OVAL package appears to be for EL8

Greetings,
Recently we implemented ALMA 9, and we are finding many false positives when using the OVAL feed for ALMA 9. It appears in many cases that the OVAL feed has an El8 reference. Example CVE-2024-27280:
The host is patched:

rpm -q --changelog ruby
* Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.0.7-162
- Upgrade to Ruby 3.0.7.

However in the ALMA 9 OVAL feed the comment appears incorrect.

<criterion test_ref="oval:org.almalinux.alsa:tst:20243671001" comment="ruby is earlier than 0:3.3.1-2.module_el8.10.0+3855+767cb125"/>

However looking at the test definitions they appear correct:
<red-def:rpminfo_state id="oval:org.almalinux.alsa:ste:20226585001" version="635">
<red-def:arch operation="pattern match" datatype="string">aarch64|i686|ppc64le|s390x|x86_64</red-def:arch>
<red-def:evr datatype="evr_string" operation="less than">0:3.0.4-160.el9_0</red-def:evr>
</red-def:rpminfo_state>

At this point I am uncertain if the false positive is related to the OVAL definitions that I am unaware of, or if there is some other issue.

I’ll continue to research and update on any discoveries.
–PD

Hi @pdoyley, nice catch! Thanks!

There is definitely an error in the AlmaLinux OVAL document generation process. I checked other errata-related data and I couldn’t find any evidence of such problems in dnf updateinfo data or in the AlmaLinux Errata website. In any case, we’ll get those fixed as soon as possible. And yes please, feel free to bring any inconsistencies that you might find in further research, that’d be really helpful.

Also, and as an alternative, you are welcome to join our security channel, where you can bring these kinds of topics to the attention of more people from the AlmaLinux community.

Again, thanks for the report :slight_smile:
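
The check described in the first post can be automated across a whole feed. The following is an added example, not code from the thread or from AlmaLinux: it walks an OVAL document, follows each criterion's `test_ref` to its rpminfo state, and reports criteria whose comment names a dist tag other than the expected one. The function name, the `expected` parameter and the `oval:example:*` ids are assumptions; the sample document is constructed and reuses only the comment and EVR strings quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the real AlmaLinux feed; the oval:example:* ids are
# placeholders. Only the comment and EVR strings come from the thread.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions><definition id="oval:example:def:1" class="patch" version="1"><criteria operator="OR">
    <criterion test_ref="oval:example:tst:1" comment="ruby is earlier than 0:3.3.1-2.module_el8.10.0+3855+767cb125"/>
    <criterion test_ref="oval:example:tst:2" comment="ruby is earlier than 0:3.0.4-160.el9_0"/>
  </criteria></definition></definitions>
  <tests>
    <red-def:rpminfo_test id="oval:example:tst:1"><red-def:state state_ref="oval:example:ste:1"/></red-def:rpminfo_test>
    <red-def:rpminfo_test id="oval:example:tst:2"><red-def:state state_ref="oval:example:ste:1"/></red-def:rpminfo_test>
  </tests>
  <states>
    <red-def:rpminfo_state id="oval:example:ste:1" version="1"><red-def:evr datatype="evr_string" operation="less than">0:3.0.4-160.el9_0</red-def:evr></red-def:rpminfo_state>
  </states>
</oval_definitions>"""

DIST_TAG = re.compile(r"(?<![A-Za-z])el\d+")  # matches el8 in ".module_el8.10.0", el9 in ".el9_0"

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_dist_mismatches(xml_text, expected="el9"):
    """Return (test_ref, dist tags in comment, EVR of the linked state) per suspect criterion."""
    root = ET.fromstring(xml_text)  # feed is assumed to come from a trusted mirror
    state_evr, test_state = {}, {}
    for el in root.iter():
        name = local(el.tag)
        if name == "rpminfo_state":
            state_evr[el.get("id")] = next((c.text for c in el if local(c.tag) == "evr"), None)
        elif name == "rpminfo_test":
            test_state[el.get("id")] = next((c.get("state_ref") for c in el if local(c.tag) == "state"), None)
    findings = []
    for el in root.iter():
        if local(el.tag) != "criterion":
            continue
        tags = set(DIST_TAG.findall(el.get("comment", "")))
        if tags and tags != {expected}:
            evr = state_evr.get(test_state.get(el.get("test_ref")))
            findings.append((el.get("test_ref"), sorted(tags), evr))
    return findings

if __name__ == "__main__":
    for ref, tags, evr in find_dist_mismatches(SAMPLE_OVAL):
        print(f"{ref}: comment mentions {tags}, linked state evr is {evr}")
```

Printing the linked state's EVR next to the comment shows whether only the comment text is wrong or the state the scanner actually evaluates is wrong as well.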