Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upstream SUSE OVAL archives and CVSS data is changing #571

Closed
msmeissn opened this issue May 8, 2024 · 5 comments · Fixed by #625
Closed

Upstream SUSE OVAL archives and CVSS data is changing #571

msmeissn opened this issue May 8, 2024 · 5 comments · Fixed by #625
Labels
enhancement New feature or request

Comments

@msmeissn
Copy link

msmeissn commented May 8, 2024

What would you like to be added:

  • You can download SUSE oval data now .bz2 compressed. We plan to discontinue the .gz compressed data.
  • We changed the severity impact mappings. We now use the CVSS v3.1 offical values: low, medium, high, critical

Why is this needed:

changes on SUSE side.

Additional context:
@msmeissn msmeissn added the enhancement New feature or request label May 8, 2024
@msmeissn
Copy link
Author

msmeissn commented May 8, 2024
edited
Loading

CVE lines now look like:

        <cve impact="high" cvss3="7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" href="https://www.suse.com/security/cve/CVE-2002-20001/">CVE-2002-20001 at SUSE</cve>
        <cve impact="high" cvss3="7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" href="https://nvd.nist.gov/vuln/detail/CVE-2002-20001">CVE-2002-20001 at NVD</cve>

@tgerla
Copy link

tgerla commented May 9, 2024

Hi @msmeissn, thank you for the heads up. When will the .gz files stop being generated? It should be an easy enough change on our side but it would be helpful to know when the change will happen. Thanks!

Dev note: change .gz to .bz2 here:

vunnel/src/vunnel/providers/sles/parser.py

Line 49 in 44df4e2

__oval_url__ = "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.{}.xml.gz"

@spiffcs
Copy link
Contributor

spiffcs commented May 9, 2024

Dev Note:
We can find the new listing of .bz2 files here

@kzantow
Copy link
Contributor

kzantow commented May 10, 2024

Also, it looks like we will need to update the severities here:

https://github.com/anchore/vunnel/blob/main/src/vunnel/providers/sles/parser.py#L39

@msmeissn
Copy link
Author

I currently have no timeline for discontinuing .gz format, as I do not know all the users. So at least a year I would say

@spiffcs spiffcs moved this to Ready in OSS May 16, 2024
@willmurphyscode willmurphyscode mentioned this issue May 29, 2024
Closed
@westonsteimel westonsteimel mentioned this issue Jul 11, 2024
Merged
@wagoodman wagoodman changed the title SUSE OVAL changes Upstream SUSE OVAL archives and CVSS data is changing Jul 11, 2024
@github-project-automation github-project-automation bot moved this from Ready to Done in OSS Jul 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Archived in project
Milestone
No milestone
4 participants
@tgerla @msmeissn @kzantow @spiffcs