[CentOS] CentOS Security Advisories OVAL feed??

Wed Aug 5 18:21:53 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

Am 05.08.20 um 17:55 schrieb Johnny Hughes:
> On 8/5/20 10:45 AM, centos at niob.at wrote:
>> On 05/08/2020 16:49, Johnny Hughes wrote:
>>> On 8/5/20 1:05 AM, centos at niob.at wrote:
>>>> On 04/08/2020 23:50, Jon Pruente wrote:
>>>>> On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote:
>>>>>> Q5) If the answer to the last question is "no": shouldn't there be
>>>>>> such
>>>>>> a resource?
>>>>> CentOS doesn't publish security errata. If you need it then you should
>>>>> either buy RHEL, or deal with putting together your own set up with
>>>>> something like http://cefs.steve-meier.de/
>>>> I expected just this answer, and we do have a RHEL subscription (and
>>>> BTW: thanks for the link). But you missed the main point by omitting the
>>>> other questions (especially Q1, Q2 and Q3): There are upstream package
>>>> versions that were never rebuilt for CentOS.
>>>> For instance: If, for whatever reason, I am required to stay with nginx
>>>> 1.14.1 then the missing rebuild of the packages mentioned in
>>>> RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would
>>>> leave me with a vulnerable system.
>>>> The question for an OVAL feed is actually an add-on question: In the
>>>> same spirit that is the base for the CentOS project itself: wouldn't
>>>> such a feed be a good thing to have? Otherwise your answer could be the
>>>> catch-all answer to all questions CentOS: Go get a commercial
>>>> subscription. Personally, I think such an answer is not very helpful.
>>>> So what do you think about the underlying issue? Under what
>>>> argumentation does it NOT constitute to be an issue?
>>> Modules suck .. :)
>>> But that is built and in the repo ..
>>> dnf list 'nginx*'
>>> nginx.x86_64
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-all-modules.noarch
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-filesystem.noarch
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-mod-http-image-filter.x86_64
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-mod-http-perl.x86_64
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-mod-http-xslt-filter.x86_64
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-mod-mail.x86_64
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> nginx-mod-stream.x86_64
>>> 1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
>>> As I have said before .. mbbox (the item used to build modules) adds an
>>> index code (the 184) and a part of the git commit (e34fea82) .. so this
>>> will always be different between RHEL and CentOS .. because we use
>>> different builders and a different git repo.  Red Hat's RHEL index code
>>> is 4108 and the git commit is af250afe
>> Thanks a lot for pointing that out! That explains part of the problem.
>> The corresponding source RPMs are indeed identical (I checked :-) ), so
>> the packages were (indeed) rebuilt. That was not at all obvious to me.
>> OTOH: I probably would have guessed if there had been a corresponding
>> e-mail to Centos-Announce. At this point, I would like to add that I am
>> extremely impressed by the CentOS project and that I do not want to
>> blame anybody for forgetting such an e-mail (or maybe it was just lost
>> somewhere in SMTP-land) - I just want to state that fact. Thanks for
>> putting in all that hard work!
>> With that new knowledge, I also checked my other issues wrt to the
>> container-tools package: Same module issue. So there is a pattern. But
>> there is also the pattern that I cannot find the corresponding
>> CentOS-Announce e-mail. Strange, isn't it?
>> This still leaves me wondering if there should be an attempt at
>> providing a CentOS OVAL file similar to the one by RH that is not
>> generated by taking the upstream file and running some uninspired
>> sed-script on it, like (for reference):
>>      sed -e 's,/etc/redhat-release,/etc/centos-release,g' -e
>> 's/199e2f91fd431d51/05b555b38483c65d/g'
>> However, the question could be asked if such an OVAL file would be of
>> any use, in the light of possibly missing CESA announce e-Mails, because
>> that advisory information must some be translated into the OCAL XML.
>> Having said all this: maybe there is some deeper problem here, because
>> of that pattern of missing announce e-mails that correspond with
>> packages that differ in the final version number with respect to the
>> upstream package. Or is this just a coincidence?
> We understand that there are no announcements for CentOS 8 .. this (the
> modules differences) is precisely the reason why (the names do not match
> up and our scripts require that).
> We do not have the capability to announce these at the present time.
> This is something that needs an engineering solution.  Submissions welcome.

I the mean time : https://feeds.centos.org/