OVAL vs. OSV


Christopher Halbersma

Mar 23, 2023, 1:14:55 PM3/23/23
to osv-discuss
Howdy,

Is there a plan/interest to support OVAL vulnerability data inside of the OSV spec? If done (and successful) it could bring in pre-existing security notices from RedHat, Ubuntu, Debian and a number of other Operating Systems.

CRH

Oliver Chang

Mar 23, 2023, 11:55:30 PM3/23/23
to Christopher Halbersma, osv-discuss
Hi! 

Indeed we'd love to be able to convert OVAL vulnerability data into OSV and support more Linux distros.

That said, we're not sure how to do this, and haven't had the chance to look very deeply into the OVAL format itself. We'd love to see contributions here. 

Cheers,
--
Oliver


--
You received this message because you are subscribed to the Google Groups "osv-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to osv-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/osv-discuss/1776b356-0165-4d4a-b46d-877b372d5d9dn%40googlegroups.com.

Christopher Halbersma

Mar 24, 2023, 7:19:17 PM3/24/23
to osv-discuss
So here is an example of a Red Hat Security Advisory that has an update for a security update to the tcp_wrappers package: https://access.redhat.com/errata/RHBA-2007:0565

Red Hat also publishes an OVAL for it: https://www.redhat.com/security/data/oval/com.redhat.rhba-20070565.xml And while the format is XML-based, it is fairly similar to the OSV format. The format isn't quite as clean; however, I think if you view this section:

```xml
<criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20070565004"/>
  <criteria operator="AND">
    <criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhba:tst:20070565003"/>
    <criterion comment="tcp_wrappers is earlier than 0:7.6-40.4.el5" test_ref="oval:com.redhat.rhba:tst:20070565001"/>
    <criterion comment="tcp_wrappers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20070565002"/>
  </criteria>
</criteria>
```

That can likely be translated to the OSV `affected.ranges` syntax. And I think the references and similar things have similar issues. There are some extra controls in the OVAL format to help better handle alternative package repositories, different OS releases (RHEL 5 vs. 6 vs. 7, etc.). The Ubuntu/Debian formats are a little less uniform; but that might be doable still.

It just seems very challenging to get organizations who've never seemed to be big fans of OVAL to also publish in another security format.

CRH
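The translation sketched in the message above, as an added worked example (this is editor-supplied illustration code, not code from the OSV project or from either poster). It parses the OVAL `criteria` tree, treats a "... is installed" criterion inside an AND block as the release constraint for its siblings, and turns each "... is earlier than EVR" criterion into an OSV `affected` entry with an `ECOSYSTEM` range from `0` up to the fixed EVR. Two simplifications are assumptions: it reads the human-readable `comment` attributes rather than resolving `test_ref` to the `rpminfo_test`/`rpminfo_state` elements (only the criteria block is shown on the page), and the ecosystem string `"Red Hat:<release>"` is an invented label for illustration, not an OSV-registered ecosystem name.

```python
"""Translate a Red Hat style OVAL <criteria> tree into OSV `affected` entries.

Editor-added example, not OSV project code. Assumptions (see lead-in):
- package/version facts are taken from criterion `comment` strings, not from
  the referenced rpminfo tests/states;
- the OSV ecosystem label "Red Hat:<release>" is illustrative only.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the criteria block quoted in the message above, which
# already has a single root element so it parses stand-alone.
SAMPLE_OVAL = """<criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20070565004"/>
  <criteria operator="AND">
    <criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhba:tst:20070565003"/>
    <criterion comment="tcp_wrappers is earlier than 0:7.6-40.4.el5" test_ref="oval:com.redhat.rhba:tst:20070565001"/>
    <criterion comment="tcp_wrappers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20070565002"/>
  </criteria>
</criteria>"""

# Comment patterns used by Red Hat's OVAL feed for the two criteria we care about.
RE_EARLIER = re.compile(r"^(?P<name>\S+) is earlier than (?P<evr>\S+)$")
RE_RELEASE = re.compile(r"^Red Hat Enterprise Linux (?P<ver>\d+) is installed$")


def _walk(node, release, out):
    """Depth-first walk of a <criteria> element.

    Inside an AND block, a release criterion constrains its sibling package
    criteria; inside an OR block the children are alternatives, so a release
    found there must not leak to siblings.  Signing-key and other criteria are
    ignored because OSV has no field for them.
    """
    if node.get("operator", "AND").upper() == "AND":
        for crit in node.findall("criterion"):
            m = RE_RELEASE.match(crit.get("comment", ""))
            if m:
                release = m.group("ver")
    for child in node:
        if child.tag == "criterion":
            m = RE_EARLIER.match(child.get("comment", ""))
            if m and release is not None:
                out.append((release, m.group("name"), m.group("evr")))
        elif child.tag == "criteria":
            _walk(child, release, out)


def oval_criteria_to_osv_affected(xml_text, ecosystem_prefix="Red Hat"):
    """Return a list of OSV `affected` objects for every (release, package, fixed EVR) found."""
    root = ET.fromstring(xml_text)
    found = []
    _walk(root, None, found)
    affected = []
    for release, name, evr in found:
        affected.append({
            # Ecosystem label is an assumption for illustration (see module docstring).
            "package": {"ecosystem": f"{ecosystem_prefix}:{release}", "name": name},
            # "earlier than EVR" == every version from 0 up to, but excluding, EVR.
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": evr}]}],
        })
    return affected


if __name__ == "__main__":
    print(json.dumps({"affected": oval_criteria_to_osv_affected(SAMPLE_OVAL)}, indent=2))
```

Running the module prints one `affected` entry for `tcp_wrappers` on release 5 with `fixed` set to `0:7.6-40.4.el5`; an advisory covering several releases (one AND block per release) yields one entry per release, which is how OSV expects per-ecosystem ranges to be expressed.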