Greetings,
Recently we implemented ALMA 9, and we are finding many false positives when using the OVAL feed for ALMA 9. It appears in many cases that the OVAL feed has an El8 reference. Example CVE-2024-27280:
The host is patched:
rpm -q --changelog ruby
* Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.0.7-162
- Upgrade to Ruby 3.0.7.
However in the ALMA 9 OVAL feed the comment appears incorrect.
<criterion test_ref="oval:org.almalinux.alsa:tst:20243671001" comment="ruby is earlier than 0:3.3.1-2.module_el8.10.0+3855+767cb125"/>
However looking at the test definitions they appear correct:
<red-def:rpminfo_state id="oval:org.almalinux.alsa:ste:20226585001" version="635">
<red-def:arch operation="pattern match" datatype="string">aarch64|i686|ppc64le|s390x|x86_64</red-def:arch>
<red-def:evr datatype="evr_string" operation="less than">0:3.0.4-160.el9_0</red-def:evr>
</red-def:rpminfo_state>
At this point I am uncertain if the false positive is related to the OVAL definitions that I am unaware of, or if there is some other issue.
I’ll continue to research and update on any discoveries.
–PD
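An added example, not part of the original post and not AlmaLinux's or any scanner's code: a simplified Python re-implementation of rpm's EVR ordering, applied to the two EVR strings quoted above to show how an `evr_string` "less than" test evaluates against the installed ruby. The installed EVR is constructed from the changelog entry (epoch 0 assumed, dist tag left off because the page does not show it), the function names are hypothetical, and rpm's caret (`^`) rule is not handled.

```python
import re
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")   # separators such as . _ + are skipped

def rpmvercmp(a, b):
    """rpm-style ordering of one version or release string (caret '^' not handled)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1      # a tilde sorts before anything
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return -1 if kx < ky else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    return 1 if a_longer == (extra != "~") else -1   # leftovers win unless they start with ~

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    version, _, release = (rest if sep else evr).partition("-")
    return (int(epoch) if sep else 0), version, release

def evr_cmp(a, b):
    """Compare epoch, then version, then release: -1, 0 or 1."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def dist_major(evr):
    """EL major release named in the release field's dist tag, or None."""
    m = re.search(r"el(\d+)", parse_evr(evr)[2])
    return int(m.group(1)) if m else None

# STATE_EVR and COMMENT_EVR are quoted in the post; INSTALLED is constructed
# from the changelog entry (epoch 0 assumed, dist tag not shown on the page).
INSTALLED = "0:3.0.7-162"
STATE_EVR = "0:3.0.4-160.el9_0"
COMMENT_EVR = "0:3.3.1-2.module_el8.10.0+3855+767cb125"

if __name__ == "__main__":
    for evr in (STATE_EVR, COMMENT_EVR):
        print(f"el{dist_major(evr)}: installed < {evr}? {evr_cmp(INSTALLED, evr) < 0}")
```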