instance, if we find
> package A with version B, can we attempt to match this against RHEL's
> OVAL v2 stream?)
> * Can you provide any information on package naming, versioning, and
> packaging that creates a difference between RHEL packages and CentOS?
>
> Thank you for your time, I look forward to hearing back.

CentOS 8 Linux is going EOL in 7 months .. I would not recommend doing anything for that WRT security info.

CentOS 8 Stream will not have the exact versions from RHEL .. it will be slightly ahead of released RHEL (it will be the source code which will become the NEXT point release of RHEL .. usually between 1 and 6 months ahead of the current RHEL).

CentOS 7 Linux is a direct rebuild of released RHEL 7 source code. However, neither the CentOS Project nor Red Hat provide any assurance that CentOS has or fixes ANY security issues.

We have never tested for any, and we never will. CentOS Linux 7 is just built source code that users decide either meets or does not meet their requirements.

We announce CentOS 7 Linux updates here:
https://lists.centos.org/pipermail/centos-announce/

That lists our shasums .. and a link to what Red Hat said the update was for .. BUT .. the CentOS Project does not do any validations or make any claims about the software other than we built and released the packages. We also make it easier for users to look at what the update is said to have fixed. But, it is the user's responsibility to test anything they want to test prior to use.

As to any assumptions as to whether or not the same version of a RHEL and CentOS Linux package is the same .. we make no claims on that either. They were built, in a different closed build system, from the same source code. The build systems are completely different .. so the packages are never identical.

Only an individual user can determine if this is good enough for them to use. Only they can determine the risk they are willing to accept and the testing they require for assurance WRT security.

The purpose of all the testing that RHEL does and the software assurance they provide (for a cost) is why RHEL exists. That is the only Red Hat distribution that exists that has this assurance.