On 04/29/2011 04:53 AM, Riccardo Veraldi wrote:
> Hello,
> I ask here if CentOS has an XML OVAL repository. This is the reason for my
> question:
>
> Actually I have an automatic system to check CVE vulnerability reports
> against RedHat OVAL resources, for example:
> https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml for
> 2011 CVEs and RHSA-related OVALs
>
> My problem is that while the mechanism works flawlessly regarding
> Scientific Linux, with CentOS I have false positive reports
> because the patch level numbers for some rpms are somewhat different from
> the ones written in the official RedHat OVALs.
>
> I'll give an example to explain myself better:
>
> Consider CVE-2011-0020, which corresponds to the RHSA-2011:0180-1 security
> advisory and regards a pango vulnerability.
>
> RedHat calls the updated rpm which addresses the vulnerability
> pango-1.14.9-8.el5_6.2
>
> CentOS calls it pango-1.14.9-8.el5.centos.2
>
> so we have:
>
> pango-1.14.9-8.el5_6.2 in the RedHat OVALs while CentOS has
> pango-1.14.9-8.el5.centos.2 and I think they both address the
> CVE-2011-0020 vulnerability
> but since the naming is different I have a report that my pango RPM on
> CentOS is vulnerable, while on SL with the same rpm I have no false
> positives and everything is ok.
>
> So I ask if CentOS has its own OVAL xml files because I cannot use the
> RedHat OVALs with CentOS in a reliable way for my purposes.

No, we don't have that .. and we can't "screen scrape" the Red Hat content and make our own. While the Red Hat source files are Open Source (usually GPL, but also other licenses) and we can rebuild their SRPMs ... their "Customer Portals" are NOT open source.
In fact, here are the terms for using their "Customer Portals":

http://www.redhat.com/legal/legal_statement.html

"Red Hat either owns the intellectual property rights in the HTML, text, images, audio, video, software or other content that is made available on this website, or has obtained the permission of the owner of the intellectual property to make it available on this website. Red Hat strictly prohibits the redistribution or copying of any part of this website or content on this website without written permission from Red Hat. Red Hat authorizes you to display on your computer, download and print pages from this website provided: (a) the copyright notice appears on all such printouts, (b) the information will not be altered, (c) the content is only used for personal, educational and non-commercial use, and (d) you do not redistribute or copy the information to any other media."

Also this one:

https://access.redhat.com/site/help/terms_conditions.html

Use of Content. Red Hat grants you a personal, non-assignable license to use Red Hat Content for your own internal use while you are a Red Hat Customer (as defined in Section 2 above). Distributing any portion of Red Hat Content to a third party, using any Red Hat Content for the benefit of a third party or using Red Hat Content in connection with software other than Red Hat Software under an active Red Hat subscription are all prohibited. Red Hat authorizes you to display on your computer, download, play and print the Red Hat Content provided: (a) the copyright notice is not removed, (b) Red Hat Content is not altered, (c) Red Hat Content is used only for your personal, educational and non-commercial use in support of your active valid subscriptions to Red Hat products and services and in accordance with your Customer Agreement, (d) you do not further redistribute or copy Red Hat Content and (e) you comply with any Additional Terms.
In the event of a conflict, inconsistency or difference between this Section 6 and the terms of a License or Customer Agreement, the License or Customer Agreement will control (for example, for Red Hat Content licensed under a Creative Commons License, you will have the rights set forth in the applicable Creative Commons License). If you exceed your authorized use of Red Hat Content (for example, if you use Red Hat Content in support of Software for which you do not have an active valid subscription), you may be required under your Customer Agreement to purchase additional subscriptions to Red Hat products. In addition, your right to continue to access Red Hat Content from a Red Hat Portal is subject to your continued compliance with these Terms of Use, your Customer Agreement and the Additional Terms.

=================================================================

What this means is that we can NOT screen scrape, download, or otherwise use content from the Red Hat website as a "Template" to then modify and generate modified copies of that content ... BECAUSE ... content is NOT software and the Red Hat content is NOT open source.

This is also why we do not duplicate the whole content from security advisories. We can point you at it, we can not grab it and modify it and then republish it.

The CentOS Project takes copyright and intellectual property rights very seriously.

Thanks,
Johnny Hughes
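To show concretely why Riccardo's OVAL checks flag the CentOS rebuild, here is an added example (not code from the thread, from CentOS or from Red Hat). It reimplements a simplified rpm version comparison over the two package names quoted above, which reproduces the false positive, and then compares with the distribution tag (`el5_6`, `el5.centos`) stripped; that stripping is a heuristic assumption of this example and rests on the thread's own assumption that both builds carry the same fix.

```python
import re

# Constructed sample from the thread: Red Hat's fixed pango build from
# RHSA-2011:0180-1 (CVE-2011-0020) and the CentOS rebuild of the same update.
RHEL_FIXED = "pango-1.14.9-8.el5_6.2"
CENTOS_INSTALLED = "pango-1.14.9-8.el5.centos.2"

# Distribution tag as it appears in the release field: el5, el5_6, el5.centos.
# Heuristic assumption for this example, not part of the OVAL or rpm spec.
DIST_TAG = re.compile(r"\.el\d+(?:_\d+|\.centos)?")

def split_nvr(nvr):
    """Split name-version-release into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpm version comparison: split into numeric and alpha
    segments; numbers compare as integers, letters lexically, and a numeric
    segment beats an alpha one. Epoch and tilde handling are omitted."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # "6" is newer than "centos"
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vulnerable_naive(installed, fixed):
    """What an OVAL evr test does: installed older than the fixed build
    means vulnerable. This flags the CentOS rebuild, i.e. the false positive."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0

def strip_dist_tag(release):
    """Drop the dist tag so only the packager's revision numbers remain."""
    return DIST_TAG.sub("", release)

def vulnerable_dist_aware(installed, fixed):
    """Same check, but comparing releases with the dist tag removed."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return (rpmvercmp(iv, fv) or rpmvercmp(strip_dist_tag(ir), strip_dist_tag(fr))) < 0
```

The dist-aware check still reports a genuinely unpatched build such as `pango-1.14.9-8.el5` as vulnerable, so it narrows the false positives without hiding missing updates, but it only holds where the CentOS rebuild keeps Red Hat's revision numbers.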